Friday, September 13, 2013

Who is behind BestRecovery

The Pakistani copy/paste admin of BestRecovery key spy service

Xenon Cool

I emailed this coward and he deleted his Twitter account.


We can see from the YouTube channel (pro2comp) that he is commenting on many videos about how to make VB software, how to avoid AV detection, crypters, etc.

can u make video how can we make rat like dark comet and cybergate i hope u will make i love ur videos i have sub to ur channel sir i am inspired and ur role model for me

Wow. This is sad... but really funny.

Anyway... shall we continue?






The admin of BestRecovery posted a video about the keylogger service using the YouTube account Affan Majid (hacked) / Pro2Comp - http://www.youtube.com/watch?v=csiZMBhRJGw


Published on Aug 6, 2012
xenon.cool@yahoo.com



Connect the dots.

ainey_cool aka xenon.cool@yahoo.com
http://hamarakindking.com/Builder.exe
http://achanbhai.com/bai.php
http://wirelesstecho.com/achabai.txt
http://aineyhosting.com/web.php
http://www.financetasksforce.com/ht.txt



The Twitter account https://twitter.com/affan546 has a picture of Xenon, the admin of BestRecovery.
(This account has since been deleted; see screenshots.)



Notes
mybestrecovery.net 14152 IN A 85.195.87.18
mybestrecovery.ws. 14362 IN A 85.195.87.18
cmmsol.com. 14085 IN A 85.195.87.18
sendsmsfree.co.uk. 9095 IN A 85.195.87.18
WHOIS mybestrecovery.net

Name Servers:
ns1.sendsmsfree.co.uk
ns2.sendsmsfree.co.uk
DNS records
ns1.sendsmsfree.co.uk. 14400 IN A 85.195.87.18
ns2.sendsmsfree.co.uk. 14400 IN A 85.195.87.18
mybestrecovery.net. 21600 IN NS n2.sendsmsfree.co.uk.
mybestrecovery.net. 21600 IN NS ns1.sendsmsfree.co.uk
DNS checks
# dig ns1.mybestrecovery.ws 
mybestrecovery.ws. 1800 IN SOA ns1.sendsmsfree.co.uk. ainey_cool.ymail.com.
and again on the other NS
# dig ns1.cmmsol.com 
cmmsol.com. 1709 IN SOA ns1.localdomain.com. ainey_cool.ymail.com.
Wait....WTF!?!?
You left your email address in your DNS record (the SOA contact field)? Ok..
That email address was plastered on the front page of BestRecovery.

Busted!
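The pivot above (several domains sharing one A-record address, plus the contact mailbox leaking from the SOA record) as an added example that is not part of the original post. The dig-style input is constructed from the records quoted above; the SOA serial and timer values after the contact name are made up to give the lines full SOA syntax.

```python
import re
from collections import defaultdict

# Constructed from the dig output quoted above; the SOA serial/timer
# values after the RNAME are made up to give the lines full SOA syntax.
DIG_OUTPUT = """
mybestrecovery.net.  14152 IN A   85.195.87.18
mybestrecovery.ws.   14362 IN A   85.195.87.18
cmmsol.com.          14085 IN A   85.195.87.18
sendsmsfree.co.uk.    9095 IN A   85.195.87.18
mybestrecovery.ws.    1800 IN SOA ns1.sendsmsfree.co.uk. ainey_cool.ymail.com. 1 3600 900 604800 86400
cmmsol.com.           1709 IN SOA ns1.localdomain.com. ainey_cool.ymail.com. 1 3600 900 604800 86400
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|SOA)\s+(.*)$")

def rname_to_email(rname):
    """Decode an SOA RNAME into a mailbox: the first unescaped dot becomes '@';
    a backslash-escaped dot is a literal dot in the local part (RFC 1035 3.3.13)."""
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):   # escaped char: keep literally
            local.append(name[i + 1])
            i += 2
        elif name[i] == ".":                         # first real dot: split here
            return "".join(local) + "@" + name[i + 1:]
        else:
            local.append(name[i])
            i += 1
    return "".join(local)                            # no domain part present

def pivot(dig_text):
    """Group A-record owners by address and map each zone to its SOA contact."""
    by_ip = defaultdict(set)
    contacts = {}
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        owner = m.group(1).rstrip(".")
        rdata = m.group(3).split()
        if m.group(2) == "A":
            by_ip[rdata[0]].add(owner)
        else:                                        # SOA rdata: MNAME RNAME serial ...
            contacts[owner] = rname_to_email(rdata[1])
    return dict(by_ip), contacts
```

Running pivot(DIG_OUTPUT) groups the four domains under 85.195.87.18 and returns ainey_cool@ymail.com as the contact for both zones that published an SOA.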

He is also in the pakbugs.com DB dump:

http://archives.neohapsis.com/archives/fulldisclosure/2009-09/att-0197/pakbugs.users.html

I wonder if this guy is Pakistani..?

He registered betercalls.com.

Facebook page:
https://www.facebook.com/xenon.cool.9?fref=ts

(Note the vampire avatar from his Vampire Crypter.)
via Xenon Cool (source)





Best Recovery-The Best Fud Keylogger
xenon.cool@yahoo.com

He posted screen pics of him using DarkComet on people and claiming they have $ in bank accounts.

He is also selling access to people's bank accounts on FB - what a fucker.



He has a link on the FB account claiming to own the 'FUD' keylogger and the video for BestRecovery.
Uber 1337






Summary 

I'm thinking his name is Ainey Bhai (?) of Lahore, PK.

He definitely lives in Pakistan, and I believe he is or recently was a student. He used the school computers to spread the malware.

Someone will recognize this guy.
ainey cool
xenon.cool@yahoo.com
@affan546
born 27 December 1989

It's all just so pathetic.

Get a life man.

BESTRECOVERY keylogger

The BestRecovery spy service provides users with a builder (the actual executable is called Builder.exe, but it is really a file binder) that is used to create a new keylogger binary for each customer to distribute to victims.

In a traditional botnet, for example Andromeda, bot clients are built using a builder application. The bot master supplies the configuration data, such as the C&C gate and build ID, and the builder pops out a new binary.
File binders are applications that allow a user to "bind" executables together, resulting in a single executable. They are useful for crackers to insert other applications, such as trojan horse executables, into otherwise harmless files, making them more difficult to detect. (Source)
The first BestRecovery builder I came across was version 12.4.




Version 12.4 was a hideous, awful mess of an application.

Just looking at the builder makes me feel bad for the 419'ers using it. Not to mention I could not get this thing to kick out a useful sample. 



I had to run through the Error-FIXX directory and register some components. I forget, I was distracted by the horror show that is the ::: BESTRECOVERY BUILDER :::

Anyway, the admin updated the builder, I must have missed a few versions or he did it really quickly. The next time I checked the builder it was on 17.3 





I am a reverse engineer in training so I will do my best to figure out what the heck is going on under the hood.

I'm going to look at the builder itself and then the binded output file from the builder.

I used Resource Hacker to extract a file: (VT 28/47)
https://www.virustotal.com/en/file/aa02bcfd2997c889f730b33496b3635725be58039ab95f8cc4109fe50b62b50a/analysis/

Looks like this has been around the block already - I was not the first to get this on VT and its detection rate is high.


BestRecovery Builder v12.4 

All BestRecovery software can best be described as a copy/paste piece of shit.

I ran the 12.4 builder through "strings" and pulled out some data. The following are some useful details obtained from the BestRecovery 12.4 builder:
Builder_12.4
BEST RECOVERY
BESTRECOVERY
BESTRECOVERY
C:\Users\yaisr\Downloads\bs_fusion\data\MSCOMCTL.oca
C:\Users\yaisr\Downloads\bs_fusion\data\mswinsck.oca
http://hamarakindking.com/Builder.exe
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Keyspy Will Not Be Responsible For Any Use/Misuse OF Other's Information
Ethics is Philosophical Study Of Moral Values & Rules. It is the motivation based on the ideas of Right & Wrong.
Professional Is A Person Engage in one of a Learned Professions.Who is the Expert in any particular Field Like Doctors,Engineers,Accountants Etc
The Idea is To Combine Both The above terms together To Make The Client Or Stakeholders Of any Profession Relax & Free From Worries & They Can Trust The Professional. Accountants are Deployed in many fields Forexample They Can contribute
To The Ecnomic Development Of Their Country & Global Economy.
They Can Act as Auditors,Financial managers.Accountants,So They Have A Very high Responsibility.Billions & Trillians OF Dollars & Pounds of shareholders,Bankers,Investors Are t Stake. If The Accountant Are biased Means Their Weath & Hard Earnings Of People (Pension Funds) Will Be At RISK.This is Why The Accountants Must Obey Some Sort of Ethics/Guidelines like IFAC Code Of Ethics & ACCA Code Of Ethics . Acca Code Of Ethics States That Accountants & its Members Must Have The Quality Of
1) Objectivity
2) Integrity
3) Professional Behaviour
4) Confidentiality
5) Professional Competence
Practitioner Needs To Behave & Seen To Behave In an Ethical Professional Manner. In His Professional Life He might Face some risky events or Delemas.Code ofEthics Says Accountatns must use their Ethical Judgment To Avoid & Resolve The Ethical Delemas & Be away from Conflict of Interest.Threats he May Be Facing can Be Of Many Types Like
phppost
http://aineyhosting.com/web.php
httppath
http://www.financetasksforce.com/ht.txt
Exif
Ducky
mhttp://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:23C5E3E8B0A4E0119B2AC28829143BAE" xmpMM:DocumentID="xmp.did:FE1ECDCBA4B011E0B3EA880C2BEAE119" xmpMM:InstanceID="xmp.iid:FE1ECDCAA4B011E0B3EA880C2BEAE119" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:24C5E3E8B0A4E0119B2AC28829143BAE" stRef:documentID="xmp.did:23C5E3E8B0A4E0119B2AC28829143BAE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
LED Table Marquee
(http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=60188&lngWId=1)
BEST-RECOVERY
Lavf53.20.0 (mpeg encoder?)
LAME3.98.4
LAME3.98.4
LAME3.98.4
RIFFL
WAVEfmt

SOFTWARE\Borland\Delphi\RTL
Software\Borland\Delphi\Locales
Delphi%.8X
MFS_ENABLED
TGIFPainter (Delphi image function)
Delphi Picture
Delphi Component
NETSCAPE 2.0 ANIMEXTS1.0
Resource Hacker
RICHEDIT
System\CurrentControlSet\Control\Keyboard Layouts\%.8x

The Visual Component Library (VCL) is a set of visual components for the rapid development of Windows applications in the Delphi and C++ languages.
TImeMode
imDisable
imClose
imOpen
imDontCare
imSAlpha
imAlpha
imHira
imSKata
imKata imChinese
imSHanguel imHanguel

BestRecovery Builder v17.3

Interesting strings from the 17.3 builder.

C:\Users\yaisr\Desktop\Clon\1.pdb

C:\Users\yaisr\Desktop\BEST-RECOVERY\Error-FIXX\mswinsck.oca

SETTINGS:
phppost
http://aineyhosting.com/web.php
httppath
http://www.financetasksforce.com/ht.txt


BestRecovery Keylogger from Builder v17.3

I used the v17.3 builder to create an output sample. I chose putty.exe as my target file to bind the BR keylogger to.


Strings from builder output file:

<html>
<head>
</head>
<body>
<form method="POST" action="
teenk
"></p>
  <p>NOT:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <input type="text" name="note" size="20" value="
saatk
</textarea></p>
<p>&nbsp;</p>
  <p><input type="submit" value="hm" name="B1"></p>
</form>
<body onload="document.forms[0].submit();">
</body>
</html>
chek
"></p>
  <p>MSG:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <textarea rows="2" name="log" cols="7">
pank
"></p>
  <p>US:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <input type="text" name="user" size="20" value="
"></p>
  <p>COUNT:&nbsp; <input type="text" name="country" size="20" value="
dook
  <p>
  PC:&nbsp;&nbsp;&nbsp;
  <input type="text" name="pcname" size="20" value="
<html>
<head>
</head>
<body>
<form method="POST" action="


http://www.samair.ru/proxy/proxychecker/country.htm
Checks what country the users are from.  
http://achanbhai.com/bai.php
http://wirelesstecho.com/achabai.txt
C:\Users\yaisr\Desktop\Clon\1.pdb

This looks awful.

This can't be serious... but I think it is.

ReadyState
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser

So it looks like someone created a shitty keylogger (probably ripped the code), and the design they came up with to send data back to the C&C was to create a browser window, build an HTML form, and finally POST the data back. Oh yeah, you also need to check the samair.ru proxy checker to get the user's country first.

Fuck me, that's retarded.
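Detection logic for the exfiltration design described above, as an added example that is not code from the post or from BestRecovery: it matches the field names of the recovered HTML form (note, log, user, country, pcname, and the hard-coded submit button B1=hm) and the samair.ru country lookup against request records. The requests are constructed, and gate.example is a placeholder host.

```python
from urllib.parse import parse_qs

# Field names recovered from the HTML form in the builder output above
BR_FIELDS = {"note", "log", "user", "country", "pcname"}
# Country lookup the sample performs before posting (URL quoted in the strings)
COUNTRY_CHECK = "samair.ru/proxy/proxychecker/country.htm"

# Constructed requests (not real captures); gate.example is a placeholder host
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "www.samair.ru",
     "path": "/proxy/proxychecker/country.htm", "body": ""},
    {"method": "POST", "host": "gate.example", "path": "/web.php",
     "body": "note=memo&user=cust1&country=Nigeria&pcname=VICTIM-PC"
             "&log=hello+world&B1=hm"},
    {"method": "POST", "host": "shop.example", "path": "/login",
     "body": "user=alice&password=hunter2&remember=1"},
    {"method": "POST", "host": "gate.example", "path": "/web.php",
     "body": "note=x&user=cust1&pcname=PC1&log=abc"},
]

def classify(req):
    """Return a verdict for one request based on the BestRecovery form shape."""
    if req["method"] == "GET" and COUNTRY_CHECK in req["host"] + req["path"]:
        return "bestrecovery-country-lookup"
    if req["method"] != "POST":
        return "benign"
    params = parse_qs(req["body"], keep_blank_values=True)
    present = BR_FIELDS & set(params)
    # Full field set plus the hard-coded submit button value is the exact form
    if present == BR_FIELDS and params.get("B1") == ["hm"]:
        return "bestrecovery-exfil"
    # Partial overlap is worth a look (e.g. a modified builder), not a firm match
    if len(present) >= 3:
        return "suspicious-form"
    return "benign"

def scan(requests):
    """Classify a batch and return (host+path, verdict) pairs."""
    return [(r["host"] + r["path"], classify(r)) for r in requests]
```

In practice the country lookup followed shortly by a POST with this field set from the same host is the pairing worth alerting on, since the gate path itself is fetched from ht.txt and can change.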


Resource Hacker extracted the original putty from the output file, and it's clean.

extracted resource (putty)
https://www.virustotal.com/en/file/abcc2a2d828b1624459cf8c4d2ccdfdcde62c8d1ab51e438db200ab3c5c8cd17/analysis/1379011357/

However, the entire bound package itself is naughty:

image (binded file) (VT 9/47)
https://www.virustotal.com/en/file/cb8757540e6d60e95a2187e734fec2d64fe5010f79b2e5fc2b1f7cc0291e8b89/analysis/1379011648/

https://malwr.com/analysis/OTc2Yzc3MzU4MzEyNGZjNDljNGMzMWIyOGM3ZjA1M2E/

(more samples I have found searching)
https://malwr.com/analysis/ODc4ZDM4MzRhOGE0NDY3M2JkMGM2OTg4MmRjYTM3MWQ/


Summary

The BestRecovery system is a hodgepodge of code that is held together by poor design.


I will be posting more again soon. Stay tuned for "Who is behind BestRecovery" ..


Other Links:

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=3564054#none

Monday, September 9, 2013

Inside BestRecovery / MyBestRecovery

BESTRECOVERY (FOR LEGAL AND LEGITIMATE USE ONLY) 
BESTRECOVERY logs all keystrokes, mouseclicks, applications, windows, websites, email sent and received, chat conversations, system events. [source]

MyBestRecovery.net is best described as a paid key logging or key spy service. Customers of this service first register an account and are given access to the "builder" application. This builder is used to assemble an executable "spy" program that is to be distributed by the customer to any victims he chooses. Once the "spy" program is run by a victim, it records all keystrokes and sends the data back to the BestRecovery control panel, allowing the BestRecovery user to spy on his victims.

In the summer of 2013, the BestRecovery website was hacked and the user database was leaked. It contained about 3400 user accounts of this pay-to-spy service.



The hideous login screen for MyBestRecovery keylogging service. Note the support email address ainey_cool@ymail.com



Once you log in, you are presented with another ridiculous-looking page. This laundry-line-themed control panel displays your metrics on a clothespin note.

A user can navigate the site from this main control panel. Some of the options include:
  • Check logs
  • Search Logs
  • Download icons
  • Download SPY! 


The main user control panel. 

Since I'm a new user and I have no idea how this disgusting site works, I'm forced to click "help" and read up on this awesomeness. 


The BestRecovery help page.


+ [First Time Use]
FIRST LOGIN TO YOUR ACCOUNT IT WILL FORWARD YOU TO THE HOME PAGE
THEN CLICK ON DOWNLOAD SPY! ...AFTER DOWNLOAD THE SETUP FILE INSTALL IT!
& THERE YOU WILL SEE BESTRECOVERY FOLDER ON YOUR DESKTOP
OPEN IT & YOU WILL SE BUILDER FROM WHERE YOU CAN BUILD YOUR OWN CLIENT FILES!
OPEN IT ..IF ITS OLD BUILDER IF WILL ASK YOU TO UPDATE THE BUILDER CLICK YES!
(NOTE) UPDATE IS MUST IF YOU WANT TO AVOID ANTIVIRUSES DETECTIONS)
AFTER UPDATION OPEN THE LATEST BUILDER! & THEN YOU WILL HAVE TO PUT YOUR USERNAME (case sensitive) 
ANY NOTE (MEMO) SELECT ANY OUTPUT EXTENSION YOU KIKE! THEN LOAD ANY FILE IN FILE SECTION TO BIND IT WITH THE FILE
SO THE CLIENT WILL SEE THE FILE BINDED (ie PDF FILE, JPG FILE)
THEN YOU CAN DOWNLOAD ICONS FROM YOUR HOME PAGE (NOTE: FRESH ICONS ARE MUST IF YOU WANT TO AVOID ANTIVIRUSES DETECTIONS) 
YOU CAN LOAD ANY ICON IN ICON SECTION & CLICK BUILD.. IT WILL BUILD YOUR CLIENT FILE WITH NAME (IMAGE.SCR, IMAGE.EXE etc) 



Wow.

Ok, so we learned a few things from the help page.

1. This service is For Skids By Skids - it's like the blind leading the blind. Fresh icons to evade antivirus? Hilarious.

2. The builder they are giving out is actually a file binder, not an actual bot builder.

I downloaded the "SPY!" and installed the setup file. This dumps a folder to the desktop that contains the binder/builder and some icons.




I mentioned that BestRecovery is a pay-for-keylogging service. To renew your subscription, simply click "Renew My Account", select the subscription package...



confirm the package..

and get redirected to Liberty Reserve...fail. 

https://sci.libertyreserve.com/?lr_acc=U5423822&lr_store=mykeyspy&lr_amnt=300&lr_currency=LRUSD&lr_comments=xxx%2F1+YEAR&user=xxx&package=1+YEAR&payfor=renew&auth=5&email=xxx&pay=PAY+NOW+%3E%3E

Note the name of the LR_store: MyKeySpy




MyBestRecovery has since been "seized" by the US Global Illicit Financial Team


More to come soon..



Links