Carberp source leaked

Forum for analysis and discussion about malware.
rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: Carperp Source Code

Post by rinn » Tue Jun 25, 2013 4:21 am

Well, for now everybody can built their own power loader from this source :)
_ExploreBypass (with a Heavens Gate rip-off in Share folder).

Best Regards,
-rin

User avatar
EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Carperp Source Code

Post by EP_X0FF » Tue Jun 25, 2013 4:43 am

rinn wrote:Well, for now everybody can built their own power loader from this source :)
I don't think so. It is just a Explorer exploit part from PL, well there are many other exploits in this pack, even ransomware source. All this pack is pack of 3rd party code. Since this code is easy to read, more clones will be created soon.
Ring0 - the source of inspiration

User avatar
EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Carperp Source Code

Post by EP_X0FF » Tue Jun 25, 2013 6:22 am

Suprisely found Alureon related code in this pack.

Here is the short list of malware families which components/code included in Carberp package. Note: I've tried to remove some duplicate entries.

Ursnif related

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\VNCDLL.dll
pro\all source\TZ\vnc\VNCd.7z->VNCd/VNCDLL.dll
pro\source builder plugins inj's modules etc\WndRec\vncdemo\VNCDLL.dll
pro\source builder plugins inj's modules etc\Сорцы и Модули\VNCd.7z->VNCd/VNCDLL.dll

Rovnix related (BKLoader itself)

pro\all source\bootkit.old\KLoader\release\i386\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\bksetup.exe
pro\all source\test\bootkit\1\bksetup.exe
pro\all source\test\bootkit\1\setupdll.dll
pro\all source\test\bootkit\bksetup.exe
pro\all source\test\bootkit\setupdll.dll
pro\all source\TZ\bootkit\bin\bksetup.exe
pro\all source\TZ\bootkit\bin\setupdll.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2\bin\release\i386\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\biin\BkSetup.dll
pro\all source\Инфа по буткиту\Бинарник БК\LatestBk\BK2.8.2_KIP\BK2.8.2_KIP\bin\release\i386\SetupDll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkSetup.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Release\setupdll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\BkSetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\bin\SetupDll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\bksetup.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Release\setupdll.dll
pro\source builder plugins inj's modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/DrvTest.sys
pro\source builder plugins inj's modules etc\Сорцы и Модули\Rootkit.7z->DrvTest/debug/SpoolNetAdvr.sy_
pro\all source\bootkit\bin\Release\i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\driver_i386\kloader.sys
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\driver_i386\kloader.sys
pro\all source\TZ\bootkit\BK\bin\release\i386\kloader.sys
pro\all source\bootkit.old\KLoader\release\amd64\kloader.sys
pro\all source\BootkitDropper\nbuild\SrcDir\BkSetup.dll

Alureon related (dropper of old variants, still ITW)

pro\all source\DropSploit1.rar->DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1.rar->DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit1\out\builder_Release.exe
pro\all source\DropSploit1\out\Release\dropper.exe
pro\all source\DropSploit\out\builder_Release.exe
pro\all source\DropSploit\out\builder_Release.sys
pro\all source\DropSploit\out\dropper.dll
pro\all source\DropSploit\out\Release\dropper.dll
pro\all source\DropSploit\test\1\builder_Release.exe
pro\all source\DropSploit\test\2\builder_Release.exe
pro\all source\DropSploit\test\3\builder_Release.exe
pro\all source\DropSploit\test\5\builder_Release.exe
pro\all source\DropSploit\test\6\builder_Release.exe
pro\all source\DropSploit\test\7\builder_Release.exe
pro\all source\DropSploit\test\8\builder_Release.exe

Claywhist (VNC) related
pro\all source\RemoteCtl\Release\hvnc.exe

Phdet related

pro\all source\TZ\kill_os\bin\os_kill_debug.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\all source\TZ\kill_os\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\os_kill_src.7z->os_kill_src/bin/os_kill_debug.exe

