Category: Hackforums

Nov 21 2017

Krebs on Security 2017-11-21 09:11:31

KrebsOnSecurity recently featured a story about a New Mexico man who stands accused of using the now-defunct vDOS attack-for-hire service to hobble the Web sites of several former employers. That piece stated that I wasn’t aware of any other prosecutions related to vDOS customers, but as it happens there was a prosecution in the United Kingdom earlier this year of a man who’s admitted to both using and helping to administer vDOS. Here’s a look at some open-source clues that may have led to the U.K. man’s arrest.

Jack Chappell, outside of a court hearing in the U.K. earlier this year.

In early July 2017, the West Midlands Police in the U.K. arrested 19-year-old Stockport resident Jack Chappell and charged him with aiding the vDOS co-founders — two Israeli men who were arrested late year and charged with running the service.

Until its demise in September 2016, vDOS was by far the most popular and powerful attack-for-hire service, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most Web sites offline. vDOS made more than $600,000 in just two of the four years it was in operation, launching more than 150,000 attacks against thousands of victims (including this site).

For his part, Chappell was charged with assisting in attacks against Web sites for some of the world’s largest companies, including Amazon, BBC, BT, Netflix, T-Mobile, Virgin Media, and Vodafone, between May 1, 2015 and April 30, 2016.

At the end of July 2017, Chappell pleaded guilty to those allegations, as well as charges of helping vDOS launder money from customers wishing to pay for attacks with PayPal accounts.

A big factor in that plea was the leak of the vDOS attacks, customer support and payments databases to this author and to U.S. law enforcement officials in the fall of 2016. Those databases provided extremely detailed information about co-conspirators, paying customers and victims.

But as with many other cybercrime investigations, the perpetrator in this case appears to have been caught thanks to a combination of several all-too-common factors, including password re-use, an active presence on the sprawling English-language hacking community Hackforums, and domain names registered in his real name. In combination, these clues provide a crucial bridge between Chappell’s online and real-world identities.

A simple search at domaintools.com for the name Jack Chappell and “UK” returns a handful of results, including the domain fractal[dot]hf. That domain was registered in June 2015 to a Jack Chappell in Stockport, using the email address me@jackchappell.co[dot]uk [full disclosure: Domaintools is an advertiser on this site].

Neither domain is online anymore, but a Google search on fractal[dot]hf reveals several mentions of this site on Hackforums — a sprawling English-language forum that until very recently hosted the most bustling open-air market for competing attack-for-hire services.

According to a review of those Hackforums postings, fractal[dot]hf was a free service that allowed users to test the size and impact of any DDoS attack tool — displaying detailed graphs showing how much data a given attack tool could hurl at an intended target. Multiple forum members told interested users that fractal[dot]hf was owned and operated by a friendly and helpful Hackforums user named Fractal.

A screenshot of the user Fractal advertising his service for measuring the size of attacks. Fractal posted this graphic to illustrate the power of an IRC-based botnet that was being sold on Hackforums in mid-2015.

Perhaps unsurprisingly, there was a very active user on vDOS who went by the same Fractal nickname, using the password “HelloWorld1998” and email address smellyjelly01@gmail.com.

The above-mentioned domain Jackchappell.co[dot]uk appears in the leaked vDOS payments database, which states that a PayPal account tied to the email address “paypal@jackchappell.co[dot]uk” was one of several PayPal accounts used to launder customer payments for online attacks.

As noted in my June 2017 piece Following the Money Hobbled vDOS Attack-for-Hire Service, vDOS was forced to round-robin customer PayPal payments through a series of accounts after academic researchers began signing up for a variety of attack-for-hire services (including vDOS) and then reporting to PayPal the email addresses tied to accounts being used to receive payments.

The paypal@jackchappell.co[dot]uk address was linked to a vDOS user account called “portalKiller” which used the password “HelloWorld8991.” Note that this password is very similar to the one used by the vDOS user Fractal — only the numbers at the end of the password have been reversed (1998/8991).

Portalkiller changed his password several times during his time on vDOS, and one of the passwords he used was “Smith8991.” An Internet search on this password turns up an account in the user database that was hacked and posted online from a similar attack-for-hire service previously run by a hacker group known as the Lizard Squad. The email address tied to that account? Smellyjelly01@gmail.com.

From reviewing Fractal’s posts and reputation on Hackforums it appears that on Dec. 28, 2015 his account received praise and positive reputation points (similar to eBay’s user “feedback” system) from M30w and AppleJ4ck, the nicknames used by the alleged co-founders of vDOS.

Positive reputation points awarded to Chappell by the co-owners of vDOS, who used the aliases “M30W” and “AppleJ4ck.”

Comments in the leaked vDOS databases also suggest Chappell was for a time one of several trusted administrators and/or support personnel of the service. vDOS routinely banned accounts for members who shared their logins, or who logged on via virtual private network (VPN) services to anonymize their connections, but many members ignored this advice.

For example, in one support ticket dated March 13, 2016, a vDOS subscriber named “Bears” who had his account banned pleaded with the administrators to reactivate (or “unban”) his account.

“Hi jeremy pls unban hi p1st i love you hi AJ i love you hi fractal i love you hi whoever else is support is swagdaddy still support?” Bears pleads.

