Saturday, December 8, 2012

Nick Moses, botnet master

Daily / Nick Moses is at it again.


Ran the uninstall command for a good few hours.

It reached about 250 executions.
He logged in and noticed, removed it, and changed all his passwords.

Ran the command again; he noticed once more. This time he changed the database password, fucking up his own Blackshades panel for quite a few hours before he realized what he did.

Nick Moses, intrusion prevention expert

Finally I got in a third time and made a small modification to Blackshades' command processing file that would silently run the uninstall command. That took out the rest of his Blackshades bots. Over the course of the week about 1300 bots were uninstalled.

Blackshades panel credentials:
micknoses:Nigger123:67.189.249.252
apoc:copa:74.36.162.180
define('DB_SERVER', "localhost");
define('DB_USER', "root");
define('DB_PASS', "Nigger123");
define('DB_DATABASE', "niggers");
$CFG_PASSWORD = "Nigger123";
daily500:nigger123456@pool.bitclockers.com:8332 //Bitcoin pool credentials for his bots
Top notch security.


He also had the same password stealer as last time ("Pieces of Eight"). Wiped about 8000 password captures.

Here was some of the shit on his server:
$ ssh root@daily-apoc.com
root@daily-apoc.com's password: 
[root@Daily-Apoc ~]# ls -al
total 153340
drwxr-x---  3 root root     4096 Dec  1 19:53 .
drwxr-xr-x 20 root  500     4096 Dec  1 15:25 ..
-rw-------  1 root root      728 Dec  1 19:53 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root      176 Jan  6  2007 .bashrc
-rw-r--r--  1 root root      100 Jan  6  2007 .cshrc
-rw-r--r--  1 root root      129 Jan  6  2007 .tcshrc
-rw-r--r--  1 root root 84733045 Sep 30 20:31 xampp-linux-1.8.1.tar.gz
-rw-r--r--  1 root root 39143077 Sep 30 20:31 xampp-linux-devel-1.8.1.tar.gz
-rw-r--r--  1 root root 33103312 Sep 30 20:31 xampp-linux-upgrade-1.8.0-1.8.1.tar.gz
drwxr-xr-x  3 root root     4096 Sep 30 12:52 xampp-upgrade
[root@Daily-Apoc ~]# last -ai
root     pts/1        Sun Dec  2 13:15 - 16:27  (03:11)     67.189.249.252
root     pts/0        Sat Dec  1 15:34 - 19:53  (04:18)     174.127.99.221
reboot   system boot  Sat Dec  1 15:25          (13:57)     0.0.0.0
root     pts/1        Sun Apr  5 19:36 - 19:36  (00:00)     81.152.164.227
root     pts/0        Sun Apr  5 19:28 - down   (00:07)     81.152.164.227
reboot   system boot  Sun Apr  5 19:28          (00:07)     0.0.0.0
root     pts/0        Sun Apr  5 19:24 - down   (00:02)     81.152.164.227
reboot   system boot  Sun Apr  5 19:24          (00:02)     0.0.0.0

wtmp begins Sun Apr  5 19:23:49 2009
[root@Daily-Apoc ~]# ls -al /opt/lampp/htdocs/installation/ /opt/lampp/htdocs/update/
/opt/lampp/htdocs/installation/:
total 172
drwxr-xr-x 9 root   root  4096 Dec  1 16:45 .
drwxr-xr-x 6 nobody root  4096 Dec  2 00:49 ..
-rw-r--r-- 1 root   root  2000 Mar  2  2011 alive.php
-rw-r--r-- 1 root   root 10602 Mar  4  2011 bots.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:42 classes
-rw-r--r-- 1 root   root 14907 Mar  4  2011 cmd.php
-rw-r--r-- 1 root   root   522 Dec  1 16:40 config.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:42 db
-rw-r--r-- 1 root   root 12425 Mar  2  2011 dos.php
-rw-r--r-- 1 root   root  2502 Feb 28  2011 fg.php
-rw-r--r-- 1 root   root   978 Jan 14  2011 header.php
drwxr-xr-x 4 root   root  4096 Dec  1 16:44 img
-rw-r--r-- 1 root   root  2314 Jan 27  2011 index.php
-rw-r--r-- 1 root   root 12381 Mar  4  2011 install.php
-rw-r--r-- 1 root   root  1279 Dec 31  2010 logout.php
-rw-r--r-- 1 root   root  9018 Mar  4  2011 logs.php
-rw-r--r-- 1 root   root  6541 Mar  2  2011 main.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:34 pieces
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 plugins
-rw-r--r-- 1 root   root  9185 Feb 28  2011 pws.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 screens
-rw-r--r-- 1 root   root  1127 Mar  2  2011 scr.php
-rw-r--r-- 1 root   root  7746 Jan 26  2011 settings.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 webcam
-rw-r--r-- 1 root   root  6831 Mar  2  2011 webc.php

/opt/lampp/htdocs/update/: // CVE-2012-4681 Java driveby
total 28
drwxr-xr-x 3 root   root 4096 Dec  2 01:04 .
drwxr-xr-x 6 nobody root 4096 Dec  2 00:49 ..
-rw-r--r-- 1 root   root  915 Dec  1 21:34 Certificate.crt
drwxr-xr-x 2 root   root 4096 Dec  2 01:06 download
-rw-r--r-- 1 root   root  782 Dec  2 00:49 index.php
-rw-r--r-- 1 root   root  782 Dec  2 00:49 install.php
-rw-r--r-- 1 root   root 3150 Dec  1 21:34 java.jar

// Blackhole iframe injector, deobfuscated URL is hxxp://blackhole.twilightparadox.com/analytics/except/turn-engineer_charges_got.php

[root@Daily-Apoc ~]# cat /opt/lampp/htdocs/videos/index.php
<script>//long obfuscated code</script>

// and finally
[root@Daily-Apoc ~]# rm -rf /*
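The listings above show two things a web-root integrity check should catch: an obfuscated inline <script> injected into a legitimate page (the videos/index.php above) and a drive-by landing directory with a hidden iframe. As an added defensive example that is not part of the original post, here is a small scanner that walks a set of web files and flags those patterns. The sample files, the obfuscation markers and the entropy threshold are constructed assumptions for illustration, not content taken from the server described above.

```python
import math
import re
from typing import Dict, List

# Constructed sample web-root contents (hypothetical; not files from the page).
SAMPLE_FILES: Dict[str, str] = {
    # legitimate page with an injected obfuscated script block
    "videos/index.php": (
        "<?php include 'header.php'; ?>\n"
        "<script>eval(unescape('%76%61%72%20%61%3d%31%3b'))</script>\n"
    ),
    # clean page: external script reference, nothing inline
    "clean/index.php": "<?php echo 'ok'; ?>\n<script src=\"/js/app.js\"></script>\n",
    # drive-by style landing page: 1x1 hidden iframe pointing at a loader
    "update/index.php": (
        '<iframe src="http://loader.invalid/x.php" width="1" height="1" '
        'style="visibility:hidden"></iframe>'
    ),
}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe[^>]*>", re.I)
# Calls that rarely appear in hand-written site code but are typical of
# packed/obfuscated injections (assumed marker list; tune for your site).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(", "atob(")
ENTROPY_THRESHOLD = 4.5   # bits per character; assumed tuning value
LONG_SCRIPT_CHARS = 500


def shannon_entropy(text: str) -> float:
    """Bits per character of a string; packed JS tends to score high."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect(content: str) -> List[str]:
    """Return a list of human-readable findings for one file's contents."""
    findings: List[str] = []
    for m in SCRIPT_RE.finditer(content):
        body = m.group(1)
        markers = [k for k in OBFUSCATION_MARKERS if k in body]
        if markers:
            findings.append("inline script uses " + ", ".join(markers))
        ent = shannon_entropy(body)
        if len(body) > LONG_SCRIPT_CHARS and ent > ENTROPY_THRESHOLD:
            findings.append(f"long high-entropy inline script ({len(body)} chars, {ent:.2f} bits/char)")
    for m in IFRAME_RE.finditer(content):
        tag = m.group(0).lower()
        tiny = re.search(r'(width|height)\s*=\s*["\']?[01]\b', tag)
        hidden = "visibility:hidden" in tag or "display:none" in tag
        if tiny or hidden:
            findings.append("hidden or 1x1 iframe")
    return findings


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of path -> contents; keep only files with findings."""
    results: Dict[str, List[str]] = {}
    for path, content in files.items():
        hits = inspect(content)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(path)
        for h in hits:
            print("  -", h)
```

On a real host the same `scan()` would be fed by walking the document root (for example `/opt/lampp/htdocs`) and reading each .php/.html file; the point is that files whose mtime or size changed since the last known-good snapshot, plus any inline script calling eval/unescape or any 1x1 hidden iframe, deserve a manual look.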


He also recently managed to independently become infected with some malware himself, causing a bit of public embarrassment on a popular malware forum: http://trojanforge.com/showthread.php?t=1425

lol
He wasn't too happy about this turn of events.




4 comments:

  1. Nice one, Mr Admin. I'll be sending you an email soon.

    Nick

  2. I love your work Admin. Keep it up :)

  3. Ahahahahahah
    Good one.
    We need moar people like you. :D
