05/18/12

bitCoin Mining Scam

gAtO fOuNd -this in the (.onion network site) BlackMarket Reload (while looking into bitCoin mining. bitCoin mining is something that people are getting into and using customize scripts to use zombie computers to generate bitCoins. Using Trojan-Downloader.win32.Agent.bmzd as a starting point it is modified to give it’s own unique hash file whoch will sometimes be overlooked by virus scans.

Then the author will insert 2 miners for him and give you the rest. At least that’s what this ad tells us. Here is a clue what a scan is it say’s it does not draw CPU power and of course if you know anything about Mining bitCoins that’s how it hashes bitCoins. So I would think that it would slow down a windows machine quite a bit. Since it modeled as a legit bitCoin Miner they tell us it’s 100% undetectable, I question that part. I also see that they are using DeepBit guild instead of the BTC guild, BTC guild will give you a little higher hashes and faster.

GREED is the reason why this little scam will work. The old saying if it’s too good to be true it’s NOT true. As bitCoins become more popular we will se others come into the bitCoin mining, but think about it. You can now take over a machine and have it mine bitCoins. It’s pretty much undetectable because the zombie machine is not being use to DdOs someone or used as a spammer machine. These zombies will be noticed when the C2 (Control and Control) is caught but in this bitCoin scam the machines will not be noticed too much from the outside world just the user will have a slow ass Windows machine- let’s face it a slow Windows machine is normal, and since this is only marketed in the deepWeb not the clearWeb less people will notice- gAtO oUt

the Ad can be found in the deepWeb- http://4eiruntyxxbgfv7o.onion/paste/show.php?id=169a828090203b12

Hi! I’m androd2 and in this site http://5onwnspjvuk7cwvk.onion/index.php?p=view_listing&id=2851

(The WELL known BlackMarket Reloaded) I sell this really.. REALLY cheap.

(you must sing up to enter… just do it as customer, enter nickname..

and you’re IN! .. then enter http://5onwnspjvuk7cwvk.onion/index.php?p=view_listing&id=2851 )

As you’ll see.. I have positive feedback.. i’m not a scamming newbie.. I just wanna spread and

get people to know what I sell!

What is it? {It’s EXTREMELY well described in the item description}

.. I will paste the item description below ;).. pelase at least visit it!

100% Coded By Myself, Undetectable, Customized… and STEALTH!

***************************************

Proof it is “undetectable”: https://www.virustotal.com/file/ef390fc5455a3a2ca07168eff05071d10bf7ed156d2455fb28e5b6eb045ddb7f/analysis/1335995324/

.. notice that the ONLY positive was from ByteHero ONLY.. and it is even a FALSE positive.. “Trojan-Downloader.win32.Agent.bmzd” because it doesn’t download anything. It passed ALL Antivirus.

***************************************

How does it work? Well…

I make a CUSTOMIZED and UNIQUE Stealth miner exe (configured with 2 worker sessions of yours), i send it to you, and you and make your victims execute it (I can disguise it as you wish just ASK… for example I spread mine in a forum. I embedded a legitimate Windows7 activator.. and while actually activating Windows7.. it , without popup of ANY kind,it generated some files.. and starts mining)

It draws a little of GPU Power form each machine, mining for you! I’ve spread mine, and in one month now I ‘ve already Passed the 2000Mhash/s!

Excellent for posting anywhere… just make me disguise the exe! , uploading to your BOT-NET, or infect with social engineering, or, if you want to, embed a useful EXE, disguise it, and while actually executing the legitimate EXE… also installing the Silent Miner.

It’s 100% made by me. It hides itself. Auto-start with windows… NO window opened. Doesn’t draw CPU power!

The victim will not notice! No strange windows, no console popup… NOTHING!

The best part: 100% Undetectable! It’s based on a modded and legitimate GPU Miner, so it can’t be detected as VIRUS!

IT DOESN’T AUTO SPREAD ITSELF… so the key is how many victims execute this… thinking a bit you’ll came with TONS of ways (ask me to change the icon, a fake screen error, embeding a legitimate binary.. ) Thanks to that,get almost 100% invisibility to Heuristics.

Once executed by the victim.. the victim can even delete the original file..because the files are already installed!

