The Noob Persistent Threat

so our talk is about the new persistent threats and uh the original title was um

for Fun and Profit but Brandon objectives and I don't understand why yeah I really didn't want to Encompass the first Google result for my name maybe females can get away with that but not so much but uh yeah so who are we so I'm a security consultant I do pen testing and incident response I'm also a host on the hall.com podcast if you are at best last year also a lot of people have been asking me yes I'm the person that messed up the Cynthia thank you for tolerating my Shenanigans and uh if you see Ming give them a hug for me tell him I said hi and

you can figure it out yourself who it is I think malware vulnerability analysis as well sort of on the side I wear a lot of hats right now um a lot of my research is independent I do not represent uh the company that I currently work for uh and I'm happy to be sent certified as a code cluster but I don't actually do anything involved with that so yeah this stuff has nothing to do with my day job either this is just all made nothing to do with my company so uh what is the new persistent threat Bottom Feeders of the currently accommodate well yes but what we found were that they're often American citizens

um they're often pretty vocal on hacking forms and they have really really pissed poor opposite uh and we'll show that off very soon and if you guys have read any of the craft stories we'll see where we're going with this these are generally the lowest of the low kids who will sell or buy deed officers who will buy rats to mess with their friends uh you're looking between the ages of about 14 and 18 are are a big subset RuneScape is a big feature for these kids it's actually pretty interesting you don't see a whole lot of World of Warcraft you see mostly RuneScape some Shooters things like that it's an interesting little uh section of with something that you're

good um I'd be interested to see economic demographics of this group as well we have some numbers later um so the question was um economic uh demographics of this group it's very difficult to tell without uh without survey without surveying and obviously the target audience is certainly unreliable um so you can make really large scale assumptions based on um just behaviors things like syntax and stuff like that you can tell whether someone's a native English speaker or not you can tell generally by age just by their interests and things that they post about but it's definitely pretty difficult to tell to make a full pledge assumption on economical income yeah based on the few people that we've been able to track

down um there is kind of a pattern a lot of people are us and EU citizens they're actually upper middle class ish um Caucasian yeah and almost entirely male um when we tracked down people's home addresses uh often we see upper scale neighborhoods that they live in um so that's a good indicator so these people are not doing this to survive they're doing it for other motivations well not age group yeah so if you're thinking to yourself you don't have anything worth stealing this is from a RSA report uh released in 2012. pretty good white paper uh these slides will be released at some point and unfortunately the leak is cut off at the bottom but uh it is actually down

there so uh if you have any or all of these things yeah someone's going to try to steal it from you and depending on who they are they might be pretty good at it fortunately the kids we were dealing with were mostly focusing on the last one um and the PayPal accounts but you can find pretty much all this stuff anywhere so uh the New Renaissance so uh imperatively is a pretty awesome report uh two years running it's called The Hacker intelligence initiative so in 2011 they surveyed a fairly well-known site and if you had visited that site because you can pretty much surmise what the background is um so it's pretty this is a pretty

interesting breakdown of um really in a year the transition from a slightly more focused discussion to a much larger uh group of tutorials new friendly behaved new friendly guides um YouTube videos media guides um really on a very large scale of topics and these are far less technical than they would be about a year earlier um again like some reports are at the bottom unfortunately but they're also a way to go in Provo I actually found this as we were preparing for the slideshow um and uh it provides some really awesome statistics for us so uh let's do the services are offered so we're just gonna go through the list um first of all there's Hooters so he

does for higher sites these are the ones that will feature in perhaps articles basically they're web applications that automate selling vdos services you give it money and then you issue an attack and say hey let's DDOS this website for these many seconds using this method and yeah if assuming it works um but if it does then it can launch a DDOS attack for you and you have you don't need to demonstrate any type of skill whatsoever um basically uh and oftentimes fooders have strike main IP resolution services on Cloud Player resolvers and things like that that help you find the IP address of your target there's also cryptors which are used in combination with malware to make them undetectable by