Zeus related

pro\all source\GrabberIE_FF\Release\GrabberIE_FF.dll
pro\all source\temp\zeus src.rar->zeus src\output\builder\zsb.exe
pro\all source\temp\zeus src.rar->zeus src\output\client32.bin
pro\all source\ZeuS 2.0.8.9\output\builder\zsb.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/builder/zsb.exe
pro\source builder plugins inj's modules etc\Сорцы и Модули\zeus2089.7z->zeus2089/output/client32.bin

SpyEye related

pro\source builder plugins inj's modules etc\Сорцы и Модули\spyinject2.zip->iehookdll_mod.dll
pro\all source\RemoteCtl\Release\rdp.dll
pro\all source\temp\rdp.dll
pro\all source\temp\rdp.exe
pro\all source\TZ\rdp\rdp.plug
pro\source builder plugins inj's modules etc\plugs\rdp.plug

Vundo related

pro\all source\AgentFullTest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\new.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav2.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitRunBot.dll
pro\all source\BJWJ\Builds\Bin\Release\MiniLoader.exe
pro\all source\BJWJ\Builds\Bin\Release\new.exe
pro\all source\bootkit\BkBuild\BootkitRunBot.dll
pro\all source\Demo_Cur2\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Debug\RU.exe
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\WhiteJoe.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\WhiteJoe.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\BkInstaller.dll
pro\source builder plugins inj's modules etc\ConfigBuilder\ConfigBuilder\ConfigBuilder.exe
pro\source builder plugins inj's modules etc\ConfigBuilder\for test\ConfigBuilder.exe

