Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Lulz’ Category

Team Inject0r: The Multinational Connection

with 6 comments

The recent compromise of a NATO server by “Team Inj3ct0r” has recently made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ctor has been around since 2008, and has ties to Chinese hackers as well as Russia, Turkey and other countries.

This could change the paradigm on the “hacktivism” moniker that Team Inj3ctor has branded themselves with recently (post the goings on with Anonymous and LulzSec/Antisec movements) Before these movements, this site and the teams all were loosely linked and purveyors of 0day, and not so much in it for any political means. What has changed? Who might benefit here to use the hacktivism movement as a cover for hacking activities that could cause a stir?

… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?

Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.

Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers that span China and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement in that the NATO hack was claimed by someone using the name “Team Inj3ct0r” and this site seems to fit the bill as the source of the attack since it has been quoted by the hackers that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe) then we have a new problem, or perhaps this has been the case all along that the state sponsored hackers have been within Anonymous, using them as cover.

Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multi-national, perhaps this attack had a overall political agenda in that NATO is supposed to be the worlds policeman. I am still unsure.

Teams and Members:

In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9) The two are “knockout” and “Kalashinkov3″ The teams are tied together in the way they present their pages and the data they mirror so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people have particular skills and finding 0day and posting them to this site and others for others to use.

Team Inj3ct0r: http://77.120.120.218/team

Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com) My assumption is that the name given as well as the address and phone numbers are just bogus as you can see they like to use the netspeak word “1337″ quite a bit. A secondary tip on this is that the name “Matt Farrel” is the character name for the hacker in “Live Free or Die Hard” Someone’s a fan…

Team Inj3ct0r

r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com owned by Mr. Czeslaw Borski according to whois. However, a whois of inj3ctor.com comes up with a Anatoly Burdenko of 43 Moskow Moskovskaya Oblast RU. Email: e-c-h-0@mail.ru

  • The domain r0073r.com owned by a Mr. Czeslaw Borski out of Gdansk Poland (another red herring name) domain hosted in Germany with a .ru name server
  • The domain inj3ct0r.com created in 2008 belongs to Anatoly Burdenko and has been suspended
  • The domain inject0r.com was hosted in China  61.191.0.0 – 61.191.255.255 on China net
  • Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
  • Another alias seems to be the screen name str0ke
  • Also owned www.0xr00t.com

http://www.inj3ct0r.com domain details:

Registrant:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151                     
Sid3^effectsr
4dc0reSeeMe
XroGuE
gunslinger_

indoushka
KnocKout

  • knockout@e-mail.com.tr
  • knockoutr@msn.com
  • Alleged to be Turkish and located in Istanbul
  • Member of the Turkish cyber warrior site cyber-warrior.org last access July 4rth 2011

ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3


DIS9.com:

DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout) Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin ostensibly out of Hunan Province in China. The owner/registrar of the site has a familiar email address of yeailin225@126.com also a domain registered and physically in China.

A Maltego of this data presents the following interesting bits: A connection to the site http://www.vi-xi.com a now defunct bbs which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主 )  vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of jwlslm@126.com and listed it out of Hunan Province.

The connections from DIS9 to other known hackers who are state actors was found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say though, that there is enough data here to infer that at the very least, hackers who work for the state in China are working with others on these two sites at the very least, sharing 0day and perhaps hacking together as newly branded “hactivists”

DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit - 
Kedans-Dz

: Team Exploit :

Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft

h4x0er.org aka DIS9 Team

Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.

Other Teams within the DIS9 umbrella:

In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.

More when I have it…

K.

BlackkatSec: The New Kids on the Block Who Allege They Took Down Al-Qaeda

leave a comment »

From GamerCrypt

Last week, the AQ site shamikh1.net was taken down by unknown persons and their domain suspended by Godaddy for abuse. Evan Kohlmann of Flashpoint Global was making the rounds on the media circuit pimping that it was in fact MI6 or the like that took the site down. However, Evan had little to no evidence to back this claim, and frankly, the media just ate it up evidence be damned. I came to the party after hearing online the previous weekend that the site was under attack and going down from an unknown type of attack. However, I knew from past experience that the site was likely being attacked through some SQLi or a DD0S of some kind. The reasoning I have had is that the site was vulnerable to attack in the past and as far as I knew, the admin’s at Shamikh1 had not fixed the problems.. Not that anyone was goint to tell them that their site was vulnerable.