Ironically, both of Chappell’s accounts on vDOS — Fractal and portalKiller — were ultimately banned, the latter supposedly for flouting vDOS’s no-VPN restrictions. In one customer support ticket, portalKiller explains the reason for his use of a VPN: He routinely used a VPN so that he could tunnel his connection to the United States and watch the U.S. catalog of Netflix videos.

“Account Banned’,85801,’portalKiller’,’Hi, My account was banned a couple of days ago for logging in from a VPN. Let me explain, the 82.132.234.244 IP is not a VPN it is my mobile provider (O2), which is not a proxy/VPN. The second IP was a mistake I made, I logged out and logged back in from my normal IP (81.103.71.50) after I noticed my VPN was on (I use it for Netflix). I really want you to re-consider my ban. Thanks, portalKiller.”

Fractal also was eventually banned from using vDOS, although it’s less clear why that account was banished. Perhaps Chappell no longer offered the ability to help the other vDOS administrators launder funds, or maybe he had a falling out with M30W/p1st and AppleJ4ck.

Chappell did not respond to requests for comment. His sentencing has been delayed several times since his guilty plea; it is currently slated for December 2017.

Chappell’s guilty plea reminds me that there are many others who helped launder funds for vDOS that are in all likelihood similarly exposed. Stay tuned for more updates on that front.

Sep 05 2017

Krebs on Security 2017-09-05 06:50:03

In early August 2017, FBI agents in Las Vegas arrested 23-year-old British security researcher Marcus Hutchins on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. Hutchins was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

Relatively few knew it before his arrest, but Hutchins has for many years authored the popular cybersecurity blog MalwareTech. When this fact became more widely known — combined with his hero status for halting Wannacry — a great many MalwareTech readers quickly leapt to his defense to denounce his arrest. They reasoned that the government’s case was built on flimsy and scant evidence, noting that Hutchins has worked tirelessly to expose cybercriminals and their malicious tools. To date, some 226 supporters have donated more than $14,000 to his defense fund.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

At first, I did not believe the charges against Hutchins would hold up under scrutiny. But as I began to dig deeper into the history tied to dozens of hacker forum pseudonyms, email addresses and domains he apparently used over the past decade, a very different picture began to emerge.

In this post, I will attempt to describe and illustrate more than three weeks’ worth of connecting the dots from what appear to be Hutchins’ earliest hacker forum accounts to his real-life identity. The clues suggest that Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.

GH0STHOSTING/IARKEY

I began this investigation with a simple search of domain name registration records at domaintools.com [full disclosure: Domain Tools recently was an advertiser on this site]. A search for “Marcus Hutchins” turned up a half dozen domains registered to a U.K. resident by the same name who supplied the email address “surfallday2day@hotmail.co.uk.”

One of those domains — Gh0sthosting[dot]com (the third character in that domain is a zero) — corresponds to a hosting service that was advertised and sold circa 2009-2010 on Hackforums[dot]net, a massively popular forum overrun with young, impressionable men who desperately wish to be elite coders or hackers (or at least recognized as such by their peers).

The surfallday2day@hotmail.co.uk address tied to Gh0sthosting’s initial domain registration records also was used to register a Skype account named Iarkey that listed its alias as “Marcus.” A Twitter account registered in 2009 under the nickname “Iarkey” points to Gh0sthosting[dot]com.

Gh0sthosting was sold by a Hackforums user who used the same Iarkey nickname, and in 2009 Iarkey told fellow Hackforums users in a sales thread for his business that Gh0sthosting was “mainly for blackhats wanting to phish.” In a separate post just a few days apart from that sales thread, Iarkey responds that he is “only 15” years old, and in another he confirms that his email address is surfallday2day@hotmail.co.uk.

daloseronly15

A review of the historic reputation tied to the Gh0sthosting domain suggests that at least some customers took Iarkey up on his offer: Malwaredomainlist.com, for example, shows that around this same time in 2009 Gh0sthosting was observed hosting plenty of malware, including trojan horse programs, phishing pages and malware exploits.

A “reverse WHOIS” search at Domaintools.com shows that Iarkey’s surfallday2day email address was used initially to register several other domains, including uploadwith[dot]us and thecodebases[dot]com.

Shortly after registering Gh0sthosting and other domains tied to his surfallday2day@hotmail.co.uk address, Iarkey evidently thought better of including his real name and email address in his domain name registration records. Thecodebases[dot]com, for example, changed its WHOIS ownership to a “James Green” in the U.K., and switched the email to “herpderpderp2@hotmail.co.uk.”

A reverse WHOIS lookup at domaintools.com for that email address shows it was used to register a Hackforums parody (or phishing?) site called Heckforums[dot]net. The domain records showed this address was tied to a Hackforums clique called “Atthackers.” The records also listed a Michael Chanata from Florida as the owner. We’ll come back to Michael Chanata and Atthackers at the end of this post.

DA LOSER/FLIPERTYJOPKINS

As early as 2009, Iarkey was outed several times on Hackforums as being Marcus Hutchins from the United Kingdom. In most of those instances he makes no effort to deny the association — and in a handful of posts he laments that fellow members felt the need to “dox” him by posting his real address and name in the hacking forum for all to see.

Iarkey, like many other extremely active Hackforums users, changed his nickname on the forum constantly, and two of his early nicknames on Hackforums around 2009 were “Flipertyjopkins” and “Da Loser“.

Hackforums user “Da Loser” is doxed by another member.

