
Yeah, hide your kids, hide your wife, we've got our own official cyber felon here. I'd like to introduce our next speaker, Ill Will, talking on "Finding Mobman."

Thank you. Yes, so I'll start off with a little slide here of who I am: security consultant, red teamer, penetration tester, and also, as Ran said, cyber felon. I've been in this industry off and on for the past 20-plus years, professionally for the past decade or so. But basically this whole talk is about how I got started in infosec and what kind of guided me along the way.

So we're going to be talking about the origins and evolution of Sub7. Sub7 was basically a Trojan. The first one initially came out in '99; he was working on it in '98 and released it around February of '99. It was basically a backdoor Trojan, a RAT, which was a remote access tool. It wasn't the first of its kind, but it was one of the originals that kind of got people into cybersecurity. One of the podcasts I was listening to called it one of the programs that launched a thousand infosec careers: basically, on the basis of this tool, a lot of people gained a lot of knowledge of how computers work and pushed it towards security.

Sub7's name itself basically came from another Trojan that was out at the time called NetBus. Basically the author took NetBus, reversed it, and came up with "SubTen," and then added a seven instead of a ten, and that's basically how he named it at the time. Originally, the first couple of versions were for Windows 95/98. Probably up until the last few releases it didn't work on NT-based computers, so Windows 2000 was one of the first that people were actually using, then over to XP when XP rolled out. So he eventually moved up and got that working on NT machines. A lot of it was like a hardcoded issue: he had the RAS passwords. Basically, when you used to use dialup, all that stuff would be stored on the computer, and he had it hardcoded in there to pull those RAS passwords up; if it didn't find them, it would crash.

So essentially the program itself started off as just a simple GUI with a bunch of buttons on it that let you do all types of stuff, connecting to the server. Basically there are a few different components to it. You start off with a server, which is something that you would send to the victim; you would have the client; and you would have the EditServer. The EditServer would edit the server to your liking: any notifications that you got, any information about the victim, and all the stuff that you wanted to do. So you would edit the server, send it to them, and once they clicked on it, it would basically give you a notification that, hey, you can get on this computer.

This was back in dialup. Not a lot of people had firewalls, not a lot of people had antivirus, not a lot of people knew what the hell to do on their computers, so it was very simple to trick a lot of people. A lot of people got into social engineering, getting this on a person's computer: they would send them a file, call it something like mypictures.exe or mypictures.com, any type of file type that was executable at the time.

And then he basically started pulling in different stuff from different backdoors, starting up the GUI, getting the GUI better, having more features, adding more stuff on there. Eventually it rolled out to its final version before he stopped coding it, which was 2.2, which a lot of people didn't like. It actually worked a lot better than the original versions, but people were too confused about how most of the stuff worked, because it was using a lot of plugins and it had a lot of new features. So eventually he just got frustrated and went back from 2.2 to 2.1.5; he basically fixed a lot of stuff that was broken on there and got that stuff working. I think one of the final releases they did at DEF CON: they were handing out floppies to people at DEF CON and basically spreading it that way, along with the certain websites that they were on.

So as you see here, the icons for the different components: EditServer, Server, Sub7. If you didn't know what the hell you were doing, a lot of people would click on the server. The server was preconfigured for a few different things, so if you downloaded it from a shady site, somebody might have it preconfigured for all their notifications, and you would become their victim when you clicked on it. A lot of people wrecked a lot of computers that way, because nobody was paying attention to how stuff worked; they were just basically like, "Okay, I can hack with this, let me just click on everything."

Again, with the client and the EditServer, all that stuff, the GUI basically is everything that you configured on there, and then you had all the different features on the menus themselves. First you'd have the Connection menu. You'd have the IP scanner: basically you'd scan network ranges for just one port open, so usually by default 27374 was the port that was open. You wouldn't want to do this on a lot of ranges or huge ranges, because at the time, on ISPs, there weren't a lot of people on there, there wasn't a lot of noise, there wasn't a lot of traffic, so a lot of times your ISP would kick you off, or you would get warnings that you'd be kicked off if you were just scanning outright.

The second function is Get PC Info. Basically it just pulls up info on the computer, so if you had anything stored in either your emails or the computer system itself, if you named it what your username was. Get Home Info was basically your address book for emails. And then you would have the Server Options: basically, when you're connected to the server you can change any of the settings on there, so you can change the port that it's working on, you can remove the backdoor itself, you can update the server itself. Basically it would just upload the newer one; say you had the 2.51, you would just upload that, it would execute that, and then you'd be working in the newest version.

