And i was right about this, Okay Carberp source is leaked but 2Gb... what the final size of a carberp stub 700Mb ?
This archive contain really a lot of things who have nothing to do with Carberp like Zeus source code, Trusteer reports, RootkitUnhooker, UPX, openVPN, Stoned Bootkit, KonBoot, a leaked version of Citadel (lol?) and various others... (still entertaining)
This without speaking about all files generated by the IDE, (all useless .html, .obj, .idb, pdb...)
All useless double EXE files, 7z/rar/zip archives.
Those guys need to learn to organize their shit, the source code is the same chaotic mosaic.
On This archive Carberp is not the only thing who got leaked, there is also Mystic Compressor.
One of my first love (even if it's lame, i've unpacked really a lot of stuff packed with this)
I've always wondered who was behind Mystic and it's the first time i see the compressor.
To give you an overview of the AVs Detection on Mystic, here is a simple Hello world in assembler:
Without mystic: https://www.virustotal.com/en/file/5b3a24f86859ebb5856a5abd7c78bb5a819de7e1c1150f51b0f2fc6ff2fb4fad/analysis/1372161832/
With Mystic: https://www.virustotal.com/en/file/e46248776110c58f77da4a654db96ca1881028a91991712f5d61bd04cba87864/analysis/1372161816/
Some links about mystic compressor:
Stating the obviously main leak, Carberp builder:
2f143aa5c616a5e0995c9d68afc03d3e TS: 2013-01-21
2.2.1 - 8e2a2c2fe8e5165904a7934567e9b8f5 TS: 2013-01-30
2.1 - e158889586ec328ce1edbfe5ace72697 TS: 2013-01-02
220.127.116.11 - bf38f21f7787c54b4adc2b7484b71768 TS: 2012-12-25
18.104.22.168 - 949fff00b88a48ac1ebe03601b908468 TS: 2012-09-08
Builder of the first Carberp leak:
d57474d7df5ae5c823390a174111de5d TS: 2012:10:01
ee00c34194898d739f77d0cd861efbc7 TS: 2012-08-17
9b125eecf8ef814f109182081dd2d8f1 TS: 2011-09-13
275d1983de8a313fc22db0c2f0a8dfe7 TS: 2012-08-17 *from the first leak*
Liberty Reserve inject (will be so useful now!):
And to finish some translations done by @Malwageddon
I've not really looked at the Carberp source without ending with a headache.
It's more fun to watch the 'information wars' about Carberp code on twitter :)
HS: Peter Kleissner got the idea to group the more interesting content: http://blog.virustracker.info/?p=276
Brace yourself, Carberp C&Cs start already to appear.