Carberp itself

pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\disktest.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\FakeDll.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG1.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_DBG2.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_Az_FDI_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU_DBG.exe
pro\all source\BJWJ\Builds\Bin\Release\bki.plug
pro\all source\BJWJ\Builds\Bin\Release\bktest.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav.exe
pro\all source\BJWJ\Builds\Bin\Release\blockav1.exe
pro\all source\BJWJ\Builds\Bin\Release\bootkit.exe
pro\all source\BJWJ\Builds\Bin\Release\BootkitDropper.exe
pro\all source\BJWJ\Builds\Bin\Release\bot.plug
pro\all source\BJWJ\Builds\Bin\Release\docfind.exe
pro\all source\BJWJ\Builds\Bin\Release\first.plug
pro\all source\BJWJ\Builds\Bin\Release\Full.exe
pro\all source\BJWJ\Builds\Bin\Release\ifobstst.exe
pro\all source\BJWJ\Builds\Bin\Release\livrus.exe
pro\all source\BJWJ\Builds\Bin\Release\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release\mmm.exe
pro\all source\BJWJ\Builds\Bin\Release\mybot.exe
pro\all source\BJWJ\Builds\Bin\Release\mytest.exe
pro\all source\BJWJ\Builds\Bin\Release\ola.exe
pro\all source\BJWJ\Builds\Bin\Release\ola1.exe
pro\all source\BJWJ\Builds\Bin\Release\ola2.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az1.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_FDI.exe
pro\all source\BJWJ\Builds\Bin\Release\RU_Az_serg.exe
pro\all source\BJWJ\Builds\Bin\Release\second.plug
pro\all source\BJWJ\Builds\Bin\Release\test.exe
pro\all source\BJWJ\Builds\Bin\Release\testftp.exe
pro\all source\BJWJ\Builds\Bin\Release\testnew.exe
pro\all source\BJWJ\Builds\Bin\Release\testtt.exe
pro\all source\BJWJ\Builds\Bin\Release\tinytst.exe
pro\all source\BJWJ\Builds\Bin\Release\tst.exe
pro\all source\BJWJ\Builds\Bin\Release\vnctest.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec.exe
pro\all source\BJWJ\Builds\Bin\Release\wndrec2.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.exe
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoeRebootPing.exe
pro\all source\Bot Builder\WhiteJoeRebootPing.exe
pro\all source\temp\2012-07-04_FakeDllFiles\bot.plug
pro\all source\temp\marazm\Droper\WhiteJoe.exe
pro\all source\test\test\ola.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Bot.plug
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\Loader_dll.dll
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\SrcDir\WhiteJoeRebootPing.dll
pro\source builder plugins inj's modules etc\Full.exe
pro\source builder plugins inj's modules etc\Full_btc.exe
pro\source builder plugins inj's modules etc\plugs\bki.plug
pro\source builder plugins inj's modules etc\plugs\bki_log.plug
pro\source builder plugins inj's modules etc\plugs\bot.plug
pro\source builder plugins inj's modules etc\plugs\bot_log.plug
pro\source builder plugins inj's modules etc\plugs\log\bki.plug
pro\source builder plugins inj's modules etc\plugs\log\bot.plug
pro\source builder plugins inj's modules etc\RU_Az_btc.exe
pro\source builder plugins inj's modules etc\RU_Az_if.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\DBG_bot.plug
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Full_SB_hnt.exe
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\RU.exe
pro\all source\BJWJ\Builds\Bin\Release\mmmm.exe
pro\all source\BJWJ\Builds\Bin\Release\RU.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_Cur2\WhiteJoe\Debug\WhiteJOE_Bank.exe
pro\all source\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Debug/WhiteJOE_Bank.exe
pro\all source\keys\Builds\Bin\Release\RU.exe
pro\source builder plugins inj's modules etc\InjTest.exe
pro\all source\BJWJ\Builds\Bin\BootkitTest\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012.rar->build\Loader_dll.dll
pro\all source\temp\marazm\Droper\Droper_23.01.2012\build\Loader_dll.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\CoreDll.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoe.exe
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Debug\WhiteJoeRebootPing.exe
pro\all source\Demo_Cur.rar->Demo_Cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\Demo_cur_old.7z->WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\Locker\bin\Debug\locker.exe
pro\all source\temp\Demo_cur.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\temp\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\Demo_ifobs.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\Demo_iFOBS_src.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\dll\iFOBSBal\WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\iFobsLdr.7z->Demo_cur/WhiteJoe/Release/WhiteJOE_Bank.exe
pro\all source\TZ\ifobs\src2\Demo_cur\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\WndRec\output\log\IBank\1237\WhiteJoe\Release\WhiteJOE_Bank.exe
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoe.dll
pro\all source\BootkitDropper\Bin\RDEBUG_CONFIG\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\Bin\Release\WhiteJoeRebootPing.dll
pro\all source\BootkitDropper\nbuild\SrcDir\WhiteJoe.dll
pro\all source\bootkit\BkBuild\ping.dll
pro\all source\temp\marazm\Droper\WhiteJoe.dll
pro\all source\BJWJ\Builds\Bin\Release DEBUGCONFIG\Loader.exe

Stoned framework with Black Hat Europe 2007 Vipin Kumar POC, detected as Sinowal
pro\source builder plugins inj's modules etc\Сорцы и Модули\Stoned Bootkit Framework.zip

There is also a copy of Win32 Obfuscator known as Mystic Compressor.

adminpanel без иконки\bot_adm\cache\cryptor\CRYPTOR.EXE
pro\all source\BootkitDropper\nbuild\Tools\Mystic.exe
pro\all source\Locker\build\Tools\mystic.exe
pro\all source\test\Mystic.exe
pro\all source\Инфа по буткиту\Инсталятор БК\BootkitDropperPlugBuild\Tools\Mystic.exe
Ring0 - the source of inspiration

t4L
Global Moderator
Posts: 139
Joined: Tue Mar 09, 2010 5:44 pm

Re: Carberp source leaked

Post by t4L » Tue Jun 25, 2013 8:05 am

Brace yourself. Carberp and clones are coming.

User avatar
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Contact:

Re: Carberp source leaked

Post by rkhunter » Tue Jun 25, 2013 9:25 am

EPIC

User avatar
EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Carberp source leaked

Post by EP_X0FF » Tue Jun 25, 2013 4:07 pm

So what inside of this package?

