Friday, 26 September 2014

Monday, 3 March 2014

Rescator

Recent updates at Rescator Track2 Shop


Wednesday, 5 February 2014

Storm - DDOS Bot


Screens



Videos

https://mega.co.nz/#!5VtWwIiZ!MJYTS0nS4GbFRzfaVfnfKWbkp_E8_w68rcuT3i9_Qp0

https://mega.co.nz/#!gZ1yiLYC!MHK-nTtBlIweJu8Pv8yc8HXOhXEfbRGWcVW8eIh3ERE


Features

====Storm.Bot server side====
This utility is intended EXCLUSIVELY for stress-testing your own networks. The author bears no responsibility for its use for illegal purposes.
- All bot modules are in a single binary.
- Written in pure C.
- Obfuscated and packed with a proprietary algorithm.
- The bot self-deletes immediately after launch.
- Although this is not a Windows bot, it still tries not to give itself away on the system unnecessarily: it hides under a system process name and its launch parameters are concealed.
- On every launch all possible server logs are wiped, from .bash_history through to the system logs. Even if the server falls into the wrong hands, nobody will find anything on it.
- The C&C (admin panel) automatically uploads the bot for every attack.
- Small size: under 30 KB.
- Runs on any *nix system (x86, x64).
- HWID protection at bot launch: it only runs with a special key that is unique to each server.
- Communication between the bot and the C&C is encrypted.

----------------------
*UDP DNS module
----------------------
- DNS amplification attack.
- The open-resolver file is loaded into memory in its entirety.
- Attack on random ports.
- Attack on a subnet of any size.
- Attack on any range is possible (example: 1.1.1.1-1.1.23.2).
- Squeezes maximum power out of the dedicated server at low CPU load.
- Simultaneous amplification from different domains is possible.
- Choice of DNS query type for the attack (A/TXT/ANY).
- Selection of specific countries (implemented on the C&C side).
- Multithreaded.

----------------------
*SYN module (Syn-Random, Syn-IP-list, Syn-Country, Syn Amplification (a.k.a. SYN Reflection))
----------------------
- "Perfect" spoofed-SYN flood attack that gets through a great many anti-DDoS protections.
- The SYN packet is !fully! identical to a Windows 7/8 packet.
- Attack on random ports.
- Squeezes maximum power out of the dedicated server at low CPU load.
- Automatic detection of the attacking server's country, attacking only from IP addresses of the country where the server is actually located (Syn-Country flood).
This type of flood helps avoid PPS loss at backbone providers and on the smart routers of some datacenters.
- Attack with source IP addresses spoofed from your own list. Made so that all of those IP addresses will very likely get banned at the anti-DDoS provider.
- SYN (TCP) amplification attack. PPS power can be raised 5x (but the packets lose a little legitimacy, since SYN-ACK/RST will be arriving).
- Selection of specific countries for SYN amplification (implemented on the C&C side).
- Option to add the ACK parameter to the Syn-Random, Syn-IP-list and Syn-Country attacks.
After every SYN a semi-legitimate ACK is sent. Semi-legitimate because the Seq number cannot be guessed; only the Win(dow) can be guessed.
If you combine the different attack types, it completely fries the brains of all sorts of Ciscos and Junipers.
- Multithreaded.

----------------------
*ABUSE module
----------------------
- "Abuse" SYN/ACK flood attack on ports 22/21 with the victim's IP address spoofed as the source.
The idea is that we load large subnets of various datacenters and flood them on ports 22 and 21, putting the victim's address in as the source IP.
That address then gets showered with abuse complaints for SCAN/Bruteforce/DDOS of ports 22 (ssh) and 21 (ftp) at other datacenters. A wide field for experiments, for example loading the subnet of the US Army or the UK Ministry of Defense.

----------------------
*DNS Scanner module
----------------------
- Consists of two threads that run in parallel: one binds to the given port, the other sends DNS queries to potential open resolvers.
- Accepts as lists both a list of IP addresses and a list of subnets of the form 1.1.1.1/24.
- Takes as arguments the domain for the DNS query and the query type.
- Option to set a minimum lower limit on the response size from a DNS open resolver as an argument (for example, do not save open resolvers that reply with fewer than 512 bytes).
- Artificial smart delay for the different scan types (so as not to hit the server's bandwidth limit) and always collect the responses from open resolvers.

----------------------
*SYN Scanner module
----------------------
- Consists of two threads that run in parallel: one binds to the given port, the other sends SYN requests to port 80.
- Accepts as lists both a list of IP addresses and a list of subnets of the form 1.1.1.1/24.
- Option to set a minimum number of responses from servers (for example, do not save servers that replied SYN+ACK fewer than two times).
- Artificial smart delay for the different scan types (so as not to hit the server's bandwidth limit) and always collect the responses from servers.
----------------------
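Seen from the target's side, the three module families above leave distinct fingerprints in flow data: oversized UDP answers from port 53 of many resolvers converging on one host (DNS amplification), many sources that only ever send a SYN and never complete a handshake (spoofed SYN flood), and SYN/ACK or RST replies from ports 21/22 of hosts the victim never contacted (the "abuse" flood bouncing off other datacenters). The following is an added defender-side example, not code from the advertised tool or from the original post; the flow records, IP addresses and thresholds are constructed for the demonstration.

```python
"""Flow-level detection for the traffic patterns described above, seen from
the target's side: DNS amplification (large UDP/53 answers from many open
resolvers converging on one host), spoofed SYN floods (many sources that
only ever send a SYN) and "abuse" backscatter (SYN/ACK or RST replies from
ports 21/22 of many hosts that the victim never contacted).
Records, thresholds and addresses are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record; tcp_flags is the union of flags seen in the flow."""
    proto: str          # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int
    tcp_flags: str = ""  # letters from "SAR" (SYN, ACK, RST); empty for UDP


# Thresholds chosen for the constructed sample, not tuned for production.
MIN_SOURCES = 5                # distinct sources before a pattern is reported
DNS_AMP_MIN_AVG_BYTES = 512    # avg bytes/packet typical of ANY/TXT answers
BACKSCATTER_PORTS = {21, 22}   # the ports the "abuse" module targets


def detect(flows):
    """Return sorted (kind, victim_ip, distinct_sources) tuples."""
    # Handshakes the monitored hosts started themselves; replies to these are solicited.
    outbound_syn = {(f.src_ip, f.dst_ip, f.dst_port)
                    for f in flows if f.proto == "tcp" and set(f.tcp_flags) == {"S"}}
    dns_src, syn_src, bs_src = defaultdict(set), defaultdict(set), defaultdict(set)
    for f in flows:
        avg = f.bytes / f.packets if f.packets else 0
        flags = set(f.tcp_flags)
        if f.proto == "udp" and f.src_port == 53 and avg >= DNS_AMP_MIN_AVG_BYTES:
            dns_src[f.dst_ip].add(f.src_ip)        # oversized DNS answer
        elif f.proto == "tcp" and flags == {"S"}:
            syn_src[f.dst_ip].add(f.src_ip)        # SYN that never completed
        elif (f.proto == "tcp" and f.src_port in BACKSCATTER_PORTS
              and flags in ({"S", "A"}, {"R", "A"}, {"R"})
              and (f.dst_ip, f.src_ip, f.src_port) not in outbound_syn):
            bs_src[f.dst_ip].add(f.src_ip)         # unsolicited reply: our address was spoofed
    alerts = []
    for kind, table in (("dns_amplification", dns_src),
                        ("syn_flood", syn_src),
                        ("abuse_backscatter", bs_src)):
        for victim, sources in table.items():
            if len(sources) >= MIN_SOURCES:
                alerts.append((kind, victim, len(sources)))
    return sorted(alerts)


# Constructed sample: documentation-range addresses only.
SAMPLE_FLOWS = (
    # six open resolvers returning large answers to one host (random dst ports)
    [Flow("udp", f"192.0.2.{i}", 53, "203.0.113.10", 4000 + i, 3, 3600) for i in range(1, 7)]
    # one ordinary small DNS answer to a different host
    + [Flow("udp", "192.0.2.53", 53, "203.0.113.20", 51000, 1, 120)]
    # eight single-SYN sources against port 80 of the same victim
    + [Flow("tcp", f"198.51.100.{i}", 1024 + i, "203.0.113.10", 80, 1, 60, "S") for i in range(1, 9)]
    # a legitimate SSH attempt: our host sends SYN, the peer answers SYN/ACK
    + [Flow("tcp", "203.0.113.20", 40001, "198.51.100.50", 22, 1, 60, "S"),
       Flow("tcp", "198.51.100.50", 22, "203.0.113.20", 40001, 1, 60, "SA")]
    # six hosts answering SYN/ACK from port 22 to a host that never contacted them
    + [Flow("tcp", f"198.51.100.{i}", 22, "203.0.113.30", 5000 + i, 1, 60, "SA") for i in range(60, 66)]
)


def run_sample():
    """Run the detector over the constructed flows."""
    return detect(SAMPLE_FLOWS)


if __name__ == "__main__":
    for kind, victim, n in run_sample():
        print(f"{kind}: {victim} from {n} distinct sources")
```

The backscatter rule is what distinguishes a real scan from the ad's abuse flood: replies from port 21/22 are only suspicious when no matching outbound SYN exists, which is exactly the evidence an abuse desk should ask for before acting on a complaint. The SYN rule keys on flows whose only flag is SYN, so a busy but healthy web server (flows carrying SYN and ACK) is not flagged.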

All control of the bot is done through the web admin panel; the panel is fully multithreaded, web 2.0, ajax, jquery, and all server statuses are updated via ajax. All of this and the other bits work intuitively.

The full package of all this goodness costs 2500 USD.
Payment in webmoney or bitcoin.

Wednesday, 6 November 2013

Card Shop Advertisement


Stolen card shop advertisement on an underground forum.

Wednesday, 11 September 2013

Chinese Threat Actor Part 7

According to the HTRAN report published by Dell SecureWorks, gxdet.com is one of the command and control domains used by the threat actor.

http://www.secureworks.com/cyber-threat-intelligence/threats/htran/


conn.gxdet.com - 112.64.213.249:443

ddbb.gxdet.com - 112.64.213.249:443


Other subdomains associated with the domain gxdet.com

*.gxdet.com
bbs.gxdet.com
conn.gxdet.com
db.gxdet.com
ddbb.gxdet.com
home.gxdet.com
info.gxdet.com
mail.gxdet.com
mailsrv.gxdet.com
news.gxdet.com
soft.gxdet.com
sports.gxdet.com
tcp.gxdet.com
tech.gxdet.com
webmail.gxdet.com
www.gxdet.com

WHOIS


Domain:    gxdet.com - Whois History
Cache Date:    2010-02-11
Registrar:    ENOM, INC.
Server:    whois.enom.com
Created:    2008-07-14
Updated:    2008-07-18
Expires:    2010-07-14

Reverse Whois: email addresses found in this whois record: xixipai@hotmail.com, 20051xue@sina.com

Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com
   
Domain name: gxdet.com

Registrant Contact:
   Zhang san
   Zhang San ()
      Fax:
   beijing
   beijing, Beijing 100000
   CN

Administrative Contact:
   Zhang san
   Zhang San (20051xue@sina.com)
   +86.1033333333
   Fax: +86.1044444444
   beijing
   beijing, Beijing 100000
   CN

Technical Contact:
   Zhang san
   Zhang San (20051xue@sina.com)
   +86.1033333333
   Fax: +86.1044444444
   beijing
   beijing, Beijing 100000
   CN

Status: Locked

Name Servers:

   dns1.name-services.com
   dns2.name-services.com
   dns3.name-services.com
   dns4.name-services.com
   dns5.name-services.com


In March 2010 the threat actor noticed his mistake of having used his personal email for the domain registration and changed the registrant email to henfinder@gmail.com.

July 2008 - Feb 2010   Zhang San (20051xue@sina.com)

Mar 2010 - July 2010   Tom Hanson (henfinder@gmail.com)



Actor Attribution

The Sina email "20051xue@sina.com" is also the registrant email of a Sina community account, from which the registrant posted on a tech forum, a video site, an astrology forum and finally a microblog where he posted his picture.

http://blog.sina.com.cn/u/1145193935


http://club.tech.sina.com.cn/default.php?s=user&a=profile&uid=1145193935



Sina Video




http://club.astro.sina.com.cn/thread-171861-1-1.html



20051xue   Newbie   Posted: 2005-07-26 11:31
Post 39   Posts: 0   Joined: 2005-3-8

Of course!
Sign this thing is not allowed, but every time I look up, never really had. Anyway, my wife is a lion (818), I am Capricorn (107); the two married four years, and loving too, we almost never fight. In the compound where I live, people recognize that we are the most loving couple.

The most interesting part is his Weibo microblog, where he mentions that he is an alumnus of Tsinghua University and follows them, was born on January 7, 1974 (Capricorn) and lives in Haidian District, Beijing.



http://weibo.com/1145193935/

Basic information

Nickname - Riding a white deer visit mountains

Location - Haidian District, Beijing

Gender - Male

Birthday - January 7, 1974, Capricorn

Job Information

Education Information -  Tsinghua University


20051xue uses a Samsung Galaxy S III Android phone and posted a picture of his daughter. The geolocation recorded in the picture was Han Jiachuan Road, Haidian District, Beijing.


He posted his personal picture in the album.




Saturday, 20 April 2013

Sakura Exploit Pack

(Cross posted from Underground Forum)

Intro: One could say the pack has successfully stood the test of time and proven its competitiveness and its right to exist.
I am sure many will find it to their taste. Welcome to the Sakura project!

Current version 1.1

The pack currently includes:
- Java Rhino
- Java Obe
- Pdf Libtiff

Changes:
- Additional exploit protection mechanisms introduced
- Added a module for checking the domain/IP against blacklists
- Added a list of user agents of the main bots
- Added the option to set a backlink (404 error by default) for traffic that was not exploited
- Mac and Linux traffic and the Google Chrome browser are treated as non-unique traffic by default.


Capabilities:
- Statistics by country/source/browser/OS version
- Support for streams with different settings
- Rebuilding the pack for a new IP/domain through the admin panel

Price:
- $2000/month for streams of <100k traffic per day. For larger streams the price is negotiated separately.
- Or for 30% of the US, CA, UK, AU traffic at streams of >50k per day.
The pack itself is provided free of charge! You are not buying a licence.

What you pay for:
1) Cleaning: constant cleaning. My main task is to keep it constantly clean.
You will not have to worry about this; I check several times a day myself and automatically upload to your server when it gets detected.
2) Updates
3) Writing any modules or functionality you need

Pack particulars:
The pack is installed on your server.

Working hours:
- Mon-Fri 10:00-19:00 (Moscow time)
- days off: Saturday, Sunday.

Screens

Detailed Screens

http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html

Styx Exploit Pack



(Cross posted from Underground forum )

Styx Sploit Pack

Gentlemen, it's time to announce a new next generation product for your viewing pleasure: Styx Vulnerability Browser Stress Test Platform 2.0.

Our team worked hard for around three years to make a quality product which will be trustful for any person. Also we made deep testing, so this product is already tested with our crypt.

Possibilities:

Updating via GIT from the master-server twice a day with any detect of any sploit;
No domains binding: you can specify any number of domains without rebuild;
There are no restrictions on traffic. Flow as much traffic as your channels and the server hardware can handle; traffic must flow.
Speed. The product is able to handle as many connections as your MIPS processor.
Working with sub accounts: you can split any traffic flows to different sub accounts, share files and watch for the most quality traffic;
Flexible statistics: we use MongoDB (NoSQL-stores) on each sub account, browsers, country, operating system, time;
Two variants of rent: you can use the product on your servers or on our server;
Package. Deployment on your server with one script will take around two minutes.
Dynamic URL Flow link generation. Each link on which traffic flows is unique. This way makes a lack of possibility to detect the URL by the signature. Only domain.
Support for downloading files from a remote host. You can upload files to your sub account remotely.
Having a flexible API for all types of operations: each operation, which is available through the administrative interface is a command, and it's repeated by the API;
Checking the IP / Domain to the presence of black-lists through friendly service GhostBusters;
Quiet operation: like falling from a tree sakura flower, all the product is quiet;

Frequently asked questions:

Q: WTF Styx Sploit Pack?

A: This is a modern new generation exploit pack written by Styx team from scratch. It has been tested on huge traffic: 500К - 2КК in last 1,5 years.

Q: What's the differences between Styx Sploit Pack and BH, Phoenix, Sakura?

A: Our product is much more professional than other products: we wrote all exploits from scratch, we don't need rebuilds, we have really rapid product cleaning on demand, we have good support, also we have a ticket system and an 'All inclusive' package which includes everything: setup, cleaning, support, consulting.

We don't have a term 'rebuild for a new domain', 'how much is FUD', and 'when it will be FUD?' Paid once a month you will have stable and professional work all time you use the product and it will fully satisfy you.

Q: What exploits are included to package?

A: Java, PDF, Adobe Flash and their derivatives.

Q: What's the % hit, where can I see stats?

A: Stats really depends on traffic. This means that all people showing stats are cheaters and cheating all newbies because it's no way to make real life stats like that on pictures.

We will not fool you with stats pictures and huge numbers but the truth is out there (: -- our % hit and stats is better than any product which is available in market at this time. We have from 1 to 10% more but it only depends on traffic.

Q: What's the guaranteed support time and reaction?

A: Support is available in two modes: ticket system and realtime (jabber, online). You will have full 24x7 support all paid time.

Q: What will I get for this money?

A: You will get the product, installed to your server, setup to work with TDS and consulting and cleaning for 1 month. We don't have to 'rebuild for a new domain', our product works fine without any rebuilds, you just have to specify paths in settings. Guaranteed clean time is two hours from alert. In this way you will have a full freedom: you don't need to wait for anybody to rebuild or clean, exploit pack works with any your domains and server demands are low.

We think these arguments are enough to explain quality and price for private customers.

Q: How much does it cost?

A: $3000 per month.

Q: Can I buy sources?

A: No. (=

Q: What are hardware requirements?

A: They are fully democratic: we need only 512Mb RAM and 100Mbit channel to work comfortably. We also demand good OS installed to server: we don't support Windows or any *BSD.

Q: What about domains? How can I see if it's in stop-list?

A: We recommend you to use Ghost Busters or CHK4ME services for that: write a simple script and set it up in cron every 1/2 hour.

Q: TDS? What TDS do you support and what TDS are compatible?

A: Any adequate TDS. We recommend you to use Sutra.

Q: Are your sploits packed?

A: Each exploit is cyphered and obfuscated from AVs at our service Styx Crypt.

Q: Is there browser fall down?

A: We have a small % of browser fall down so it can be ignored at all because it only depends on user's OS and browser version installed, so just ignore them.

Q: Is Chrome hit?

A: No.

Q: Can I make a test?

A: Yes.

Q: What are test demands for me?

A: You should provide us abuse-immunity server with root access with OS Linux installed (Debian is preferred), installed TDS (to filter unused traffic: mobile useragents, Mac, Linux, Chrome), you should provide us FUD EXE to be loaded from pack (no detections at all with size < 4Mb) and a clean domain.

Q: What should I get from the test?

A: We will provide a full URL (from your domain) to allow you to 'make the spice flow (:' - to put traffic there. Two hours will be enough to let you see the % hit. The EXE you provided will be loaded and you can check knocks from it. It's clear to understand that the % hit fully depends on traffic quality, so we will not accept any complaint about it.

Q: Which language is sploit-pack written?

A: Usermode is written in PHP5, but the exploit code and generator - that is no matter for you.

Q: What database do you use?

A: We use last MySQL version.

Q: So what is real hit percentage?

A: You can see it by yourself by requesting a test. We will not fool you by specifying huge numbers like «35%» and / or «right 2% higher than BH». Anyone who once tried to compare sploit packs knows what a hellish job this is: you need to have perfectly ideal traffic, the same servers must work in absolutely the same mode and so on. In real life quality can be determined by only one parameter: by testing. Of course this depends on your traffic.

Q: So why are you better? For what do I pay money?

A: First, by hit percentage. Second, by a flexible integrated system which can be used in any huge infrastructure. Our product is flexible and scalable, and these features are sometimes used by different partnership programs. This flexibility allows you to work with more clients on the same server than BH due to reduced file sizes and due to no PHP obfuscation. Third, updates, support and cleaning. You don't have to pay for «domain switching / rebuilding» and «cleaning». We will just update the pack on the server. Fourth, all new sploits are always included in the pack first, right after all tests have passed on all browsers and OSes with all SPs. We don't search for any public sploits; we research by ourselves and in some cases we buy technologies. So you see that this is - Perpetuum Mobile, but in some cases Perfectum Mobile.

Wednesday, 6 March 2013

Chinese Threat Actor Part 6


APT Malware reported on 2012-05-24

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~PWS-BXJ/detailed-analysis.aspx

www.wmicrosoftw3.com

Whois

Domain Name ..................... WMICROSOFTW3.COM
Name Server ..................... dns27.hichina.com
                                            dns28.hichina.com
Registrant ID ................... hc354172142-cn
Registrant Name ................. li gang
Registrant Organization ......... ligang
Registrant Address .............. beijingchaiyangshuangjing
Registrant City ................. bei jing shi
Registrant Province/State ....... bei jing
Registrant Postal Code .......... 100001
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.01052636523 -
Registrant Fax .................. +86.01095236325 -
Registrant Email ................  pksslxc@gmail.com

pksslxc@gmail.com is also the registrant of many other espionage domains.
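The pivot used in this post and in Part 7 is the same in both cases: pull every contact email out of a WHOIS record and group domains by that email. The two records quoted on this page use different layouts (the enom history record for gxdet.com is "Key: value" with indented name-server lines; the hichina record above is "Key ....... value" with a continuation line carrying only the second name server). The following is an added analyst example, not code from the original post; the two sample records, their domains, names and email addresses are constructed placeholders, and the parser only claims to handle the two layouts shown on this page.

```python
"""Parse the two WHOIS layouts quoted on this page and pivot domains by
contact email. Handles "Key: value" records (the enom history record) and
"Key ....... value" records (the hichina record), plus continuation lines
that carry only a name server. All sample data below is constructed."""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# A field is a letters-only key followed by ':' or a run of dots, then the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*(?::|\.{3,})\s*(.*?)\s*$")
# A bare hostname line, used for name-server continuation lines.
NS_LINE_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def parse_whois(text):
    """Return {'domain', 'emails', 'name_servers', 'fields'} for one record."""
    rec = {"domain": None, "emails": set(), "name_servers": [], "fields": {}}
    in_ns = False
    for raw in text.splitlines():
        line = raw.strip()
        for email in EMAIL_RE.findall(line):   # emails also hide in "Name (email)" lines
            rec["emails"].add(email.lower())
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2)
            in_ns = key.startswith("name server")
            if in_ns:
                if value:
                    rec["name_servers"].append(value.lower())
            elif key in ("domain", "domain name") and value:
                rec["domain"] = value.split()[0].lower()   # drop "- Whois History" suffix
            elif value:
                rec["fields"][key] = value
        elif in_ns and NS_LINE_RE.match(line):
            rec["name_servers"].append(line.lower())       # indented continuation line
        elif line:
            in_ns = False                                  # any other text ends the NS list
    return rec


def pivot_by_email(records):
    """Map each email found in any record to the sorted list of domains it appears on."""
    table = defaultdict(set)
    for rec in records:
        for email in rec["emails"]:
            table[email].add(rec["domain"])
    return {email: sorted(domains) for email, domains in table.items()}


# Constructed sample records in the two layouts quoted on the page.
ENOM_STYLE = """Domain:    example-one.com - Whois History
Cache Date:    2010-02-11
Registrar:    ENOM, INC.
Created:    2008-07-14
Updated:    2008-07-18

Registration Service Provided By: Example Provider
Contact: provider-contact@example.net

Domain name: example-one.com

Registrant Contact:
   J. Doe
   J. Doe ()
      Fax:
   CN

Administrative Contact:
   J. Doe
   J. Doe (registrant-a@example.net)
   +86.1000000000
   Fax: +86.1000000001
   CN

Status: Locked

Name Servers:

   dns1.name-services.example
   dns2.name-services.example
"""

HICHINA_STYLE = """Domain Name ..................... EXAMPLE-TWO.COM
Name Server ..................... dns1.hichina.example
                                  dns2.hichina.example
Registrant ID ................... hc000000000-cn
Registrant Name ................. J. Doe
Registrant Country Code ......... CN
Registrant Email ................  registrant-a@example.net
"""


def run_sample():
    """Parse both constructed records and pivot them by email."""
    records = [parse_whois(ENOM_STYLE), parse_whois(HICHINA_STYLE)]
    return records, pivot_by_email(records)


if __name__ == "__main__":
    _, pivot = run_sample()
    for email, domains in sorted(pivot.items()):
        print(email, "->", ", ".join(domains))
```

The email regex runs over every line, not just labelled fields, because in the enom layout the contact email is tucked into a "Name (email)" line with no key at all; that is precisely the field that later links gxdet.com to the forum accounts in Part 7.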


Actor Attribution


pksslxc@gmail.com is also the registrant email on many Chinese boards. On his Baidu profile he mentioned that his areas of expertise are Computers / Network and Military, but after the Bloomberg and Mandiant reports he removed that information.


6Sanya

http://www.6sanya.com/show.php?t_766_72_82125




http://www.tianya.cn/techforum/content/766/72/82125.shtml  ( Cache)

7140# Author: pksslxc   Reply date: 2012-3-19 23:12:00    pksslxc@gmail.com


http://www.baidu.com/p/pksslxc

http://www.baidu.com/p/pksslxc/detail

擅长领域: 电脑/网络 军事 (Areas of expertise: Computer/Network, Military)

Male,  Area of expertise - Computer / Network Military

(Now the profile details are changed)



CSDN Profile

http://blog.csdn.net/pksslxc



51CTO Blog

http://3239647.blog.51cto.com




Tianya Board

http://www.tianya.cn/65799758


Wednesday, 20 February 2013

Chinese Threat Actor Part 5

Follow up on Mandiant report

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Mandiant Report

"Once again, in tracking SH we are fortunate to have access to the accounts disclosed from rootkit.com. The rootkit.com account “SuperHard_M” was originally registered from the IP address 58.247.237.4, within one of the known APT1 egress ranges, and using the email address “mei_qiang_82@sohu.com”. We have observed the DOTA persona emailing someone with the username mei_qiang_82. The name “Mei Qiang” (梅强) is a reasonably common Chinese last/first name combination. Additionally, it is a common practice for Chinese netizens to append the last two digits of their birth year, suggesting that SuperHard is in fact Mei Qiang and was born in 1982. Unfortunately, there are several “Mei Qiang” identities online that claim a birth year of 1982, making attribution to an individual difficult."

One of the threat actors identified by Mandiant is "SuperHard_M". His name is Mei Qiang and his email is "mei_qiang_82@sohu.com".

Attribution

Rootkit database

(32261,'SuperHard_M','bf787577ff656cde5b5d1f8236a75d2a','mei','mei_qiang_82@sohu.com',1,1130405749,'','','','','','',1,'','',1267772902,'58.247.237.4',0,0,0,1267772654,0,0,0,'','','','','',800,'')

IP Address 58.247.237.4 -  CHINA, SHANGHAI, SHANGHAI

This email is also the registrant email at the kaixin001 social network.

http://www.kaixin001.com/home/13874928.html

Full Name -  Mei Xiao Qiang ( 梅小强 ), Living in Shanghai




Tianya Chinese Board

mei_qiang_82@sohu.com is also the registrant email on the Tianya Chinese board, but the name linked to this email address is "2005_9_24". The profile says he is male, living in the city of Zhengzhou, Henan Province, with a date of birth of September 12th, 1982 (Virgo). The profile was registered on 24 Sep 2005, suggesting that he was in Zhengzhou at that time.

http://www.tianya.cn/3963856




Interestingly enough, there is another account on Tianya with the handle "SuperHard_M", which is registered with the email address "mei_qiang_82@hotmail.com".

http://www.tianya.cn/5685768



"mei_qiang_82@hotmail.com" is also the registrant email at kaixin social network but the profile is deleted now and we know why :)

A search on mei_qiang_82@hotmail.com reveals that he was aged 24 in 2005, which means he is 31 years old now.
He was living in Zhengzhou, Henan Province, during 2005. In a job profile he mentions that his interests are network security and developing hacking tools.

http://www.sxsoft.com/index.php/it/employee/show/2331

Name: SuperHard_M
Gender: Male
Age: 24
Education: Masters
Tel: 13503456644
Contact Address: Henan Zhengzhou 1001 mailbox 774
PostalCode: 450002
E-mail: mei_qiang_82@hotmail.com
Date: 2005-11-28 08:50:40
Published Username:  SuperHard_M


The mailbox address "1001 mailbox 774, Zhengzhou city, Henan Province" belongs to the well-known PLA Information Engineering University, which implies he was a student at PLAIEU.

Mei Qiang published two journal articles together with Zhu Yue-Fei on HTTP session hijacking on a switched LAN, man-in-the-middle (MITM) and ARP spoofing. It is important to note that Zhu Yue-Fei also published articles with Zhang Chang-he.

http://www.cdblp.cn/namedisambiguation/%E6%A2%85%E5%BC%BA/%E4%BF%A1%E6%81%AF%E5%B7%A5%E7%A8%8B%E5%A4%A7%E5%AD%A6/32123.html



(Credit goes to Tommy for the Journal link)

Read online

http://www.docin.com/p-53977513.html


SuperHard_M profiles on Chinese boards


Weibo Profile 

Lives in Shanghai Pudong area



T QQ Profile

Lives in Shanghai Pudong area and Virgo




http://www.douban.com/people/SuperHard_M/




Wolf's World

http://superhard.blog.sohu.com




http://www.pinglunjuhe.com/pinglun/1009858.aspx?bt=3



Another possible email of SuperHard is mei_qiang_82@163.com.

Update

A few hours after this blog post was published, Mei Qiang's Kaixin profile was deleted and the sxsoft profile details were changed.