Cross posted from Russian Cyber Criminal Forum
English translation @Sherb1n
Seller - xfrzx
Ulocker is EU traffic monetization software. It accepts payments through Ukash and Psc vouchers for €50 or €100.
As of today, it supports AT,CH,CY,DE,ES,FI,FR,GR,IT,NL,PL,PT,RO,SE. You are able to add and modify the number of languages.
Details:
1. Size: ~22KB uncompressed.
2. Kills MSCONFIG.exe, regedit.exe, regedt32.exe, CMD.exe, taskmgr.exe.
3. Accepts Ukash and Psc.
4. Hides Start menu and taskbar.
5. Blocks system keys.
6. Can modify text remotely.
7. Does not turn on if there's no internet connection (optional).
8. Launches on startup.
9. Disables Safe mode (XP)
10. Always on top.
11. Stays up after entry.
12. It's easy to add new languages to work with additional countries (!)
Server component:
Option 1: No panel, writes to file: date || ip || ukash || amount || country. The same for Psc. Responses are written to file.
Option 2: Simple panel, displays vouchers (ukash, psc), displays responses. Requires Php+MySql.
Responses are replies from the infected machines, not necessarily unique ones.
Price:
For the first 3 buyers: $250. 0/3.
The price does not depend on the server component.
The buyer receives:
1. Consultation at the time of purchase.
2. Minor updates for free.
3. You do your own encryption.
4. Help adding new language modules. Not creating, only adding. I'll show you how, it's very simple.
5. Don't have the builder yet (!). Free rebuilds.
6. Vouchers are not checked for validity. Checking services can be added if available.
You're prohibited from:
1. Uploading the build to public AV checkers.
2. Making this software available to others.
Violators will get banned without a refund.
Original (translated from Russian)
Seller - xfrzx
Ulocker is software for monetizing EU installs. It accepts Ukash and Psc vouchers of 50 and 100 euros as payment.
At the moment: AT,CH,CY,DE,ES,FI,FR,GR,IT,NL,PL,PT,RO,SE. You will be able to add and change the number of languages.
Details:
1. Size ~22 KB uncompressed
2. Kills MSCONFIG.exe, regedit.exe, regedt32.exe, CMD.exe, taskmgr.exe
3. Accepts Ukash, Psc.
4. Hides the Start button and the taskbar.
5. Blocks system keys.
6. Text can be changed remotely.
7. Does not activate when the internet is disconnected (optional).
8. Autostart.
9. Disables Safe Mode (XP)
10. Stays on top of all windows.
11. Is not removed after entry.
12. Ability to quickly and conveniently add your own languages to work with specific countries (!)
Server side:
Option 1: without a panel, writes to a file: date || ip || ukash || denomination || country. Same for Psc. Writes responses to a file.
Option 2: a simple panel, voucher output (ukash, psc), response output. Requires Php+MySql.
A response is a check-in from an infected machine, not necessarily a unique one.
Price:
For the first 3 buyers: $250. 0/3.
The price does not depend on the server-side option.
The buyer gets:
1. Consultation at purchase.
2. Minor updates for free.
3. Crypting is on you.
4. Help adding languages for the locker. Not creating them, adding them. By example; it's very simple.
5. No builder yet (!). Rebuilds are free.
6. Vouchers are not checked for validity. If there are checking services, they can be added.
Prohibited:
1. Uploading the build to public AV checkers.
2. Posting the software publicly.
Violations result in a ban, without a refund.
"A sneak peek view in to the world of Cybercriminals". Tracking Malware, Exploit Kits, Spam, Affiliates, Carding and Espionage
Thursday, 20 September 2012
Upas Rootkit
Cross posted from Russian Cyber Criminal Forum
English translation @Sherb1n
Seller - Auroras
Upas Kit 1.0.0.0
Description:
Upas is a modular http bot created for a single purpose - eliminating your headache. It's an advanced Ring3 rootkit that has something in common with SpyEye and Zeus. As a result, it's installed "silently", without triggering AV. As of today, it works on the following Windows versions: XP, Vista, 7 (Seven), Server 2003, server 2008. It's also "compatible" with all the service packs.
In its current version the rootkit can be injected into any 32-bit process. Written in C++.
By default, the kernel comes with the following modules (additional modules sold separately):
Rootkit
Download/Execute
Update
AntiRuskill
HTTP Panel
Antis
The following modules are sold separately:
USB spreader (lnk/autorun)
Botkiller
Form Grabber (IE, FF, Chrome)
FTP Grabber
Flooders Package - SYN/Slowloris/UDP
DNS Hook
Visit (hidden, show)
Ruskill
Post Spreaders
Prices, as of 6/14/2012:
Kernel $1000
Usb Spreader $200
Form Grabber $1000
Recompile with the same data $10
Recompile with different data (if your DNS is blacklisted or blocked) $50
The prices may seem a bit inflated, but if you consider the conversion rate and how effective this kit is, the price is right.
Panel features:
GeoIP (Maxmind)
IP block when the gate receives a response from anything but a bot
IP block when the input data is brute-forced
Add/Remove/Manage users
Installs log
Scan2you scanner for checking files, exploits, IPs, domains, etc. through web requests.
Detailed stats using Google Chart Tools
CAPTCHA at login, to prevent password brute-forcing
Easy way to add/remove jobs with parameters
Pre-populated list of sites for grabbing, ability to modify websites grabbed by Form Grabber
Per-country commands
Simple installer
English and Russian interface
Special features:
Antis file analysis protection
Decent sized stub
Easily cryptable
Unlimited domains. If a domain is unavailable, the bot tries the next one.
Ability to specify subdomains the responses will be sent to.
Disclaimer:
Upas Kit was created for penetration testing of personal and business information systems.
Upas Kit has never been and cannot be used to commit cybercrimes.
By purchasing this software you agree to not break the laws of the Russian Federation and other countries.
By purchasing this product you agree to use it at your own risk. Before installing this software on anyone's computer, you need to ask for that person's permission.
Original (translated from Russian)
Seller - Auroras
Upas Kit 1.0.0.0
Description:
Upas is a modular http bot that was created with a single purpose: to rid you of headaches. It is an advanced ring3 rootkit that has something in common with SpyEye and Zeus. Thus the installation happens "quietly", without being recognized by antiviruses. At the moment it works on the following Windows versions: XP, Vista, 7 (Seven), Server 2003, Server 2008. It is also "compatible" with all service packs.
In the current version the rootkit injects into all 32-bit processes. The application is written in C++.
By default the kernel ships with the following modules (additional ones are purchased separately)
Rootkit
Download/Execute
Update
AntiRuskill
HTTP Panel
Antis
List of modules that can be purchased separately:
Usb spreader (lnk/autorun)
Botkiller
Form Grabber (IE,FF,Chrome)
FTP Grabber
Flooders Package - SYN/Slowloris/UDP
DNS Hook
Visit (hidden, show)
Ruskill
Post Spreaders
Prices current as of 6/14/2012:
Kernel $1000
Usb Spreader $200
FormGrabber $1000
Recompilation with the same data $10
Recompilation with different data entered (if the DNS got listed or blocked) $50
The prices may seem inflated, but if you estimate the degree of monetization and the effectiveness of this software, the price becomes justified.
Panel features:
Geoip from maxmind
IP blocking if the check-in to the gate did not come from a bot
IP blocking in case of brute-forcing of login data
Add/Remove/Manage users
Installs log
Scan2you scanner, using web requests to scan files, exploits, IPs, domains, etc.
Detailed statistics using Google Chart Tools
CAPTCHA on panel login to make password guessing harder
Simple and convenient adding/removing of tasks with parameters
Ready list of sites for grabbing, ability to change the sites grabbed by the Form Grabber
Sending commands by country
Simple installer
English and Russian languages
Bot features:
Antis protection to prevent analysis of your file
Decent sized stub
Easily cryptable (easy to crypt)
Unlimited number of domains. Check-in goes through the domains; on failure the next one is taken.
Ability to check in to an arbitrary subdomain
Disclaimer:
The Upas Kit software was created to identify vulnerabilities in the information systems of both private individuals and organizations.
Upas Kit has never been used to commit cybercrimes and cannot be.
By purchasing this product you agree not to violate the laws of the Russian Federation and other countries.
By purchasing this product you use it at your own risk. Before loading the application onto a user's PC you must obtain their consent.
Sunday, 10 June 2012
Spam Service
Provider - avigdottir
Cross posted from Russian cyber criminal forum
English translation by @Sherb1n
Spam Campaigns
The service is designed to provide clicks for your link, including the option of using our intermediary redirect shells.
Our campaign most often results in a visitor coming to your site/page/affiliate page.
We can spam different links, automatically pulling them from your URL every minute.
This rules out the loss of traffic due to obsolete URLs and other similar problems.
We provide traffic stats (this feature is complimentary when you order our redirect shells).
Inbox rate for Gmail is over 90%. The rate varies for other services, but is considerably higher than Gmail's. If you have a specific request, run it by our support before starting the campaign.
Distribution speed: 1 million/20 minutes.
We can also help you pick a template (with randomization) for a theme-based campaign.
Prices:
$150 for 1 million goods, your spam base
$200 for 1 million goods, your DB, your link, through our redirect shells (with URL auto-update)
Minimum order: 1 million (anything under that goes at the price of a minimum order).
We can provide our own spam DBs in certain cases, but the price will increase substantially.
Typically, we prefer to use your bases. After spamming, they are permanently deleted.
Monday, 19 March 2012
Citadel 1.3
Citadel, a Zeus-based bot, is under active development, and version 1.3.3 has been released by its coder, Aquabox.
The author's post is copied directly from the underground forum and translated to English for your convenience. Thanks to @Sherb1n.
Citadel v1.3.3.0 Spring Edition!
It's springtime, a time when everything changes and functionality goes into full bloom. Pimp out your ride for the summer!
Our product has become quite unique, so we're going to give an overview of all the features you can start using right away to get even more profit out of the new version:
1) Admin control panel has a new section, "Performance and Security", which has been integrated with the scan4you service; now you can run AV detection checks for all of your exe builds with a single click, right from the Citadel control panel. You can also set up automated daily scans, so that if one of your files gets burned by more than 3 AVs, you'll receive an instant Jabber notification and will be able to replace the exe right away. Now that this task is automated, you can feel free to be lazy!
2) Some customers complained that only 40% of their bots were getting updated to the new exe versions, while the rest were failing to update for an unknown reason. Indeed, that turned out to be a bug from the old ZeuS times; we did some research and fixed it. Now config has a new parameter: timer_autoupdate 8, which sets how often (in hours) the bot will download and restart the exe from the server (RC4 key should match). 80% of bots are now successfully updating; go ahead, encrypt and re-upload your exe, with the uptime improved by 37.1%, your bots will have the freshest and cleanest builds.
3) Server reporting system has been rewritten. In previous versions, every report generated a separate POST request to the gate; in the new schema, reports are sent in batches. This reduces the number of open sessions and minimizes the server load, allowing the server to support a larger number of bots online.
4) Video recording format has been changed to .webm (HTML5); an online video player has been built into the Citadel control panel, and now you can watch the videos right in your browser (Opera is recommended). Features: rewind, fast-forward / full-screen / search for videos by BotID, IP address, date.
But that's not all, we didn't stop there: many of you are using AT (and it's about time everyone else started using it to develop this industry collectively), and personal admin servers for your injects/account collections, etc. Wouldn't you like to watch videos of how well your auto-transfers and injections work, right from your admin panel on that server? That's easy! We've created an API system for this: just send your BotID or IP address to the script, and the API will send back an HTML embed code for all the videos uploaded by that bot. You can embed and watch this video wherever you want, even on narod.ru, without having to visit the Citadel server.
5) An improved system command (CMDList) analyzer/parser has been added to the admin panel. Now you can use the new table layout to view the output of system commands like ipconfig, the list of machines on the local network, the list of running processes, etc.
6) Now, upon installation, the bot will automatically send to the server a one-time report with the following information: installed firewalls, installed AV products, installed programs.
This information can be viewed for each bot separately, or for the entire botnet. We've created a new admin panel section where you can see all these stats, visual graphs and calculations. Now you know who you're up against.
7) "Favorite logs" - this new feature allows you to mark any account (or report) of interest when searching for data in admin; the accounts will be highlighted, and you can easily find them later.
8) A new "CardSwipe" module has been developed. It can grab card numbers and dumps out of HTTPS/WinSocket traffic and send them as a separate report.
The module uses LUHN10 algorithm to analyze traffic. Margin of error - 25%.
Price: $250 LR.
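The CardSwipe item above rests on the Luhn check, which is also the test a defender's data-loss-prevention rule uses to spot card numbers leaving the network. What follows is an added example written for this page, not code from the Citadel post: it runs a Luhn-filtered scan over a few constructed log lines and measures how often uniformly random 16-digit strings pass the check. That rate (one in ten, because the check digit is fixed by the other fifteen) is why a Luhn-only matcher has a sizeable false-positive rate and why a production rule adds issuer prefix, length and context checks on top. The number 4111111111111111 is a widely used, publicly documented test card number, not a real card.

```python
import random
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid 13-19 digit sequences found in text (separators stripped)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def luhn_pass_rate(trials: int = 20000, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass Luhn (expected about 0.10)."""
    rng = random.Random(seed)
    passed = sum(luhn_ok("".join(rng.choices("0123456789", k=16))) for _ in range(trials))
    return passed / trials


# Constructed sample log lines (not from the page).
SAMPLE_LINES = [
    "POST /checkout card=4111-1111-1111-1111 exp=12/24",  # test PAN, Luhn-valid: flagged
    "GET /order?id=1234567890123456",                      # 16 digits, Luhn-invalid: ignored
    "session=4111111111111112 ts=1700000000",              # one digit off: ignored
]

if __name__ == "__main__":
    print("flagged:", find_pans("\n".join(SAMPLE_LINES)))
    print("Luhn pass rate on random 16-digit strings: %.3f" % luhn_pass_rate())
```

Running the block flags only the test card and reports a pass rate close to 0.100 on random digits; a detection rule that stops at Luhn will therefore raise an alert on roughly every tenth long digit string it sees (order ids, session tokens, timestamps), which is the kind of noise the "margin of error" figure in the post reflects.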
9) Injects are now compatible with UTF-8, and can be customized for any language (Japanese, Chinese, etc.)
10) Want to find new clients or business partners in your line of work? Consider placing your banner ad with the Citadel CRM.
Number of ad spaces: only 3 (234x60), two are still available; we only accept ads for relevant vendors and services (installs, encryption, traffic, etc., business partner search). Contact support through Jabber for a price quote.
As always, this update is free for our current clients. Place your requests through Jabber or CRM. (The update kits will be delivered on March 15, at 11:30PM).
New clients will receive a discount when buying the full package!
Citadel V 1.1
http://cyb3rsleuth.blogspot.co.uk/2012/01/citadel-zeus-bot.html
Friday, 2 March 2012
Chinese Threat Actor Part 3
Sin Digoo Identified
Espionage Domains
Malware reported on umu1.echosky.biz
Malware reported on www.dellpc.us - December 2007
BlackHat Domains
Archive on socialup.net reveals ICQ info of Jeno aka Tawnya aka xxgchappy
http://web.archive.org/web/20100106025256/http://www.socialup.net/contacts.php
ICQ 567950703
The ICQ search leads to a blackhatworld profile with the handle "xxgchappy" and a domain, makewithmoney.com
Domain name: makewithmoney.com
Creation date: 18 Nov 2009 02:17:06
Expiration date: 18 Nov 2010 02:17:06
Registrant Contact:
personal
eric charles ()
Fax:
Santa Cruz 1156 High Street
california, california 95064
US
Administrative Contact:
personal
eric charles (jeno_1980@hotmail.com)
+1.831459019
Fax: +1.831459019
Santa Cruz 1156 High Street
california, california 95064
US
Twitter
https://twitter.com/leedoctor
http://www.blackhatworld.com/blackhat-seo/members/73099-xxgchappy.html
http://www.v7n.com/forums/social-networking/161752-wts-cheap-digg-service-0-1-per-digg.html
Jeno promoted his socialup.net in Chinese forums.
The profile mentions www.hnsj.org as his website.
Whois record of hnsj.org
Domain ID:D155737903-LROR
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Last Updated On:04-Apr-2010 05:17:20 UTC
Expiration Date:27-Mar-2011 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:f1f613654acc4737
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant Street2:
Registrant Street3:
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant Phone Ext.:
Registrant FAX:+1.831459019
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com
A search on hnsj.org revealed some interesting information. The domain is related to mobile phone sales, and the name of the company is Henan Mobile Network.
Personal Domains
Archive
http://web.archive.org/web/20100109050932/http://www.hnsj.org/article.php?id=4
QQ number 55356626 is posted as the contact on HNSJ.ORG
xxgchappy promoted hnsj.org on his Baidu blog
http://hi.baidu.com/%BA%D3%C4%CF%CA%D6%BB%FA%CD%F8/home
His Baidu profile mentions further details
http://passport.baidu.com/?business&aid=6&un=xxgchappy#0
A further search reveals other QQ and phone contacts
http://bbs.shangdu.com/t/20080831/01004001126/126-1.htm
2008 post (translated from Chinese):
Huihui Digital Flagship Store
http://shop36037986.taobao.com (the shop no longer exists)
All kinds of smartphones for sale
Famous Taobao store, diamond reputation, hot sales nationwide
Guaranteed original; if not original, 50 compensation for distress and a full refund.
Buynow (Bainaohui) 2nd floor, 2B16
QQ: 55356626
Wangwang: Huihui Digital Flagship Store
13949001667
Our expertise is worthy of your trust.
Phone number 13949001667 (a mobile GSM number) belongs to Zhengzhou City, Henan Province, and the name mentioned here is Zhang
http://www.hahait.com/h41328
Company Name: Henan phone network
Tel: 0371-66900779
Company Address: Longhai Road, No. 188 Central Plains Communications Digital City A420
Contact: Mr. Zhang
Fax:
E-mail:
Company QQ: 878972156 390363752 55356626
Website: http://www.hahait.com/41328
Scope of business: Phone Samsung LG Nokia
QQ 878972156
QQ 390363752
QQ 55356626
The QQ number is linked to a post on a car forum dated 2005
http://www.xcar.com.cn/bbs/viewthread.php?tid=6300657
http://www.xcar.com.cn/bbs/viewthread.php?tid=1576356
Xcar ID: Jeno
Little Lion 1.6 xmt
License plate: 豫ADB922
Mobile number: 13513899779
Whois record of XIUXING.INFO
Domain ID:D13719670-LRMS
Domain Name:XIUXING.INFO
Created On:09-Jun-2006 06:16:29 UTC
Last Updated On:29-May-2007 01:13:12 UTC
Expiration Date:09-Jun-2009 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:49A2353365A0954B
Registrant Name:tawnya grilth
Registrant Organization:i-tobuy.com
Registrant Street1:po box 211
Registrant Street2:
Registrant Street3:
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com
Tawnya Grilth aka Eric Charles aka xxgchappy aka Jeno aka undercurrent
Personal Details
QQ number 55356626 profile
Reposted from: http://www.xfocus.net
Created: 2003-08-31
Article type: original
Submitted by: jeno (xxgchappy_at_vip.sina.com)
Author: jeno
Email: jeno@vip.371.net
Time: 2003-8-31
Xfocus profile
https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35525
xxgchappy@vip.sina.com is the registration email of an account on the Chinese social network Kaixin001.
http://www.kaixin001.com/home/17206761.html
Personal details mentioned on the Kaixin profile:
Name - 张长河 Zhang Chang-he
Living in Zhengzhou, Henan Province, China.
QQ number 55356626 leads to a personal blog revealing his picture
http://55356626.qzone.qq.com
Conclusion
Jeno registered all the domains associated with the espionage activity, and considering his xfocus and rootkit.com profiles we can zero in on Jeno, or he is in some way associated with the group.
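The pivot the post performs by hand, tying hnsj.org and xiuxing.info together through the registrant e-mail they share, is routine attribution work and is easy to automate over a larger set of records. The block below is an added example written for this page, not code from the post: it parses registrant-style WHOIS records in the "Key:Value" layout quoted above (the two records from the post are embedded inline, trimmed to the pivot fields, together with one made-up control record that shares nothing with them) and reports every registrant selector that more than one domain has in common. Country and state are deliberately left out of the pivot fields because the quoted records show them to be unreliable (YE as the country for hnsj.org, "State" as the province); the field names and the one-record-per-blank-line layout are assumptions matching the records as quoted.

```python
import re
from collections import defaultdict

# Constructed input: the two registrant-style WHOIS records quoted in the post
# (values as shown there, trimmed to the fields used here) plus one made-up
# control record that shares nothing with them.
WHOIS_TEXT = """\
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Registrant Name:eric charles
Registrant Organization:personal
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant Email:jeno_1980@hotmail.com

Domain Name:XIUXING.INFO
Created On:09-Jun-2006 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Registrant Name:tawnya grilth
Registrant Organization:i-tobuy.com
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Email:jeno_1980@hotmail.com

Domain Name:CONTROL.EXAMPLE
Created On:01-Jan-2010 00:00:00 UTC
Sponsoring Registrar:Example Registrar (R0-EXAMPLE)
Registrant Name:jane doe
Registrant Organization:none
Registrant Country:US
Registrant Phone:+1.5550100
Registrant Email:jane@example.invalid
"""

# Selectors worth pivoting on; country/state are omitted as unreliable.
PIVOT_FIELDS = ("Registrant Email", "Registrant Phone", "Registrant Name")


def parse_whois(text):
    """Split blank-line separated 'Key:Value' records into a list of dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)   # first colon only: timestamps contain colons
            rec[key.strip()] = value.strip()
        if rec.get("Domain Name"):
            records.append(rec)
    return records


def normalize(field, value):
    """Canonical form of a selector so formatting differences do not hide a match."""
    if field == "Registrant Phone":
        return re.sub(r"\D", "", value)      # digits only: +1.831459019 -> 1831459019
    return value.strip().lower()


def pivot(records, fields=PIVOT_FIELDS):
    """Map (field, value) -> sorted domain list for every selector shared by 2+ domains."""
    index = defaultdict(set)
    for rec in records:
        domain = rec["Domain Name"].lower()
        for field in fields:
            value = rec.get(field, "")
            if value:
                index[(field, normalize(field, value))].add(domain)
    return {sel: sorted(doms) for sel, doms in index.items() if len(doms) > 1}


if __name__ == "__main__":
    for (field, value), domains in sorted(pivot(parse_whois(WHOIS_TEXT)).items()):
        print(f"{field} = {value}: {', '.join(domains)}")
```

On this input the only shared selector is the e-mail address, which is exactly the link the post draws; the differing registrant names and phone numbers are what a registrant who is varying details between registrations looks like, and a pivot that required every field to agree would miss the connection.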
Update 16 Feb 2013
http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked
Journals published by Zhang Chang-he (2005-2011)
http://www.cnki.net/KCMS/detail/search.aspx?dbcode=CJFQ&sfield=au&skey=%E5%BC%A0%E9%95%BF%E6%B2%B3&code=22840348;20139954;21141875;
Windows Rootkit
http://www.cnki.net/KCMS/detail/detail.aspx?QueryID=5&CurRec=2&recid=&filename=XXGC200702023&dbname=cjfd2007&dbcode=CJFQ&pr=&urlid=&yx=
http://www.docin.com/p-49869286.html
Analysis of Windows Startup
http://www.cnki.net/kcms/detail/detail.aspx?filename=XXGC200903027&dbcode=CJFQ&dbname=CJFD2009
http://www.docin.com/p-253321277.html
Security Analysis of PCI device
http://www.docin.com/p-279253540.html
Capturing File Transferred or Printed Based on SMB in LAN
http://www.cnki.net/kcms/detail/detail.aspx?filename=WJSJ200606039&dbcode=CJFQ&dbname=cjfd2006
Another email mentioned in Joe's blog was jeno_1980@hotmail.com which is linked to xxgchappy@vip.sina.com
Espionage Domains
Malware reported on umu1.echosky.biz
Malware reported on www.dellpc.us - December 2007
BlackHat Domains
http://web.archive.org/web/20100106025256/http://www.socialup.net/contacts.php
ICQ 567950703
The ICQ search leads to a blackhatworld profile with handle "xxgchappy" and a domain makewithmoney.com
Domain name: makewithmoney.com
Creation date: 18 Nov 2009 02:17:06
Expiration date: 18 Nov 2010 02:17:06
Registrant Contact:
personal
eric charles ()
Fax:
Santa Cruz 1156 High Street
california, california 95064
US
Administrative Contact:
personal
eric charles (jeno_1980@hotmail.com)
+1.831459019
Fax: +1.831459019
Santa Cruz 1156 High Street
california, california 95064
US
https://twitter.com/leedoctor
http://www.blackhatworld.com/blackhat-seo/members/73099-xxgchappy.html
http://www.v7n.com/forums/social-networking/161752-wts-cheap-digg-service-0-1-per-digg.html
Jeno promoted his socialup.net in chinese forums
The profile mentions www.hnsj.org as his website
Whois record of hnsj.org
Domain ID:D155737903-LROR
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Last Updated On:04-Apr-2010 05:17:20 UTC
Expiration Date:27-Mar-2011 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:f1f613654acc4737
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant Street2:
Registrant Street3:
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant Phone Ext.:
Registrant FAX:+1.831459019
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com
Personal Domains
Archive
http://web.archive.org/web/20100109050932/http://www.hnsj.org/article.php?id=4
QQ number 55356626 is posted as contact on HNSJ.ORG
xxgchappy promoted hnsj.org on his Baidu blog
http://hi.baidu.com/%BA%D3%C4%CF%CA%D6%BB%FA%CD%F8/home
His Baidu profile mentions further details
http://passport.baidu.com/?business&aid=6&un=xxgchappy#0
Further search reveals other QQ and Phone contacts
http://bbs.shangdu.com/t/20080831/01004001126/126-1.htm
2008 post
慧慧数码旗舰店 (Huihui Digital Flagship Store)
http://shop36037986.taobao.com (shop no longer exists)
Specialising in all kinds of smartphones
Well-known Taobao store, diamond reputation, selling nationwide
Original goods guaranteed; if not original, 50 compensation for distress plus a full refund.
百脑汇 (Buynow) 2nd floor, 2B16
QQ: 55356626
Wangwang: 慧慧数码旗舰店
13949001667
Our professionalism is worthy of your trust.
Phone number 13949001667 (a mobile GSM number) belongs to Zhengzhou City, Henan Province, and the name listed alongside it is Zhang.
http://www.hahait.com/h41328
Company Name: Henan phone network
Tel: 0371-66900779
Company Address: Longhai Road, No. 188 Central Plains Communications Digital City A420
Contact: Mr. Zhang
Fax:
E-mail:
Company QQ: 878972156, 390363752, 55356626
Website: http://www.hahait.com/41328
Scope of business: Phone Samsung LG Nokia
QQ 878972156
QQ 390363752
QQ 55356626
http://www.xcar.com.cn/bbs/viewthread.php?tid=6300657
http://www.xcar.com.cn/bbs/viewthread.php?tid=1576356
Xcar ID: Jeno
Car: 小狮子 ("Little Lion") 1.6 XMT
Licence plate: 豫ADB922
Mobile number: 13513899779
Whois Record- XIUXING.INFO
Domain ID:D13719670-LRMS
Domain Name:XIUXING.INFO
Created On:09-Jun-2006 06:16:29 UTC
Last Updated On:29-May-2007 01:13:12 UTC
Expiration Date:09-Jun-2009 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:49A2353365A0954B
Registrant Name:tawnya grilth
Registrant Organization:i-tobuy.com
Registrant Street1:po box 211
Registrant Street2:
Registrant Street3:
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:jeno_1980@hotmail.com
xiuxing.info is a forum related to Buddhism.
Jeno mentions his Buddhism website on his profile, along with the same QQ number used on HNSJ.org.
Tawnya Grilth aka Eric Charles aka xxgchappy aka Jeno aka undercurrent
Personal Details
The personal email "xxgchappy@vip.sina.com" is also mentioned in a shellcode article written by Jeno at Xfocus, a well-known Chinese hacking forum, dated 2003.
Created: 2003-08-31
Article type: original
Submitted by: jeno (xxgchappy_at_vip.sina.com)
Author: jeno
Email: jeno@vip.371.net
Time: 2003-8-31
Xfocus Profile
https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35525
DOB 1980-10-1
The name Jeno and the 1980 date of birth match the email Jeno_1980@hotmail.com, which is used as the registrant email.
Kaixin001 Chinese Social Network
http://www.kaixin001.com/home/17206761.html
Name - 张长河 Zhang Chang-he
Living in Zhengzhou, Henan Province, China.
QQ number 55356626 leads to a personal blog revealing his pic
http://55356626.qzone.qq.com
Conclusion
Jeno registered all the domains associated with the espionage activity, and considering his Xfocus and rootkit.com profiles we can zero in on Jeno, or he is in some way associated with the group.
Update 16 Feb 2013 (the Businessweek article and the journal links are listed at the top of this post)
Wednesday, 29 February 2012
Chinese Threat Actor Part 2
Follow up on Joe Stewart Investigation
http://www.secureworks.com/research/threats/sindigoo/
Chinese Threat Actor Part 1
http://cyb3rsleuth.blogspot.com/2011/08/chinese-threat-actor-identified.html
king_public@hotmail.com also owns another email king_public@163.com
RootKit Database
(23025,'king-rose','e211f11c0b28434bf7f1c8fb510fa9ae','Club tom','king_public@hotmail.com',1,1106582903,'','','','','','',0,'','',1106837367,'61.51.59.63',0,0,0,1106583113,0,0,0,'BH','19800126','','','',0,'')
IP - 61.51.59.63
Location CHINA, BEIJING, BEIJING
Connection through CHINA UNICOM BEIJING PROVINCE NETWORK
IP - 123.120.127.153
20446,'king-z','e211f11c0b28434bf7f1c8fb510fa9ae','k,z,y','wzy_100@hotmail.com',1,1097652186,'','','','','','',0,'','',1284013010,'123.120.127.153',0,0,0,1284013010,0,0,0,'','','','','',0,'')
Location CHINA, BEIJING, BEIJING
Connection through CHINA UNICOM BEIJING PROVINCE NETWORK
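The two rootkit.com member rows above can be pivoted on their shared fields programmatically. What follows is an added example written for this post, not code from the original investigation: it parses the two quoted rows (embedded as constructed sample input), converts the registration timestamps to UTC dates, and reports every selector (password hash, email, IP) that more than one account shares. The dump carries no column header, so the column names used here (id, name, pass_hash, email, joined_ts, ip) are assumptions taken from the visible values.

```python
"""Pivot leaked forum member rows on shared selectors (added example)."""
import ast
import datetime as dt
from collections import defaultdict

# The two rows quoted on the page, reproduced here as constructed sample input.
# The first is wrapped in parentheses on the page, the second is not.
RAW_ROWS = [
    "(23025,'king-rose','e211f11c0b28434bf7f1c8fb510fa9ae','Club tom',"
    "'king_public@hotmail.com',1,1106582903,'','','','','','',0,'','',"
    "1106837367,'61.51.59.63',0,0,0,1106583113,0,0,0,'BH','19800126','','','',0,'')",
    "20446,'king-z','e211f11c0b28434bf7f1c8fb510fa9ae','k,z,y',"
    "'wzy_100@hotmail.com',1,1097652186,'','','','','','',0,'','',"
    "1284013010,'123.120.127.153',0,0,0,1284013010,0,0,0,'','','','','',0,'')",
]

# Assumed column positions: the dump shows no schema, so these names are
# guesses based on the visible values. Only these six columns are used.
COLUMNS = {0: "id", 1: "name", 2: "pass_hash", 4: "email", 6: "joined_ts", 17: "ip"}


def parse_row(raw: str) -> dict:
    """Parse one SQL VALUES tuple (with or without surrounding parens)."""
    body = raw.strip()
    if body.startswith("("):
        body = body[1:]
    if body.endswith(")"):
        body = body[:-1]
    # literal_eval accepts only literals, so quoted commas such as 'k,z,y'
    # are handled correctly and nothing in the row is ever executed.
    fields = ast.literal_eval(f"({body})")
    return {name: fields[idx] for idx, name in COLUMNS.items()}


def joined_date(row: dict) -> str:
    """Registration timestamp (unix seconds) as an ISO date in UTC."""
    return dt.datetime.fromtimestamp(row["joined_ts"], tz=dt.timezone.utc).date().isoformat()


def shared_selectors(rows: list, keys=("pass_hash", "email", "ip")) -> dict:
    """Return {(selector, value): [account names]} for values shared by 2+ accounts."""
    index = defaultdict(set)
    for row in rows:
        for key in keys:
            value = row[key]
            if value:  # empty fields are not a link
                index[(key, value)].add(row["name"])
    return {sel: sorted(names) for sel, names in index.items() if len(names) > 1}


if __name__ == "__main__":
    rows = [parse_row(r) for r in RAW_ROWS]
    for row in rows:
        print(f"{row['name']:<10} joined {joined_date(row)} from {row['ip']}")
    for (key, value), names in shared_selectors(rows).items():
        print(f"shared {key}={value}: {', '.join(names)}")
```

Both rows carry the same 32-character hex hash; if the site stored unsalted MD5, as the fixed width suggests, both accounts used the same password, which is a stronger link than the handles alone. The same pivot works on the whois records quoted in Part 3 once they are loaded as dicts keyed by the same selector names.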
The Kaixin profile linked to king_public@hotmail.com reveals the name Wang Liang Chen (王亮晨), and his other email king_public@163.com is also linked to a Kaixin profile.
Wang Zhong Yun (王仲俊)
http://www.kaixin001.com/home/22655901.html
http://www.kaixin001.com/photo/logolist.php?uid=22655901
Gender: Male
Current residence: Beijing
Zodiac Sign: Pisces
The spacewalk picture is used as profile picture for king_public@hotmail.com kaixin.
His social network has many friends, and the profile appears genuine.
Further analysis reveals that king_public@163.com is linked to many tech and hacker forums with handles "W100", "King-W" and "King-Z"
Tianya Board
Male, Beijing, Pisces
http://topic.csdn.net/t/20031223/17/2594994.html
http://topic.csdn.net/t/20050926/19/4295450.html
51CTO Blog
8dragon
Known emails and handles of the actor
king_public@hotmail.com
wzy_100@hotmail.com
king_public@163.com
king_w100@163.com
Handles - King-Z, King-W, W100, King-rose
Chinese Threat Actor Part 3
Monday, 13 February 2012
Gigabid Affiliate
Gigabid - Clickbot and Fake AV Affiliate
INCOME UP TO 400 $ - 1K US
US, GB, CA, AU, AT, BE, BG, DE, GR, DK
IE, ES, IT, CY, LU, MT, NL, PT, FI, FR, SE
STANDARD US CA GB AU
up to 90%
NEW METHOD FOR THE ENVELOPE!
Earn up to $ 830 A DAY
UP TO 20% Referral
COMPATIBLE with other software
Friday, 10 February 2012
Evade Antivirus Detection
Bad guys' way
- Scan malware at multiple Anti Virus Checker that do not send samples to AV companies.
- Crypt malware with Polymorphic crypters to avoid detection.
MyAV Scan - Private AV Scanners and Crypters
About
Services
Multiple Scanners & Crypters
Desktop Version
Wednesday, 1 February 2012
Andromeda Bot
English translation by @Sherb1n
Coder - Waahoo - Adv on Private Forum
Description:
This versatile modular bot can be used as the foundation for a botnet with an endless variety of possibilities. The bot’s functionality can be expanded through a system of plugins, any number of which can be added at any time.
Supports unlimited number of reserve domains.
Data exchange protocol between the bot and the admin server is RC4-encrypted.
You can reconfigure your botnet to your needs at any time, by yourself.
Doesn’t overload the system, doesn’t require admin rights to install, doesn’t trigger a UAC pop-up.
The bot protects itself, so an unskilled user will not be able to remove it from the system.
Bypasses firewalls, doesn’t appear in the list of processes, injects into a trusted process.
Doesn’t produce any DLLs, doesn’t contain TLS, easy to encrypt.
Regardless of how successful the installation is, the original executable is deleted.
Works on WinXP through Win7, including x64 systems.
Very lightweight, written entirely in Assembler.
There are two versions of this bot:
01.* public inject-based, uses QueueUserAPC
02.* bypass-based; this version, unlike the one above, can get through proactive defense.
Written in PHP, bundled with MySQL.
Detects bots behind the NAT.
Keeps botnet stats: # of bots online/offline/dead, breakdown by country, breakdown by platform.
Keeps track of the number of finished/unfinished tasks.
Can set a limit on the number of times the task will be executed.
Can assign tasks to individual bots.
Assign tasks based on the bots’ countries.
Clear all stats/delete all dead bots from the DB.
Admin panel screenshots:
01.* - $200
02.* - not for sale at the moment.
Rebuild for a new URL (main URL) - $10
For each additional reserve URL - $10
We accept:
Liberty Reserve (preferred)
Webmoney.