It’s simple. All you need to give me is the data of 2 workers (recomend BIG Public Mining Pools.. for anonimity.. and quick cashout.. I used Deepbit for example) (One is backup in case the first one’s mining pool is down). That is Miner address and password {the password of the miner, not session… ask if you don’t understand this.. it’s not dangerous, because it’s the pass of the worker}. And the things you want me to do … put a custom icon? embeding a some sort of file or binary? ASK for it!

IMPORTANT: Once made the program and shipped to you, the workers address can’t be changed by ANY MEANS, because it’s embedded to the code.

I sold the first for 0.35 now it is a bit higher … Check the feedback yourself! it works! Have your Own Miner Factory… without having to spend money on hardware. With this, is extremely EASY to make much more in a day, than the price I ask for it. You’ll get that money back in NO TIME.

The price is extremely low to the Next buyers just to get positive feedbak of the product.. I’m planing to sell it for more than 2BTC or something like that. (In matter of days I got 2BTC from mine…)

. Consider this discount as a EXTREMELY good opportunity to get a 100% anonymous, decentralized, and secure way to get BTC!

CUSTOM THINGS I MAY ADD IF YOU ASK FOR (Check “Shipping options”, some of these are free, others not… if you only want the free ones,select the option one, to complete the price of the offer :) ):

*Error Message – FREE {Once the victim machine executes it, you can chose it to do nothing -silent, no popup, no window, nothing-, or if you want it to be used with Social Engineering, show some sort of error message}

*Exe’s Icon – FREE {Change the icon of the file… useful for social engineering

*Embed File/Binary – 0.09BTC Extra {You can ask me to embed -you must provide it- a file, so the victim won’t suspect it’s something weird happening. For example, I embedded a USEFUL Windows 7 Activator, and made the spread SO easy… because it actually unlocked Windows7 while infecting with the miner, so they shared it to friends and leave positive feedback on the post}

*YOU can say whatever you need and I will try to adapt this to your needs!

I’m doing it with LOW price because i want positive feedback to this product in particular {because it’s made by myself}. Then I’ll set a HIGHER Price.

If you have any doubts, please ASK… don’t keep the doubts!

- BITCOIN Silent FUD GPU Miner,UNDETECTABLE,100%Custom.

05/16/12

gAtOmAlO2 is @_th3j35t3r

gAtO iS _th3j35t3r – I as soon as a friend heard the news of the th3j35t3r and @cubespherical were at each other I went on to twitter and pick up the name. Why? As a security researcher I wanted to see if people were dumb enough to be fooled by anyone. Call it a test of a fool for the fools. Well I was surprised that people started to follow me right away, not too many fell for it but a few were confused and that is why you should always “trust but verify” .

I really don’t care what this is all about I just wanted to Social Engineer it just a wee bit to play a game of thrones. Who would suspect – who will know, who really cares. Anyway I got work to do so I need to play this out and finally come clean so I don’t have to play this game for anyone else. A few friends that I told were smiling a bit and they know I’m a lOcO gAtO so now you have it my friends. I hope I didn’t hurt anyone by this little trick, I hope you all learned something, and I did not waste 24 hours I learned what fools of Tooks they all are and remember -This is all bullShit, get over it -gAtO oUt

#th3j35t3r #cubespherical

the game goes on and on - http://pastebin.com/fKFP0qJt

So, th3j35t3r is on the run. He’s rmed everything, he’s disappeared from the net. And it’s all the doing of this Smedley Manning/@cubespherical.

But who is this hero?! What manner of man is he?!

Let’s look over his brief history.

http://topsy.com/twitter/cubespherical?nohidden=1&offset=40&om=aaaa&page=5

If you go to topsy and look at his tweets, he was solidly pro-Jester until recently. Then suddenly, he remembered a bar fight back in 2002, and as the internets is serious business and he was owned so badly in that fight he was still feeling butthurt aftershock tremors a decade later, he decided to toss all that on the fire and DOX THE JESTER AND KILL HIM FOREVER.

Once people paid him 20K bitcoins.

Riiiiiight.

Good luck with that, Smedley.

