Last week rumors started circulating that the source code for the crimekit known as “Carberp” had been leaked on the net. However, the code resided inside a password-protected zip file, so it could not be confirmed that the leak was genuine. The situation was very similar to when the source code for ZeuS was leaked.
CSIS has been investigating this further and can now confirm that we have the complete source code for Carberp and that the code compiles and works just as described in the associated text files included in the package. The package also includes the Carberp bootkit along with source code for what seem to be other kits, e.g. Stone bootkit, Citadel, Ursnif etc. The package is currently undergoing deeper analysis. We also found several text files containing apparently private chats and various usernames and passwords for several FTP servers. This also needs to be investigated further ...
As with the leak of the ZeuS source code back in May 2011 (https://www.csis.dk/en/csis/blog/3229/), this means that IT criminals have every chance to modify the kit and even add new features to it. This is the very same thing we predicted in 2011, and it fueled new commercial crimekits still being used in attacks today, such as IceIX and Citadel.
The archive itself has the following properties:
Size: 2015529409 bytes
The archive is password protected, but the password was published yesterday.
A few screenshots found below:
New screenshots from the Carberp builder and config builder:
and the video server: