The website that we were running was under DDoS a couple of years ago. What we did is we took the IPs of the servers that made the DDoS. Then we scanned the ports, found a vulnerability in the application that was running on it, then got into the server using this vulnerability. We checked open connections and found one used for the command and control server (an IRC server), then we listened to the IRC channel. The DDoSers were talking about private things on that channel... Then we entered their channel and disabled all their bots using their own software, whose source we got from a link pasted on their channel. Then we confronted them; the period of silence after they had read what we wrote was priceless. They never DDoSed us again.
These days I'd be worried about the CFAA or otherwise getting V& for this. In the "good old days", it was possible to get away with and laugh about this type of vigilante justice. These days though, you're more likely to wind up in prison. No longer worth it for the lulz. Sad times now, but good memories.
Honestly, my bigger concern would be motivating a retaliatory attack. A lot of the people who run botnets have big egos and respond poorly to this kind of challenge, especially when it can mean serious lost money for them.
I've caused a retaliatory attack against a system I was responsible for once (thankfully not an important one) and I know at least one other security professional with a similar story - and in his case it was an important network and it stayed down due to retaliatory DDoS for long enough to generate a lot of upset people.
Any kind of active and specific pushback to malicious actors is poking a hornet's nest, and if done on the behalf of an employer, there should be serious discussion and acceptance of the risk of retaliation. Particularly with people running DDoS operations who, in my experience, tend to be a little immature.
I have had the opposite experience. What the author did here is something I've been doing for years (I've got quite a collection of crapware and have published a couple of articles about operating honeypots and honeynets). I occasionally drop in on the people running botnets and surprise them in their C&C channels. More often than not, the person is surprised and quiet and suspicious, and then curious. I get the sense there is some respect coming back the other way for whatever reason. I do spend time cataloging the botnet and its inventory and features, though I don't always present that information to the person running it. The worst reaction I've ever had was just having people hang up on me immediately after I reveal myself to them. They must think I'm law enforcement. Perhaps it's because I don't confront these guys in public, or that I don't antagonize them. I'm not sure. But I have never had anyone retaliate against me, and I have done this quite a lot over the years.
What they did at the time would still have definitely been illegal. Probably not any more illegal than it is now. I doubt they'd be prosecuted, but breaking into any system is illegal.
I'd just be afraid I'd have rotten luck and wind up on the wrong person's computer (government, big business, etc.) because they happened to be part of a botnet. (I'm not ready to move to Moscow quite yet.)
Watch out. You laugh at this as if it's some Marvel Universe pop culture thing. In fact, some of the readers here have families that were sent to Siberia during or shortly after WW2. You wouldn't joke about concentration camps. I hope.
Technically, my grandmother went to a camp that was west of proper Siberia. (Something about being family of a war hero in what they called the Polish-Bolshevik war.)
Botnets have notoriously bad security. Many of the people running them have no technical knowledge and/or are using "cracked" versions of paid botnet software that are backdoored or intentionally left unsecured. A lot of the software is heavily modified or even left incomplete by the person that leaked it, leading to vulnerabilities open to anybody with some technical competence and the time to poke around a little.
Unrelated to this discussion, I must compliment you on your chosen handle. I used a variation of that back in the day during Half-Life and early Counter-Strike. Zero and everything hehe. Cheers.
Serial DDoSers tend to have about the same level of computer knowledge as your parents. They just buy/rent botnets or pre-made software and templates to spread botnets.
And that's for the people actually hosting the botnet or "booter" (which seems to be what the parent poster found). Most of the time, it's one more layer down: just some kids paying for the right to enter an IP to DDoS temporarily.
Sure, I used Maltego (commercial version + commercial domaintools access):
https://en.wikipedia.org/wiki/Maltego
(although Maltego also has a free version).
I love domaintools as it allows you to find anything by anything.
Like domains (current and historical) by email, or even by a fragment of registrant information, such as by phone number or by zip code.
A more sensible solution would be to convert all fixed elements into "position: absolute" ones. That is less prone to cause errors and avoids impeding navigation.
You'd think so, but I've seen a lot of websites that dump a sticky "social sidebar" on top of the content, and if it's absolutely positioned you can't read the stuff that it's stuck in front of.
But that doesn't work as well, since for example on this page there is a JS event tied to scrolling the page that moves the header with you. So you'd have to tie your own anti-move trigger to the same event, which might mean the same script won't be universal. If you just remove the header with a script, you can still get to the navigation by refreshing the page.
I actually just tried on this page and it works perfectly, even before any scrolling has happened, by just using "position:absolute !important" on the "position:fixed" elements.
It bothered me as well so I unchecked the width rule on the col-sm-7 CSS class (in the browser inspector) and then saw more text per screen which helped.
I've done this a few times for fun, simply search YouTube for a "game code generator" or something like that, take your pick, download their magic "tool" from the link in the video description and get disassembling with ILSpy [1]. A ton of these "account stealers" are written in VB.NET and seem to be generated from a template.
Remember to stay safe and use a sandbox or virtual machine when dealing with malicious code.
Does anyone know a better decompiler for .NET other than ILSpy? It's hit or miss for me with ILSpy; I'd like to try something better even if it's paid.
That's a great little story, interesting to read how these sorts of scams are carried out, but I also found the code analysis and decompilation tale fun!
I agree, it's amazing how stupid criminals can be, even online. It's scary to think what someone as smart as these security researchers could do if they went black hat...
I don't think criminals are stupid; they're simply lazy. They put the minimum amount of effort into a scam like this in order to make it profitable.
An off-the-shelf keylogger is used, along with a couple of stolen email accounts, and a spammer is used for delivery. There are also automated tools that will pack the keylogger executable in a Word document.
As for the part of the security researcher: reversing .NET code isn't challenging. This is by design; the framework does not obfuscate or make it challenging to look at the code. The author of the keylogger could have built in protections or obfuscated his executable but for one reason or another has not.
Most likely all of the reversing or analysis was also done with automated tools, and the analyst simply had to run them. OfficeMalScanner can be used to locate packed executables in MS documents and extract them, and then it is simply a matter of dumping the binary into the .NET decompiler of your choice (the author uses ILSpy, I personally prefer RedGate Reflector) and looking at the code.
IMO this is a marketing piece that happens to have an interesting story attached to it.
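As an added illustration of the "locate packed executables in MS documents and extract them" step (this is example code written for this thread, not the commenter's tooling and not OfficeMalScanner's code), the scanner below walks a byte blob for "MZ" headers whose e_lfanew field points at a real "PE\0\0" signature, sizes the image from its section table, and carves it out for the decompiler. The document bytes and the embedded PE-shaped blob are constructed inline for the demo.

```python
import struct

PE_SIG = b"PE\x00\x00"

def _pe_file_size(blob, mz, pe):
    """Estimate the on-disk size of the PE at offset `mz` from its section table."""
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    sect = pe + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    if sect + 40 * num_sections > len(blob):
        return None                           # section table runs off the end
    end = sect + 40 * num_sections - mz       # at least headers + section table
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)    # PointerToRawData + SizeOfRawData
    return end

def find_embedded_pe(blob):
    """Return (offset, size) for every plausible PE image embedded in blob."""
    found = []
    mz = blob.find(b"MZ")
    while mz != -1:
        if mz + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
            pe = mz + e_lfanew
            # A stray "MZ" in document data rarely has a sane e_lfanew that lands on "PE\0\0".
            if 0x40 <= e_lfanew <= 0x400 and blob[pe:pe + 4] == PE_SIG:
                size = _pe_file_size(blob, mz, pe)
                if size:
                    found.append((mz, min(size, len(blob) - mz)))
        mz = blob.find(b"MZ", mz + 1)
    return found

def extract(blob, hit):
    """Carve the bytes of one hit so they can be handed to a decompiler."""
    offset, size = hit
    return blob[offset:offset + size]

def build_fake_pe(payload=b"\xcc" * 64):
    """Constructed PE-shaped bytes with one section; not a runnable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)   # 1 section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40                           # data follows the section table
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + PE_SIG + coff + section + payload

# Constructed stand-in for a document: OLE magic, filler, a decoy "MZ", the embedded PE, a trailer.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0" + b"A" * 300 + b"MZ" + b"B" * 10 + build_fake_pe() + b"tail" * 5
```

The decoy "MZ" is rejected because its e_lfanew reads as zero, while the real header is sized to 192 bytes from its single section.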
> I don't think criminals are stupid; they're simply lazy. They put the minimum amount of effort into a scam like this in order to make it profitable.
Criminals come in all shapes and sizes, at all levels of intelligence, skill, and laziness or lack thereof. There are indeed criminals who aren't stupid but are lazy; but in my experience counseling the incarcerated, most criminals (that I spoke to in a non-scientific, non-random sampling) were both stupid and lazy. Of course, maybe that's confirmation bias, because I only spoke to the criminals who got caught.
What I found most fascinating were the criminals who were smart in the short-view, stupid in the long-view, and extraordinarily not lazy. Many young hackers fit into this category. They work long hours and invest a lot of effort in a crime, thinking all the while that the investment had a better return than non-criminal activity over the long-term.
I just hope someday the general public realizes what a poor job Microsoft has done regarding security on Windows operating systems and embraces other (and more promising) alternatives.
Broadly speaking, how would you design things? All I can think of doing is putting explicit permission grants on everything, requiring everyone to click a million times as was done with the first version of Vista's UAC, IIRC, which is no solution IMO.
I fully agree that putting administrator permissions on everything is not a solution, as users will start clicking it away without thought, but there's a good number of things in this article where I could not believe that it does not require administrator permissions.
So, simply a clearer separation would be necessary.
Ever heard of code signing? Maybe MSFT could use some of its 23 BILLION dollars of yearly profit to test some of the programs and conditionally approve them if they pass muster, also based on the historical reputation of the signer (like eBay feedback). Then if they contain sleeper code or other exploits, the keys are pulled, and updates are pushed to ALL users of the program that revoke the key, thereby preventing mass exploits.
Come on, you're talking about the biggest and one of the oldest technological conglomerates on earth. They could fix the ecosystem if they wanted. But since they don't care about users, they'll wait till Google does it for them and then sue over IP rights.
Sure, because it is not like anyone would accuse them of abusive business practices and of trying to kill open source if they made it impossible to run software not signed by them... /s
Even if you assume they would add a UEFI "enable developer mode" setting, this would get them so much bad press (and, also, it would actually make developing and distributing software on Windows a lot harder for smaller and open-source developers, and deploying custom software harder for enterprise customers).
One of the things I love to criticize MS for is their "user account control" : gee, looks like you're actually trying to....USE.... your computer for something. You know, actually ...USING...your computer might damage it. Since making a secure platform isn't profitable, we'll just make the screen darker, cause you know, darkness kills the spyware.
See, the signing system doesn't have to be mandated. It could pop up a UAC-like screen but with an actually useful message: this code is known to have malware, we recommend you don't run it. If you absolutely want to, press OK at your own risk.
Another message could say it's completely unsigned, so devs could still write and distribute their own code. But make it free to submit to the "app store" and get reviewed by MS. That would work wonders to improve security across their whole ecosystem, and not force anything down the users' throats.
Eh, same for email. Anyone with access to that can trigger a password recovery exchange on most sites or pass an ID verification check on the stricter ones.
A few questions I'm wondering about, if anyone can help:
- How do those PW stealers work? Are they similar to the Steam one, where it'd delete existing creds and then sniff newly entered ones?
- Can this thing detect certain apps like FileZilla and then say "user entered <FTP site creds>" and send individual fields, and is that what is meant by supporting say FTP and FileZilla?
- What does PHP support mean? Maybe it looks for common stuff like php.ini, various other conf files like FPM, and tries to find DB/cache connection creds?
There's one other thing I'm wondering about, which is the light/easily crackable encryption of the keylogger's internals. I vaguely remember reading about Google's encryption on the new reCAPTCHA and people talking about all this stuff like complicated encryption routines baked into the client-side JS that I really didn't understand except at a handwavy level, and wonder if that's the kind of thing some, say, intelligence/espionage outfit could use.
Very interesting/engaging (fun) article, all in all, for me. And I appreciated the understatement of the (well-deserved) plug at the end.
> can this thing detect certain apps like FileZilla and then say "user entered <FTP site creds>" and send individual fields, and is that what is meant by supporting say FTP and FileZilla?
Could well be. I haven't messed with Win32 in a while, but I'm pretty sure that you can sniff the contents of other applications' windows and dialogs. With a little work, you should be able to take a common app and work out how to detect its login windows, find the username and password and other relevant fields, and pull out the contents.
I know if I was writing a hostile keylogger, I'd go to a lot of trouble to know exactly what was entered where, instead of having to see a long stream of keyboard input and figure out what the usernames and passwords are, and what services they go with.
Winspy++ offered the ability to look at the content of password fields in native applications IIRC. It's been a few years since I've done anything on Windows.
Keyloggers simply record all key presses, so if you delete the credentials for a game and someone then tries to run that game, the first thing you catch is the credentials to log in again.
The most obvious way is to hook the message stream from the window manager to the applications; Windows provides some convenient hooks for this.
As for the first point, yup, I understood that from the article; I probably should have used "similar to Steam" rather than "like Steam". I mostly meant, you'd get a long stream of characters and you'd have to manually try to dejumble them.
Whereas, I believe if you go by your second point, you can see "Ok, the user put username <x> in the username textfield, password <y> in the password field, address <a> in the address textfield, port <p> in the port textfield" and so on, which would make for a more structured data dump. Maybe not possible or feasible for every single application, but if you could get the highest usage targets, like the most common FTP clients, or Steam as they have apparently done, and the browser password storage stuff (or fields for say, most common banking sites, PayPal, etc.) then you could save yourself a lot of time.
> - can this thing detect certain apps like FileZilla and then say "user entered <FTP site creds>" and send individual fields, and is that what is meant by supporting say FTP and FileZilla?
FileZilla simply uses a file in your personal directory to store passwords, exactly like your browser does too.
Using Volafile to host the keylogger executable seems like a pretty bad choice considering that this website will delete your files after only 2 days. Or maybe this shouldn't surprise me so much considering the "skills" of the attacker.