Sunday, December 2, 2012

"Suit"

For the first time, we have a "developer" here on the skid list. Indeed, a professional programmer of great prowess and ingenuity.

He goes by the name "Suit" (also "saywh4t" and others) on skidforums: http://www.hackforums.net/member.php?action=profile&uid=438020

At first glance, he appears to be a typical "bot herder," trojan spreader, and password thief. Dime a dozen.

Bot exchanging service

lol


What makes him stand out, though, are his endeavoring malware development projects:

Shitty advertisement


Another shitty advertisement


Truly revolutionizing the field of skidware. Do his claims hold any water, though? What gives his "products" a competitive edge?

Suit, otherwise known as Reece Chambers, did all of his development for s00tbot with web hosting from xhostfire.com, a now-defunct web hosting service for skids.

I gently slipped a shell into his website's sandy beach and listened to its soft murmurs.

$ uname -a
Linux usa.xhostfire.com 2.6.18-274.18.1.el5.028stab098.1 #1 SMP Sat Feb 11 15:30:41 MSK 2012 i686 i686 i386 GNU/Linux
$ last -i
cunningp pts/0        130.216.30.121   Thu May 17 14:25 - 14:25  (00:00)
root     pts/0        70.95.123.70     Mon Apr 30 06:46 - down   (00:00)
sunnyval pts/0        174.56.103.168   Sun Apr  8 15:52 - 15:52  (00:00)
hackal   pts/0        46.99.251.19     Sun Apr  1 08:16 - 08:16  (00:00)
albini   pts/0        46.99.251.19     Sun Apr  1 08:15 - 08:15  (00:00)
socialen pts/0        96.44.101.216    Sat Mar 31 15:14 - 15:14  (00:00)
root     pts/0        85.76.123.168    Mon Mar 26 07:09 - down   (01:42)

$ ls -al ~/public_html/*

/home/cunningp/public_html/Website:
total 5672
drwxr-xr-x  7 cunningp cunningp    4096 May 23 02:43 .
drwxr-xr-x 12 cunningp nobody      4096 May 30 06:32 ..
-rw-r--r--  1 cunningp cunningp     220 Apr 25 17:42 .wysiwygPro_preview_339a5242a75565fc8cdd28b92e3ac846.php
drwxr-xr-x  2 cunningp cunningp    4096 May  2 22:34 Images
-rw-r--r--  1 cunningp cunningp 1419623 Apr 30 20:29 SecurityPanel(no_Install).zip
-rw-r--r--  1 cunningp cunningp 1406284 Apr 29 23:14 SecurityPanel.zip
drwxr-xr-x  2 cunningp cunningp    4096 Apr 17 18:43 SpryAssets
drwxr-xr-x  2 cunningp cunningp    4096 Apr 17 17:45 Templates
-rw-r--r--  1 cunningp cunningp    7741 May  3 22:01 about.php
-rw-r--r--  1 cunningp cunningp    2872 Apr 17 17:59 clients.html
-rw-r--r--  1 cunningp cunningp     923 Apr 26 23:04 clients.php
-rw-r--r--  1 cunningp cunningp    1682 May  1 21:02 config.php
-rw-r--r--  1 cunningp cunningp 2849380 May 30 16:39 error_log
-rw-r--r--  1 cunningp cunningp       0 May  1 20:48 gate.php
-rw-r--r--  1 cunningp cunningp     871 May  1 21:06 gatev2.php
-rw-r--r--  1 cunningp cunningp    1266 May  1 02:42 hidetest.php
drwxr-xr-x  2 cunningp cunningp    4096 May  4 08:08 include
-rw-r--r--  1 cunningp cunningp    2748 May  2 20:42 newClient.php
-rw-r--r--  1 cunningp cunningp    4137 May  2 21:43 newCommand.php
-rw-r--r--  1 cunningp cunningp    3274 May  2 20:32 newStat.php
-rw-r--r--  1 cunningp cunningp    2262 May  3 03:55 query.php
drwxr-xr-x  3 cunningp cunningp    4096 Apr 17 15:58 source
-rw-r--r--  1 cunningp cunningp    2133 Apr 23 01:37 statistics.html
-rw-r--r--  1 cunningp cunningp     751 Apr 25 20:38 stats.php
-rw-r--r--  1 cunningp cunningp    2459 Apr 27 02:55 style(original).css
-rw-r--r--  1 cunningp cunningp    4115 May  3 18:13 style.css
-rw-r--r--  1 cunningp cunningp    5372 May  2 19:28 test.php
-rw-r--r--  1 cunningp cunningp    2629 Apr 30 02:30 test2.php

[etc...]

$ ls -al /root              // root home dir is 777, lol
total 19416
-rw-r--r--  1 root root    10113 Mar  5 12:27       1
drwxrwxrwx 21 root root     4096 May 30 08:33 .
drwxr-xr-x 22 root root     4096 May 30 09:15 ..
-rw-------  1 root root      318 Apr 30 06:46 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
[snip]
drwxr-xr-x  2 root root     4096 Mar 24 20:14 gott4
-rw-r--r--  1 root root    26065 Jan 29 02:20 gott4.zip
-rw-r--r--  1 root root    36358 Mar 24 20:04 index.html
-rw-r--r--  1 root root    30580 Mar 24 20:04 index.html?h=96f62342bc4f8f81944d259b6e0c153e&t=1332579809&f=92c4469c
-rwx------  1 root root     1067 Jan 10  2006 install.sh
-rw-r--r--  1 root root     1067 Jan 10  2006 install.sh.1
-rw-r--r--  1 root root     1067 Jan 10  2006 install.sh.2
drwxr-xr-x  2 root root     4096 Jan 17 18:25 public_ftp
drwxr-xr-x  3 root root     4096 Jan 17 18:25 public_html
-rw-r--r--  1 root root    12027 Mar 24 20:11 slow.pl
-rw-r--r--  1 root root     1286 Mar 24 20:06 syn.pl
drwxr-xr-x  3 root root     4096 May 30 02:41 tmp
-rwx------  1 root root      443 Jan 10  2006 uninstall.ddos
-rw-r--r--  1 root root      443 Jan 10  2006 uninstall.ddos.1
-rw-r--r--  1 root root      443 Jan 10  2006 uninstall.ddos.2



Here's some of his botnet panel code; his comments are prefaced with "//", mine with "/*".

$hwid = ($_POST['hwid']);  //Collects hwid
...
$pc = ($_POST['pc']);    //Collects pc name
/* what ever would I do without those helpful comments */
$query = "INSERT INTO `".$sqlSettings['tableVisitorsList']."`";
$query .= "VALUES('', '$ipAddress', '$hwid', '$pc', '$os', '$status', '$country', '$mode', '', '$tStamp', '$tStamp', '', '')";
/* this looks perfectly safe */
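To make the "perfectly safe" point concrete, here is an added example (not the panel's own code) that rebuilds that INSERT in Python/sqlite3 two ways: the same quote-and-splice construction as the panel, and a parameterized statement. Table and column names are assumed, and the check-in values are constructed; an ordinary apostrophe in the pc field is all it takes to show which version hands client data to the SQL parser.

```python
"""The panel's INSERT from gate.php, rebuilt with sqlite3 so the concatenated query and a
parameterized one can be run side by side. Table and column names are assumed; the sample
POST values are constructed for this example."""
import sqlite3

COLUMNS = ("ip", "hwid", "pc", "os", "status", "country", "mode", "first_seen", "last_seen")
COLUMN_LIST = ", ".join(COLUMNS)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE visitors (id INTEGER PRIMARY KEY, "
                 f"{', '.join(c + ' TEXT' for c in COLUMNS)})")
    return conn


def insert_concatenated(conn: sqlite3.Connection, post: dict) -> None:
    """Same construction as the panel: each POST value is quoted and spliced into the SQL
    text, so whatever the client sends is parsed as part of the statement."""
    values = ", ".join("'" + post.get(c, "") + "'" for c in COLUMNS)
    conn.execute(f"INSERT INTO visitors ({COLUMN_LIST}) VALUES ({values})")


def insert_parameterized(conn: sqlite3.Connection, post: dict) -> None:
    """Hardened form: the statement shape is fixed and the values are bound separately,
    so the database never parses them as SQL."""
    placeholders = ", ".join("?" for _ in COLUMNS)
    conn.execute(f"INSERT INTO visitors ({COLUMN_LIST}) VALUES ({placeholders})",
                 [post.get(c, "") for c in COLUMNS])


def run_both(post: dict) -> dict:
    """Run the same request through each variant and report what ended up in the table."""
    outcome = {}
    for name, insert in (("concatenated", insert_concatenated),
                         ("parameterized", insert_parameterized)):
        conn = fresh_db()
        try:
            insert(conn, post)
            outcome[name] = [row[0] for row in conn.execute("SELECT pc FROM visitors")]
        except sqlite3.OperationalError as exc:
            outcome[name] = f"error: {exc}"  # the request body reached the SQL parser
    return outcome


# Constructed bot check-in; the apostrophe in the hostname is the whole demonstration.
SAMPLE_POST = {"ip": "198.51.100.7", "hwid": "HW-0001", "pc": "O'BRIEN-PC",
               "os": "Windows 7", "status": "online", "country": "NZ", "mode": "idle",
               "first_seen": "1338000000", "last_seen": "1338000000"}

if __name__ == "__main__":
    print(run_both(SAMPLE_POST))
```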

He also made his own proprietary PHP "obfuscator" for distributing the source, which sadly enough I'm sure will still stop most script babbies.

function kEFFEX($NmkVE)
{
    $NmkVE = gzinflate(base64_decode($NmkVE));
    for ($i = 0; $i < strlen($NmkVE); $i++)
    {
        $NmkVE[$i] = chr(ord($NmkVE[$i]) - 1); /* this ain't your father's gzinflate base64decode...he subtracts 1 and renames some variables too! */
    }
    return $NmkVE;
}
eval(kEFFEX('longfuckingstring'));
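For anyone handed one of these "obfuscated" panel files, here is an added decoder (my example, not anything from the page's author) that undoes the kEFFEX layer without ever calling eval: base64-decode, raw-inflate (what gzinflate does), subtract 1 from every byte, and repeat for as long as another eval(...('...')) wrapper turns up. The encoder exists only to build a constructed test fixture with the same scheme; the regex assumes the wrapper keeps the eval(name('base64')) shape shown above.

```python
"""Peel the base64 + raw DEFLATE + byte-shift layer used by the kEFFEX() wrapper."""
import base64
import re
import zlib

WRAPPER = re.compile(r"eval\(\w+\('([A-Za-z0-9+/=]+)'\)\)")


def decode_layer(blob: str) -> str:
    """Undo kEFFEX(): base64-decode, inflate the raw DEFLATE stream, then chr(ord(c) - 1).
    PHP's chr() wraps modulo 256, hence the & 0xFF."""
    raw = zlib.decompress(base64.b64decode(blob), wbits=-15)  # gzinflate() == raw DEFLATE
    return bytes((b - 1) & 0xFF for b in raw).decode("latin-1")


def encode_layer(source: str) -> str:
    """Inverse of decode_layer(); used here only to construct test fixtures."""
    shifted = bytes((b + 1) & 0xFF for b in source.encode("latin-1"))
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(shifted) + comp.flush()).decode("ascii")


def peel(php_source: str, max_layers: int = 16) -> list:
    """Strip eval(<decoder>('...')) wrappers one at a time; return every layer uncovered,
    innermost last. Nothing is executed at any point."""
    layers = []
    current = php_source
    for _ in range(max_layers):
        match = WRAPPER.search(current)
        if not match:
            break
        current = decode_layer(match.group(1))
        layers.append(current)
    return layers


# Constructed fixture: a harmless script wrapped twice with the same scheme.
INNER = "<?php echo 'panel online'; ?>"
ONCE = "eval(kEFFEX('" + encode_layer(INNER) + "'));"
TWICE = "function kEFFEX($s){/* ... */}eval(kEFFEX('" + encode_layer(ONCE) + "'));"

if __name__ == "__main__":
    for depth, layer in enumerate(peel(TWICE), 1):
        print(f"layer {depth}: {layer}")
```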

The binary itself is some shitty generic C#. Really making waves. Yawn.


Anyway, next I moved onto his Dropbox.

He put a very frightening legal notice inside his Dropbox folder:

DROPBOX EMPLOYEE'S PLEASE NOTE: All items in this folder are protected by the Digital Millennium Copyright Act,
Scanning, Decompiling, Executing, or Submitting these files to any entity without the expressed permission of Myself
is ILLEGAL and a VIOLATION of the DMCA laws and If you violate these laws we will contact our lawyers

I immediately stopped surveying the contents of the folder and DBAN'd my drive to avoid the risk of a lawsuit.

Since he foiled my plans to look at his Dropbox, I was about ready to throw my arms in the air and give up.

However, I got to thinking. His Dropbox was off-limits, but why not just remote into his desktop? I didn't see any mention of that in the DMCA warning. A loophole!

So I did, just to take a peek.

Just snapped a few brief shots. I certainly did not want to intrude!


Reece viewing his own botnet panel
Chatting with friends
Presumably transferring malware to another computer of his



I wanted to get a more personal look at Mr. Chambers. So much more can be conveyed in person than through cold, drab internet posts.

So, I sent an electromagnetic pulse to his webcam's lens and peered through it.

Hey, I can barely see you!
That's better.

So those are my observations of his programming abilities and top-notch security safeguards.

Finally, here's a bit of info about Reece. All previously mentioned files, including his website and more goodies, are located at the bottom.

Suit/Hyphee/saywh4t (Reece Chambers)
http://www.hackforums.net/member.php?action=profile&uid=438020

Reece Chambers
10 Ngataringa Rd.
Devonport, Auckland
0624
New Zealand
Phone: 09-445 4496

Emails:

hyphee@windowslive.com (MSN)
saywh4t@gmail.com
subjective.suit@gmail.com
hyphee@gmail.com
r.hyphee@gmail.com

Facebook: http://www.facebook.com/reece.chambers.58
Stalker Facebook: http://www.facebook.com/profile.php?id=100002535412838
"crackhackforum" account: http://www.crackhackforum.com/user-26879.html
Skype: rsnoopyc

Usernames:

Suit
Hyphee
TheRealHyphee
saywh4t

Aliases:

George Tubby
George Phuey

Domains:

cunningpanda.com
xhpel.co.cc
youlaugh.co.cc
lots more

Files: http://www.mediafire.com/?zh65o6rc6ge6gz9
(may be flagged by AV due to his malware binaries)


A lot more blog updates coming soon.
Spread the word

4 comments:

  1. Might look at the files. Might be interesting.


    You'll probably be RAT'ing me next.


  2. I fucking trusted you...
    Alas, I digress, nice exposé sir. I'll be sure to send you a
    shout out some time.

  3. People sure love leaving cryptic comments, don't they.

  4. I...I...can't....stop....laughing.

    skidlist admin nice work as always.
