Friday, September 7, 2012

"Daily"

Hey guys, sorry for the lack of updates. I've got a lot of content I'm gathering for a bunch of posts, but it'll take me some time to organize it all.

I just wanted to break the silence to make a brief post about a skid I found who goes by the name of Daily, aka Nick Moses.

Skidforums profile: http://www.hackforums.net/member.php?action=profile&uid=99678



He's apparently been one of the biggest 4chan malware spreaders, constantly spamming up all the boards with links to shitty Java drivebys and such. He's been doing this for years now, but he's ramped up his skid efforts in the past two months.

A few examples:

https://archive.installgentoo.net/g/thread/17666171 (2011)
https://archive.installgentoo.net/g/thread/27294499 (2012)
https://archive.installgentoo.net/g/thread/27279939 (2012)

He's even been getting into the hearts of weeaboos and redirecting them to Java drivebys (with some code he copied and pasted from 1 of 2,000 security blogs).

http://archive.foolz.us/jp/thread/9657436/#9657603

He also is apparently somewhat of a 4channer himself. Here's him attentionwhoring in an old moot sticky:


Just Google any of his domains, which I'm going to list towards the bottom, and you'll see tons and tons of 4chan hits. This is only a tiny sampling.

Seems he's mostly been spreading Blackshades lately, developed and sold by the fine gentlemen in the below blog post. After a few "issues" he's started only spreading DarkComet instead. But anyway, onto the fun stuff.


First, I found his Blackshades panel install, and graciously liberated him of his bots and logs to save him some money on bandwidth and hard drive space.

About 250 bots were uninstalled by the time it finished

I also found some kind of stolen password storage panel on his website mosesmusic.net. It's tied to some shitty VB password stealer.

Analysis: http://malwr.com/analysis/24a8aa62c2e2a5caffcd400552cb60e7/
Request: http://mosesmusic.net/backup/index.php?action=add&username=Me&password=DP7CM-PD6MC-6BKXT-M8JJ6-RPXGJ&app=Windows&pcname=LAB&sitename=Microsoft

I continued to be of assistance, and helped him free up a few megs (or however much it takes to store 16,000 passwords).

Password stealer panel



I went one step further and performed a "citizen's revokal" of all his domains, by order of acclaimed domain authority Meatspin Inc.

utilities.3utilities.com (used for RAT connections)
Logged into his Namecheap account
An order he made
Giving 67.55.108.167 some much needed traffic



I've got some more shit but I won't bore you with the details. I currently have all his domains, though he's trying to recover them and probably trying to register some new ones. When that happens I will be in talks with Namecheap.

Go hog wild.


Daily - Nick Moses

http://www.hackforums.net/member.php?action=profile&uid=99678

Nicholas (Nick) Moses
Age: 21

16 Water St
Orleans, VT 05860-1306
United States
(802) 754-1050

Parents' address (possibly old; above address may be their current one):

Jay Moses (Father) & Wanda Moses (Mother)
3258 Glen Rd
Newport, VT 05855-9043
United States
(802) 334-4522


Went to Champlain College in Vermont: http://www.champlain.edu

College dorm/apartment address as of 2010:

Nick Moses
Mailbox #663
Champlain College
P.O Box 670
Burlington, VT 05402


Associated IP Addresses:

71.80.41.168 - Used for malware hosting and bitcoins, appears residential, probably current home IP. Being used right now as DarkComet C&C. (ISP: Charter)
68.114.56.227 - Home IP, probably old (ISP: Charter)

94.249.213.172 - Previously hosted nickmoses.net
76.191.96.58 - Previously hosted mosesmusic.net
216.38.2.217 [utilities.3utilities.com] - VPS of some sort, used as a proxy (Provider: GigeNET)
216.38.8.176 [artemishost.no-ip.biz] - Another VPS, some malware he spreads connects back here; also has some recorded bitcoin transactions (Provider: GigeNET)
67.215.9.235 [apocalypsefree.in] - DarkComet hosting
91.236.116.105 [apocalypsefree.in] - DarkComet hosting
216.38.7.236 - no-ip.org DarkComet
184.82.139.23 - no-ip.org DarkComet
46.37.186.66 - no-ip.org DarkComet

Emails:

itsnickmoses@gmail.com
daily.middleman@gmail.com
dailydaily500@yahoo.com
black_daily500@yahoo.com
black_daily500@hotmail.com

MSN: dailyamcry@hotmail.com
AIM: dailydaily500
Skype: itsnickmoses
XBL: Daily500


Facebook: https://www.facebook.com/nickmoses
Archived Facebook info: http://profileengine.com/people/nickmoses/nick.moses

Google+: https://plus.google.com/104296121370055224470/
Myspace: http://www.myspace.com/coolmoses
Photobucket: http://s576.photobucket.com/profile/daily500
Formspring: http://www.formspring.me/itsnickmoses
Steam: http://steamcommunity.com/id/itsmemoses
Xfire: http://beta.xfire.com/profile/dailydaily500/
DeviantArt (lol): http://daily500.deviantart.com
Ebay: http://myworld.ebay.com/dailydaily500/
Chess.com: http://www.chess.com/members/view/daily500
Runescape Username: dailymage

Profiles owned by him presumably used for stalking or deception, possibly hacked accounts:

https://www.facebook.com/beth.davis.7712
http://www.myspace.com/242729140
http://www.myspace.com/330598988
http://www.bebo.com/PleaseSignIn.jsp?Page=c/profile&MemberId=1863201824


All usernames:

nickmoses
itsnickmoses
itsmemoses
Daily
daily500
dailydaily500
dailymage


Domains:

apocalypsefree.in
doomzco.com
slackforum.com
nickmoses.net
mosesmusic.net
dudeitscool.net
dudeitshosting.net
pagemake.org (Java drivebys)
teengirlslive.us (used for spreading Java drivebys, Google it and you'll see tons of 4chan threads)
teencamlive.net (spreading)
teencamzlive.us (spreading)
photos-at-90.org (expired)  

Nick Moses, hacker extraordinnaire


what I don't even

16 comments:

  1. I lol'd when you somehow didn't take the hint when apocalypsefree.in was redirecting to stallman.org

  2. Its cool man, 95% of your dox are incorrect and I'm getting my domains back.

  3. Why don't you add me on skype and talk to me?

  4. I'm fine with email or Google IM.

  5. wtf nick man making up fake porn sites dude lot changed from wags class at ncuhs crazy hacking fucker

  6. Damn, Admin..
    I love you so hard right now lols, You are legend!

  7. How about Jabber?

  8. Oh hai thread design.


    I think I remember giving this away for free to this guy.

    1. Someone gave it to me, yep. Probably you.

  9. it would be an honor to be hacked by daily. that guy is famous.

  10. Brilliant !!!
    I'm bookmarking skidlist
