Monday, December 30, 2013

ZeuS C&C - bestbuyautotransport.com.au

More work done on command & control servers listed on ZeuS Tracker

bestbuyautotransport.com.au
203.170.86.145
netname:        austdomains
descr:          Internet Services Network
descr:          Global Telecommunications
country:        AU
abuse@syra.net.au

ZeuS Tracker details:

Config:

Login:

I can't get on this way, so I try something else.
1. Drop a shell on your sandy seashore.

2. Grab mysql auth from config files.

3. Look around (so small, sorry buddy).

4. Change admin password (and get proper username).

Let's try again.
Ok. Now we're in.

Confirmed. You have a small useless botnet (and penis).


Some OS statistics for Science:

Useless bots:

Some reports:
No banking.

so silly.

Sunday, December 29, 2013

Citadel C&C hosted on 173.242.112.135

Doing more work on the botnet command & control servers listed on ZeuS Tracker.

Citadel C&C
173.242.112.135 - VolumeDrive US
Citadel bot v.1.3.5.1
90% of bots located in India.
Evidence of stolen banking credentials.

This server panel is offline now, and it's been removed from ZeuS Tracker, so it's OK to publish details about it.


Original ZeuS Tracker page:

Admin panel login:
http://173.242.112.135/office/obi/server/cp.php?m=login

and kick the door down...

Summary:

205 bots
(143 India)

First page of bot details:
(is that your IP?)

Evidence of stolen credentials:
Facebook.com
ebs.ca-egypt.com (Crédit Agricole Egypt - Online Banking ePayroll System)





Here are some OS statistics to show what systems get infected:
XP, Win7, Win7 x64 and Server 2008 x64

Fun fact:
AntiVirus software is commonly seen running in memory alongside the bot exe. :-)

Some options:
encryption key: obi





The guy was in the process of updating when I broke in. Oops, sorry about that.

user_execute hxxp://142.0.36.226/office/nh.exe

(VolumeDrive again, US PA - get your shit together)

More details on this host (142.0.36.226) later.

nh.exe - cf2cfc5354b62dc0d9bf42a0a3841437
VirusTotal detection: 5 of 48

Malware phones home to:
185.24.233.5 (Ireland)
but the server has already been seen: https://zeustracker.abuse.ch/monitor.php?host=185.24.233.5

Interesting ports on 185.24.233.5:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1720/tcp filtered H.323/Q.931
3389/tcp open ms-term-serv

Win2k8 R2 Std
Home base for this h4x0r fucker... more on this detail later.


Saturday, December 28, 2013

ZeuS botnet - powdereddoughnut.com

More work on the ZeuS Tracker C&Cs.

powdereddoughnut.com - hosting small ZeuS botnet
199.204.248.103  - JumpLine, US, Ohio
Domain has Whois protection

Targets include VN and AE .gov sites
POP3 and HTTP credentials, no banking credentials seen



Config f8e2d5d42364f80332c7661dd5fbe4a3

ZeuS C&C login:

breaking...

Summary:
42 bots - why you so shitty and small?


OS Statistics to show what systems get hit.
note: Win7 x64

Someone left a sandy sea shell on your sea shore...

Shared hosting - wtf, really?

$ uname -a
Linux cpanel03.myhostcenter.com 2.6.32-358.6.2.el6.x86_64 #1 SMP Thu May 16 20:59:36 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

$ id
uid=33351(powdered) gid=33355(powdered) groups=33355(powdered)

bot_uninstall

Reported abuse to:
postmaster( a t )myhostcenter.com
compliance( a t )opensrs.org

Chinese Food - TrojDropper:Win32/Swisyn (etc)

TrojDropper:Win32/Swisyn (etc)
hosted on:
61.147.112.88 (China Telecom, Beijing)

This HTTPFileServer seems to be a popular choice for the Chinese to host malware on Windows servers.

I was downloading samples and the server went down for a bit.

While I waited I sent them through malwr.com to get a quick analysis.

232.exe (21.exe) - 4a92ffcb4f35ab8e7daf4215e09b58f1
330.exe - 4e8a0bed5ee626f202fcdcfa28b3176c
0308.exe - 88ccbe2772f4a07f0a7f5925b1a366ac
3.exe - d9443a02281d495ab3ac1eea6a97d0d5
338.exe - 776166289f8bce8312b85ffd0a375c01
55555 - 49d206f98b44ef9c58b711cd29b6c073 (ELF executable)
8G.NETBOT.CC.zip - 9b71e5d676d005160f9096a618d33862
3306nodeJR - 938a3ceb3691ca92734dcce7547ef394

C&C
8g.netbot.cc 100.42.235.28
kk.netbot.cc 190.115.20.14
33.netbot.cc 190.115.20.14

190.115.20.18
190.115.20.14

i-buy.gr hosting ZeuS botnet (now offline)

Working on the ZeuS Tracker C&Cs today.

New server added yesterday (27 Dec), hosted on http://www.i-buy.gr

Control Panel login:

and now for a little B&E action...

boom

Summary:
very small botnet

Some stats about what OS are getting hit:

Another shell.

Contacted them... and the ISP.

Control panel now offline.

:-)

Personally, "I-will not-buy.gr" anything from these guys.
This box was ransacked... there were no auth logs, multiple shells, etc.
They obviously need to get their shit together.


Friday, December 20, 2013

Rscator.la - carding shop selling stolen cards from Target breach

In December 2013, millions of consumers' credit card information was stolen by hackers from the retail giant Target.

Brian Krebs wrote an excellent article explaining how these stolen cards are 'flooding underground markets'
http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/

This post is a look inside the carding shop that is selling stolen credit card information from the Target data breach.

It is the usual shit carding shop: buy CCs and dumps, BIN lookup, checker, etc.

One interesting thing about this shop: it features an automated WU and MG (Western Union and MoneyGram) account crediting system. If you want to fund your account and make a purchase from this shop, you must reserve a 'drop' person to wire money to in Lviv, Ukraine. Nice.

Here we go...

Lovely login screen for a crook shop :-)
3 admins

Support:
JID: trayan@lampeduza.org
ICQ: 100845
JID 2: flavius@lampeduza.org
ICQ 2: 17700
JID 3: rescator@lampeduza.org
ICQ 3: 10576

Senator Rescator is some asshole hacker on the underground forum Lampeduza... thus Rescator.La is his. You can see he is listed as the 3rd admin.

After the login page, News.

Adverts for Kaddafi.hk on site - a related carder shop.

News page, recent activity, active shop.

Dumps

Note: over 199k out of 200k dumps are from America.

CC and Dumps pages:

Bin Lookup

Checker

Ticketing system for support

Add money:

This is the interesting part - in order to fund your account on this shop, reserve a 'drop' and wire them the cash...

Lol at this:
P.S. Please send your transfers in non-exact amounts by adding 1-2-3-4-5-6-7 dollars. Meaning, when you want to transfer 500 dollars, please send - 508, 506, 503, 504, 505. That will help receiving funds much, much faster.

Add money, reserve drop:

And Lol at this:
Send all your transfers to:
City: Lviv
Country: Ukraine



Friday, September 13, 2013

Who is behind BestRecovery

The Pakistani copy/paste admin of the BestRecovery key spy service

Xenon Cool

I emailed this coward and he deleted his Twitter account.

We can see from the YouTube channel (pro2comp) that he is commenting on many videos about how to make VB software, how to avoid AV detection, crypters, etc.

can u make video how can we make rat like dark comet and cybergate i hope u will make i love ur videos i have sub to ur channel sir i am inspired and ur role model for me

Wow. This is sad... but really funny.

Anyway... shall we continue?

The admin of BestRecovery posted a video about the keylogger service using the YouTube account Affan Majid (hacked) / Pro2Comp - http://www.youtube.com/watch?v=csiZMBhRJGw

Published on Aug 6, 2012
xenon.cool@yahoo.com



Connect the dots.

ainey_cool aka xenon.cool@yahoo.com
http://hamarakindking.com/Builder.exe
http://achanbhai.com/bai.php
http://wirelesstecho.com/achabai.txt
http://aineyhosting.com/web.php
http://www.financetasksforce.com/ht.txt

The Twitter account https://twitter.com/affan546 has a picture of Xenon - the admin of BestRecovery.
(This account has been deleted; see screenshots.)



Notes
mybestrecovery.net 14152 IN A 85.195.87.18
mybestrecovery.ws. 14362 IN A 85.195.87.18
cmmsol.com. 14085 IN A 85.195.87.18
sendsmsfree.co.uk. 9095 IN A 85.195.87.18
WHOIS mybestrecovery.net

Name Servers:
ns1.sendsmsfree.co.uk
ns2.sendsmsfree.co.uk
DNS records
ns1.sendsmsfree.co.uk. 14400 IN A 85.195.87.18
ns2.sendsmsfree.co.uk. 14400 IN A 85.195.87.18
mybestrecovery.net. 21600 IN NS n2.sendsmsfree.co.uk.
mybestrecovery.net. 21600 IN NS ns1.sendsmsfree.co.uk
DNS checks
# dig ns1.mybestrecovery.ws 
mybestrecovery.ws. 1800 IN SOA ns1.sendsmsfree.co.uk. ainey_cool.ymail.com.
and again on the other NS
# dig ns1.cmmsol.com 
cmmsol.com. 1709 IN SOA ns1.localdomain.com. ainey_cool.ymail.com.
Wait....WTF!?!?
You left your email address in your DNS record? Ok..
That email address was plastered on the front page of BestRecovery. 
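Added here as an illustration (not the post's own code): a small Python helper that does the RNAME-to-email decoding the dig output above relies on, and groups the quoted records by shared IP and shared SOA contact so the same pivot can be run over any dig-style output. The sample records are constructed from the lines quoted in the notes.

```python
from collections import defaultdict

# Constructed sample: the dig-style records quoted in the notes above; SOA lines truncated after the RNAME.
RECORDS = """\
mybestrecovery.net. 14152 IN A 85.195.87.18
mybestrecovery.ws. 14362 IN A 85.195.87.18
cmmsol.com. 14085 IN A 85.195.87.18
sendsmsfree.co.uk. 9095 IN A 85.195.87.18
mybestrecovery.ws. 1800 IN SOA ns1.sendsmsfree.co.uk. ainey_cool.ymail.com.
cmmsol.com. 1709 IN SOA ns1.localdomain.com. ainey_cool.ymail.com.
"""

def rname_to_email(rname):
    """Decode an SOA RNAME into a mailbox (RFC 1035 s3.3.13): the first
    unescaped dot becomes '@'; a backslash-escaped dot stays in the local part."""
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        if rname[i] == "\\" and i + 1 < len(rname):   # escaped char, e.g. \.
            local.append(rname[i + 1])
            i += 2
        elif rname[i] == ".":                          # local/domain boundary
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(rname[i])
            i += 1
    return "".join(local)

def parse_records(text):
    """Return ({ip: [domains]}, {domain: SOA contact email}) from dig-style lines."""
    a_by_ip, contacts = defaultdict(list), {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, rtype = parts[0].rstrip("."), parts[3]
        if rtype == "A":
            a_by_ip[parts[4]].append(name)
        elif rtype == "SOA" and len(parts) >= 6:
            contacts[name] = rname_to_email(parts[5])
    return dict(a_by_ip), contacts

def shared_contacts(text):
    """SOA contact emails reused across domains: the pivot the post makes by hand."""
    _, contacts = parse_records(text)
    by_mail = defaultdict(list)
    for domain, mail in contacts.items():
        by_mail[mail].append(domain)
    return {m: sorted(d) for m, d in by_mail.items() if len(d) > 1}
```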

Busted!

He is in the pakbugs.com db dump:

http://archives.neohapsis.com/archives/fulldisclosure/2009-09/att-0197/pakbugs.users.html

I wonder if this guy is Pakistani..?

He registered betercalls.com

Facebook page:
https://www.facebook.com/xenon.cool.9?fref=ts

(note the Vampire avatar from his Vampire Crypter)
via Xenon Cool (source)





Best Recovery-The Best Fud Keylogger
xenon.cool@yahoo.com

He posted screen pics of him using DarkComet on people and claiming they have $ in bank accounts.

He is also selling access to people's bank accounts on FB - what a fucker.

He has a link on the FB account claiming to own the 'FUD' keylogger and video for BestRecovery.
Uber 1337






Summary

I'm thinking his name is Ainey Bhai? of Lahore PK

He definitely lives in Pakistan, and I believe he is or recently was a student. He used the school computers to spread the malware.

Someone will recognize this guy.
ainey cool
xenon.cool@yahoo.com
@affan546
born 27 December 1989

It's all just so pathetic.

Get a life man.