
Carberp Malware Kit Leaked


39 replies to this topic

#1 th3fall3n777


Posted 10 July 2013 - 12:54 AM

http://www.infosecurity-magazine.com/view/33135/carberp-source-code-leaked-new-variants-expected/

 

There was a firesale of the Carberp code the week of June 17th - apparently (as far as I understand) one of the members of the Carberp cyber-crime gang began selling the code without the authorization of his partners in crime.  At the height of the sale I read that the going price was $50k.  But then a week later the code was leaked (the RAR containing the kit was being distributed on various underground hacker community sites, but did not include the password until about a week ago, when that was then posted).

 

I guess the archive is about 5GB in size and allegedly contains the commented source code for Carberp and all of its modules, including the bootkit ones; the source code for the administration panel used on Carberp command-and-control servers; exploits for two Windows privilege escalation vulnerabilities that were patched in 2012, CVE-2012-0217 and CVE-2012-1864; and so-called “Web inject” scripts that allow the malware to interact with different online banking websites.

 

I know this is "old news" at this point, but I haven't seen it yet here so thought it would be a good first post!

 

Cheers,

 





#2 Zestypanda


Posted 10 July 2013 - 01:14 AM

Think of what antivirus makers can do with this. Mwuhahahahhah *evil laugh* also, hello, I'm Zestypanda, one of the many helpful geeks here. ^_^ ~Zestypanda.

Have a question, or just wanna chat? Send me a message. Or add me as a friend.

 


#3 th3fall3n777

  • Topic Starter

Posted 10 July 2013 - 10:16 AM

I just had this awesome visual of Mr. Burns from The Simpsons rolling his fingers, "excellent."  But yeah - sneaky b@$t@rd$!



#4 Zestypanda


Posted 10 July 2013 - 03:15 PM

If it wasn't illegal I would love to get my hands on that source code. :D


 


#5 th3fall3n777

  • Topic Starter

Posted 10 July 2013 - 03:29 PM

I have snippets and screenshots I could send you if you're at least curious to see some of it - I was doing some "recon" on a certain forum after getting a tip from a blogger that the RAR was on sale - while in there I was able to grab some interesting pictures. There is some code in a couple of the pictures - not enough to do anything with, but enough to understand what the idea is.  If you want I'd be happy to send you the pictures in a .rar or .zip format.  



#6 Zestypanda


Posted 10 July 2013 - 06:41 PM

Nah, too many NSA agents. :P is it written in C or C++?


 


#7 TsVk!

    penguin farmer

Posted 10 July 2013 - 06:47 PM

If it wasn't illegal I would love to get my hands on that source code. :D

It's not illegal to download, own or modify; it's not child porn. It's only illegal to deploy it on machines without the owner's written/clicked consent.

 

Great story, thanks for bringing this to me.



#8 Zestypanda


Posted 10 July 2013 - 07:00 PM

But, I mean, you all know I'm not gonna deploy it, but what if my ISP sees me downloading the source folder and then contacts the FBI or something.


 


#9 TsVk!

    penguin farmer

Posted 10 July 2013 - 07:16 PM

You could mail the FBI yourself and tell them you have it, they don't care... Better things to do with their lives than bother you for having information. It is a constitutional right in most civilized countries. "Freedom of Information"

 

Also, your ISP doesn't always monitor exactly what you download, but looks for patterns that bring suspicious connections under scrutiny. So no running botnets from your home connection without a socks5 proxy and a VPN, OK?

 

edit: just googled it, 'Freedom of Information' is a human right actually, by international law.


Edited by TsVk!, 10 July 2013 - 07:21 PM.


#10 Zestypanda


Posted 10 July 2013 - 07:49 PM

But, I live in California, or communifornia :P


 


#11 TsVk!

    penguin farmer

Posted 10 July 2013 - 08:14 PM

I live in the 'Police State of Australia'... I know your pain. :censored:



#12 th3fall3n777

  • Topic Starter

Posted 11 July 2013 - 01:52 AM

I was just going to add that I don't have the Carberp kit! lol Just some screenshots of various things - like a picture of the directories included in the Carberp RAR - or at least the directories that were in it on the day I read the blog about it, which was a couple of weeks ago at this point.  There is some code displayed - for instance JavaScript, but it's only portions of it.



#13 TsVk!

    penguin farmer

Posted 11 July 2013 - 04:43 PM

I downloaded this code yesterday to have a look... At 1.9 gig it is an extremely involved package. Must have taken many people years to write.



#14 th3fall3n777

  • Topic Starter

Posted 11 July 2013 - 05:42 PM

Carberp has been around since (I believe) roughly 2009... the only reason it's in the news again is the leak of the kit online for free.  When that happens, we can expect mutations!  The original Carberp gang in Russia took IBank and other Russian banks for 250 million.



#15 TsVk!

    penguin farmer

Posted 11 July 2013 - 06:04 PM

The Citadel botnet which is part of the Carberp package stole $500 million this year from European banks, mostly Spain, Italy and the like. There's the code for several other botnets there also. It's worth billions.

 

There's no wonder that they started fighting amongst themselves with that sort of money floating around, greed creates distrust.
