An interesting conversation with a malware coder and botnet owner

OXYGEN THIEF

Very active
Staff member
Administrator
Joined
26 May 2010
Posts
36017
Reactions/Likes
25119
City
Trololololo
Worth a read, there is quite a bit of it.


TeaBleezy 30 points 27 days ago

What anti-virus software, free or paid, presents the biggest obstacles to you?



[–]throwaway236236 41 points 27 days ago

Kaspersky was the most challenging at first, Kaspersky is paranoid as fuck! But it has an exploit in KIS, KAV and PURE, allowing malicious code to be started in the memory context of a trusted system process unnoticed. Kaspersky won't interfere if it thinks it's the system process doing changes to the system.


119 points 27 days ago

If the attachment ends in .exe and pretends to be something else, it's malware for sure. If it's a .pdf it can only infect you if you haven't patched your Adobe Reader (this is now done automatically). Cybercriminals use 0day exploits only on valuable targets like Iranian power plants or companies with intellectual property and a fucking lot of cash.
Facebook friends don't share funny cat pictures on randomly generated domain names.
If your AV says it's clean or even if VirusTotal gives you 0/43 it can still be malware, been there, seen that. Srsly, don't trust your AV.
Use HBCI or similar for online banking, it costs 30$ and is military grade cryptography (private key signing), only open source cryptography on signed hardware is 100% secure.
Windows updates, yes, do them. If you have a pirated copy, just buy that shit or use Linux.
If you are super paranoid, buy a netbook and use a LiveCD or similar on it whenever you put your CC information in.
Banking on a mobile phone is stupid, but atm 'not as dangerous as it seems', because 99% of cybercriminals can't code and there is no (serious) Android or iOS malware on the market yet.


Frantic_Child 15 points 27 days ago

What do you use to spread?



[–]throwaway236236 38 points 27 days ago

Automatically backdooring warez and uploading it to one-click hosters and usenet. It's funny that even governmental agencies use warez, I found faa.gov credentials. My momma always said, "A botnet is like a box of chocolates. You never know what you're gonna get."



Speaking of your "momma", how would you feel if your "momma" had her card details stolen & her money spent & she was left with nothing?



[–]throwaway236236 44 points 27 days ago

My momma uses old school bank wire to pay bills, in our family we never used credit to buy stuff, you should never buy with money you don't have. I don't know what's up with Americans, buying buying buying although they have no money. That's why a US credit card costs 2$ on the black market and a UK one starts at 60$, Americans are all in debt.
:ok :ok

101 points 27 days ago

It first started as a challenge to circumvent antivirus systems, but then I realised all AVs suck at detection and it's easy to make money with it.



[–]raarky 12 points 10 days ago

how about making a better AV detection system and profiting off that?



[–]ohdeno 20 points 10 days ago

AV is a completely wrong approach to security. If you need AV to feel secure you already failed.


S] 27 points 10 days ago

It is possible to create perfect protection: trusted boot, rootkit hooks on all system calls and looking not at WHO changed something, but at WHAT was changed in the system. Some application added an autorun? That's a paddle. Some application tried to fuck with the memory of another application? That's a paddle. But then you would only need to buy the protection ONCE and not pay a recurring 50$/year for some shitty signature updates every hour. AVs leave protection holes on purpose to make money! (Or the whitehats just suck. Unlikely, because their blogs are awesome)

With that said, have you ever coded your own security software? I find it funny you mention things like checking the autorun scripts for entries, but if a program is capable of modifying the boot, can it not modify any logs/backups of "legit" boot sequences to hide its own doings? With computer security it's always cat & mouse with "white hats" being on the cat side. If I can write an app that checks the boot media for modifications you can write an app that nullifies the cached copy or worse, acts in a MITM fashion and falsifies the report, no?


[–]throwaway236236 12 points 10 days ago

I would like to work in the security industry and get a chance to do things right, but if you put 'Proud operator of the xxx botnet' on your résumé you leave the job interview in handcuffs. Why not "lock" the boot sector once your security product is installed? BECAUSE IT IS SO FUCKING INCONVENIENT TO PUSH AN ADDITIONAL BUTTON ON THE HARDDRIVE AFTER INSTALLATION, haha, sorry for upper case. Put a watchdog on a read only sector of the drive and force it to boot. Make this watchdog monitor any changes to the operating system and let it communicate encrypted via asymmetric keys with the OS backend. At the current state malware can overwrite the MBR really fast and make a BSOD to force a reboot. Now a rootkit is forced even into a 64bit system, redirecting MBR requests to a copy of the original MBR and hiding malicious stuff. The antivirus is now officially blind to anything, because it allowed an application with an unknown signature to write to the MBR. Locking the MBR for the end user like UEFI is now planning is not the solution, this angers the customer and will soon unleash the 1984 Kraken. Make the MBR only unlockable via physical presence, malware can't unscrew your case (yet).


I meant the MBR to be write-lockable, you only need to access it at installation. The rest of the drive should stay writable, otherwise it would be unbearable in usage. Also there should be a good rootkit from an AV vendor, loaded by the new MBR, which hooks all system APIs and is very suspicious when adding any kind of startup or adding .dlls. If the end user gets a message: "The following program wants to put a startup into the system, if you are currently installing a software you trust you can allow this operation", resilient malware has no chance.
Most "hacker-folk" kinda work at AV companies already. There is already a company going the "eliminate it at the root" approach: [link]. But it's not that easy, the big companies have the moneys, Symantec has the colorful commercials, McAfee has the governmental contracts for voting machine AV (Mr. McAfee has btw the same lifestyle as your average Russian Spam King: 66 years old, huge house in a tropical country, 17 year old girlfriend, lots of unregistered weapons lol). It's not about the product itself, it's about power and influence. Read about the "HBGary federal accident" or watch the Defcon 19 video with "Aaron Van Barr (totally not Aaron Barr, because he wasn't allowed to be there :p)". Changing the security industry is like changing the copyright system.

HungryHippocampus 4 points 26 days ago

So... "Best" free AV? I run MSE. How much of a mistake is that?


[–]throwaway236236 15 points 25 days ago*

No AV will save you. The majority of my bots use MSE, but it's not because it's worse but because it's more popular. AVs however will protect you from the usual trash, like the 2008 Conficker virus and "stealers" from 14 year old hackforums scum.

S] 7 points 10 days ago

Every major AV system in a default installation vmware for testing. There are enough ebooks around, if you know the winapi and some native language you can immediately switch profession to malware coding. If you are interested in exploitation, read some security researchers' blogs, like [link].

Where do you NOT find the sourcecode of ZeuS? The sourcecode is well written and very structured so it's easily expandable. However you need to understand the WHOLE sourcecode first before you can safely include changes. (Took me some weeks reading and understanding). Before posting something on the net or even surfing I check every possible conclusion that someone could get from my information. I always expect that everything is recorded and investigated, call me paranoid. I own the server myself, of course not registered under an existing name. No, that feature is called "hidden service". Because they are full of pubescents sharing emo pics of their trojan victims and coding C# shit malware, because they were forced to learn it in school.
Questions:

What is your method of infection? Drive by, torrents etc.
Getting pissed at all the haters in this post?
Method of making your malware FUD?
Do you hang about on any online forums? (Please don't say hack forums)
Ever had a takedown? If so how big was that net?
Do you run multiple nets? If not you should, as if one gets taken down you still have the backups and the $$ still rolls on in ;)



[–]throwaway236236 16 points 27 days ago

IRC is easy to maintain and is just as good (I modified UnrealIRC to save traffic, so bots don't receive PRIVMSG from other bots), but I'm thinking about some own direct connection protocol.

P2P isn't that great, see Waledac, Stormbot and others. P2P has some fundamental flaws. TOR is pretty safe as long as you don't use exit nodes, which I never do, because everything is inside hidden services. Hidden service guarantees the traffic is only readable at the actual server, the magic of private/public key encryption.

Warez, thinking about studying heap overflows for drivebys, but I can't imagine so many people are still driveby'able
I expected the haters
Randomness is your friend, make your own crypter and make it so fucking random on every compile, that AV reverse engineers kill themselves (HINT: randomize the crypter's sourcecode using perl scripts)
Opensc.ws, but all the hack forums scum now register there
Never got a takedown, always used tor hidden service, I can easily move my botnet just using the hidden service private key
Redundancy is a must at bigger nets


QueueNX 1 point 9 days ago

NAT is not a firewall. Anyone who is competent in networking will tell you this and I've successfully penetrated networks that had nothing more than NAT. Don't buy into the bullshit that NAT equals a firewall.


[–]throwaway236236 1 point 9 days ago

You are right, NAT is even better than a firewall, something unreachable is more secure than something that was specifically blocked. I guess you have 'penetrated' because the network accepted unauthorized UPnP forwarding. If a company does that, an expensive firewall wouldn't have saved them anyway.



[–]FusionX 3 points 10 days ago

So you did all of this just by one year of programming? Did you have any programming experience before that? Which was your first language?

I consider myself much more aware than an average user and constantly keep a check on running processes and startup programs with msconfig. MSE is what I have atm. Should I be worried about any such malware on my system? Where do most of them come from? Also, do you guys care about CCs from countries other than USA/UK (hint: Asia).

Btw, on behalf of all the asshole redditors, sorry and thanks for the AMA. Not that I approve of the slightest of what you do, but you do indeed make some good points in some of the comments.



[–]throwaway236236 3 points 10 days ago

msconfig and regedit won't save you from a ring3 rootkit (the easy ones). Use something more low level like GMER. Most malware comes from exploit packs (browser driveby), because a steady 10% of the traffic still uses unpatched IE6, resulting in instant infection. It's the most economic way. I'm also interested in trying worms, because Conficker (yes, the vintage 2008 worm, that abused the PATCHED MS08-067 exploit) is still alive and has 2mio infects lol. Good Guy MS08-067, always works lol. Asia doesn't use CCs that much, they are more into domestic e-money systems, reloadable using prepaid cards etc.

4 points 27 days ago

Just don't use credit cards, bank from a LiveCD, it isn't that hard.

IamatworkSWAG 6 points 27 days ago

What's the best way to avoid your bullshit? Or, rather, what shouldn't I be doing in my daily internet activities to best avoid having malware get on my computer?



[–]throwaway236236 32 points 27 days ago

Trash your AV
Deactivate your firewall (you most likely have NAT on your router anyway).
Check your autostart entries every now and then from a boot disc. Autostart is the most sensitive spot of every malware, every malware needs to start with the system, yet it is just a fragile registry entry...
Use GMER ([link]) every now and then when your spider sense is tingling. Srsly, you can't fool GMER, it scans from the deepest possible point in your system, at ring0, and is impossible to fool, there is nothing deeper than ring0 on a usual PC where malware can hide stuff. I always wondered why other AV vendors don't do it like GMER, it can detect all rootkits. But when an AV can detect everything, who will pay 30$ a year for signature updates...
Scan your traffic while your PC is idle and see if you find something suspicious (You should do that using a transparent proxy, but I haven't heard of rootkits filtering traffic lower than WinPCap drivers, so Wireshark will do)
Most important: Try to step out of your consumer role, think about how malware works, the core functions of malware all work the same and are very fragile
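To make the autostart check in the reply above concrete, here is an added example that is not from the thread or any of its posters: a Python script that parses two `reg export` style snapshots of a Run key, one taken from a boot disc as a clean baseline and one taken later, and reports entries that were added, changed or removed, flagging those that start from user-writable directories or borrow a Windows system binary's name. The two snapshots, the directory markers and the system-name list are constructed assumptions, not real data.

```python
"""Diff two Windows autostart (Run key) snapshots in .reg export format.
Added example for this thread, not code from any poster. The snapshots
below are constructed sample data, not real exports."""
import re

# Constructed baseline: a Run key exported (reg export) right after a clean install.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
'''

# Constructed later snapshot: one entry now points into Temp, one new entry appeared.
CURRENT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Steam"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\steam.exe\" -silent"
"WindowsUpdateHelper"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with .reg escaping (backslash-backslash, backslash-quote) in both strings
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Directories a normal installer does not leave a persistent program in (constructed heuristic).
USER_WRITABLE_MARKERS = ('\\appdata\\local\\temp\\', '\\appdata\\roaming\\',
                         '\\downloads\\', '\\windows\\temp\\')
# Windows system binaries that only belong in System32 (constructed short list).
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'explorer.exe', 'winlogon.exe'}


def unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {(key_path, value_name): command} for every string value in a .reg export."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[(key, unescape(m.group(1)))] = unescape(m.group(2))
    return entries


def exe_path(command):
    """Extract the executable path from a Run command (quoted, or the first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def is_suspicious(path):
    """Flag executables in user-writable dirs, or system binary names outside System32."""
    low = path.lower().replace('/', '\\')
    name = low.rsplit('\\', 1)[-1]
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        return True
    return name in SYSTEM_NAMES and '\\windows\\system32\\' not in low


def diff_autostart(baseline_text, current_text):
    """List Run entries that are new, changed or removed relative to the baseline."""
    base = parse_reg(baseline_text)
    cur = parse_reg(current_text)
    findings = []
    for ident, command in cur.items():
        if ident not in base:
            status = 'NEW'
        elif base[ident] != command:
            status = 'CHANGED'
        else:
            continue
        path = exe_path(command)
        findings.append({'name': ident[1], 'status': status, 'path': path,
                         'suspicious': is_suspicious(path)})
    for ident in base.keys() - cur.keys():
        findings.append({'name': ident[1], 'status': 'REMOVED',
                         'path': exe_path(base[ident]), 'suspicious': False})
    return sorted(findings, key=lambda f: f['name'])


if __name__ == '__main__':
    for f in diff_autostart(BASELINE, CURRENT):
        flag = '  <-- look at this' if f['suspicious'] else ''
        print(f"{f['status']:8} {f['name']}: {f['path']}{flag}")
```

Only the HKCU Run key is shown; in practice the same diff is run over every autostart location (HKLM Run/RunOnce, services, scheduled tasks, Winlogon keys), and the baseline export is kept on read-only media so that the malware being hunted cannot rewrite it.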


skierCT 3 points 27 days ago

How do you feel about mac users? How easy are they to do your many evils to? I am the only mac user I know who doesn't have 100 things on their desktop. I'm not stupid with my computer. Any thoughts on how to protect a mac?



[–]throwaway236236 7 points 27 days ago

Atm small market share protects mac users from sophisticated malware attacks like rootkits, process injection and formgrabbing, because it takes very long to code new decent malware. This will change soon, because Windows is nearly exhausted (malware even targets other malware already) and mac is a fresh new target audience. I would recommend you to get familiar with some diagnostic tools (I don't know any for macs, never used apple stuff), if you know how your computer is beating inside, you are hard to fool. If you wanna go the easy way, use some restricted embedded hardware like an iPad. You will be cut in your possibilities, but it's a secure sandbox if you keep it up to date and play "by apple's rules" (no jailbreaking). It's still not 100% secure, developers get robbed of their certificates, allowing trusted malware to be put directly into the market, but it's less common.

SRTheCzar 2 points 27 days ago

Very interesting. Thanks. How do you feel about running linux? Safer for an average user? You mentioned reading forums for more info care to give examples?



[–]throwaway236236 13 points 27 days ago

Linux is only safe because it has smaller market share and every distro is different in its structure.

[link] and [link] are pretty decent forums. Don't visit a forum that has leetspeak in its domain and you're good. If you are not sophisticated in coding I recommend AV vendor blogs. Even Symantec has a nice blog, although their products are a big pile of shit that gets marketed just like rogue AVs.

droveby 3 points 9 days ago

Bank drops

What're 'bank drops'?

[–]throwaway236236 1 point 9 days ago

A bank drop is a bank account that wasn't registered in your name, but you still have a card+pin to withdraw cash from the ATM. Don't forget to wear a motorcycle helmet and gloves when cashing out kids! Protip: use glue on your fingertips, no prints, invisible and perfect grip.

1 point 9 days ago

Since when does a firewall block raw disk access? If you wanna block raw disk access you need to disallow 3rd party drivers. The problem with a software firewall is that it still needs to allow some programs like your web browser. The malware injects into your browser and sends the passwords via https, the firewall will never know what was inside those packets. Of course you could whitelist domains, but then you'd have to synchronize domains with the IP list. Trust me, software firewalls will always be evaded and hardware firewalls/enforced proxies are a pain in the ass to properly configure.

11 points 27 days ago*

If you rely on signature based detection you lose. Use read-only harddrives (the ones with hardware locks, not the snakeoil software ones). You can overcome software "write-blocks" using your own low level harddrive driver. If your coworkers need to save data, use network shares like samba and blacklist executable files there. PDFs should be scanned all the time, AVs are 'ok' at scanning generic PDF exploits, but you'd better have a record of who wrote which PDF.
One does not simply "monitor" https, you can't sniff https unless you do some MITM with your own people, that's not how a secure connection is supposed to work. If you whitelist domains and IPs it's decent.
AVG is a pretty bad antivirus, but doesn't rape performance as Kaspersky does, it protects you from mass sent and therefore known malware, but not from very fresh or targeted attacks. Once one system is compromised it might get updated to a new signature of the malware, maybe even a unique one, the antivirus will never find it.

I assume your company has at least someone who can code scripts like perl or python, if your admin doesn't have a minimum of coding experience you are gonna have a bad time.

Edit: If you are targeted by custom malware there are lots of funny ways to tunnel traffic outside. DNS tunnels for example can even tunnel from computers that are not connected to the internet, but to the intranet. Some firewalls know about such tunnels.
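The idle-traffic check suggested earlier in the thread and the DNS tunnel remark in this post both come down to looking for patterns in traffic rather than signatures. The following Python script is an added example, not from the thread or any of its posters: it scores DNS query logs per registered domain by how many unique, long, high-entropy subdomains and how many payload-carrying record types (TXT, NULL, CNAME, MX, SRV) it sees, which is the shape a DNS tunnel leaves in a resolver log even when the infected host only reaches the intranet resolver. The log format, the sample lines and the thresholds are constructed assumptions; the two-label "registered domain" cut is a simplification that ignores the public suffix list.

```python
"""Score DNS query logs for the shape a DNS tunnel leaves behind.
Added example for this thread, not code from any poster. The log format,
the sample lines and the thresholds are constructed assumptions."""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2012-01-15T10:00:01 192.168.1.20 A www.example.com
2012-01-15T10:00:02 192.168.1.20 A static.example.com
2012-01-15T10:00:02 192.168.1.20 AAAA mail.example.com
2012-01-15T10:00:05 192.168.1.20 TXT 7a9f3e1c0b4d8e2f6a1b3c5d7e9f0a1b.t.badtunnel.test
2012-01-15T10:00:05 192.168.1.20 TXT 4c2e8b1a9d3f7e0c5b6a2d1e8f9c0b3a.t.badtunnel.test
2012-01-15T10:00:06 192.168.1.20 TXT 9e1d3b5f7a2c4e6081b3d5f7a9c2e4b6.t.badtunnel.test
2012-01-15T10:00:06 192.168.1.20 TXT 0b2d4f6a8c1e3b5d7f9a2c4e6b8d0f1a.t.badtunnel.test
2012-01-15T10:00:07 192.168.1.20 TXT 5f7a9c1e3b2d4f6a8c0e2b4d6f8a1c3e.t.badtunnel.test
2012-01-15T10:00:07 192.168.1.20 TXT 3b5d7f9a1c2e4b6d8f0a3c5e7b9d1f2a.t.badtunnel.test
2012-01-15T10:00:09 192.168.1.20 A cdn.example.com
2012-01-15T10:00:10 192.168.1.20 A www.example.org
"""

# Record types that carry large payloads and that tunnelling tools lean on.
PAYLOAD_TYPES = {'TXT', 'NULL', 'CNAME', 'MX', 'SRV'}


def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payload sits near 4 or 5, words near 2-3."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels; a simplification that ignores the public suffix list."""
    labels = qname.split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip('.').lower()


def score_domains(log_text, min_queries=5, min_unique_ratio=0.8,
                  min_avg_sub_len=30, min_avg_entropy=3.5, min_payload_ratio=0.5):
    """Return [(domain, [reasons])] for domains whose queries look like a tunnel."""
    stats = defaultdict(lambda: {'n': 0, 'subs': set(), 'len': 0, 'ent': 0.0, 'payload': 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, qtype, qname = parse_line(line)
        dom = registered_domain(qname)
        # Everything left of the registered domain is where a tunnel encodes its data.
        sub = qname[:-len(dom)].rstrip('.') if qname != dom else ''
        s = stats[dom]
        s['n'] += 1
        s['subs'].add(sub)
        s['len'] += len(sub)
        s['ent'] += shannon_entropy(sub.replace('.', ''))
        s['payload'] += qtype in PAYLOAD_TYPES
    findings = []
    for dom, s in stats.items():
        n = s['n']
        if n < min_queries:
            continue
        avg_len = s['len'] / n
        reasons = []
        if len(s['subs']) / n >= min_unique_ratio and avg_len >= min_avg_sub_len:
            reasons.append('many unique long subdomains')
        if s['ent'] / n >= min_avg_entropy and avg_len >= min_avg_sub_len:
            reasons.append('high-entropy labels')
        if s['payload'] / n >= min_payload_ratio:
            reasons.append('mostly payload-carrying record types')
        if reasons:
            findings.append((dom, reasons))
    return sorted(findings)


if __name__ == '__main__':
    for dom, reasons in score_domains(SAMPLE_LOG):
        print(f"{dom}: {', '.join(reasons)}")
```

Real logs need the thresholds tuned against a baseline of the network's own traffic: CDNs and some anti-spam services also produce long, unique-looking labels, so the per-domain score is a starting point for a look in Wireshark, not a verdict on its own.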

[–]choleropteryx 1 point 7 days ago

Don't go to Kaspersky, unless you fancy working for FSB aka KGB. They are in fact pretty good technically (duqu was a fuck up on their part), but they are an FSB shop, almost officially.
[–]Busanjin 1 point 10 days ago

What do you think about setting up a user account in Windows 7, using the computer strictly under the user account, and giving the admin account a strong password? Would that help against typical malware as long as one does not type the admin password at the time of an infection?


[–]throwaway236236 1 point 10 days ago

The malware will run as the user account and will only be able to hijack information that is run in the user context, meaning everything that was started while using the same user account. If the malware is made well it won't even trigger UAC and even if it does, there is a way to bypass UAC completely, because you can inject your malware into a trusted process (explorer.exe, there is a whitelist somewhere on the net) that autoelevates UAC. Only on a guest account will it be tough to install malware, because guests usually only have temporary write access in Windows 7.



[–]kovert 1 point 10 days ago

Are you telling me that running as a regular user you can inject code into explorer and wait for UAC to be triggered? Eventually elevating the code? If you can do that and wait for an administrator to come by then there is no stopping you.


[–]throwaway236236 1 point 10 days ago

No, you don't need administrator at all. You need no admin rights to install malware on your system. If you however want to make system wide changes (like installing malware to all users on the system) you need admin privileges. If you are a regular user and are allowed to get admin rights through UAC, you can simply inject into whitelisted processes to not trigger the UAC popup.
[–]kovert 1 point 9 days ago

I was worried as a limited user that needs a password for UAC to succeed, you could inject code into explorer.exe and wait until I needed to say...view a directory I didn't have access to. After UAC was successful, the code that was injected into explorer would be elevated with the rest of the process (assuming UAC elevates explorer.exe to view that directory). The process then could do other things and completely bypass my software restriction policy.

I'm paranoid, I run as a limited user and use a Software Restriction Policy (not AppLocker though they are similar) on Windows 7. To do administrative things I use runas. I use the default SRP extensions plus I block JAR files. To exploit my machine you have to exploit something that is already installed on my machine (not that hard though: Adobe Flash/Adobe Reader/Java). I'm ruling out possibilities of something new that I've downloaded and needs administrative privileges to install or be used. It is unlikely that I would be getting something that wasn't from a well established place. I don't download pirated software. If I did I would get a legit copy and use a keygen. I'd never run a keygen as admin. I'm assuming the things I've already downloaded from trusted locations aren't inherently malicious. I use Secunia PSI to make sure my programs don't have any security advisories or need to be updated. Regular full anti-virus/malware scans are done as well. I used to reformat my PC a lot before Windows 7.

Assuming you could inject code into UAC and wait for the privileges to be elevated getting to that point would be difficult. You would have to have an 0-day for one of my already existing programs like Adobe Reader/Java. Your exploit would have to run in memory without starting another EXE from disk (SRP would block an EXE from say the TEMP directory if the exploit downloads a dropper) to inject Explorer. As far as I know there is no common directory that you would know ahead of time that allows executables to be run by my limited user account. Assuming by default I didn't add the JAR extension in SRP it would be a better choice for a Java dropper if Java was detected on the system. Directly injecting into the Explorer process from the exploit would also work too. Then you would have to be lucky that the process you injected would be elevated.

The absolute worst case scenario I can think of would be two exploits. If you had an exploit for say Adobe Reader that exploited another SYSTEM level process that resulted in privilege escalation I wouldn't be able to block it. Sadly, nobody could since SRP only applies to users/administrators and I can't lock down what the OS does. At this point we've exhausted all of my (and anyone with Windows) built-in preventative measures against malicious code in a persistent environment.

Now I have to use signature/heuristic based methods to help anything that gets past this point. If anti-virus worked like that Triumfant website you posted to aid detection, also OSSEC. Sandboxie could help with any of my userland programs, preventing it from spreading to the system.

I worry about malware that can hide itself so well that I have to use a boot CD to scan the host. Some kernel level goodness. PARANOID PARROT AIN'T GOT SHIT ON ME!

TL;DR I'm paranoid when it comes to PC security. I'm well protected but I've mentioned hypothetical ways you could still pwn me or any user that would be unstoppable using all of the built-in Windows defenses.


[–]throwaway236236 2 points 9 days ago

Sandboxie will protect you from system changes, but malware could still read for example your saved Firefox passwords and send them to me. Malware that doesn't even write to the disk exists in the wild, but a botnet will be impossible to install without an exploit or custom driver to write to the disk directly (impossible on x64 without a stolen certificate). As I already mentioned in some other comment, a UAC bypass doesn't magically give you admin rights, it simply triggers admin rights that you could already get according to system policies, without triggering the UAC popup.
 