antiviruses there's a pretty big market for that on hack forms hosting services and vpns usually they're advertised as bulletproof hosting most of these are kind of unprofessional shops that are offering hosting they they don't last very long for the most part and they're probably mostly scams yeah well pretty much anything on this is it's all really shady and there's a lot of scams um there's also rats remote Administration Trojans black shades and dark comment are some of the biggest ones on hack forms yes we found the author to two uh black shades and uh it's kind of a groomer we've also got exploit kit sales paper will pay money to get their rats installed on random machines on the

internet so there is definitely a market for that credentials for identity theft we see this lesson on hack forms and more on been more hardcore hacking forms because hackforms does not actually allow sale of credit cards question um yeah like what percentage would you say rats our back doored people so you asked what percentage of the rats that are sold on hat forms have a back door in them uh I can't answer it because we didn't actually look into that but we hear about people getting scammed all the time so I would suspect a large majority of them some functionality especially with the allow for persistence on a Target I'm sure there's fairly confident there's going to be a covert channel for

communication from a botmaster see what else have we got here um selling accounts is a big thing um let's see Netflix passwords Minecraft accounts are another big thing so uh it's interesting reputation is actually pretty important on these worms as you imagine getting credibility with other criminals is a kind of odd people oh it's sort of a uh it's doomed to fail from the beginning but they certainly try um pretty interesting tidbit the uh if you can see the HF lead tag it's basically a tag that says hey I played 20 bucks to get this tag that's it it has no indication of legitimacy but uh oh actually sorry that's the eight that's the age of uber attacking the lower left

the eighth one that I think is for what a number of sales or something um I have no idea but uh one minute but one big thing is that the people on these hacking forms they try really hard to be anonymous but on the other hand they also have to stick to one identity so that they can build credibility so this is kind of like conflicting needs that they need to fulfill in order to do their illegitimate business and this actually makes them a lot easier to track down because if they dump an identity they're also dumping all the credibility they built up and even better they like to associate themselves with groups so it makes finding

multiples multiple members uh that are taking part in the same activity relatively easy

did we look at the tour hidden services and no we haven't looked at that yet we've actually kind of uh kind of hit a lot of low angle fruit because uh it was the funniest mostly because

like millions of credit card numbers uh more we hit this stuff more because it was easy and we can track them down yeah so uh one of the lower end Services is the homework service um it's pretty obvious what it is it's basically paying that that kid to write your essay um probably not illegal it's fraudulent pretty stupid uh but we'll go through that pretty quickly because uh the next slide is terrified it looks wonderful yeah so eh boring um they will sell picture packs of naked women and then the customer can pretend to be that naked woman and sell pornographic services on the internet even though they're male so so it pretty much requires zero

technical skills it's an exercise in Social Engineering you are essentially mimicking your um a reaction a interaction with a Target in order to get them to buy our services in terms of legitimate social interaction so when you see these uh spam ads saying people like Pamela being here want to meet you and talk to you that's part of this ehorn they really don't want to be chili fun no they're probably not Pamela Anderson either so uh let's see right cash for sale in the card fraud um there are huge markets on these hacking forms for stolen credit card numbers and if you know where to look there's a lot of information that's basically available to the general public all of

this stuff is not really much farther than a couple clicks away from a Google search so this one I believe is from Albert yeah so there's a forum called albarek and there's a lot of identity theft that goes on on this one uh yeah we found out actually it overlaps quite a bit with some of the other events that are that were sold on Highway homes and uh as we came to this school we realized hey it's definitely not um English-speaking is primary languages mostly Middle Eastern but this was much heavier uh in financial fraud um so by bank accounts applying and paying power accounts and balances selling massive dumps and credit cards so um also if you know where to look you

can find a lot of credit card details that are just sitting out there on the internet so this one is from IRC um I got to this chat room by going to the Undernet IRC Network and then I went into some of the credit card oriented channels like CCR I think in one of them and when you join these spam channels Bots will automatically message you with invites to other credit card fraud channels so I followed that path and I found some IRC networks that had basically no rules at all and I believe that one is called God Munich or something and there were channels where you could just sit in there and they'll spam credit card details and the purpose

of that is there are IRC bots in there called check Bots and you spam you put in credit card credentials in a certain format and they'll check to see if the credit card credentials are valid which is a useful operation if you're trying to determine the validity of a dump of credit cards so I know it looks like the CIA has gone through that but I've tried to blank out all the identifying information although of course it's long in invalid usually burned with another couple hours oh within two seconds I'm sure also uh hasten is a great place for credit cards spam uh there's a lot of this stuff um my unscientific survey shows that