I’ve already commented on him probably being th3j35t3r here http://pastebin.com/jwYt7Hyf. tl;dr: th3j35t3r appears to be running some kind of half-witted psyops gambit. They both using the same OS (but different browsers, dohoho), they both speak more or less the same, both use bitcoins, the Smedley Manning account acted like a sockpuppet prior to this, the truck he posted came from a car dealer’s website (http://www.beckhamsautos.com/web/vehicle_photos/1951320/#1).

Also, I don’t think anyone apart from th3j35t3r’s supporters (and a handful of Anons who were annoyed by him for 20 minutes) have ever actually taken him that seriously, to be honest. God forbid anyone would think his identity was worth 100K. He’s got enemies, sure, but most of the retaliation will consist of sending him hookers and pizzas; the Taliban and radical jihadists have bigger fish to fry. Taking down a website for 30 minutes and giving them free publicity by bragging about it probably isn’t going to put him on the INFIDELS WE’VE REALLY GOT TO CRUSH, WITH FIRE AND BOMBS, unless the US .gov reveal that they got Osama just before he finished recording his “th3j35t3r, NUMBER ONE ENEMY OF ISLAM” video.

Protip: They won’t.

Anyway. I don’t know what th3j35t3r is trying to accomplish with this little scheme. I strongly suspect it’s all about money, like those wristbands, and the adf.ly links on his blog that must have made him a tidy dollar every time the media reported on his latest drama. I could be wrong, of course. It’s happened once before.

[*] WHAT COMES NEXT

- From where I’m sitting, on top of my Keyboard Warrior throne, there are three likely outcomes for this, no matter what the original goal is, and I’d like to predict them right now, so that he can’t use any of them to weasel out of this.

1) He’ll reactivate his normal account and claim it was all a Psyops operation all along, and that he was tracking bitcoin usage by “bad guys”, trying to map them out and connect them to various twitter handles, or some variant of that story. It’ll be alright, though, because he’ll definitely have “donated all the money to the Wounded Warriors” project. Definitely. Totally legit. This, I suspect, may have been his original plan, but that’s just a suspicion based on his previous actions.

2) He’s going to make Smedley Manning look like a total villain, probably an Anon (like he’s doing now), and then pop up with his normal account, claim the dox was fake, and that he was gone dark in order to get enough time to notify this poor .mil dude that some crazy nemesis was after him, because he’s a hero like that. I figure this is now the mostly likely move.

3) He’s going to actually disappear. Whether it’s because he doesn’t want to disclose the truth about Saladin, whether it was all part of his plan all along, or whether he wants to run with the Smedley Manning coverstory, who knows. This is my favourite outcome.

Anyway, sit back, grab a beer, get some popcorn, and watch the Serious Business unfold. Brace for the oncoming shitstorm.

http://pastebin.com/fKFP0qJt

04/6/12

Supply Chain Cyber Attack

gATO rEaDiNg - 2012 Maindiant “An Evolving Threat” and Trend-Micro LuckyCat ReDux reports. Great reading for any security geek but most important it’s about the business side of the hack. Take the old smash and grab of financial information and split town, process the financial windfall and party like it’s 2999. Now it’s more beneficial for the criminals to stay inside the victims servers and collect intelligence and espionage. Ok let the gAtO break it down for you, not as a criminal that’s easy, as a state actor I would go after AeroSpace, Energy, Shipping, Military Research, Engineering, India and Tibetan Activist… Wait a minute a India, a Tibetan Activist group, oh yeah you know it’s China but this is to be expected from China. Now the new spin is why would they go into a banks and use advanced persistent threats (APTs) hacks, well as gAtO understands it the Chinese have a shit load of MONEY— follow the money is not only an american thing it’s for every player in the world.

We have to look at the data through 3 different set of eye’s (magnifying glass with gAtO’s old EyE’s) but it’s still the same – Your data (ALL- your little company secrets) needs protection.

Here is the Score-Card your Business — versus – Competition, Government, Criminals, Hacktavist, Economic Espionage, Nuisance Hackers. On top of all this 94% of victims were notified by an external entity that they were hacked. If that doesn’t send chills down every board member in every company in the world, nothing does.