Happily, Hackforums has a useful feature that allows anyone willing to take the time to dig through a user’s postings to learn when and if that user was previously tied to another account.

This is especially evident in multi-page Hackforums discussion threads that span many days or weeks: If a user changes his nickname during that time, the forum is set up so that it includes the user’s most previous nickname in any replies that quote the original nickname — ostensibly so that users can follow along with who’s who and who said what to whom.

In the screen shot below, for instance, we can see one of Hutchins’ earliest accounts — Da Loser — being quoted under his Flipertyjopkins nickname.

A screen shot showing Hackforums’ tendency to note when users switch between different usernames.

Both the Da Loser and Flipertyjopkins identities on Hackforums referenced the same domains in 2009 as theirs — Gh0sthosting — as well as another domain called “hackblack.co[dot]uk.” Da Loser references the hackblack domain as the place where other Hackforums users can download “the sourcecode of my IE/MSN messenger password stealer (aka M_Stealer).”

In another post, Da Loser brags about how his password stealing program goes undetected by multiple antivirus scanners, pointing to a (now deleted) screenshot at a Photobucket account for a “flipertyjopkins”:

Another screenshot from Da Loser’s postings in June 2009 shows him advertising the Hackblack domain and the Surfallday2day@hotmail.co.uk address:

Hackforums user “Da Loser” advertises his “Hackblack” hosting and points to the surfallday2day email address.

An Internet search for this Hackblack domain reveals a thread on the Web hosting forum MyBB started by a user Flipertyjopkins, who asks other members for help configuring his site, which he lists as http://hackblack.freehost10[dot]com.

A user named Flipertyjopkins asks for help for his domain, hackblack.freehost10[dot]com.

Poking around the Web for these nicknames and domains turned up a Youtube user account named Flipertyjopkins that includes several videos uploaded 7-8 years ago that instruct viewers on how to use various types of password-stealing malware. In one of the videos — titled “Hotmail cracker v1.3” — Flipertyjopkins narrates how to use a piece of malware by the same name to steal passwords from unsuspecting victims.

Approximately two minutes and 48 seconds into the video, we can briefly see an MSN Messenger chat window shown behind the Microsoft Notepad application he is using to narrate the video. The video clearly shows that the MSN Messenger client is logged in to with the address “hutchins22@hotmail.com.”

The email address “hutchins22@hotmail.com” can be seen briefly in the background of this video.

To close out the discussion of Flipertyjopkins, I should note that this email address showed up multiple times in the database leak from Hostinger.co.uk, a British Web hosting company that got hacked in 2015. A copy of that database can be found in several places online, and it shows that one Hostinger customer named Marcus used an account under the email address flipertyjopkins@gmail.com.

According to the leaked user database, the password for that account — “emmy009” — also was used to register two other accounts at Hostinger, including the usernames “hacker” (email address: flipertyjopkins@googlemail.com) and “flipertyjopkins” (email: surfallday2day@hotmail.co.uk).

ELEMENT PRODUCTS/GONE WITH THE WIND

Most of the activities and actions that can be attributed to Iarkey/Flipertyjopkins/Da Loser et. al on Hackforums are fairly small-time  — and hardly rise to the level of coding from scratch a complex banking trojan and selling it to cybercriminals.

However, multiple threads on Hackforums state that Hutchins around 2011-2012 switched to two new nicknames that corresponded to users who were far more heavily involved in coding and selling complex malicious software: “Element Products,” and later, “Gone With The Wind.”

Hackforums’ nickname preservation feature leaves little doubt that the user Element Products at some point in 2012 changed his nickname to Gone With the Wind. However, for almost a week I could not see any signs of a connection between these two accounts and the ones previously and obviously associated with Hutchins (Flipertyjopkins, Iarkey, etc.).

In the meantime, I endeavored to find out as much as possible about Element Products — a suite of software and services including a keystroke logger, a “stresser” or online attack service, as well as a “no-distribute” malware scanner.

Unlike legitimate scanning services such as Virustotal — which scan malicious software against dozens of antivirus tools and then share the output with all participating antivirus companies — no-distribute scanners are made and marketed to malware authors who wish to see how broadly their malware is detected without tipping off the antivirus firms to a new, more stealthy version of the code.

Indeed, Element Scanner — which was sold in subscription packages starting at $40 per month — scanned all customer malware with some 37 different antivirus tools. But according to posts from Gone With the Wind, the scanner merely resold the services of scan4you[dot]net, a multiscanner that was extremely powerful and popular for several years across a variety of underground cybercrime forums.

element

According to a story at Bleepingcomputer.com, scan4you disappeared in July 2017, around the same time that two Latvian men were arrested for running an unnamed no-distribute scanner.

[Side note: Element Scanner was later incorporated as the default scanning application of “Blackshades,” a remote access trojan that was extremely popular on Hackforums for several years until its developers and dozens of customers were arrested in an international law enforcement sting in May 2014. Incidentally, as the story linked in the previous sentence explains, the administrator and owner of Hackforums would play an integral role in setting up many of his forum’s users for the Blackshades sting operation.]

According to one thread on Hackforums, Element Products was sold in 2012 to another Hackforums user named “Dal33t.” This was the nickname used by Ammar Zuberi, a young man from Dubai who — according to this this January 2017 KrebsOnSecurity story — may have been associated with a group of miscreants on Hackforums that specialized in using botnets to take high-profile Web sites offline. Zuberi could not be immediately reached for comment.

