CIA used Carberp code to build persistent malware


Took advantage of leaked source code.

Parts of the infamous banking trojan Carberp were incorporated into malware developed by the CIA, according to the latest leak of secret documents by WikiLeaks.

The CIA freely admitted it had purloined components of Carberp in the user guide [pdf] for the Stolen Goods 2 persistence method.

Hiding a dynamic link library and a device driver payload on a computer hard drive's volume boot meant they survived Windows being rebooted.

"The components were taken from malware known as Carberp, a suspected Russian organised crime rootkit," the 2014 document from CIA's engineering development group (EDG) states.

"The source of Carberp was published online, and has allowed [the CIA] to easily steal components as needed from the malware."

Carberp has been active mostly in Russia and Eastern Europe since 2009, possibly earlier. It is believed to have caused losses in the hundreds of millions of dollars, and its developers were arrested in 2013.

That same year, the source code for Carberp was leaked online, and has been used to build other malware.

CIA's Stolen Goods 2 was designed to be used with the Grasshopper malware installer, according to the classified document.

Stolen Goods 2 works with 32 and 64-bit versions of Windows XP and Windows 7, with no driver signing required.

The document's authors warned that attempting to use the rootkit on Windows 8, 8.1, or Server 2012 would render the target computer unbootable.

According to the CIA, Stolen Goods 2 was not detected by antivirus products from Kaspersky and Symantec, and the agency believed it would also go unnoticed by other security programs.

There is no mention in the documents of whether the CIA's Carberp-based malware was deployed in the field.
