Researchers find Carbanak source on VirusTotal

Security researchers at FireEye have uncovered the source code for the notorious Carbanak Trojan, responsible for the theft of millions of dollars from financial institutions worldwide - after it had been uploaded to Google's VirusTotal service two years ago, seemingly without anyone noticing.

The primary tool of a group known to researchers as FIN7, the Carbanak Trojan introduces a remotely-accessible back-door which has been used to exfiltrate millions of dollars from banks and other financial institutions around the world. The Trojan is well known, and has been the subject of exhaustive analysis - but all based on reverse-engineering the compiled binaries, the source code being a closely-guarded secret of its creators.

At least, that was the theory. Two years ago, though, someone uploaded a pair of archives to Google's VirusTotal service - which scans submitted files through a range of anti-virus engines - which contained the full source code to the Carbanak Trojan. Despite these files then being shared with anti-virus vendors and other security researchers signed up to the VirusTotal distribution scheme, however, nobody noticed - until now.

'Our colleague Nick Carr uncovered a pair of RAR archives containing Carbanak source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie),' explain FireEye researchers Michael Bailey and James Bennett in a joint blog post. 'FLARE malware analysis requests are typically limited to a few dozen files at most. But the Carbanak source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code.'

In the first of a series of posts analysing the malware, the researchers translate the sourced code comments and associated operator manuals from Russian to English, detail the graphical user interface that would be used to tweak the Trojan's operation, and detail the source code's anti-analysis mechanisms. A second post details its techniques for evading detection via anti-virus applications, usernames that may point to the Trojan's original authors, the exploits used to attack target systems, and hard-coded passwords and private keys; another post has been promised, but not yet published, to include a retrospective look at a previous analysis without the benefit of the source files.

The Carbanak code has now been made available to other security researchers, though no explanation has been given for how it slipped under the radar on VirusTotal for a full two years.