I soon discovered that Element Products was by far the least harmful product that this user sold on Hackforums. In a separate thread in 2012, Element Products announces the availability of a new product he had for sale — dubbed the “Ares Form Grabber” — a program that could be used to surreptitiously steal usernames and passwords from victims.

Element Products/Gone With The Wind also advertised himself on Hackforums as an authorized reseller of the infamous exploit kit known as “Blackhole.” Exploit kits are programs made to be stitched into hacked and malicious Web sites so that when visitors browse to the site with outdated and insecure browser plugins the browser is automatically infected with whatever malware the attacker wishes to foist on the victim.

In addition, Element Products ran a “bot shop,” in which he sold access to bots claimed to have enslaved through his own personal use of Blackhole:

Gone With The Wind’s “Bot Shop,” which sold access to computers hacked with the help of the Blackhole exploit kit.

A bit more digging showed that the Element Products user on Hackforums co-sold his wares along with another Hackforums user named “Kill4Joy,” who advertised his contact address as kill4joy@live.com.

Ironically, Hackforums was itself hacked in 2012, and a leaked copy of the user database from that hack shows this Kill4Joy user initially registered on the forum in 2011 with the email address rohang93@live.com.

A reverse WHOIS search at domaintools.com shows that email address was used to register several domain names, including contegoprint.info. The registration records for that domain show that it was registered by a Rohan Gupta from Illinois.

I learned that Gupta is now attending graduate school at the University of Illinois at Urbana-Champaign, where he is studying computer engineering. Reached via telephone, Gupta confirmed that he worked with the Hackforums user Element Products six years ago, but said he only handled sales for the Element Scanner product, which he says was completely legal.

“I was associated with Element Scanner which was non-malicious,” Gupta said. “It wasn’t black hat, and I wasn’t associated with the programming, I just assisted with the sales.”

Gupta said his partner and developer of the software went by the name Michael Chanata and communicated with him via a Skype account registered to the email address atthackers@hotmail.com.

Recall that we heard at the beginning of this story that the name Michael Chanata was tied to Heckforums.net, a domain closely connected to the Iarkey nickname on Hackforums. Curious to see if this Michael Chanata character showed up somewhere on Hackforums, I used the forum’s search function to find out.

The following screenshot from a July 2011 Hackforums thread suggests that Michael Chanata was yet another nickname used by Da Loser, a Hackforums account associated with Marcus Hutchins’ early email addresses and Web sites.

daloser-chanata

Hackforums shows that the user “Da Loser” at the same time used the nickname “Michael Chanata.”

BV1/ORGY

Interesting connections, to be sure, but I wasn’t satisfied with this finding and wanted more conclusive evidence of the supposed link. So I turned to “passive DNS” tools from Farsight Security — which keeps a historic record of which domain names map to which IP addresses.

Using Farsight’s tools, I found that Element Scanner’s various Web sites (elementscanner[dot]com/net/su/ru) were at one point hosted at the Internet address 184.168.88.189 alongside just a handful of other interesting domains, including bigkeshhosting[dot]com and bvnetworks[dot]com.

At first, I didn’t fully recognize the nicknames buried in each of these domains, but a few minutes of searching on Hackforums reminded me that bigkeshhosting[dot]com was a project run by a Hackforums user named “Orgy.”

I originally wrote about Orgy — whose real name is Robert George Danielson — in a 2012 story about a pair of stresser or “booter” (DDoS-for-hire) sites. As noted in that piece, Danielson has had several brushes with the law, including a guilty plea for stealing multiple firearms from the home of a local police chief.

I also learned that the bvnetworks[dot]com domain belonged to Orgy’s good friend and associate on Hackforums — a user who for many years went by the nickname “BV1.” In real life, BV1 is 27-year-old Brendan Johnston, a California man who went to prison in 2014 for his role in selling the Blackshades trojan.

When I discovered the connection to BV1, I searched my inbox for anything related to this nickname. Lo and behold, I found an anonymous tip I’d received through KrebsOnSecurity.com’s contact form in March 2013 which informed me of BV1’s real identity and said he was close friends with Orgy and the Hackforums user Iarkey.

According to this anonymous informant, Iarkey was an administrator of an Internet relay chat (IRC) forum that BV1 and Orgy frequented called irc.voidptr.cz.

“You already know that Orgy is running a new booter, but BV1 claims to have ‘left’ the hacking business because all the information on his family/himself has been leaked on the internet, but that is a lie,” the anonymous tipster wrote. “If you connect to http://irc.voidptr. cz ran by ‘touchme’ aka ‘iarkey’ from hackforums you can usually find both BV1 and Orgy in there.”

TOUCHME/TOUCH MY MALWARE/MAYBE TOUCHME

Until recently, I was unfamiliar with the nickname TouchMe. Naturally, I started digging into Hackforums again. An exhaustive search on the forum shows that TouchMe — and later “Touch Me Maybe” and “Touch My Malware” — were yet other nicknames for the same account.

In a Hackforums post from July 2012, the user Touch Me Maybe pointed to a writeup that he claimed to have authored on his own Web site: touchmymalware.blogspot.com:

The Hackforums user “Touch Me Maybe” seems to refer to his own blog and malware analysis at touchmymalware.blogspot.com, which now redirects to Marcus Hutchins’ blog — Malwaretech.com

If you visit this domain name now, it redirects to Malwaretech.com, which is the same blog that Hutchins was updating for years until his arrest in August.