And then you would have the IP Notify, which was, I think, probably one of the first of its kind: it was IRC, actually command and control stuff over IRC, which, as you know, like Cobalt Strike and all these different C2s that are out now, basically use that type of functionality, where multiple people can jump on and attack stuff at the same time; it's just not one person. ICQ was an old messenger back in the day that you would just get notifications from. They had an API that you could basically just do a web GET to, and it would just shoot you a message: you would just enter the UIN and whatever message you wanted to put on there, so basically something like "victim's online at this IP address, this port," etc. Then you would have email notifications, basically the same thing; just in the body of your email you would have that information.

Keyboard: basically key loggers, sending keys, retrieving those key logs. It would basically work in the background, so even if you were disconnected you could basically go and grab those logs themselves, look for any passwords, filter any passwords out, and you could wipe the logs, all that stuff. The Chat basically popped up a small chat dialog box; you could talk to your victim like you were customer service or something like that. So in the event that you were doing social engineering, basically you would pop some stuff up and get them to do certain things that you needed them to do, so if you said something like, "Hey, you need to log into this website and fix this, blah blah blah," you could kind of control them that way. And then you had the Matrix, which was basically, if you were, you know, someone new at a computer, your whole screen turns black pretty much and you can't do anything but watch this person type to you, and you can answer too. So basically your whole screen would just fill up with this black screen, the Matrix would pop up, and they couldn't do anything until you closed that out, pretty much, or they shut off their computer.

Message Manager pops up different message boxes, like errors, stuff like that. You could change the icons to X's, exclamation points, etc., and change the text of the title and body of the message box. Then you have the spies: you could spy on the different messengers, ICQ, AIM, MSN. And then ICQ Takeover: basically you could take over that user's session as them and basically create more victims. You could basically send them links, con them into clicking on stuff, and basically, you know, it goes by the friends list pretty much; they all know who you are, and they just trust you a little bit more with that.

You would get the FTP server, which basically would open up an FTP server on the victim's machine; you would be able to grab any type of files from that PC that you had access to. Again, Windows 98/95, there wasn't much access control list stuff like that for the user, so basically you had the run of everything, pretty much. If you wanted to upload stuff into certain spots, startup folders, to execute other stuff, and just basically read all their data. Again, with the RAS passwords, that was the cached passwords, dialup passwords; all that stuff would be pulled from there and just displayed on the screen. A lot of times ICQ, AIM, those were in the registry; they were encrypted a certain way, and you would just have to decrypt them. I think AIM at the time, I don't know if it was the original version or a version down the line, basically used Blowfish encryption, so they'd take your password, encrypt it, and then throw it in the registry, and basically what the program did was just decrypt it from the registry with a static key and then show it to you in plain text.

App Redirect: basically you could execute any programs on the computer itself, or execute anything as a program. Basically it was just using the Windows ShellExecute functionality, and then it would just show the output. So if you were to execute command.exe, or command.com I think it was at the time, it basically would look like you had a shell on that computer, and you could do whatever you wanted on there. And then Port Redirect: if they had other stuff that they had access to, you would be able to redirect it to that IP, that port, and stuff like that, redirect that data. It didn't work too well, obviously, on a LAN, because there was no way for Sub7 at the time to connect in; it was basically a direct connection. If somebody was on DSL and they were behind a LAN, there was no way for you to connect to them. You could get all the notifications because they're outbound, but coming in does nothing.

Then you've got the File Manager, again something for you to browse the drives, folders and everything, and look for any type of juicy information that may be there. Window Manager gave the ability to see all the open windows; it would give you all the names of the windows that are open, so if you've got Notepad open, you've got Internet Explorer open, it would have all that and give you the ability to either hide it, disable it, or show it. Process Manager: at the time there was a crap Task Manager in Windows 98; it didn't have a lot of functionality. Basically the API just showed you the exe name, no paths or anything, so you didn't know what was really running on there; you just got a list of all the exes. So if you knew what to kill without breaking the computer, you could kill those processes. If they had AV on there, a lot of times AV didn't really have the protection that it has now, so you were able to just kill anything at will, pretty much.

Text-to-speech would be another thing that would scare people off: whatever you typed and sent to this person would be translated by TruVoice, which was a plugin that you would upload that translated text to speech, pretty much. It was kind of the original for that, so basically you would just type out something like, "I know what you did last summer," and it would just play through your speakers and scare the [ __ ] out of you.

You've got the Clipboard Manager: anything that you copied and pasted stays in that clipboard, and you could just take all that data. A lot of times people copy passwords, and it may still be in the clipboard, so a lot of good information on there. And again, going back to the IRC bot, the original type of C2, where again you and your friends can join in the fun: it's not just you sitting at this; your friends on IRC, or whoever you're talking with, once that's connected in, you have control of that bot, pretty much. You can send all the commands just through text on IRC; it reads all the data and kicks back whatever information or whatever it's doing.