As time passed and more stories circulated, Evan’s tale changed slightly to include the fact that he thought there was a domain hijack that had happened. There is once again no evidence of a domain hijack at all, but, there still lingers the idea that the site was taken down by someone other than skiddies out for a good time. Once again, there was no evidence to back up any claims, but the media is.. well the media.. They will buy anything if it gets them attention. So on it went, and on Saturday the back up site that AQ had registered in May (as I surmised that it was the backup in my earlier post) was back up serving the main page. To date the page is not fully functional and once again Evan has made a claim on the news that they are back up for registration, another false claim as they are not taking submissions.

Either way, the site is online (mostly) and seems to be getting back into the swing while a new dark horse has entered the race as to who did it and perhaps why. @blackkatsec or BlackKatSec, is a new splinter group of LulzSec/AntiSec/Anonymous that has turned up quietly making claim to the hack on shamikh1. They so far, have not said much on why never mind how, but, it would be interesting to hear from them on the pastebin site as to what data they may want to release on their hack. If indeed they used SQLi attacks and in the end rm -rf * ‘d the site, then I would LOVE to see what they got out of it before they did so. If on the other hand, they just attacked the site and the admins as well as Godaddy took it down, then I would like to know.

Speculation is.. Well it’s mental masturbation really. Good for the media, bad for those who really want to know something.

So, dear BlackKatSec, if you feel so moved, please do drop me some data.. I will make sure its used to cause the boys from Shamikh1 more heartburn. Otherwise, please do keep us up on your attacks as I do not look forward to hearing all the damned speculation that comes out of the spinning media heads like a certain someone who I mentioned above. Of course you could just be trying to claim the hack for whatever reasons and not done it… But, the lack of trumpeting it to the world says to me that maybe you were involved…

Say.. You guy’s aren’t MI6 are ya?

HA!

More when I have it.

K.

Asperger’s: The New Insanity Defense for Hacking?

with 4 comments

Asperger syndrome or Asperger’s syndrome or Asperger disorder (play /ˈɑspərɡərz/[1] or /ˈæspərɡərz/[2]) is an autism spectrum disorder that is characterized by significant difficulties in social interaction, along with restricted and repetitive patterns of behavior and interests. It differs from other autism spectrum disorders by its relative preservation of linguistic and cognitive development. Although not required for diagnosis, physical clumsiness and atypical use of language are frequently reported.[3][4]

From Wikipedia

Since the Gary McKinnon case, the use of the diagnosis by a defence team of “Asperger’s” seems to have become a go to position, at least that is presently in the U.K. justice system. The recent arrest of Ryan Cleary for cracking and DD0S attacks on sites such as SOCA also seems to be showing a penchant in the UK legal system toward launching a kind of an “Insanity Defence” by proxy of a declaration that Ryan is a high functioning autistic (Asperger’s) and that because of it, he may have not been able to stop himself.

While this theory may be in fact be the case in with both of these defendants on some level, the LEGAL aspect of this is this;

“Did they know they were committing crimes? Furthermore, can it be proven without a doubt that they both suffered to the extent that the compulsive behaviour was inescapable?”

If the answer is definitively that they had no control, then they should be treated and perhaps NEVER allowed access to the Internet again. This might be the way to punish them as well as keep them out of the penal system (even the mental health facilities therein) as opposed to putting them into the general populace in prison. However, I do not feel that the diagnosis of Asperger’s can really allow for their innocence of the crimes that they are charged with. Both of these guys are functionally capable of interacting with others around them and certainly capable of holding technical knowledge and acting upon it for their own ends.

The one point that the lawyers will make though is this notion that Asperger’s sufferers display obsessive behaviours concerning specific things that interest them. Some collect things, others memorise things. In the case of McKinnon and Cleary, they both obsessively hacked into things and stole data. In the Cleary case though, he was caught in the act of DD0s’ing a UK police site when they caught him. As far as I know, this is not necessarily a known Asperger’s syndrome effect or behaviour. (see below)

People with Asperger syndrome often display behavior, interests, and activities that are restricted and repetitive and are sometimes abnormally intense or focused. They may stick to inflexible routines, move in stereotyped and repetitive ways, or preoccupy themselves with parts of objects.[24]

Pursuit of specific and narrow areas of interest is one of the most striking features of AS.[3] Individuals with AS may collect volumes of detailed information on a relatively narrow topic such as weather data or star names, without necessarily having genuine understanding of the broader topic.[3][7] For example, a child might memorize camera model numbers while caring little about photography.[3] This behavior is usually apparent by grade school, typically age 5 or 6 in the United States.[3] Although these special interests may change from time to time, they typically become more unusual and narrowly focused, and often dominate social interaction so much that the entire family may become immersed. Because narrow topics often capture the interest of children, this symptom may go unrecognized.[7

From Wikipedia

So, basically we have the lawyers in the UK trying to say “You can’t put Rainman in jail!” My question is just how long will it be before the US legal system catches up to this defence tool too? Can you imagine the next cases in the US being tried and the legal team for the accused finding a shrink that will testify that the cracker could not help himself..

