Carberp source code now leaked

The Bootpocalypse

While security blogs are still flooding the internet with the old news of the carberp source going on sale for $50k, I'd like to take some time to give you some slightly more recent news and a recap. 

  • Towards the end of last month it became apparent to me that the carberp source had gone on sale. There was a sudden influx of people selling carberp binaries built with a non-cracked builder, hinting that they had the source, as well as a few screenshots and videos flying around. Around this time I was eager to blog about the sale, however I couldn't find enough solid evidence to make a post. 
  • On the 8th of June it was confirmed (to me) that the carberp source on sale was legitimate, but I was still waiting for a sales thread screenshot before posting my article. 
  • By the 18th of June I still hadn't got a screenshot, Trusteer had beaten me to blogging about the sale, and I gave up writing my article. 
  • About a day later I was in the right place at the right time and managed to get the full carberp source, totally free.
  • Up until the 22nd I had withheld my new and improved post due to the fact that, although the source was fairly easy to come across, it was still widely believed to be only in the hands of people with $50k to spare.
  • By that same evening the rar file I had been given (apparently from a private board) had been posted on exploitin, a fairly easy to access Russian community, however the password was not posted. 
  • Some time between the exploitin thread being posted and this morning, the rar password was revealed on the same forum, but the post required members to have 150 posts in order to view it.
  • About an hour ago a slightly incorrect version of the password was posted on dk, an invite-only English community, by someone from exploitin. 
  • Less than 5 minutes after the dk post, the password was posted twice on a public board known as tf; both times the thread was removed within a few seconds.
  • [Added 22:20 UTC]: The corrected rar password has allegedly been posted on dk.
  • [Added 22:39 UTC]: The password was just posted on a public forum along with a link to the rar. 
As of now it appears a much larger number of public forum members have access to the source. When I first wrote this, the leak still seemed fairly under control (the correct password had not yet been posted on any public boards), but it looked as if we could expect a public leak in the next few hours. Update: the password and rar have now been posted in public for the first time. My predictions for the week ahead are strong winds, with a chance of bootkits and apocalyptic firestorms.

As this will probably be my last post about the carberp leak (unless anything interesting happens), I will take the opportunity to post a few screenshots of interest.

First proof of carberp source posted on a public board

A close, but incorrect, version of the rar password posted on dk (pic from )

Top of install.c (commonly posted screenshot)

The folders of bootkit project

Kernel mode TCP/IP using NDIS hook

Carberp using gapz code injection technique
Carberp gets leaked on public board


MalwareTech

Hi. I'm a 20-year-old programmer and security enthusiast currently living in the UK; my skills include Malware Analysis, Reverse Engineering, and Windows Internals. I also have experience programming in the following languages: C/C++, ASM, PHP, Python, C#, Objective-C, as well as a few web scripting languages. Hope you enjoy reading my blog!


10 comments:

  1. https://twitter.com/Ivanlef0u/status/349315255312195584

  2. Thanks! This might prove to be a fun exercise in my security course next year.

  3. ^Figure it out yourself, this blog is not meant to give you the tools so you can run along and infect people.

  4. What is the password for the file from the first post?

  5. What is the Password for the .rar file?

  6. Peni!s is the password

  7. The archive contains sources for sinowal (mebroot aka torpig) and some other well known pieces of high end malware such as Gozi, etc.

    The archive is 5GB uncompressed and I haven't had time to comb through it all. Some amazing and evil code in there. Some serious effort went into this project.

    Replies
    1. The files in the archive are reversed mebroot taken from Peter Kleissner's website. The torpig/sinowal parts aren't included, but it looks as if the carberp team were trying to learn from the reversed bootloader.

  8. In the archive are several pw-protected 7zip and rar archives. Does anyone know how to get these pws? Of course, they are different from the one used to encrypt the entire archive.
