
Carberp Source Code Leaked - yelnatz
https://threatpost.com/carberp-source-code-leaked/
======
huhtenberg
Bootkit alone is probably worth $40k -
[https://github.com/hzeroo/Carberp/tree/master/source%20-%20a...](https://github.com/hzeroo/Carberp/tree/master/source%20-%20absource/pro/all%20source/bootkit)

The code looks better than a lot of commercial kernel code of comparable
complexity, and it _is_ complex. From readme -

--

_Bootkit is a driver for loading other drivers at OS boot time. The driver is
loaded before the initialization of the NT kernel (i.e. before the start of
PatchGuard) and it can patch arbitrary kernel code. The driver gets launched
before all other drivers, including the boot-time ones, and it can monitor
and control their loading. No digital signature is required.

Supported Windows versions - from XP to W8 inclusive.

Supported platforms - x86 and amd64.

The boot-loader works with all types of NTFS partitions.

The code is metamorphic: it consists of several blocks that are randomly
rearranged with each build. The IPL (initial loader) code is encrypted and it
is incrementally decrypted during execution. Considered together, this means
that each build of the bootkit is binary unique. The driver is also encrypted
when stored on disk and it is decrypted by the IPL upon loading._

--

All in all, this is quite a leak. Very few people can code something like this
and it's a unique chance to peek at and learn from their work.
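
The two build-time tricks the readme mentions (random block rearrangement per build, and an IPL that is decrypted piece by piece as it runs) are easy to misread as mere obfuscation, so here is a small model of them. This is added example code written for this thread, not code from the Carberp tree or from the readme: the block contents, the image layout (nonce, slot table, slots), the xorshift keystream and the FNV-based key chaining are all constructed here to illustrate the idea. The point it shows is that two builds from the same source share no bytes beyond the stored-in-clear first stage, yet "execute" to the same logic, and that the decryptor cannot skip ahead because the key for block i only exists once block i-1 is in clear.

```c
/* Toy model, written for this thread, of two build-time tricks the Carberp
 * bootkit readme describes: a metamorphic block layout and an incrementally
 * decrypted loader.  Nothing here is Carberp's own code: the block contents,
 * the image layout, the xorshift PRNG, the XOR keystream and the FNV-based
 * key schedule are all constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBLOCKS   4
#define BLKSZ     16
#define NONCE_OFF 0                          /* 4-byte per-build nonce */
#define TABLE_OFF 4                          /* slot table: logical -> physical */
#define DATA_OFF  (TABLE_OFF + NBLOCKS)      /* NBLOCKS slots of BLKSZ bytes */
#define IMGSZ     (DATA_OFF + NBLOCKS * BLKSZ)

/* Constructed stand-ins for the loader's independent code blocks, listed in
 * the logical order the loader must execute them. */
static const uint8_t kBlocks[NBLOCKS][BLKSZ] = {
    "st0:find-disk", "st1:read-ntfs", "st2:load-drv", "st3:hook-krnl",
};

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;                           /* state 0 stays 0: a null keystream */
}

/* XOR one block with the keystream generated from `key`.  Key 0 leaves the
 * block untouched, which is how the first block ends up stored in clear. */
static void xor_stream(uint32_t key, const uint8_t *src, uint8_t *dst) {
    uint32_t s = key;
    for (int k = 0; k < BLKSZ; k++) dst[k] = src[k] ^ (uint8_t)xorshift32(&s);
}

/* Key for the *next* block: FNV-1a over the plaintext of the block just
 * decrypted, mixed with the build nonce.  The decryptor cannot compute it
 * before the previous block is in clear, so decryption is strictly sequential. */
static uint32_t chain_key(uint32_t nonce, const uint8_t *plain) {
    uint32_t h = 2166136261u ^ nonce;
    for (int k = 0; k < BLKSZ; k++) { h ^= plain[k]; h *= 16777619u; }
    return h ? h : 1;                        /* keep the keystream state nonzero */
}

static uint32_t load_nonce(const uint8_t *img) {
    return (uint32_t)img[0] | (uint32_t)img[1] << 8 |
           (uint32_t)img[2] << 16 | (uint32_t)img[3] << 24;
}

/* "Build" one image: pick a nonce, shuffle the physical slot of every block
 * (Fisher-Yates), record the permutation in the slot table, then encrypt each
 * block under the key chained from its predecessor. */
void build(uint32_t seed, uint8_t img[IMGSZ]) {
    uint32_t rng = seed ? seed : 1;
    uint32_t nonce = xorshift32(&rng);
    for (int k = 0; k < 4; k++) img[NONCE_OFF + k] = (uint8_t)(nonce >> (8 * k));

    uint8_t slot[NBLOCKS];
    for (int i = 0; i < NBLOCKS; i++) slot[i] = (uint8_t)i;
    for (int i = NBLOCKS - 1; i > 0; i--) {
        int j = (int)(xorshift32(&rng) % (uint32_t)(i + 1));
        uint8_t t = slot[i]; slot[i] = slot[j]; slot[j] = t;
    }
    memcpy(img + TABLE_OFF, slot, NBLOCKS);

    uint32_t key = 0;                        /* logical block 0 goes in clear */
    for (int i = 0; i < NBLOCKS; i++) {
        xor_stream(key, kBlocks[i], img + DATA_OFF + slot[i] * BLKSZ);
        key = chain_key(nonce, kBlocks[i]);
    }
}

/* "Run" an image the way the loader would: follow the slot table in logical
 * order, decrypt one block, derive the next key from it, repeat.
 * Returns the number of blocks recovered into `out`. */
int run(const uint8_t img[IMGSZ], uint8_t out[NBLOCKS][BLKSZ]) {
    uint32_t nonce = load_nonce(img), key = 0;
    for (int i = 0; i < NBLOCKS; i++) {
        const uint8_t *src = img + DATA_OFF + img[TABLE_OFF + i] * BLKSZ;
        xor_stream(key, src, out[i]);
        key = chain_key(nonce, out[i]);
    }
    return NBLOCKS;
}

int main(void) {
    uint8_t a[IMGSZ], b[IMGSZ], out[NBLOCKS][BLKSZ];
    build(0x1234u, a);
    build(0xBEEFu, b);
    printf("images identical: %s\n", memcmp(a, b, IMGSZ) == 0 ? "yes" : "no");
    run(a, out);
    printf("build A recovers original blocks: %s\n",
           memcmp(out, kBlocks, sizeof kBlocks) == 0 ? "yes" : "no");
    run(b, out);
    printf("build B recovers original blocks: %s\n",
           memcmp(out, kBlocks, sizeof kBlocks) == 0 ? "yes" : "no");
    return 0;
}
```

The defender's takeaway from the model is what a byte signature can and cannot catch: the encrypted blocks and the slot table change with every build, so a hash or pattern over the IPL body is worthless, while the parts that must stay invariant for the thing to boot at all (the hook in sector 0 that transfers control, and the first stage that has to sit in clear because nothing has run yet to decrypt it) are where a scan of the boot sectors should look.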

~~~
slacka
> code looks better than a lot of commercial kernel code

Sounds like we need another of Fabien Sanglard's source code reviews :)
Normally I'd stay away from this sort of thing, but if it's as good as people
say, I might have to check it out myself.

------
scrapcode
I don't understand how people comprehend this shit. Not only is it malicious,
it's absolutely hideous.

~~~
pvnick
Shitty coders with shitty morals write shitty software for shitty people

~~~
siddboots
It might not read quite like poetry, but this is definitely not _shitty_
code.

Of course, I agree with you completely wrt their morality.

------
vichu
Out of curiosity, where could one actually obtain this source code?

~~~
yelnatz
Here [https://github.com/hzeroo/Carberp](https://github.com/hzeroo/Carberp)

------
flippyhead
Sometimes I feel like the world I live in is from a science fiction novel.

~~~
rplacd
I'm sure all the tropes exist today in some form or another (and they needn't
be products of the new millennium, either - I've been seeing reportage from
Naipaul's cramped Bombay well since the 70s, wrought out of an incredible
amount of tiering and complete alienation between the tiers) but we consider
them individual failures of society, and god knows if we'll ever suspend the
ideals from our rhetoric in order to assemble the full enchilada.

------
ccarter84
D*mmit. Guess I finally should break down and burn a linux bootdisk for
banking.

~~~
lifeguard
Ahhh, but what system can you trust to burn the linux boot CD on?

~~~
al1x
Not to mention by the time you burned it it would be well out of date
(security patches). If you're going to go that route you'd be better off
buying a USB stick with a write-lock (Kanguru sells some).

~~~
akama
Kanguru has some really nice thumb drives. I own two and would recommend them
to anyone. Keep in mind, you can also store private keys on them.

~~~
jlgaddis
> you can also store private keys on them

As regular files (e.g. `cp ~/.gnupg/secring.gpg /media/kanguru/`) or can you
somehow import them such as with a smart card?

I carry multiple devices at the moment but it would be nice to consolidate.

~~~
akama
Only as regular files, but with the write lock you can be sure that they don't
get deleted.

------
frozenport
$40,000 sounds cheap

~~~
driverdan
Really? How many hours do you think it'd take to write something like this?

~~~
yelnatz
botnets make that much every day

~~~
Wingman4l7
Assuming that, you'd think the author of this codebase would have done some
sort of calculation on expected daily return from renting a botnet created via
this software, and priced it accordingly. There is a calculation similar to
what I described to determine what a successful poker bot is worth.

Otherwise it would make more sense to just run it themselves -- although that
would of course expose them to [more] legal risk. Reminds me of bitcoin mining
-- can you make more money selling ASIC miners or just mining BTC with the
ones that you've built?

~~~
frozenport
Probably stolen software that requires work to deploy.

------
mmcnickle
What is the legality of selling this as opposed to using it? I assume it's
legal?

------
shin_lao
Does it go around W8 protected boot? From what I understand it cannot.

But how it goes around the signature requirement of drivers is very clever.