There are other facts to support a connection between MalwareTech and the IRC forum voidptr.cz: A passive DNS scan for irc.voidptr.cz at Farsight Security shows that at one time the IRC channel was hosted at the Internet address 52.86.95.180 — where it shared space with just one other domain: irc.malwaretech.com.

All of the connections explained in this blog post — and some that weren’t — can be seen in the following mind map that I created with the excellent MindNode Pro for Mac.

A mind map I created to keep track of the myriad data points mentioned in this story. Click the image to enlarge.

Following Hutchins’ arrest, multiple Hackforums members posted what they suspected about his various presences on the forum. In one post from October 2011, Hackforums founder and administrator Jesse “Omniscient” LaBrocca said Iarkey had hundreds of accounts on Hackforums.

In one of the longest threads on Hackforums about Hutchins’ arrest there are several postings from a user named “Previously Known As” who self-identifies in that post and multiple related threads as BV1. In one such post, dated Aug. 7, 2017, BV1 observes that Hutchins failed to successfully separate his online selves from his real life identity.

Brendan “BV1” Johnston says he worried his old friend’s operational security mistakes would one day catch up with him.

“He definitely thought he separated TouchMe/MWT from iarkey/Element,” said BV1. “People warned him, myself included, that people can still connect MWT to iarkey, but he never seemed to care too much. He has so many accounts on HF at this point, I doubt someone will be able to connect all the dots. It sucks that some of the worst accounts have been traced back to him already. He ran a hosting company and a Minecraft server with Orgy and I.”

In a brief interview with KrebsOnSecurity, Brendan “BV1” Johnston said Hutchins was a good friend. Johnston said Hutchins had — like many others who later segued into jobs in the information security industry — initially dabbled in the dark side. But Johnston said his old friend sincerely tried to turn things around in late 2012 — when Gone With the Wind sold most of his coding projects to other Hackforums members and began focusing on blogging about poorly-written malware.

“I feel like I know Marcus better than most people do online, and when I heard about the accusations I was completely shocked,” Johnston said. “He tried for such a long time to steer me down a straight and narrow path that seeing this tied to him didn’t make sense to me at all.”

Let me be clear: I have no information to support the claim that Hutchins authored or sold the Kronos banking trojan. According to the government, Hutchins did so in 2014 on the Dark Web marketplace AlphaBay — which was taken down in July 2017 as part of a coordinated, global law enforcement raid on AlphaBay sellers and buyers alike.

However, the findings in this report suggest that for several years Hutchins enjoyed a fairly successful stint coding malicious software for others, said Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley.

“It appears like Mr. Hutchins had a significant and prosperous blackhat career that he at least mostly gave up in 2013,” Weaver said. “Which might have been forgotten if it wasn’t for the involuntary British press coverage on WannaCry raising his profile and making him out as a ‘hero’.”

Weaver continued:

“I can easily imagine the Feds taking the opportunity to use a penny-ante charge against a known ‘bad guy’ when they can’t charge for more significant crimes,” he said. “But the Feds would have done far less collateral damage if they actually provided a criminal complaint with these sorts of detail rather than a perfunctory indictment.”

Hutchins did not try to hide the fact that he has written and published unique malware strains, which in the United States at least is a form of protected speech.

In December 2014, for example, Hutchins posted to his Github page the source code to TinyXPB, malware he claims to have written that is designed to seize control of a computer so that the malware loads before the operating system can even boot up.

While the publicly available documents related to his case are light on details, it seems clear that prosecutors can make a case against those who attempt to sell malware to cybercriminals — such as on hacker forums like AlphaBay — if they can demonstrate the accused had knowledge and intent that the malware would be used to commit a crime.

The Justice Department’s indictment against Hutchins suggests that the prosecution is relying heavily on the word of an unnamed co-conspirator who became a confidential informant for the government. Update, 9:08 a.m.: Several readers on Twitter disagreed with the previous statement, noting that U.S. prosecutors have said the other unnamed suspect in the Hutchins indictment is still at large.

Original story:

According to a story at BankInfoSecurity, the evidence submitted by prosecutors for the government includes:

  • Statements made by Hutchins after he was arrested.
  • A CD containing two audio recordings from a county jail in Nevada where he was detained by the FBI.
  • 150 pages of Jabber chats between the defendant and an individual.
  • Business records from Apple, Google and Yahoo.
  • Statements (350 pages) by the defendant from another internet forum, which were seized by the government in another district.
  • Three to four samples of malware.
  • A search warrant executed on a third party, which may contain some privileged information.

Hutchins declined to comment for this story, citing his ongoing prosecution. He has pleaded not guilty to all four counts against him, including conspiracy to distribute malicious software with the intent to cause damage to 10 or more affected computers without authorization, and conspiracy to distribute malware designed to intercept protected electronic communications. FBI officials have not yet responded to requests for comment.

Oct 31 2016

Krebs on Security 2016-10-31 13:30:30

Perhaps the most bustling marketplace on the Internet where people can compare and purchase so-called “booter” and “stresser” subscriptions — attack-for-hire services designed to knock Web sites offline — announced last week that it has permanently banned the sale and advertising of these services.

On Friday, Oct. 28, Jesse LaBrocca — the administrator of the popular English-language hacking forum Hackforums[dot]net — said he was shutting down the “server stress testing” (SST) section of the forum. The move comes amid heightened public scrutiny of the SST industry, which has been linked to several unusually powerful recent attacks and is responsible for the vast majority of denial-of-service (DOS) attacks on the Internet today.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as "booter" or "stresser" online attack-for-hire services.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as “booter” or “stresser” online attack-for-hire services.

“Unfortunately once again the few ruin it for the many,” LaBrocca wrote under his Hackforums alias “Omniscient.” “I’m personally disappointed that this is the path I have to take in order to protect the community. I loathe having to censor material that could be beneficial to members. But I need to make sure that we continue to exist and given the recent events I think it’s more important that the section be permanently shut down.”

Last month, a record-sized DDoS hit KrebsOnSecurity.com. The attack was launched with the help of Mirai, a malware strain that enslaves poorly secured Internet-of-Things (IoT) devices like CCTV cameras and digital video recorders and uses them to launch crippling attacks.

At the end of September, a Hackforums user named “Anna_Senpai” used the forum to announce the release the source code for Mirai. A week ago, someone used Mirai to launch a massive attack on Internet infrastructure firm Dyn, which for the better part of a day lead to sporadic outages for some of the Web’s top destinations, including Twitter, PayPal, Reddit and Netflix.

The Hackforums post that includes links to the Mirai source code.

The Hackforums post that includes links to the Mirai source code.

As I noted in last week’s story Are the Days of Booter Services Numbered?, many booter service owners have been operating under the delusion or rationalization that their services are intended solely for Web site owners to test the ability of their sites to withstand data deluges.

Whatever illusions booter service operators or users may have harbored about their activities should have been dispelled following a talk delivered at the Black Hat security conference in Las Vegas this year. In that speech, FBI Agent Elliott Peterson issued an unambiguous warning that the agency was prepared to investigate and help prosecute people engaged in selling and buying from booter services.

But it wasn’t until this month’s attack on Dyn that LaBrocca warned the Hackforums community he may have to shut down the SST section.

“I can’t image this attention is going to be a good thing,” Omni said in an October 26, 2016 thread titled “Bad things.” “Already a Senator is calling for a hearing on the Internet of Things [link added]. In the end there could be new laws which effect [sic] us all. So for those responsible for the attacks and creating this mess….you dun goofed. I expect a lot of backlash to come out of this.”

If LaBrocca appears steamed from this turn of events, it’s probably with good reason: He stands to lose a fair amount of regular income by banning some of the most lucrative businesses on his forum. Vendors on Hackforums pay fees as high as $25 apiece to achieve a status that allows them to post new sales threads, and banner ads on the forum can run up to $200 per week.

"Stickies" advertising various "booter" or "stresser" DDoS-for-hire services.

“Stickies” advertising various “booter” or “stresser” DDoS-for-hire services.

Vendors who wish to “sticky” their ads — that is, pay to keep the ads displayed prominently near or at the top of a given discussion subforum — pay LaBrocca up to $60 per week for the prime sticky spots. And there were dozens of booter services advertised on Hackforums.

Allison Nixon, director of security research at Flashpoint and an expert on booter services, said the move could put many booter services out of business.

Nixon said the average booter service customer uses the attack services to settle grudges with opponents in online games, and that the closure of the SST subforum may make these services less attractive to those individuals.

“There is probably a lesser likelihood that the average gamer will see these services and think that it’s an okay idea to purchase them,” Nixon said. “The ease of access to these booters services makes people think it’s okay to use them. In gaming circles, for example, people will often use them to DDoS one another and not realize they might be shutting down an innocent person’s network. Recognizing that this is criminal activity on the same level of criminal hacking and fraud may discourage people from using these services, meaning the casual actor may be less likely to buy a booter subscription and launch DDoS attacks.”

While a welcome development, the closure of the SST subforum almost seems somewhat arbitrary given the sheer amount of other illegal hacking activity that is blatantly advertised on Hackforums, Nixon said.

“It’s interesting the norms that are on this forum because they’re so different from how you or I would recognize acceptable behavior,” she said. “For example, most people would think it’s not acceptable to see booter services advertised alongside remote access Trojans, malware crypting services and botnets.”

Other questionable services and subsections advertised on Hackforums include those intended for the sale of hacked social media and e-commerce accounts. More shocking are the dozens of threads wherein Hackforums members advertise the sale of “girl slaves,” essentially access to hacked computers belonging to teenage girls who can be extorted and exploited for payment or naked pictures. It’s worth noting that the youth who was arrested for snapping nude pictures of Miss Teen USA Cassidy Wolf through her webcam was a regular user of Hackforums.

Hackforums users advertising the sale and procurement of "girl slaves."

Hackforums users advertising the sale and procurement of “girl slaves.”

Nixon said most Hackforums users are essentially good people who are interested in learning more about technology, security and other topics. But she said many of the younger, impressionable members are heavily influenced by some of the more senior forum participants, a number of whom are peddling dangerous products and services.

“Most of the stuff on Hackforums is not that bad,” Nixon said. “There are a lot of kids who are pretty much normal people and interested in hacking and technology. But there are also gangs, and there are definitely criminal organizations that have a presence on the forum that will try to enable criminal activity and take advantage of people.”

