
Russian-Ukranian Botnet Group Busted – Details of an Advanced Botnet

by Dave on April 5, 2013

A joint Ukrainian and Russian law enforcement operation busts the alleged boss of the Carberp botnet and malware development group. The bust included about 20 developers of the malware-driven botnet that stole hundreds of millions of dollars.

A 28-year-old Russian national was arrested in the Ukraine in a joint operation involving the Security Service of Ukraine (also known as the SBU) and the Russian Federal Security Service, reported Ukrainian newspaper Kommersant Ukraine. This week’s arrests follow the March 2012 arrests of eight alleged members of the Carberp gang by Russian police.

Police said that in the past few years, the Carberp botnet gang used their malware to steal $250 million from Russian and Ukrainian bank customers, among others. Carberp was also used as part of the Eurograbber malware attack campaign that as of December 2012 netted attackers an estimated $47 million.

The Ukraine, home to 46 million people, is a hotbed of computer crime. A February 2013 report from Germany’s Deutsche Telekom telephone carrier, which tracks online attacks, said that the majority of the world’s cyber attacks are launched from Russia, followed by Taiwan, Germany and the Ukraine. More than half [!] of all malware distributed worldwide is also generated by servers located in the Ukraine.

The financial malware developed by the Carberp gang targets people’s personal financial website login details — primarily at Russian banks — which the malware would steal and relay to the botnet’s controllers. Typically, the gang would initiate remote connections to the infected PCs, access financial accounts and initiate transfers to corporate accounts that served as a front for attackers. The gang would then use money mules to withdraw transferred money from Moscow-area ATMs.

[Read this carefully – this is how sophisticated malware has become!]
As with many other forms of banking malware, Carberp — which infects Windows systems — is able to block antivirus updates on infected PCs and to remove other types of competing malware that might be installed, such as Adrenalin, Barracuda, BlackEnergy, Limbo, MyLoader, SpyEye and Zeus, according to a MalwareIntelligence blog post. Carberp can also intercept encrypted communications between a banking website and an infected PC’s browser — including one-time codes generated by banks — and can disguise its behavior via stealth and rootkit techniques and steal usernames and passwords from numerous types of software, including remote-access tools.

Unlike other well-known botnets such as Zeus, SpyEye or Citadel, Carberp’s creators initially appeared to keep their operation relatively small, and at times completely private. In theory, that approach would minimize the malware developers’ profile and make them less of a target for law enforcement agencies.

In February 2011, however, the Carberp gang made a splash when they began advertising their malware to any buyer for $10,000 per toolkit, although they stopped selling the software just one month later and also ceased customer support.

By the end of 2011, a different group of developers had transformed the malware into a full-fledged banking Trojan that could modify the Java code in a tool used by 800 Russian banks, according to a blog post from Aleksandr Matrosov, security intelligence team lead at security firm ESET. At that point, the attackers were also using the malware to target at least three large well-known banks in the United States, typically infecting people via drive-by downloads from compromised websites, or via spam emails with malicious PDF, Excel or other types of files attached. Finally, as an apparent side business, the Carberp botnet was also being used to launch distributed denial of service (DDoS) attacks, as well as to redirect infected computers to Blackhole toolkit infections.

Come early 2012, the developers behind Carberp retooled the malware to also target Facebook users with a man-in-the-browser attack that attempted to trick them into divulging e-cash vouchers.

The 2012 arrests of eight alleged Carberp operators — including two brothers who allegedly ran the Carberp gang — quieted down related botnet activity. But according to a blog post from Limor Kessem, a cyber-intelligence analyst at security firm RSA, at the end of last year, a new version of Carberp appeared that rented for $2,000 to $10,000 per month, or up to $40,000 per month for the full-featured version.

[This is an excellent example of how a successful botnet develops, gets busted, then morphs, redevelops and repeats the cycle again and again.] The original article is here:
