Carberp source code leak

Yesterday (6/24/2013) the Carberp source code eventually leaked to the public. It is a 1.9 GB package containing different source codes including the Carberp and Rovnix bootkit source. The package also contains sensitive data such as chat logs, logins, GIT repository URLs, original projects paths and user names in Visual Studio configuration files. There are good blog entries of my colleagues here and here with some nice screenshots.

It was first sold on exploit.in (second screenshot), then leaked on darkode.com (first screenshot) and later it leaked on other forums and eventually on Twitter.

BNi_qoZCYAAsMl4

exploit.in Carberp sale

Download

Link 1: http://multiupload.nl/A6CFLK4U6M
Link 2: https://mega.co.nz/#!0YsXWBRD!CMqd9nrm1d0XABKlifI9vmxprpQ6RnfsdhBHeKrDXao

The password is:

Kj1#w2*LadiOQpw3oi029)K   Oa(28)uspeh

Analysis of the package

Via kernelmode.info:

Ursnif related

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\VNCDLL.dll
pro\all source\TZ\vnc\VNCd.7z->VNCd/VNCDLL.dll
pro\source builder plugins inj's modules etc\WndRec\vncdemo\VNCDLL.dll
pro\source builder plugins inj's modules etc\Сорцы и Модули\VNCd.7z->VNCd/VNCDLL.dll

Rovnix related (BKLoader itself)

pro\all source\bootkit.old\KLoader\release\i386\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\bksetup.exe
pro\all source\test\bootkit\1\bksetup.exe
pro\all source\test\bootkit\1\setupdll.dll
pro\all source\test\bootkit\bksetup.exe
pro\all source\test\bootkit\setupdll.dll
pro\all source\TZ\bootkit\bin\bksetup.exe
pro\all source\TZ\bootkit\bin\setupdll.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\bin\release\i386\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\bin\release\i386\SetupDll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkSetup.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\setupdll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\setupdll.dll
pro\source builder plugins inj's modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/DrvTest.sys
pro\source builder plugins inj's modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/SpoolNetAdvr.sy_
pro\all source\bootkit\bin\Release\i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\driver_i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\driver_i386\kloader.sys
pro\all source\TZ\bootkit\BK\bin\release\i386\kloader.sys
pro\all source\bootkit.old\KLoader\release\amd64\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\BkSetup.dll

Alureon related (dropper of old variants, still ITW)

pro\all source\DropSploit1.rar->DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1.rar->DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit\out\builder_Release.exe
pro\all source\DropSploit\out\builder_Release.sys
pro\all source\DropSploit\out\dropper.dll
pro\all source\DropSploit\out\Release\dropper.dll
pro\all source\DropSploit\test\1\builder_Release.exe
pro\all source\DropSploit\test\2\builder_Release.exe
pro\all source\DropSploit\test\3\builder_Release.exe
pro\all source\DropSploit\test\5\builder_Release.exe
pro\all source\DropSploit\test\6\builder_Release.exe
pro\all source\DropSploit\test\7\builder_Release.exe
pro\all source\DropSploit\test\8\builder_Release.exe

Claywhist (VNC) related
pro\all source\RemoteCtl\Release\hvnc.exe

Phdet related

pro\all source\TZ\kill_os\bin\os_kill_debug.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe

Zeus related

pro\all source\GrabberIE_FF\Release\GrabberIE_FF.dll
pro\all source\temp\zeus src.rar->zeus src\output\builder\zsb.exe
pro\all source\temp\zeus src.rar->zeus src\output\client32.bin
pro\all source\ZeuS 2.0.8.9\output\builder\zsb.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/builder/zsb.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/client32.bin

SpyEye related

pro\source builder plugins inj's modules etc\Сорцы и Модули\spyinject2.zip->iehookdll_mod.dll
pro\all source\RemoteCtl\Release\rdp.dll
pro\all source\temp\rdp.dll
pro\all source\temp\rdp.exe
pro\all source\TZ\rdp\rdp.plug
pro\source builder plugins inj's modules etc\plugs\rdp.plug

Vundo related

pro\all source\AgentFullTest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\new.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav2.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release\new.exe
pro\all source\bootkit\BkBuild\BootkitRunBot.dll
pro\all source\Demo_Cur2\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Debug\RU.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\WhiteJoe.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\WhiteJoe.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkInstaller.dll
pro\source builder plugins inj's modules etc\ConfigBuilder\ConfigBuilder\ConfigBuilder.exe
pro\source builder plugins inj's modules etc\ConfigBuilder\for test\ConfigBuilder.exe

