Carberp source code now leaked

The Bootpocalypse

While security blogs are still flooding the internet with the old news of the carberp source going on sale for $50k, I’d like to take some time to give you some slightly more recent news and a recap. 
  • Towards the end of last month it became apparent to me that the carberp source had gone on sale. There was a sudden influx of people selling carberp binaries using a non-cracked builder, hinting towards having the source, as well as a few screenshots and videos flying around. Around this time I was eager to blog about the sale; however, I couldn’t find enough solid evidence to make a post.
  • On the 8th of June it was confirmed (to me) that the carberp source on sale was legitimate, but I was still waiting for a sales thread screenshot before posting my article.
  • By the 18th of June I still hadn’t got a screenshot, Trusteer had beaten me to blogging about the sale, and I gave up writing my article.
  • About a day later I was in the right place at the right time and managed to get the full carberp source, totally free.
  • Up until the 22nd I had withheld my new and improved post due to the fact that, although the source was fairly easy to come across, it was still widely believed to be only in the hands of people with $50k to spare.
  • By that same evening the rar file I had been given (apparently from a private board) had been posted on exploitin, a fairly easy to access Russian community; however, the password was not posted.
  • Some time between the exploitin thread being posted and this morning, the rar password was revealed on the same forum, but the post required members to have 150 posts in order to view it.
  • About an hour ago a slightly incorrect version of the password was posted on dk, an invite-only English community, by someone from exploitin.
  • Less than 5 minutes after the dk post, the password was posted twice on a public board known as tf; both times the thread was removed within a few seconds.
  • [Added 22:20 UTC]: The corrected rar password has allegedly been posted on dk.
  • [Added 22:39 UTC]: The password was just posted on a public forum along with a link to the rar.
As of now it appears a much larger number of public forum members have access to the source. Although the leak still seems fairly under control, as the correct password has not yet been posted on any public boards, it looks as if we can expect a public leak in the next few hours. The password and the rar have been posted in public for the first time. My predictions for the week ahead are strong winds, with a chance of bootkits and apocalyptic firestorms.

As this will probably be my last post about the carberp leak (unless anything interesting happens), I will take the opportunity to post a few screenshots of interest.

First proof of carberp source posted on a public board

A close, but incorrect, version of the rar password posted on dk (pic from )

Top of install.c (commonly posted screenshot)

The folders of bootkit project

Kernel mode TCP/IP using NDIS hook

Carberp using gapz code injection technique

Carberp gets leaked on public board