most of it is Vietnamese people expanding on pay spin for credit card stuff a lot of bad English sometimes these emails match up to Facebook accounts and almost all of them are Vietnamese which is kind of a bad idea if you're spamming religion legitimate services to have a social media profile play to the same time yeah there are so many like we Harvest emails from all of this stuff and every single time I see an email Target on Facebook and a surprising number of times you'll get a Facebook account attached to email may may or may not be real but it's there and it's very interesting sometimes question is that um because there's no prosecution happening

um he asked uh is that because there's no prosecution happening and they can get away with it and the answer is unequivocally yes um because one a lot of these people especially involved in credit card fraud live in other countries so they don't have to follow us laws

days um and uh so they don't have to comply with U.S law and it's very difficult for the United States to arrest people in certain countries because the governments don't cooperate with extradition and investigation and stuff what's been up on some of the credit card prices so your Visa card that's in that's probably sitting on your wall is about three dollars full date of birth is about fifteen dollars all the information that I would want to steal your identity is twenty dollars like with the social security number uh credit card information phone numbers associated with a credit card anything and everything I want it's about 20 bucks and uh that's from the paste in post as

well he posted samples a lot of these credit cards spam include samples so that they can show off the quality of their data and uh so yeah yeah as you can see there actually are standing with social security numbers with uh date of births with uh security private security questions uh and PIN codes and passwords oh yeah certain passwords are always fun credit card number expiration date cbv and address also for pin code is one two three four

I know it's a great combination for luggage so harder shops are a when you're trying to sell a lot of stolen credit cards you're going to want to automate that as much as you can because you know more efficient uh so there are a lot of Carter shops actually if you do a Google search say buy CC CVV just put that in a Google search all the first results will be Carter shops and you can sign up and give them money and Buy credit cards and you can actually like add them to your shopping cart just like any shopping application and do a checkout um I'm not selling them sorry someone else is selling them not me so

um this one is a site called carter.us I found it last year actually through a somewhat circuitous path there was a child that put a black shades rat on one of my clients machines oh check out the process work on these sites say again how does the checkout process work on these sites how do you pay um pay with Liberty reserve or or sorry he asks how does the checkout process work on these sites and how do you pay so obviously they don't take credit cards actually some of them do and they don't accept Paypal but um you pay with these services like Liberty reserve and the eagle these are payment services that are supposed to be

like less regulated than our typical payment services it's like digital cash no chargebacks no refunds uh and like the services themselves are legitimate but they are almost entirely used for crime uh so anyways the way I got to the site was uh somewhat secured his path there was a child that put a black shades rat on one of my clients machines and uh I I found out that it was a child because I the who is data in the domain that it's own home to has it yeah it was his info and his hacked forms username and his email and I followed that path and I was like reading his hat forms posts and all

his personal life BS and looking at his Facebook uh and it's like this it was at the time this 15 year old in the UK and he's still running free I mean he was my I totally sent the information to the authorities and he's still running free um but anyways on his command and control server he had like a whole bunch of files laying around and uh one of these files was the source code for carter.us because the owner was trying to sell it on a hacking form so this child downloaded the source code and so I had source code in carter.us question when you sent this information to the authorities

I've never tried to call any of oh I mean the question he asked was uh when you sent this info to the authorities did you see his mother um so I'm never actually tried to call any of the phone numbers um Brian kremps did call the phone numbers but yes um I I probably could have gotten him grounded computer's being taken away for two weeks so anyways I have the source code at carter.us and I was as I was looking through web application uh and I found out that it was recording all of its access logs to a text file in the web group and so you know a DOT txt file with no password protection at all so we

had all their access logs for a period of several months and this is still no that was past accidents launch right yeah this was last year between I think it was like July or June and September or something like that uh and we had all our access logs until they wiped the site and replaced it with some other software um and actually I have a data dump that I'm going to make available at the end of this talk and that includes the carter.us source code access logs and um litter source code as well so you can dig through it if you like it's a whole lot of fun stuff yeah that's a fun stuff