Carberp itself

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\disktest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\FakeDll.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG2.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_FDI_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release\bki.plug
pro\all source\BJWJ\Builds\Bin\Release\bktest.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav1.exe
pro\all source\BJWJ\Builds\Bin\Release\bootkit.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release\bot.plug
pro\all source\BJWJ\Builds\Bin\Release\docfind.exe
pro\all source\BJWJ\Builds\Bin\Release\first.plug
pro\all source\BJWJ\Builds\Bin\Release\Full.exe
pro\all source\BJWJ\Builds\Bin\Release\ifobstst.exe
pro\all source\BJWJ\Builds\Bin\Release\livrus.exe
pro\all source\BJWJ\Builds\Bin\Release\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release\mmm.exe
pro\all source\BJWJ\Builds\Bin\Release\mybot.exe
pro\all source\BJWJ\Builds\Bin\Release\mytest.exe
pro\all source\BJWJ\Builds\Bin\Release\ola.exe
pro\all source\BJWJ\Builds\Bin\Release\ola1.exe
pro\all source\BJWJ\Builds\Bin\Release\ola2.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_FDI.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_serg.exe
pro\all source\BJWJ\Builds\Bin\Release\second.plug
pro\all source\BJWJ\Builds\Bin\Release\test.exe
pro\all source\BJWJ\Builds\Bin\Release\testftp.exe
pro\all source\BJWJ\Builds\Bin\Release\testnew.exe
pro\all source\BJWJ\Builds\Bin\Release\testtt.exe
pro\all source\BJWJ\Builds\Bin\Release\tinytst.exe
pro\all source\BJWJ\Builds\Bin\Release\tst.exe
pro\all source\BJWJ\Builds\Bin\Release\vnctest.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec2.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.exe
pro\all source\Bot Builder\WhiteJoeRebootPing.exe
pro\all source\temp\2012-07-04_FakeDllFiles\bot.plug
pro\all source\temp\marazm\Droper\WhiteJoe.exe
pro\all source\test\test\ola.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Bot.plug
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Loader_dll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\WhiteJoeRebootPing.dll
pro\source builder plugins inj's modules etc\Full.exe
pro\source builder plugins inj's modules etc\Full_btc.exe
pro\source builder plugins inj's modules etc\plugs\bki.plug
pro\source builder plugins inj's modules etc\plugs\bki_log.plug
pro\source builder plugins inj's modules etc\plugs\bot.plug
pro\source builder plugins inj's modules etc\plugs\bot_log.plug
pro\source builder plugins inj's modules etc\plugs\log\bki.plug
pro\source builder plugins inj's modules etc\plugs\log\bot.plug
pro\source builder plugins inj's modules etc\RU_Az_btc.exe
pro\source builder plugins inj's modules etc\RU_Az_if.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\DBG_bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB_hnt.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU.exe
pro\all source\BJWJ\Builds\Bin\Release\mmmm.exe
pro\all source\BJWJ\Builds\Bin\Release\RU.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_Cur2\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Debug/WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Release\RU.exe
pro\source builder plugins inj's modules etc\InjTest.exe
pro\all source\BJWJ\Builds\Bin\BootkitTest\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\CoreDll.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\Locker\bin\Debug\locker.exe
pro\all source\temp\Demo_cur.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\temp\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\Demo_ifobs.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\Demo_iFOBS_src.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\iFobsLdr.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\src2\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\WndRec\output\log\IBank\1237\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.dll
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.dll
pro\all source\bootkit\BkBuild\ping.dll
pro\all source\temp\marazm\Droper\WhiteJoe.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Loader.exe

Stoned framework with Black Hat Europe 2007 Vipin Kumar POC, detected as Sinowal
pro\source builder plugins inj's modules etc\Сорцы и Модули\Stoned Bootkit Framework.zip

There is also a copy of Win32 Obfuscator known as Mystic Compressor.

adminpanel без иконки\bot_adm\cache\cryptor\CRYPTOR.EXE
pro\all source\BootkitDropper\nbuild\Tools\Mystic.exe
pro\all source\Locker\build\Tools\mystic.exe
pro\all source\test\Mystic.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\Tools\Mystic.exe