First of all, do not expect from this pack any genious things. There is good russian term used in programming - "bydlocode" - somehow awfully written code which has only one purpose - quick profit.

You will notice using of third party components (even mp3 encoder lol) everywhere in this code.

First thing I was wondering looking on this pack was it size. Seriously 5 Gb of code? lolwut?

Due to fast coding style they left all garbage from compiler in package, did numerous copy-paste of the same code in different files, or even numerous copies of the same files.

So I did fast searching through this source trying to figure out, how much is it really in size.


Table format: Type, File Count, Size (KB)

1) Compiler generated trash (mostly, some lib, obj can be additionally used)
1c.png
Almost 2 Gb of just junk, well except few libs, obj's, but there are multiple copies of ntdll.lib

2) Archives, shouldn't really count, but some of them unpacked and they present in pack in both states: archive and it unpacked data
2c.png
3) Executables (MZ PE, I maybe missed some btw), most of them can be found in "Release" or "Debug" folders, so they are result of compilation from source and not important, as they can be reproduced from source.
3c.png
4) Source and text files (including long conversations with freelancers). Not that many as you can think, some of files are multiple copies of each other as stated before.
4c.png
Overall from most obvious file types:
20858 files
3588540 KBytes

from a total 29024 files (I excluded all webtrash) and 5 Gb in size.

Likely real Carberp source size is less than... 50 Mb (excluding 3rd party stuff, compiler junk, compiled binaries etc).

Carberp package is chaotic mosaic created by various people with different view of coding etc, that have only some interesting pieces (from rootkit point of view) like Alureon stuff and BkLoader (however they both a boring to be honest). The only problem I see with this stuff - script-kiddies who are angry copying this pack right now, downloading it from piratebay etc, they definitely will try to push something from this massively or copy-paste in their own "super" bots. Copy-paste this "bydlocode", facepalm.
You do not have the required permissions to view the files attached to this post.
Ring0 - the source of inspiration

User avatar
EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: Carberp source leaked

Post by EP_X0FF » Tue Jun 25, 2013 4:42 pm

And as conclusion, favorite quotes from Carberp pack code (sorry I have no idea how to translate this, not to lose original sense and humor).

Utils.cpp (here author does cosplay of Captain Obvious)

Code: Select all

// ----------------------------------------------------------------------------------------
bool isFileExists(int FlagFolderDest, WCHAR*Path)
{
	// Эта поебень делает такую-то хуйню
	// тоесть проверяет существуер ли файл в стандартном пути(определенном системой)+Path  

	WCHAR SysPath[MAX_PATH];
	pSHGetFolderPathW(NULL, FlagFolderDest, NULL, SHGFP_TYPE_CURRENT, SysPath);
	plstrcatW( SysPath, L"\\" );
	plstrcatW( SysPath, Path );
	return FileExistsW(SysPath);
}
Utils.cpp (here author unsure what this function does)

Code: Select all

// ----------------------------------------------------------------------------------------
// Сложно бля пару переводов строки после функции сделать, ну топо разделить код одной функции от другой
bool FileCreateInFolder(int FlagFolderDest, WCHAR*Path,LPVOID Data,int count)
{
    // И эта поебень хуёзнает чё-то делает
	// тоесть создает файл и пишет данные заданным размером

	WCHAR SysPath[MAX_PATH];
	pSHGetFolderPathW(NULL, FlagFolderDest, NULL, SHGFP_TYPE_CURRENT, SysPath);
	plstrcatW( SysPath, L"\\" );
	plstrcatW( SysPath, Path );
	if (File::WriteBufferW( SysPath, Data, count ))
		return true;
	else
		return false;
}
and to end with Utils.cpp, final words of one of the authors

Code: Select all

// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

// Нахуй руки оторву за такую писанину!!!!!!!!!!!!!!!! GSV

// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
JavaKeyLog.cpp ("if there is no active Keylogger we don't need clipboard handling")