The removal of booter services from Hackforums is a gratifying development for me personally and professionally. My site has been under near-constant attack from users of these booter services for several years now. As a result, I have sought to bring more public attention to these crooked businesses and to the young men who’ve earned handsome profits operating over the years. Here are just a few of those stories:

Stress Testing the Booter Services, Financially

Are the Days of Booter Services Numbered?

Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

Ragebooter: Legit DDoS Service, or Fed Backdoor?

DDoS Services Advertise Openly, Take PayPal

Booter Shells Turn Web Sites Into Weapons

Spreading the DDoS Disease and Selling the Cure

Lizard Stresser Runs on Hacked Home Routers

The New Normal: 200-400 Gpbs DDoS Attacks

Sep 08 2016

Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

vDOS  a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.

The vDos home page.

The vDos home page.

To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement. The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last. And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.

Let the enormity of that number sink in for a moment: That’s nearly nine of what I call “DDoS years” crammed into just four months. That kind of time compression is possible because vDOS handles hundreds — if not thousands — of concurrent attacks on any given day.

Although I can’t prove it yet, it seems likely that vDOS is responsible for several decades worth of DDoS years. That’s because the data leaked in the hack of vDOS suggest that the proprietors erased all digital records of attacks that customers launched between Sept. 2012 (when the service first came online) and the end of March 2016.

HOW vDOS GOT HACKED

The hack of vDOS came about after a source was investigating a vulnerability he discovered on a similar attack-for-hire service called PoodleStresser. The vulnerability allowed my source to download the configuration data for PoodleStresser’s attack servers, which pointed back to api.vdos-s[dot]com. PoodleStresser, as well as a large number of other booter services, appears to rely exclusively on firepower generated by vDOS.

From there, the source was able to exploit a more serious security hole in vDOS that allowed him to dump all of the service’s databases and configuration files, and to discover the true Internet address of four rented servers in Bulgaria (at Verdina.net) that are apparently being used to launch the attacks sold by vDOS. The DDoS-for-hire service is hidden behind DDoS protection firm Cloudflare, but its actual Internet address is 82.118.233.144.

vDOS had a reputation on cybercrime forums for prompt and helpful customer service, and the leaked vDOS databases offer a fascinating glimpse into the logistical challenges associated with running a criminal attack service online that supports tens of thousands of paying customers — a significant portion of whom are all trying to use the service simultaneously.

Multiple vDOS tech support tickets were filed by customers who complained that they were unable to order attacks on Web sites in Israel. Responses from the tech support staff show that the proprietors of vDOS are indeed living in Israel and in fact set the service up so that it was unable to attack any Web sites in that country — presumably so as to not attract unwanted attention to their service from Israeli authorities. Here are a few of those responses:

(‘4130′,’Hello `d0rk`,rnAll Israeli IP ranges have been blacklisted due to security reasons.rnrnBest regards,rnP1st.’,’03-01-2015 08:39),

(‘15462′,’Hello `g4ng`,rnMh, neither. I’m actually from Israel, and decided to blacklist all of them. It’s my home country, and don’t want something to happen to them :)rnrnBest regards,rnDrop.’,’11-03-2015 15:35),

(‘15462′,’Hello `roibm123`,rnBecause I have an Israeli IP that is dynamic.. can’t risk getting hit/updating the blacklist 24/7.rnrnBest regards,rnLandon.’,’06-04-2015 23:04),

(‘4202′,’Hello `zavi156`,rnThose IPs are in israel, and we have all of Israel on our blacklist. Sorry for any inconvinience.rnrnBest regards,rnJeremy.’,’20-05-2015 10:14),

(‘4202′,’Hello `zavi156`,rnBecause the owner is in Israel, and he doesn’t want his entire region being hit offline.rnrnBest regards,rnJeremy.’,’20-05-2015 11:12),

(‘9057′,’There is a option to buy with Paypal? I will pay more than $2.5 worth.rnThis is not the first time I am buying booter from you.rnIf no, Could you please ask AplleJack? I know him from Israel.rnThanks.’,’21-05-2015 12:51),

(‘4120′,’Hello `takedown`,rnEvery single IP that’s hosted in israel is blacklisted for safety reason. rnrnBest regards,rnAppleJ4ck.’,’02-09-2015 08:57),

WHO RUNS vDOS?

As we can see from the above responses from vDOS’s tech support, the owners and operators of vDOS are young Israeli hackers who go by the names P1st a.k.a. P1st0, and AppleJ4ck. The two men market their service mainly on the site hackforums[dot]net, selling monthly subscriptions using multiple pricing tiers ranging from $20 to $200 per month. AppleJ4ck hides behind the same nickname on Hackforums, while P1st goes by the alias “M30w” on the forum.

Some of P1st/M30W's posts on Hackforums regarding his service vDOS.

Some of P1st/M30W’s posts on Hackforums regarding his service vDOS.

vDOS appears to be the longest-running booter service advertised on Hackforums, and it is by far and away the most profitable such business. Records leaked from vDOS indicate that since July 2014, tens of thousands of paying customers spent a total of more than $618,000 at the service using Bitcoin and PayPal.

Incredibly, for brief periods the site even accepted credit cards in exchange for online attacks, although it’s unclear how much the site might have made in credit card payments because the information is not in the leaked databases.

The Web server hosting vDOS also houses several other sites, including huri[dot]biz, ustress[dot]io, and vstress[dot]net. Virtually all of the administrators at vDOS have an email account that ends in v-email[dot]org, a domain that also is registered to an Itay Huri with a phone number that traces back to Israel.