because uh they're probably the most interesting they're uh DDOS for higher sites uh like we explained earlier pay money get access uh paper one of a myriad of uh later for later seven techniques an attempt to DDOS your target offline um it tends to be big for Xbox live steam competitive Gamers um basically anybody that's a angry 15 year old gets mad at on the internet yeah Buddha shells for the most part are used to Target gaming related websites and fellow Gamers um based on a lot of analysis we've done on dump databases from Buddha shelves we really haven't seen a lot of major sites Target and the biggest reason for this is these scooter shells don't

necessarily have the power that one would need to take down a major site however if you've got a small server running or a home internet connection this can probably wipe it out yeah this will this will know anything about probably the highest

assuming it works yes a lot of them don't work very well so uh one of the interesting one of the um one of the really common threads is uh a lot of these voters a lot of these site Proprietors uh rent Alcatel servers offers they'll rent probably five or six of them and they'll use that to amplify it to uh to state your entice they're not usually compromised web servers like you'd see in a large scale attacks like um okay no problem bro uh the stuff that attacked the banks back in what September uh so these are actually servers that they're paying for that they're using for a legitimate purposes and usually we're looking at about half

a dozen servers this is the scale of DDOT syntax we're talking about but the servers themselves are rather Hefty usually costing around one to three hundred dollars a month kind of bandwidth and each Booter has their own brand name as well which is kind of interesting uh I don't think this is Disney authorized merchandise and I don't think that's authorized as well but you know this next one this has got some pretty prices brand placement I I promise I did not alter that image at all that is a screenshot from the top of the ad on hack forums and uh they accept the PayPal like like a lot of them do actually 100 of booters

that we surveyed accept PayPal in my survey we made we actually have them well I mean if you if you log on to the site and create an account and pretend to pay you have to get to a Paypal payment page in order to do it so um we got a lot of information about that actually so there's a lot of Booter source code floating around uh when script kitties set up websites to do script getting type attacks they tend to get attacked because uh fellow script pennies love attacking each other and uh yeah a lot of script painting websites get hacked and source code ends up getting leaks and floating around the internet and then that source code gets

picked up by other people recycled modified used vulnerabilities may or may not be fixed and the cycle begins anew

you have in our uh very large number eventually uh is the rage motor leak from 2012 and the remember that name range yeah this is the one that was featured in the most recent Krebs article a couple days ago um yeah this guy this is in platform's username that he tattooed on his back and he's dead from that point yeah he uses that username a lot when he's dealing with computer stuff and for some reason he thought that's this was a good idea do you want to talk about your new invention of the hunger [ __ ] no no yet okay

so um this guy is pretty weird so after getting banned from hack forms which was apparently a soul um he did this whole I guess almost real G for himself to re to be reborned as legitimate businessman um you know detailing his skills especially not 21 but he's still 20. um sorry no Robert uh he actually does have some interesting skills and he did have a job but I don't think he has that anymore so I'd kind of like to point out if someone else I should do is over there this part the Buddha we go because that's actually a kind of Common Thread um a lot of these people will try to clean our Market

um I mean it's not necessarily a huge market so if you knock everybody else out um you're gonna get all the business I mean it's not a lot of business which we'll show you in a few but it's still pretty interesting okay uh but yeah so um he posted this in what 2012. um as of this date he's still running a good an active router website so clearly his business model did not take off actually as of a few hours ago he might

so um yeah this was taken from his Facebook his Facebook was a gold mine economy comedy for a month yeah and all of his posts contain some kind of stupid drama in his personal life okay so I don't care about pot or marijuana that's one that's a lot I'm gonna call BS is

uh that's a lot I mean based on his behavior it's not really that out of the route I mean maybe the managed to say I I don't know he does kind of crazy stuff sometimes yeah he basically behaves like an 850 now pretty much most of the time so anybody that crosses path to DDOS but well it's fun to make fun of people you know it's not really that nice so oh wait that's some stuff um so pretty basic PHP um we saw about 400 attacks per day when we were watching it um he posts updates every so often this was as recently as Monday at the development yeah it's still interactive development um so you know one of one of the big theme

