Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Cracking’ Category

Из России с любовью


DFPKSUCPTSWXMPF

Exposed.su


A site popped up with the domain name exposed.su and within the pages (other than malware lurking for an IE exploit) sits all kinds of personal financial data for famous people. Among the people hit on this site were the likes of Hillary Clinton, Al Gore, FBI Director Mueller and others. The data on the site seems to be somewhat legit, and soon after the page made a splash in the news the DOJ (FBI), Secret Service (USSS) and others had the governmental people’s links pulled off of Cloudflare’s servers. After looking at some of the data myself before it was pulled I thought I would just have a look-see at this domain and what I could gather as to who was doing it. After some Maltego (RADIUM) work I began to realize that this all seemed to be emanating out of Russia. The domain was registered using an email address for “allperson.ru” which upon further searches turned up a den of sketchy sites.

Domain Data:

domain: EXPOSED.SU
nserver: dave.ns.cloudflare.com.
nserver: fay.ns.cloudflare.com.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: exposed.su@allperson.ru
registrar: REGTIME-REG-FID
created: 2013.03.06
paid-till: 2014.03.06
free-date: 2014.04.08
source: TCI

Last updated on 2013.03.14 17:21:38 MSK

I then followed up with searches for allperson.ru email addresses and attendant domains attached to them. What I found was a pattern of behavior showing that most of these email addresses were for scam sites, free MP3 or video sites, and one forum for all kinds of coding and what looks to be scam techniques. Basically, I think that whoever set up this exposed.su site is affiliated with allperson.ru and or Legato LLC (scammers) and the information and connections you will see below. Of note though is that in the case of the exposed.su site there is nothing that directly ties it to anyone in particular. However, once you start digging around you can make connections between individuals and groups including addresses/persons involved in the ZEUS botnet.

Allperson.ru


domain:        ALLPERSON.RU
nserver:       ns1.tuthost.com.
nserver:       ns2.tuthost.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Andrej V Punegov
phone:         **********
e-mail:        an@kazancity.net
registrar:     REGTIME-REG-RIPN
created:       2007.09.25
paid-till:     2008.09.25

Allperson.ru was a service/site that had about 5 email servers and was originally registered back in 2008. As you can see from the above domain data it was registered by a “Andrej V Punegov”. Searches for Andrej give up a laundry list of sites and data that he has been affiliated with in the past. Not much more comes up in the “Googles” so I will leave it at that for the moment. The list of sites though that he has registered is long, so it is likely that this is another player who has moved on to bigger and better scams… If that is a real name at all. The email address provided also gives up some interesting hits including an IRC site which I will leave for another day.

Another interesting email address in the allperson.ru set was demand.su@allperson.ru. This address was directly tied to the ZEUS botnet that was taken down by M$ and is listed in the plaintiff filing. So here we have a direct tie of this allperson domain to Zeus and only a handful of email addresses. Could it be that this is all tied together? In fact, look at the email name “demand.su”, the same format as exposed.su … Coincidence?


Domain check
e-mail: wml.su@allperson.ru
e-mail: evgenij.w@gmail.com
e-mail: wml.su@mail.ru
nserver: ns1.wml.su. 62.149.12.117
nserver: ns2.wml.su. 62.149.13.81
created: 2006.06.29

wml.su


Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registration date: 2007-11-02
Last updated: 2012-02-11
Expiration date: 2013-11-02
Owner, Administrative, Technical Contacts:
Email: evgenij.w@gmail.com [4 domains use this email]
Name: Evgenij Ermolenko [4 domains use this name]
Phone: +3.80976061100 [4 domains use this phone]
Address: Katyuzhanka
Katyuzhanka
Kiev Oblast,07313
UA
WML2.COM IP: 62.149.13.81
The IP belongs to ISP COLOCALL LTD
ISP domain: COLOCALL.NET

Then there is wml.su@allperson.ru which has an interesting history and present. It ties to a domain/site forum.wml.su which happens to be a little forum for what looks to be warez and other illicit things as well as possibly a hub for site design and programming. The owner of this site also listed evgenij.w@gmail.com as an alternate email address. Following up on this address we get information that shows this email was used on 4 domains and within that you get a new name: Evgenij Ermolenko who has quite the digital breadcrumb trail to follow. Now Evgenij’s site wml.su has also been shown to be a site for infecting phones with trojans (see above) and seems to be quite the player here in the world of malware and scams.
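The pivot used through this whole write-up (the registrant address on exposed.su points at allperson.ru, the allperson.ru mailboxes point at wml.su, and the alternate gmail address on wml.su points at wml2.com) is mechanical enough to script. What follows is an added example, not code from the original post: it parses the WHOIS text quoted above into records and walks the e-mail links between them, separating a strong link (the identical address on two domains) from a weak one (two domains whose registrants use the same small mail system). The field labels are the ones in the quoted records; the `domain:` lines on the wml.su and WML2.COM records, the list of public mail providers treated as non-links, and all function names are this example’s own assumptions.

```python
"""Pivot WHOIS records on registrant e-mail addresses.

Added example, not code from the original post. The WHOIS text below is
trimmed from the records quoted in the post; the `domain:` lines on the
wml.su and wml2.com records were added here because the quoted output
lacked them. Label aliases, the public-provider list and the function
names are this example's own assumptions.
"""
import re
from collections import defaultdict

RECORDS = [
    """domain: EXPOSED.SU
person: Private Person
e-mail: exposed.su@allperson.ru
registrar: REGTIME-REG-FID
created: 2013.03.06""",
    """domain:        ALLPERSON.RU
person:        Andrej V Punegov
e-mail:        an@kazancity.net
created:       2007.09.25""",
    """domain: WML.SU
e-mail: wml.su@allperson.ru
e-mail: evgenij.w@gmail.com
e-mail: wml.su@mail.ru
created: 2006.06.29""",
    """Domain: WML2.COM
Email: evgenij.w@gmail.com [4 domains use this email]
Name: Evgenij Ermolenko [4 domains use this name]""",
]

# Labels carrying an address in the two WHOIS dialects quoted on the page
# (RU-style "e-mail:" and flat "Email:"); the extra aliases are assumptions.
EMAIL_KEYS = {"e-mail", "email", "admin-email", "registrant-email"}
# A shared mailbox at a big public provider proves nothing, so the
# provider-level pivot skips these (assumed list, extend as needed).
PUBLIC_PROVIDERS = {"gmail.com", "mail.ru", "yandex.ru", "yahoo.com", "hotmail.com"}

LINE_RE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s*(.*?)\s*$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_record(text):
    """Reduce one WHOIS dump to the fields the pivot needs."""
    rec = {"domain": None, "emails": set(), "names": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # free-text lines (postal address etc.) are ignored
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain":
            rec["domain"] = value.lower()
        elif key in EMAIL_KEYS:
            rec["emails"].update(e.lower() for e in EMAIL_RE.findall(value))
        elif key in ("person", "name"):
            rec["names"].add(value.split("[")[0].strip())
    return rec


def pivot(seed, records):
    """Domains linked to `seed` by e-mail, mapped to the reason for the link."""
    by_domain = {r["domain"]: r for r in records}
    by_email, by_provider = defaultdict(set), defaultdict(set)
    for r in records:
        for e in r["emails"]:
            by_email[e].add(r["domain"])
            by_provider[e.split("@", 1)[1]].add(r["domain"])
    linked = {}
    for e in sorted(by_domain[seed]["emails"]):
        # Strong link: the very same address registered another domain.
        for d in sorted(by_email[e] - {seed}):
            linked.setdefault(d, f"shares address {e}")
        provider = e.split("@", 1)[1]
        if provider in PUBLIC_PROVIDERS:
            continue
        # Weak link: registered from the same small mail system
        # (the allperson.ru pattern in the post).
        for d in sorted(by_provider[provider] - {seed}):
            linked.setdefault(d, f"address at {provider}")
        # The mail system itself is a node worth a WHOIS of its own.
        if provider in by_domain and provider != seed:
            linked.setdefault(provider, f"hosts mailbox {e}")
    return linked


def expand(seed, records, max_hops=2):
    """Breadth-first walk of the pivot graph, recording how each domain was reached."""
    known = {r["domain"] for r in records}
    reached, frontier = {seed: "seed"}, [seed]
    for _ in range(max_hops):
        nxt = []
        for d in frontier:
            if d not in known:
                continue  # no record yet: a candidate for the next lookup
            for linked, why in pivot(d, records).items():
                if linked not in reached:
                    reached[linked] = f"{why} (via {d})"
                    nxt.append(linked)
        frontier = nxt
    return reached


PARSED = [parse_record(t) for t in RECORDS]

if __name__ == "__main__":
    for domain, why in expand("exposed.su", PARSED).items():
        print(f"{domain:14} {why}")
```

Starting from exposed.su, one hop reaches wml.su (same mail system) and allperson.ru (the system itself); the second hop reaches wml2.com only through the identical gmail address on wml.su. The gmail.com and mail.ru providers are deliberately not pivoted on: millions of unrelated registrants share them, which is exactly the kind of coincidence the post is careful to separate from the allperson.ru pattern.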

Evgenij… Time to worry a little I think. Probably not much as you are located in Oblast, or Moscow, or.. Who the hell knows. The fact of the matter is you are one of those Russian bandito boys that pretty much never gets caught by the long arm of the law right?

Legato LLC


Then there is Legato LLC. This is an interesting little corporation out of Oblast (coincidences coincidences) that has had its share of run-ins with illegality. Under private ownership it is alleged to have been created in 1970? Its *cough* businesses cover anything from advertising to email and information technology. Hmmmm one wonders if they had a hand in the creation of allperson.ru and maybe still have some email servers that are being pointed at? Either way, it seems that Legato may have also been involved in the ZEUS botnet as well because the players here all seem to be connected by their digital trails as well as penchants for naming conventions. One of the scam sites was geo electronics and it seems that they were in the business of straight out fraud as well as money laundering and mule recruitment. Oh yeah, it’s getting deep now eh? It would seem that this rabbit hole goes on further but I am getting claustrophobic in it so I will leave off here with the detective work.

Conclusions:

Ok so what do we have? Well, we have a constellation of sites tied to an old defunct email system that seems to have ties to Legato LLC and to Zeus as well as money laundering and such. Why then does this site pop up and start dumping data on famous people’s credit histories? Histories and information that may not in fact be correct to begin with? Even though the USSS and FBI are looking into this I have to wonder if the data was correct. I am hearing that some of the phone numbers were not right at all and that this all really ties back to some hack on credit services this week. What is the motive here? Well, the Twitter feed and one of the links seem to point to someone with a grudge against the LAPD (re the Dorner affair) and the police in Russia. Since the twitter feed is down I missed the tweet that mentioned that but meh, I am not that caring at present.

Could this be an Anon motivated kind of thing? Well, the imgur picture of the girl on the page does come from an anonymous tied/named site but that is really tenuous to start, but it could be. Overall though this site and the data seems to have rankled the feds a bit so maybe it was just for the lulz. Could this person just have access to the site data and used it to make this site and make it look like it came from Russia? Maybe.. But overall the feel of it and the ancillary data seems to show that it was someone involved in the Russian sites including Zeus. PERHAPS they are just pissed off that their money making scheme vis a vis ZEUS got shut down?

That’s a lot of maybes huh? But hey, them’s the internetz kids. Your mileage may vary but keep an eye on this one because I am sure there are more than a few subpoenas going out to Cloudflare where this is all hosted. One of the funniest things about this site though was that one of the links was to a credit dispute site. Now that’s cheeky!

K.

Written by Krypt3ia

2013/03/14 at 18:02

Posted in Blackhat, Cracking, crime

Yes Virginia, There Are Hackers and Spooks On Militant Boards…


A prominent poster on the elite password-protected jihadi web site Shumukh has told fellow forum members his account on the site has been hacked to send spyware to fellow forum participants.

The user, who goes by the handle “Yaman Mukhadab,” posted on August 28 that “it seems that someone is using my account and is somehow sending messages with my name to the members,” according to Flashpoint Partners, which translated the discussion for Danger Room. Shumukh uses software from vBulletin, which allows members to send private messages to each other.

Mukhadab’s handiwork has attracted attention beyond the forum. He was one of the contributors to the site’s lame recent attempt at creating a fantasy target wishlist comprised of American security industry leaders, defense officials and other public figures.

From Wired

Yeah, yeah, yeah, once again Wired got a little tidbit from Evan Kohlmann to keep his Flashpoint company relevant and in the news. Blah blah blah. Look, Adam is it? Yeah, Adam, there is much more that goes on on this site and the myriad others that Evan isn’t telling you. Sure, this guy Yaman got a little twitchy and he is right to be so lately. There has been A LOT of other things going on on both sides of the fence lately that ol’ Evan hasn’t let you in on, or more likely, has no clue of.

  • There are hackers, both at the behest of the government and those not avowed, going at these sites. Some are just knocking them down for periods of time (Jester etc.). Some are auditing the sites and actually interacting at times with the players after owning them, and SOME are just hacking the shit out of the sites and wreaking havoc. The latter was seen back a month or two ago with the take down of Ansar. They just RM’d that sucker, but the jihadis had a backup and they were online within days. (which you mentioned.. good)
  • Most of these sites have sections where the newbies are being taught hacking skills. Some of these tutorials are low level (like the lulz types we saw not too long ago *protect your MAC/IP’s*). Others are quite well versed in hacking and have tutorials on the level of something to worry about. In fact, some of these sites contain the works of friends of mine in the security community that they have posted as research. Within these sections we have areas where the jihadis have an assortment of upload/download sites for malware (mostly these are older packages) but some of the newer posts have malware and creation kits that are up to today’s standards (which you failed to mention)
  • The version of AQAP’s “Inspire” you talk about was tampered with *cupcakes* as well as one version did in fact have a trojan. (which you failed to mention)
  • The list of targets wasn’t so much lame as it was a new call to the “lone wolves” on these boards to act on it. There is a change in the way these guys are waging jihad that is not really covered by Evan and you. Did you know for instance that there is a Facebook Jihad (propaganda war) that is ongoing? As well as guys like Abu Hafs Al Suni Al Suni are advocating for a ‘stealth jihad’? Yeah, they are, and they have been busy trying to propagandise and get the word out to those lone nutjobs that might in fact try something like, say, pick a name off of that ‘lame’ list as you called it. It wouldn’t be so lame after they actually whacked someone would it?

Sure, a good deal of this and the other jihobbyist sites are full of dreck, but, there are pockets of true believers, and your little piece in Wired downplays it all.

For more:

GCHQ/SIS AQ Media PSY-OP: Messin With Jihobbyists

Also try this little Google Search for spyware posts on the board. They have been busy.

As a side note, the jihadis also went further and opted to go after the MEMRI organization as well. In a later post by Yaman, they list out the leaders of the org as targets as well. What makes me wonder is which one of them has a log and pass for MEMRI (hint hint MEMRI check your logs)

 

 

 

All in all, another bang up job Wired… *sarcasm implied*

K.

Asperger’s: The New Insanity Defense for Hacking?


Asperger syndrome or Asperger’s syndrome or Asperger disorder (/ˈɑspərɡərz/[1] or /ˈæspərɡərz/[2]) is an autism spectrum disorder that is characterized by significant difficulties in social interaction, along with restricted and repetitive patterns of behavior and interests. It differs from other autism spectrum disorders by its relative preservation of linguistic and cognitive development. Although not required for diagnosis, physical clumsiness and atypical use of language are frequently reported.[3][4]

From Wikipedia

Since the Gary McKinnon case, the use of the diagnosis of “Asperger’s” by a defence team seems to have become a go-to position, at least presently in the U.K. justice system. The recent arrest of Ryan Cleary for cracking and DDoS attacks on sites such as SOCA also seems to be showing a penchant in the UK legal system toward launching a kind of “Insanity Defence” by proxy of a declaration that Ryan is a high functioning autistic (Asperger’s) and that because of it, he may have not been able to stop himself.

While this theory may in fact be the case with both of these defendants on some level, the LEGAL aspect of this is this:

“Did they know they were committing crimes? Furthermore, can it be proven without a doubt that they both suffered to the extent that the compulsive behaviour was inescapable?”

If the answer is definitively that they had no control, then they should be treated and perhaps NEVER allowed access to the Internet again. This might be the way to punish them as well as keep them out of the penal system (even the mental health facilities therein) as opposed to putting them into the general populace in prison. However, I do not feel that the diagnosis of Asperger’s can really allow for their innocence of the crimes that they are charged with. Both of these guys are functionally capable of interacting with others around them and certainly capable of holding technical knowledge and acting upon it for their own ends.

The one point that the lawyers will make though is this notion that Asperger’s sufferers display obsessive behaviours concerning specific things that interest them. Some collect things, others memorise things. In the case of McKinnon and Cleary, they both obsessively hacked into things and stole data. In the Cleary case though, he was caught in the act of DDoS’ing a UK police site when they caught him. As far as I know, this is not necessarily a known Asperger’s syndrome effect or behaviour. (see below)

People with Asperger syndrome often display behavior, interests, and activities that are restricted and repetitive and are sometimes abnormally intense or focused. They may stick to inflexible routines, move in stereotyped and repetitive ways, or preoccupy themselves with parts of objects.[24]

Pursuit of specific and narrow areas of interest is one of the most striking features of AS.[3] Individuals with AS may collect volumes of detailed information on a relatively narrow topic such as weather data or star names, without necessarily having genuine understanding of the broader topic.[3][7] For example, a child might memorize camera model numbers while caring little about photography.[3] This behavior is usually apparent by grade school, typically age 5 or 6 in the United States.[3] Although these special interests may change from time to time, they typically become more unusual and narrowly focused, and often dominate social interaction so much that the entire family may become immersed. Because narrow topics often capture the interest of children, this symptom may go unrecognized.[7]

From Wikipedia

So, basically we have the lawyers in the UK trying to say “You can’t put Rainman in jail!” My question is just how long will it be before the US legal system catches up to this defence tool too? Can you imagine the next cases in the US being tried and the legal team for the accused finding a shrink that will testify that the cracker could not help himself..

He has Asperger’s after all!

This does not fly with me and I don’t see the court system or juries buying into it either, but you know they will try. Presently, the cases in the UK are being spun up and in the case of McKinnon, he has been fighting extradition for quite some time for hacking NASA. All the while his people have in fact been fighting the case in the media playing up that he is mentally unstable in the hopes that pity will prevail. The very same thing seems to be shaping up already for the Cleary case with videos (him stoned off his ass from huffing glue or perhaps just 420’d) showing up online and the diagnosis making the front pages of many news outlets.

Sorry.. But I don’t buy it. Sure, you may be mentally ill Ryan, but, I still think you knew what you were doing and are high enough functioning to be put in the pokey for it. Which brings me to another statement that is sticking in my craw;

LulzSec disbands: Hacking group LulzSec announced it was disbanding Saturday, 50 days after its first publicised hack. A member of the group told The Associated Press that the group was “bored” and denied that it was stopping its public attacks because of pressure from law enforcement. The LulzSec member did, however, say that some of the chat logs and information about hackers’ identities was correct.

From The Washington Post

Bored? BORED? Really? How about you go out and get some exercise or maybe read a book? Bored, I know that this likely is just a ruse in this case as the Feds are investigating all those DOX put out on you all but really, bored. This does though make me ask why they are doing this, and just how do they all rationalise in their heads about the right and wrong of it.

Does Lulzsec have Asperger’s in toto? Or have we raised, and are we still raising, generations of sociopaths with computers, I wonder? Looking at 4chan, one can see where the Lulz came from and frankly, while some of it is damn funny, other things there are a bit disturbing. The conventions of society seem to have been stripped in the digital world and it is anything goes… AND this is the crux of the issue isn’t it? After all, now the hacking and the cyber bullying etc. have begun to manifest real life physical outcomes today because we have networked our lives so much.

The Lulz actions to date really did not amount to much in the sense of destroying lives as far as I know of. However, they have broken many laws and thought themselves to be outside of their dominion. I am pretty sure that some, if not all of them, are about to find out otherwise, but, it is a disturbing trend isn’t it? Because the internet is so new and the parents of these kids likely have had little interface with it, they have not even thought about trying to apply the norms of how they should act in the real world and society to the digital world.

That is the problem.

It’s time to give out the digital spankings.

K.

Written by Krypt3ia

2011/06/27 at 18:19