This is the File Manager here. Basically, again, it just shows the drives; you can download, you can edit files, you can basically do whatever you could do in front of the computer. You can even set the wallpaper, so if you want to put some weird picture on the background of their desktop, kind of like ransomware does now. And, you know, stuff like that is pretty much based on all the crap that was around 20, 25 years ago; it's just that they have some newer features, they might have better coding, stuff like that, where there are more ways to kind of hide stuff, you can execute shellcode, there's all types of stuff that originally started from these Trojans, kind of the basis of it. And it's kind of like, you know, the great artists don't paint stuff, they steal it. It's the same thing with the industry, pretty much; even from the C2s to the antiviruses, they all have the same shitty features, they all have the same bells and whistles. It's just a matter of how they're going to be perceived and how they can make money off a lot of stuff.

Fun Manager was basically all the stuff that you could do just to screw around with a victim. I mean, again, a lot of people were doing it for shits and giggles; it wasn't really like an evil thing for most people. A lot of it was just them screwing around, like, "How can I prank my friend?" You could turn on the webcam and see what they were doing, if at the time they did have the old shitty, like, 100-pixel webcams; you could pop that stuff up and kind of live-stream it. It's almost a live stream; it's just multiple pictures being taken at such a small size that even on dialup it was pretty quick. There wasn't a lot of compression at the time; a lot of times they were using bitmap files, but because the stuff was so small, it went pretty quick. I think the desktop background stuff, or viewing the desktop, did translate to JPEG, just because it was such a huge file to do; I think it did it on the server side, where it reduced the file before sending it, so that way you were using less bandwidth.

Flip the screen: basically you flip it up and down, vertical and horizontal, and just screw with people. Printing stuff: again, you could just print; if they had a printer attached to the machine, you'd just print whatever the hell you wanted on there. The browser: basically you could send people to a specific URL. A lot of times there was other stuff that was out back in the day, so if you needed to get some more access or stuff on the computer, getting people to open up click-for-pay type sites, where every time somebody went to that site you would get like a penny or something like that. So a lot of times people used it for that, where they could get people to click on stuff. A lot of times there were browser exploits in old Firefox, Internet Explorer; just by viewing the page, half the time you could get owned by a zero-day. You know, you have access to the computer, but this would help elevate access on some type of stuff, depending on the machines.

And then with the resolution, you know, changing the monitor and the colors for the Windows taskbar; you could change the Windows button itself to whatever icon you wanted; you could change the colors on it. Screen saver: basically you could start a screen saver with any chosen text, so if you didn't want them to see you moving the mouse around, or to see what was happening on the screen, you could start that up; or you could just screw with somebody to basically lock them out and do whatever you wanted. Restarting Windows: you could just reboot it, all that stuff. And then you've got the sound: you could record sound if they had a microphone hooked up to the computer. A lot of times desktops either did or didn't, but at the time you could record stuff that was going on in there, pull that data down and see what was going on in that environment. Date and time wasn't much; it's just that you could set the date and time to do timestamps on stuff, where it looks like this file was created five years ago and they're like, "Oh, it's always been here, whatever."

And then the extra stuff. I guess the most famous one of these is the CD-ROM open and close, everybody's favorite cup holder. You would own somebody and you would pop open their CD-ROM to scare the [ __ ] out of them. Someday, for stabbing somebody over TCP/IP, if that RFC ever comes to fruition, this would kind of be the start of it. And then hiding certain things from the user, screwing with their Caps Lock if they're typing; you're just [ __ ] with them by turning Caps Lock on, Scroll Lock, and all that stuff.

So let's see. So this is the EditServer. I'm going to have just a pop quiz; I want to see if anybody knows what this sound is. It doesn't play; let me see if I can get it to play. Anybody know what that is? Who said it? Who said it over here? Okay, you said it. Where's Kevin? Here, give him a prize.

So ICQ was again one of the notifications that you would get on there. If you had a lot of victims for Sub7 and you dialed up to get online, because of your bandwidth, because of your shitty computer with like 64 megs of RAM running Windows 98 SE, you would get something like that, and you would have like a million notifications that would just lock up your computer for the first five minutes after you signed on. But it was a great notification because it was instantaneous: any time that they signed online or started up their computer, basically that notification would come straight to you, and you could just get right on their computer and do whatever you wanted to do.

So again, the EditServer: this is the pregame for your server, or your backdoor. You've got the startup method. Basically, Run, all these different ones that antivirus and all these people know about: Run, RunServices, the win.ini file. The win.ini file was the less known method, which was basically, or actually, sorry, the system.ini file, which basically had a line in there that said explorer.exe; you put a space after it and just put your server name, like server.exe or my.exe, and that would basically execute any time that person booted up their computer; that server was running. Then the "not known" method, which was one of the first of its kind, screwed a lot of people up, because antiviruses, once they started picking up Sub7, would delete that server.exe. So when you went to go boot up your computer, it's looking for