recurring themes about these booters and stretchers is that this is legitimate service right you know this is only for people to test on their own authorized servers and stuff like that but when you go posting things about you know how an Xbox live resolver in order to find a Target to attack is not feasible that kind of defeats the purpose of pretending yourself because I'm pretty sure most Xbox Live people are not so uh this happened after um Mr Krabs posted an article yesterday and this was the first picture is a data dump of his database the next picture is uh what it looks like immediately afterwards and then the next picture is hey the site's back up and running again

and he's first database this is not the first time but yeah second time this week that he's done this so yeah sorry so um I did the technical analysis of ragecooter and I was able to uncover some of the commanded control structure this can give you an idea of how the process works if you were to use a Buddha so it starts out with the malicious attacker or the user on Range Booter initiating the attack and it's basically using the web content to say hey Target this IP you can use this method do it for these many seconds and then press start and that's how difficult it is to launch a DDOS attack and then your request is filtered

through the cloudflare DDOS Protection Service which ragebruder uses in order to protect it from ddos's and then once Cloud primer yeah once you may laugh about that but money equal what 70 over 70 percent of those two of the booters that we've seen use cloudflare and cloudflare basically protects the Buddha Market from itself so after the request is filtered through of there it is received by the range Booter web front end which is basically PHP script and then it's sent to the next available attack server in round robin fashion I was able to uncover the IP addresses of all the attack servers because of the next step if you're running a layer 7 attack if you are

familiar with the way that PCP works when you are trying to make a connection over TCP you can't spoof your Source IP address because it sends packets back to verify that it's you so if you have a server and you're trying to run a DDOS attack and you're trying to look like you have or if you're trying to bypass any kind of blocking that might be going on you're probably going to want to use a proxy so I so you run some like layer 7 attacks and then the attack server will send a lot of requests over a large number of open proxies and I mean it keeps this list of open proxies uh and it retains them over

time there's a lot of automated services that will scan for open process for you can you go back a second uh and it's really easy to get lists automatically uh and then the requests are set from the open proxies to the victim now the reason I could get these IP addresses is because a lot of these proxies pass along the x-forward and four header which if you're not familiar with it contains the IP address of the server that sent the request to the proxy so here's some sample blood packets from range Rooter uh there is at the top there you see a post flood which is a layer 7 attack it basically makes a post

request to the victim and if you look at the bottom there it says test one two three uh it actually sends the username of the attacker in the packet so say I registered a account array Hooter called test123 and then attack someone they could just look in the in the traffic and say oh hey that was that was test doing that and then you can see the ex forward import leakage as well oh and um sorry the other packet there with all those range headers uh that one's called the Army attack but you might also know it as cve 2011 3192 or apachealers score yeah it's a Apache memory exhaustion attack pretty short on time so do you want to

see holy crap okay children and accepts PayPal next this is their earning report in 2012 they made twenty three thousand dollars split between the owner and several staff uh and that's a maximum amount uh the database didn't record any chargebacks or frauds so the actual take-home pay is probably a lot lower uh so conclusion you're better off on welfare next um okay so I did an analysis of the customer base when you pay with PayPal they save your PayPal email address and I just took all those and plug them into Facebook uh and also Google and everything um I I'm not gonna release any of the emails because I didn't do 100 positive identification I don't want to accuse

anybody falsely uh but there was a clear pattern there were a lot of gaming server admins self-described Gamers uh very elite hackers and I also found one that was connected to a police officer in Florida I don't know what to make of that but I just found it interesting so uh one is a cloudflare resolver and this is pretty common if you go PHP at all which I kind of do you can see that it's just uh this script it's built in an admap it's a DNS food script all it does is look for any additional sub domains that may not have been registered on the Cloud Player it's pretty cool so the Skype resolver this was a story

that was released a couple months ago essentially a modified Skype Library sits on avps a PHP request is then sent to that to that UPS which contains a username that modify binary actually makes a request to a Target getting the contact card information that information is then stored locally in a non-obiscated text file that file is parsed for the IP information for that Target boom you've got a Target so unfortunately a lot of people do use Skype for this this is a pretty big data linkage and it's been around for about four or five years and uh everybody knows about it building so uh these are these are the pretty easy instructions uh hopefully whenever