He has Asperger’s after all!

This does not fly with me and I don’t see the court system or juries buying into it either, but you know they will try. Presently, the cases in the UK are being spun up and in the case of McKinnon, he has been fighting extradition for quite some time for hacking NASA. All the while his people have in fact been fighting the case in the media playing up that he is mentally unstable in the hopes that pity will prevail. The very same thing seems to be shaping up already for the Cleary case with videos (him stoned off his ass from huffing glue or perhaps just 420′d) showing up online and the diagnosis making the front pages of many news outlets.

Sorry.. But I don’t buy it. Sure, you may be mentally ill Ryan, but, I still think you knew what you were doing and are high enough functioning to be put in the pokey for it. Which brings me to another statement that is sticking in my craw;

LulzSec disbands: Hacking group LulzSec announced it was disbanding Saturday, 50 days after its first publicised hack. A member of the group told The Associated Press that the group was “bored” and denied that it was stopping its public attacks because of pressure from law enforcement. The LulzSec member did, however, say that some of the chat logs and information about hackers’ identities was correct.

From The Washington Post

Bored? BORED? Really? How about you go out and get some exercise or maybe read a book? Bored, I know that this likely is just a ruse in this case as the Feds are investigating all those DOX put out on you all but really, bored. This does though make me ask why they are doing this, and just how do they all rationalise in their heads about the right and wrong of it.

Does Lulzsec have Asperger’s en toto? Or have we raised and are we will raising generations of sociopaths with computers I wonder? Looking at 4chan, one can see where the Lulz came from and frankly, while some of it is damn funny, other things there are a bit disturbing. The conventions of society seem to have been stripped in the digital world and it is anything goes… AND this is the crux of the issue isn’t it? After all, now the hacking and the cyber bullying etc have begun to manifest real life physical outcomes today because we have networked our lives so much.

The Lulz actions to date really did not amount to much in the sense of destroying lives as far as I know of. However, they have broken many laws and thought themselves to be outside of their dominion. I am pretty sure that some, if not all of them, are about to find out otherwise, but, it is a disturbing trend isn’t it? Because the internet is so new and the parents of these kids likely have had little interface with it, they have not even thought about trying to apply the norms of how they should act in the real world and society to the digital world.

That is the problem.

It’s time to give out the digital spankings.

K.

Written by Krypt3ia

2011/06/27 at 18:19

LulzSec’s Pre-Pwn3d AT&T USB Image

with 4 comments

It seems that the Lulz just keep on coming from the LulzBoat, even if they have sailed into the sunset. Upon investigation the USB bootable file from AT&T has malware within it. The winrar.exe file that is on board is a trojan as you can see in the capture above. It now remains to be seen whether or not this file was pre-pwn3d (i.e. the file was already corrupted with malware when they stole it) or, that someone was being smart with us all from Lulzsec and seeing just how many fools would make an iso and run the bootable then install the handy winrar.exe pre packaged with it.

Either way, you kids out there who have downloaded the v1 of the torrent, be careful not to pwn yourselves as you play!

Have fun!

K.

Written by Krypt3ia

2011/06/27 at 00:19

Posted in Lulz, LulzSec, Malware

The Lulzboat Sailed The Internets and All I Got Was This Stupid Garbage File!

leave a comment »

That’s it? All we get is this stinkin garbage file?

Well, it seems that the Lulz are over for now as last night saw the Lulzboat sail into the sunset. In a post on twitter and a rapidly seeded file dump on Pirate Bay, the LulzSec collective decided to hang up their tophat claiming that they were basically going to pull a Costanza at the top of their game.

Within the torrent file the following parting words were sent:

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn’t that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it’s time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow…

Hrmmm.. 50 days? Is there any real significance to this other than perhaps the party van was pulling up outside your doors and you had to dump the garbage file quick like? Honestly, the files that you dumped, while in sheer numbers of passwords and logon’s to a few sites is well, kinda weak. In short, there is nothing revelatory here. I mean, jeez at LEAST the garbage file in the movie had some interesting malware shit in it right?