Here you are doing your business and let’s be frank some business well they walk a thin line sometimes like dumping medical and radioactive waste on a beach in New Jersey ( I know Snooki lives there) . IS your company maybe polluting the ground water for a 100 mile radius of the plant. This is not the information that they want hackers, or the press to get a hold of. “Remmember Rudolf Murdock News Hacking Empire- hey hack anyone for a buck”

Protect Customer Data yeah companies and governments want to protect it, but their little illegal/legal stuff companies do like hiding the report of the of shore oil well that just blew up and spilled all kinds of stuff all over the Gulf coast. These are the real thing that keep business people up at night worrying about hackers, it’s plain and simple cover your ass and let’s get that no bid government contract after we pay off the senator and we better encrypt that information…..

Hackers come in all flavors but if you look at the LuckyCat crewz these are very unique. Not only real computer scientist but marketing campaign and project management. They dual tier C&C (Command and Control), they use the victims supply chain to move laterally across trusted networks in order to be more invisible. Invisible takes a new trend here these hacker hide their code in plain site, they used older malware as insertion points sometimes and of course social engineering to gain access.

Bottom line these new hackers- they are business-men, -they are governments, -they are commercial criminals, -they are hacktivist or -they are a lone wolf hacker. Companies are finally getting the message. Protect your data, not just your customer’s data, but all your little secrets because if your online– someone is watching you and these can be a 15 year old kid or a Dual Master degree in computer technology that is unemployed or works for a government. Trust but verify takes on a new meaning now -gAtO oUt

lab notes - The report, which is based on hundreds of advanced threat investigations conducted over the past year, includes analysis, statistics and case studies that highlight how advanced and motivated attackers are stealing sensitive intellectual property and financial assets.

Malware Only Tells Half of the Story Organizations’ investments in malware detection and antivirus capabilities, while effective in detecting characteristics associated with common worms, botnets, and drive-by downloads, do little to help defend against targeted intrusions.

The use of these publicly available tools has added some complexity to identifying threat actors because when organizations identify a piece of publicly available malware they often cleanse the file and — in the process — obscure what could be a larger incident.

It’s unclear why banks wouldn’t already be looking for unusual settlement activity and conducting daily monitoring, but there it is. At any rate, “high-risk” merchants generally handle the dicey and vicey types of online commerce, such as Internet gaming, adult Web sites, rogue anti-virus software sales and online pharmacies. Might be a good idea to keep an extra close eye out for these types of unauthorized charges over the next few days

02/19/12

gAtO aLmOsT -got hacked

gAtO aLmOsT -got hacked WHY? after a nice kitty nap I woke up and found my site uscyberlabs.com was suspended. I could not get into my site or get any email so I called my hosting provider. We soon found out that someone was trying to do a brute force trying to get into my admin panel. (see logs—below) To top it off someone called my provider and tried to social engineer them into resetting my password. From my simple SEO plug-ins I could see that it was a ToR connection the IP 72.14.182.266 running a Python-urllib/2.7 script. You can see the timestamp and the delay’s give it away to a ToR connection. Of course my hosting Service is doing some research to see what they can find out but the IP as well as the phone call were non-traceable (or were they).

gAtOmAlO sAy's

Since gAto writes about Anonymous I assume at first that the FBI was going to kick down my door but that made no sense since everything I publish is available online Open-Source. I did notice a few days ago a tweet warning of a grayHat that needed a Dox – http://whatismyipaddress.com/ip/72.14.182.226 this is a little info about the IP address it shows Dallas, TX but my internal SEO places it in Newark, NJ.

Why is the question did I piss someone off, was I getting close. I HAVE a lot of information about Anonymous and the crew(z) that I do not publish, just because “gAtO is No SnItCh”. Maybe @MissRevolution_ got pissed because of her money problems or Xgirlfriend, in Chi-town I could go on and on but The OpCashBack Twitter of Banks that I published was to get the world out. Why so many banks have twitter I still find that interesting. Oh Well back to the SaltMines -

Ok so is GaTo’s words so powerful that you want to hack his site…. gAtO feel so important —naw.. just messing.. -gAtO oUt

http domain 72.14.182.226 Hostip (subject) more info

Country: UNITED STATES (US)

City: Newark, NJ

IP: 72.14.182.226

li45-226.members.linode.com

Python-urllib/2.7

February 19, 2012 15:06:44