you want to set this one up so but uh this is actually a new parsing script for the Playtex log uh that comes up oh wow this one's interesting we don't even have enough time okay so TW Booter is another Booter that was featured on crabs and got hacked from the database it's shown that in less than two months time so the site was used to launch all those uh well 48 000 attacks in under two months um which is pretty significant next oh okay um so gamertag jacking is kind of an interesting thing uh when Brian crimes got swatted the guy that did it was in a community that does this um so what this is is basically you pick

a gamer tag that you want that might be like a dictionary word or one letter or something like something that's really cool uh and you say Okay I want the gamertag f with just the username letter F so I'm gonna find out who owns it and then I'm going to use various methods to find out their personal information name address social date of birth and then I'm going to call Microsoft and reset password I'm going to say hey I'm Joe I own F and I forgot my password my social security number by the way just in case you guys yeah and uh this technique is actually really powerful it can be used against any company to abuse their

customers and this is also how when Brian Krebs got swatted somebody paid like three thousand dollars in fraudulent money to his ISP uh I guess they wanted him online forever yeah they wanted him to have a lot of Internet uh and this method was used so uh social Brian Crips is coming with us he got swatted he found out everything we kind of helped a little bit and then the the Mr phobia and Ron Stevenson was now in federal prison so I don't know if he's improved or not but there was a SWAT team involved there was a SWAT team you know what SWAT teams are cool a lot of the information that is there

has been deleted since yeah so if you're doing cool stuff take screenshots yeah so if you uh so I mentioned calendar Motors before and this was a service uh attempting to quarter the market and if you look at the keep an eye on these contributors because uh coming up real quick all superbads are wild sec also known as Nautica was awesome uh actually these are out of order but um this is how we tried down this to Justin Holden this is the range Booter admin and this is his old all the stuff he left around this is all of your little digital artifacts that are left everywhere if you have social media profiles coming across contaminated

if you like to tweet your dating profile on your professional Twitter account or although do not be alarmed if his picture is a little bit different no we don't have as much of it so um if you guys remember origin dv1 came up and they were running an anti-hooder site but we're also running Motors at the same time uh and uh this is also some pretty easy open source Gathering um also Mr Beanie one shout out he's also the proprietor slash seller of black shade streaming so uh really this all comes down to the only reason why these these Services exist is they have used legitimate Services well specifically booters well okay sorry so cloudflare protects booters from each

other since it's kind of an occupational hazard when you're running a DDOS service your competitors are going to pay it off you cloudflare alleviates a lot of those problems and in our survey of booters over 70 used Cloud play and then PayPal is a very convenient way to take payments and in our analysis of the dump databases the vast vast majority like above 100 of the transactions were PayPal and not Liberty reserved and not Bitcoin um so and also in our analysis of the customer base a lot of them were what you would consider casual D doctors they may not be willing to make the transition to Liberty reserve if Hooters were of course to use that

um so the fact that cloudflare and PayPal don't suspend the accounts of Hooters this one might be getting better but I just need some cloudflare it's basically a bulletproof post um I know they don't host the content but in all the hacking guides they always recommend a combination of a bulletproof post and Club player and uh well we already kind of together kind of and uh there you go we probably have limited or two for questions um if anybody has a couple of questions but just to remind folks um they're going to be doing uh probably an update to this talk at besides Rhode Island next month June 14th and 15th so if you feel like there's a lot more info here

that wasn't covered just because we ran out of time um we'll also have a chance to do it again on June 14 15 in Providence and you can continue the discussion down the hallway in the speaker room so we do have time for one or two questions better than we should wrap it up okay

so he was asking if a if a Booter could be used against a smartphone so basically Wi-Fi connected smartphone oh 3G Connections in theory yes in practicality not so much there was a we did try out the SMS bomber oh yeah there was an SMS bomber function on Range Rooter but it didn't work much like half of that site um more than half uh but I'm not sure if that's possible uh because if your phone is like behind a proxy and many other phones are using the same IP uh then at best they could maybe take down whatever uh proxy is serving all the phones but if phones work like home internet connections where it's one IP pair with

machines then maybe it can work I don't know how that works so one more question please okay I have business cards in here if you want um

thank you