The Files:

So, we have some AT&T data from inside that cover some frequency ranges, and some manuals, minutes from meetings etc that are kind of interesting. There is a scan of the FBI.gov site that shows a vuln, and they managed to add Pablo Escobar to the Navy jobs database.

Whoopee.

All in all I have to give the Lulzsec crew a big “MEH” on this as well as their other dumps really. Sure, they have pointed out that low hanging fruit is abundant on the internet, but, really, who in the security or hacking world did not know this? Further more, what does the average everyday end user care? I mean, if their passwords are stolen, they will reset them. If their money is stolen they are insured by the Fed… Is there a great hue and cry from the masses because Lulz were had by the general populace to have the Lulzboat crew hoisted on the yard arm?

Not that I have seen.

In short kidz, you have only served to amuse yourselves and others out there but if you had anything else in mind about bringing change to the scene, I don’t think you have succeeded. People are creatures of habit and sloth. Short of taking the whole system down for the count, nothing will be so epic as to make corporations secure their networks and perform due diligence. Those who have done so out of worry because of your antics will go back to their peaceful Luddite slumber.

Leaving So Soon?

So, on to your sudden departure from the scene. I have the feeling that as I had written about before, you were coming to realize that perhaps you could never be as clever or wily to evade detection and prosecution given your penchant for the dramatic you all seem to have. Your propaganda machine and communication channels were leaking, this you could see from the A-Team dumps.

You guys have tried variations of your names, you have attempted obfuscate as much as you could, but, in the end, your re-use of favored screen names was your undoing. You see, the jester has been scouring the internet (I am sure with help from others) looking for any connections to those screen names or iterations thereof. I myself have done this and came up with analogous data to what jester and others have posted. With each successive day, your true identities are being uncovered if they have not fully been as of now.

However, this re-use of nick names and ties to email addresses aside, you guys just were immature enough to do yourselves in with petty disputes and the use of non trustworthy assets. This whole outing of each other thing was one of the most stupid things I have seen. Sure, some of it could be digital chaff, with you trying to set out disinformation, but I think that is not the case. Your own hubris shall be the thing that ends up placing the party vans on your collective front steps.

Lets face it, you played the game of spooks and I think in the end, you will lose. In fact, I think that you should probably have been better off had you just gone off seeking some sharks with frikkin lazers on their heads in your volcano lair instead of playing with the fire that you have been. Once they do pop you, you all are going to see some very interesting things inside jail as the governments kluge together terrorism charges on you.

Your Legacy:

Well, I guess we will have to see if anyone decides to take up the Lulzsec mantle. For now, we all await the party van posse to pick you all up sooner or later. You have spawned some more fools though like Team Poison who want to up the ante with releases of data like old Tony Blair stuff… That was kinda lame too frankly and made so sense when they claimed to still have access.. Why dump what you have and then claim to still have access? If it was current, I am pretty sure they have yanked the plug on that mail server and ‘five’ has it.

Oh, did you take that into account? I mean, he is Tony Blair after all… They are MI5… ‘Expect them’

So where was I?… Oh yeah..

In all of your dumps you delivered nothing worth your or our time. You proved a point that SQLi is prevalent but who didn’t know this? You have proved that you were pretty immature and likely suffer from Asperger’s yourselves… Well that will be the claim that your lawyers make to the judge won’t it huh? I mean that is the mental illness du jour as excuses go for immature hacking antics today isn’t it? I don’t think that will work though, the government just doesn’t care, they will medicate you and then put you on trial. You see Asperger’s is not a form of insanity, and the insanity plea, as some of us know, is NOTORIOUSLY hard to use as a defense in court. Nope, you guys really actually suffer from inflated ego’s and too much jolt cola.. That’s my diagnosis, for what its worth.

So, yeah, legacy… Well, you certainly have tried to do your best imitation of SPECTRE, but instead you came off as Bighead. I am sure there will be others following in your footsteps, but, in the end I don’t think you have launched a new SPECTRE.

Nope, I expect your real legacy will be the creation of more draconian laws by the government as a backlash to your antics. Laws that will make all our lives a bit more less private and a lot more prone to being misused. I also expect that the lulz will continue, though at your expense once you are all caught and put into the pokey.

… And those lulz will also be epic fail.

K.

Follow

Get every new post delivered to your Inbox.

Join 117 other followers