Code: Select all

// оконная процедура "фейкового" окна. нужна для отлова сообщения об изменениях в клипборде
LRESULT WINAPI CBSpyWndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg)
    {
    case WM_CREATE:
	{
        hNextViewer=(HWND)pSetClipboardViewer(hWnd);
        break;
    }
    case WM_DRAWCLIPBOARD:
    {
        // пока не активен кейлоггер клипборд нам в хуй не впился
JavaKeyLog.cpp (сучка падала, no comments)

Code: Select all

// функа ищет по HWND прошлую кэл-бэк процеруду. в окно жабы зашить не получилось - сучка падала..
// хотя можно с SetWindowProp в принципе переделать, должно работать (только что придумал:)
WNDPROC GetWndProc(HWND hWnd)
{
    for (int i=0; i<=dwWndsCount; i++)
    {
        if (Wnds[i].hWnd == hWnd)
            return Wnds[i].lpWndProc;
    }
    return NULL;
}
JavaKeyLog.cpp (author angry on keyboard keys)

Code: Select all

           int dwLen=(int)pGetKeyNameTextW(lParam,szBuff,sizeof(szBuff));
            if (dwLen > 1)
            {
                // если это не символ а какая-то клавиша (ctrl, alt.. да любая другая VK_* хуйня) - выводим в отдадочный вывод [KEY]
                //pwsprintfW(buff,L"[%s]", szBuff);
			}
            else
IBank.cpp (some "shits")

Code: Select all

//всякая хуйня
bool SHIFT_FLAG = false;
bool CAPSL_FLAG = false;
Coreinstall.cpp (author angry on Microsoft programmers and shows himself as expert in human anatomy)

Code: Select all

  do
  {
    /*
      Тупые, притупые идусы из MS, не понимают что они тупые притупые. Дело в том, что в MSDN
      написано, что NetUserEnum может работать с уровнями 4, 23, а на практики мы получаем 
      большой индуский ХУЙ!
    */
pe_rebuild.cpp (we don't need bound import)

Code: Select all

   if (bRet)
    {
        /// добавляем информацию о директориях
        for (int i=0; i < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; i++)
        {
            /// пропускаем bound import (нахуй он нам не всрался)
            if (i == IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
                continue;
socks5server.cpp (the author's reflections on the meaning of life)

Code: Select all

  //Bind
      case 2:
      {
        SOCKET destSocket;

        //Я ибал в рот тупых уродов написавших тупой rfc и тупорлых говнокодеров,
        //Я ставлю листинг на проивзольны порт на все IP сервера, и пашел на хуй софт который не
        //сможет это прочитать. Возможно меня ввел в забулждение FlashFXP 3.6.0. Т.к. в destAddr
        //он отправляет какие то данные сервера. А по rfc, как я понел, там должны быть данные
        //сокс-сервера, где нужно ждать сединения.
        
        //Ищим свободный порт.
        ((SOCKADDR_IN6 *)destAddr)->sin6_port = 0;
By the way, people usually do the same typos in same words. Using this as base you can find code that was written by one person and code that was created and commented by other guy (even without analyzing their coding styles and preferences).
Ring0 - the source of inspiration

cjbi
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am

Re: Carberp source leaked

Post by cjbi » Tue Jun 25, 2013 5:34 pm

Expiro (file infector) related

krab\source - absource\pro\all source\Worm\

gritland
Posts: 31
Joined: Tue May 11, 2010 10:57 am

Re: Carberp source leaked

Post by gritland » Tue Jun 25, 2013 8:15 pm

Some sources make you think - "whitehackers" write exploits to order?

sysret windows exploit - it private or public exploit?

http://imgur.com/p41dYUp

User avatar
0x16/7ton
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation
Contact:

Re: Carberp source leaked

Post by 0x16/7ton » Wed Jun 26, 2013 12:16 am

Cause and effect

Post Reply