The always-lively Russian fraud forums offer amateur and professional hackers a wide variety of tools to assist them in their criminal activity. Authorized dealers offer malware modules, botnets, rootkits, stolen credentials and the like for very reasonable prices. Although commoditized malware variants (such as Zeus) are sold on a daily basis, it is rare to see the source code of known malware being offered for sale. The security team at IBM Trusteer recently identified a Russian forum member who is offering the Trojan’s Carberp source code for $50,000.

The seller, who goes by the alias “=Sj=,” provides a highly detailed description of the new developments and capabilities of the malware. The seller also explicitly writes that the source code is sold in coordination with the Carberp author and that it will only be sold to a trustworthy member. This comment is of particular interest as members of different advanced fraud forums are apparently also attempting to sell the source code at a significantly lower price. One assumption is that a breach of contract by a Carberp seller caused a buyer to take revenge and sell the source code.

The Carberp Source Code Bootkit

The highly elaborate ad provides a detailed overview of numerous functions, processes and modules incorporated into Carberp. One of them is the newly designed bootkit, which the seller claims will significantly improve the infection rate. According to the ad, it “enables you to load a specifically compiled driver from the moment the OS starts. … The driver receives commands before all other loaded drivers (including all drivers at boot-load) and can monitor them or affect the way they load. A digital signature of the driver is unnecessary.”

This is in fact a Master Boot Record (MBR) rootkit. In addition to the advanced features offered, the seller details some functions described as “oldies but goodies,” such as:

  • Form grabbers for the major browsers
  • FTP grabbers
  • RU and UA grabbers (for targeting Russian and Ukrainian applications)
  • Email grabbers
  • Certificate grabbers
  • VNC and RDP

Trusteer analysts have witnessed past occurrences in which a private group acquired malware source code (Citadel), enhanced it, sold variants and offered help and support. With the current feature set this malware offers, it can easily be configured to conduct targeted attacks on a wide variety of businesses as well as for use in data theft and reconnaissance. It remains to be seen if this is an attempt to dilute the Carberp source code due to internal struggles within the Trojan or its buyer groups. Another possibility is that the source code will be acquired and enhanced to create a new malware product for sale to the underground fraud community.

Driver Boot Loader

Enables you to load specifically compiled drivers from the moment the OS starts. The driver is loaded prior to the initialization of the NT core — prior to the initialization of PatchGuard — and can patch any code that runs at core. The driver receives commands before all other loaded drivers (including all drivers at boot-load) and can monitor them or affect the way they load. A digital signature of the driver is unnecessary.

All Windows OS are supported, starting from XP to Windows 8, inclusive. All architectures are supported, x86 and AMD64 (EM64T). The boot-loader works with all types of NTFS-partitions. The compiled project consists of three main parts:

  • Initial loader (IPL)
  • Specially-compiled, with the account of initialization prior to the NT core, driver
  • Installer-software (or library-installer (DLL))

The IPL code is metamorphic, consisting of a certain amount of blocks, which are scrambled randomly with each project compilation. The IPL code is encrypted and is dynamically decrypted at runtime. This way, each IPL code, when fully complied, is different from its predecessor in a binary way. The driver is also encrypted when it is being written to disk and decrypted by the initial loader at startup.

A small limitation to the driver size: In relation to the different technical specifics of the IPL, the driver cannot be more than 100 KB.

The project is compiled through MS Visual Studio 2005 and MS Windows 7 WDK.

Additional Components

The driver can contain the following additional components:

  • A virtual OS manager. Creates a virtual, encrypted (RC6) file system (VFS) within unmapped disk sectors. Offers a user-mode interface to work with files on that FS.
  • Filter of disk-access. Blocks external access to sectors containing IPL and virtual FS. Conceals the virtual FS.
  • DLL injector. Allows to load (inject) DLLs that are on the VFS or attached, independent of the driver-file, in the desired process. Has an interface to control injections from user-mode.
  • Driver loader. Offers an interface to load third-party unsigned drivers.
  • TCP/IP protocol stack (incl: ARP, ICMP, DNS). Provides user-mode add-ons and drivers with an interface for networking outside of BSD-sockets.

The Project Inventory List

  • IPL Generator (\BkGen)
  • Loader library (\BkLib)
  • Installer software (\BkSetup)
  • Installer library (\SetupDll)
  • Driver-injector (\KLoader)
  • Virtual File-System library (\FsLib)
  • Library for loading third-party drivers (\DrvLdr)
  • Library-filter for defending the sectors of the loader and virtual FS (\BkFilter)
  • Utility for file attachments (\FJ)
  • Utility for controlling the virtual FS (\VFS)
  • Batch files for compiling an example loader with DLL examples (\BkBuild)

IPL Generator

Compiles only under x86 in the executable file BkGen.exe; creates the file at run, which contains the metamorphic code of the initial loader. Generates a unique loader with every run.

Loader Library

Compiles under x86 and AMD64 in static library (/lib). Contains functions needed for installing and initializing the loader. Imported via the installer and driver. See file bklib.h. for details.

Installer Software

At compilation, seeks the loader file and integrates itself to resources. Compiled only under x86 to the file BkSetup.exe.

Installer Library

Compiles for X86 and X64 to the dynamic library SetupDll.dll. The library exports one function: ULONG BkInstall (BOOL bReboot). When it is called, the loader is installed to the system. In case of an error, the function returns a Win32 error code.


Compiles under x86 and AMD64 as an NT driver (kloader.sys). It injects attached DLLs to desired processes. The DLL and processes lists are contained in the configuration file for the FJ utility.

Virtual File-System Library

Compiles for x86 and AMD64, linked in the injector-driver (kloader.sys). Creates a virtual file system in an unmarked section of the system hard drive. In case an unmapped sector does not exist sufficiently, the last section of the disk is reduced in size for this purpose.

The file system is a modified FAT16 system. The cluster size is equal to the physical disk size. The maximum supported volume of the virtual disk is ~32MB. The file names are 8.3, because long names are not supported. Catalogs are unsupported. The FS is completely encrypted (RC6).

Library for Loading Third-Party Drivers

  • Compiled under x86 and AMD64 and linked to the driver-injector (kloader.sys)
  • Allows [users] to load and execute third-party drivers for the NT core
  • Filter-library for Protecting Loader Sectors and Virtual FS

Compiled under x86 and AMD64 and linked to driver-injector (kloader.sys). Filters low-level requests to read/write disk sectors. Prohibits the change (write) of sectors containing the initial loader. Blocks changes by third parties and drivers to the FS sectors. When reading the sectors containing the virtual FS, it nullifies its contents, in turn masking the existence of a file system.

Utility for File Attachments

Compiles only to x86 in the executable, FJ.exe. Used for joining injected DLLs to the driver file and for attaching the driver file to the installer. For details, see \FJ\ReadMe.txt.

Batches for Compiling an Example Installer

  • BkBuild.bat: compiles an installer with the attached drivers kloader.sys for x86 and AMD64, respectively. To each driver, DLL files to inject are attached.
  • BkSetup.cfg: configuration file for compiling the installer and its driver attachments
  • setupdll.cfg: configuration file for compiling the installer library and its driver attachments
  • demo32.dll: a 32-bit demo-library
  • demo 64.dll: a 64-bit demo-library

Compiling Order

  1. With the help of Visual Studio 2005, compile the entire project. First compile for i386, and then for AMD64.
  2. Open a console (cmd.exe), access the folder \BkBuild and launch BkBuild.exe from console.
  3. Fetch the ready installer from \BkBuild\R.


  • Bootkit (MBR Loader)
  • FTP grabbers
  • Browsers, mail programs
  • Form grabbers IE, FF, FTP
  • Sniffer
  • Certification grabber from IE, HTML injections in IE and FF
  • Universal keylogger
  • Grabbers of RU and UA
  • VNC, RDP and many more

More from Fraud Protection

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

What Are the Biggest Phishing Trends Today?

According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That's a 33% increase from 2021. One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a…

Top Security Concerns When Accepting Crypto Payment

From Microsoft to AT&T to Home Depot, more companies are accepting cryptocurrency as a way to pay for products and services. This makes perfect sense as crypto coins are a viable revenue source. Perhaps the time is ripe for businesses to learn how to receive, process and convert crypto payments into fiat currency. Still, many questions remain. How can you safely enable customers to pay with Bitcoin or other digital currency? What are the security risks that come with cryptocurrency? Let’s…

NFT Security Risks: Old Scams and New Tricks

The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021. To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account. As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as…