The proprietors of vDOS set their service up so that anytime a customer asked for technical assistance the site would blast a text message to six different mobile numbers tied to administrators of the service, using an SMS service called Nexmo.com. Two of those mobile numbers go to phones in Israel. One of them is the same number listed for Itay Huri in the Web site registration records for v-email[dot]org; the other belongs to an Israeli citizen named Yarden Bidani. Neither individual responded to requests for comment.

The leaked database and files indicate that vDOS uses Mailgun for email management, and the secret keys needed to manage that Mailgun service were among the files stolen by my source. The data shows that vDOS support emails go to itay@huri[dot]biz, itayhuri8@gmail.com and raziel.b7@gmail.com.

LAUNDERING THE PROCEEDS FROM DDOS ATTACKS

The $618,000 in earnings documented in the vDOS leaked logs is almost certainly a conservative income figure. That’s because the vDOS service actually dates back to Sept 2012, yet the payment records are not available for purchases prior to 2014. As a result, it’s likely that this service has made its proprietors more than $1 million.

vDOS does not currently accept PayPal payments. But for several years until recently it did, and records show the proprietors of the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts.

They did this because at the time PayPal was working with a team of academic researchers to identify, seize and shutter PayPal accounts that were found to be accepting funds on behalf of booter services like vDOS. Anyone interested in reading more on their success in making life harder for these booter service owners should check out my August 2015 story, Stress-Testing the Booter Services, Financially.

People running dodgy online services that violate PayPal’s terms of service generally turn to several methods to mask the true location of their PayPal Instant Payment Notification systems. Here is an interesting analysis of how popular booter services are doing so using shell corporations, link shortening services and other tricks.

Turns out, AppleJ4ck and p1st routinely recruited other forum members on Hackforums to help them launder significant sums of PayPal payments for vDOS each week.

“The paypals that the money are sent from are not verified,” AppleJ4ck says in one recruitment thread. “Most of the payments will be 200$-300$ each and I’ll do around 2-3 payments per day.”

vDos co-owner AppleJ4ck recruiting Hackforums members to help launder PayPal payments for his booter service.

vDos co-owner AppleJ4ck recruiting Hackforums members to help launder PayPal payments for his booter service.

It is apparent from the leaked vDOS logs that in July 2016 the service’s owners implemented an additional security measure for Bitcoin payments, which they accept through Coinbase. The data shows that they now use an intermediary server (45.55.55.193) to handle Coinbase traffic. When a Bitcoin payment is received, Coinbase notifies this intermediary server, not the actual vDOS servers in Bulgaria.

A server situated in the middle and hosted at a U.S.-based address from Digital Ocean then updates the database in Bulgaria, perhaps because the vDOS proprietors believed payments from the USA would attract less interest from Coinbase than huge sums traversing through Bulgaria each day.

ANALYSIS

The extent to which the proprietors of vDOS went to launder profits from the service and to obfuscate their activities clearly indicate they knew that the majority of their users were using the service to knock others offline.

Defenders of booter and stresser services argue the services are legal because they can be used to help Web site owners stress-test their own sites and to build better defenses against such attacks. While it’s impossible to tell what percentage of vDOS users actually were using the service to stress-test their own sites, the leaked vDOS logs show that a huge percentage of the attack targets are online businesses.

In reality, the methods that vDOS uses to sustain its business are practically indistinguishable from those employed by organized cybercrime gangs, said Damon McCoy, an assistant professor of computer science at New York University.

“These guys are definitely taking a page out of the playbook of the Russian cybercriminals,” said McCoy, the researcher principally responsible for pushing vDOS and other booter services off of PayPal (see the aforementioned story Stress-Testing the Booter Services, Financially for more on this).

“A lot of the Russian botnet operators who routinely paid people to infect Windows computers with malware used to say they wouldn’t buy malware installs from Russia or CIS countries,” McCoy said. “The main reason was they didn’t want to make trouble in their local jurisdiction in the hopes that no one in their country would be a victim and have standing to bring a case against them.”

The service advertises attacks at up to 50 gigabits of data per second (Gbps). That’s roughly the equivalent of trying to cram two, high-definition Netflix movies down a target’s network pipe all at the same moment.

But Allison Nixon, director of security research at business risk intelligence firm Flashpoint, said her tests of vDOS’s service generated attacks that were quite a bit smaller than that — 14 Gbps and 6 Gbps. Nevertheless, she noted, even an attack that generates just 6 Gbps is well more than enough to cripple most sites which are not already protected by anti-DDoS services.

And herein lies the rub with services like vDOS: They put high-powered, point-and-click cyber weapons in the hands of people — mostly young men in their teens — who otherwise wouldn’t begin to know how to launch such attacks. Worse still, they force even the smallest of businesses to pay for DDoS protection services or else risk being taken offline by anyone with a grudge or agenda.

“The problem is that this kind of firepower is available to literally anyone willing to pay $30 a month,” Nixon said. “Basically what this means is that you must have DDoS protection to participate on the Internet. Otherwise, any angry young teenager is going to be able to take you offline in a heartbeat. It’s sad, but these attack services mean that DDoS protection has become the price of admission for running a Web site these days.”

Stay tuned for the next piece in this series on the hack of vDOS, which will examine some of the more interesting victims of this service.