26 June, 2013

Carberp Trojan Bot + Bootkit Source Leaked - Download

According to Andrey Komarov of Group-IB, a Russian security and cybercrime investigation firm, the source code of the Carberp Trojan and its bootkit has been leaked by a member of the team that created it.
"Some of the members would love to destroy the project and move on to another business or a new product," Komarov said.

Carberp is financial malware: a Trojan program used primarily to steal online banking credentials and other sensitive information from users. Carberp started out in 2010 as a private, not-for-sale Trojan developed and used by a single gang, but after a limited number of sales of the builder in 2011, the number of Carberp-powered fraud operations multiplied.

For a long time the Trojan was used almost exclusively against online banking users in Russia, Ukraine, Belarus, Kazakhstan, Moldova and other former Soviet states. However, variants and configuration scripts targeting U.S. and Australian banks were found this year.


The Russian forum user "madeinrm" offered the source code for sale because someone else, using the nickname "batman", had already passed the code on to a third party, apparently without madeinrm's approval.

The toolkit offered for sale consisted of the full source code of Carberp, including: comments; web-injects; all the Carberp modules; the source code of Gazavar (the worm module); the admin panel for the command-and-control servers; Windows exploits for vulnerabilities patched last year (specifically CVE-2012-1864 and CVE-2012-0217); and a bootkit module.




Madeinrm said he intended to screen potential buyers: rather than selling the hitherto secret code to a large number of people, he wanted to sell it at a higher price through an exclusive deal.

The leak potentially puts the crimeware in the hands of a much larger group of attackers, putting more users at risk. However, it also lets security researchers take a deep look at the malware, which helps them work out how to defend against it. It is shared here for the latter purpose.


The complete archive is said to weigh in at 5 GB. However, the leaked archive appears to be only 1.9 GB (compressed). It contains the full source code of Carberp, but only partial source code for the bootkit module.
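Two different sizes are quoted for this archive (5 GB claimed, 1.9 GB as leaked), and the comments below report a download that arrived at 433.6 MB with no MD5 or SHA-1 published alongside it. That is the situation where a practitioner should check what actually landed on disk before opening anything. The following Python is an added example, not part of the original post or of the leaked material: it streams a file through SHA-256 and compares the byte count and digest against whatever the poster advertised. The file names, contents and digest in the demo are constructed for illustration; no hash for the real archive is known from this page.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB archive never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_archive(path, expected_size, expected_sha256=None):
    """Compare a downloaded file against the advertised size and (optional) SHA-256.

    Returns a dict with:
      actual_size - bytes on disk
      size_ok     - True if it matches expected_size (a shortfall means a truncated download)
      sha256      - digest of what was actually received
      hash_ok     - True/False against expected_sha256, or None when no digest was published
                    (in which case the file cannot be authenticated, only measured)
    """
    actual_size = os.path.getsize(path)
    digest = sha256_of_file(path)
    result = {
        "actual_size": actual_size,
        "size_ok": actual_size == expected_size,
        "sha256": digest,
        "hash_ok": None,
    }
    if expected_sha256 is not None:
        result["hash_ok"] = digest.lower() == expected_sha256.strip().lower()
    return result


def verdict(result):
    """One-line human reading of a verify_archive() result."""
    if not result["size_ok"]:
        return "truncated or wrong file: size mismatch (%d bytes)" % result["actual_size"]
    if result["hash_ok"] is None:
        return "size matches, but no published digest: authenticity unverified"
    return "size and SHA-256 match" if result["hash_ok"] else "size matches but SHA-256 differs: tampered or different build"


def demo():
    """Constructed demonstration (not real leak data): one complete file, one truncated copy."""
    # Hypothetical advertised values: a 3-byte 'archive' whose content is b"abc".
    expected_size = 3
    expected_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as d:
        full = os.path.join(d, "krab.rar")          # constructed file name
        truncated = os.path.join(d, "krab_part.rar")  # constructed file name
        with open(full, "wb") as f:
            f.write(b"abc")
        with open(truncated, "wb") as f:
            f.write(b"ab")  # simulates a download that stopped early
        full_result = verify_archive(full, expected_size, expected_sha256)
        trunc_result = verify_archive(truncated, expected_size, expected_sha256)
        unverifiable = verify_archive(full, expected_size, None)
    return full_result, trunc_result, unverifiable


if __name__ == "__main__":
    for r in demo():
        print(verdict(r))
```

A size match alone only tells you the transfer completed; without a digest published by the source, the archive could still have been modified anywhere along the mirror chain, which is why the comment below asking for an MD5 or SHA-1 is the right question.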

Deeper analyses of the malware and its bootkit are available here:

http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf
http://blog.avast.com/2013/04/08/carberp_epitaph/

A removal tool released for the Carberp Trojan:

http://www.hotforsecurity.com/download/carberp-removal-tool

Download links for the leaked Carberp Trojan bot and bootkit (1.9 GB):
http://xlnk.cc/Carberp1
http://xlnk.cc/Carberp2




Yay! I'm not going to leave you without the password to the archive. Here it is:

Kj1#w2*LadiOQpw3oi029)K   Oa(28)uspeh

Kindly comment, like and share this blog post... :)

3 comments:

Anonymous said...

The archive is stated to be 1.88GB in size. However after download the "krab.rar" file weighs in at only 433.6MB. What do you make of this? I have seen what others in the space have said about the discrepancy. Just wanted your take please. Too bad the leaker did not publish an MD5 or SHA1 value along with it.

Tyson_08 said...

You might want to give the download another try, maybe using the mirror?
I'm not sure as to why this must have happened. If there's a problem with the downloads, let me know so I can create another mirror.

Anonymous said...

Thanks, working.
