03/10/13

Finding the Bad Guy’s in Tor -triangulated irregular network

gAtO ThInKiNg - a car GPS works very simple, It takes the delay time from one geo-positioned satellite and compares is to another geo-positional satellite and estimates the position of the GPS in my CAR – I think they call it satellite triangulation or something cool, it’s been done with radios to guide pilots navigate ever since they developed radios. We do it with satellite and we can use networks too.

triangulated irregular network  -So now apply this to the Tor bad guy’s websites- a hidden service!math_clouadTag

With a simple command you can get the time it takes to crawl a website, so you have one server in the U.S one is South America, one in Europe and one in Asia and we run the same command getting the delays from each location. I bet with a little math and some basic network tools we could figure out the geo-location of any given website in Tor. One of my good mentors told me that in my crawls I was capturing timing information, we all see timing information with a simple ping command in the clear web but in Tor – UDP is unsupported so it does not work -//- we must take into account the Tor network thru-put and utilization bit that’s easy to get from a number of Tor tools.

Reverse triangulation of a network server should be easy to find with a little math, just take a good sample and the longer you wait the more data you collect and the better the chance you can find a geo-location of a website. We do this in the clear web all the time we can see bad areas of the world that are bad spammers, and other like mail from Africa Prince Scams offering you millions if you send them some money to cover the transfer, or Russian and Chinese phishing attacks. So we know geo-location and some IP are more prime to bad actors and we can draw a profile, a geo-location of a place and/or  country or an ISP so not having the IP of a Tor server may not be neededto find them we could use network triangulation. “triangulated irregular network  ” So the same thing can be done with networks and timing delays of data back and forth from a // client <–> Tor OR <–>server.

I got a crazy Idea that may or may-not work, but it sounds good—//  so— Now if I can only find a government grant and a good math major to help out and we have a big business model to find the bad guy’s geo-location even in Tor - gAtO oUt…

03/7/13

Mapping Tor Websites

gATo and fRiEnDs- are am now working on the Tor-Directory Project crawling about 2000 Tor-url and getting some new information about Tor and the sites that reside in the Dark Web. Example I got a good crawl from a site and I went to double check it and now it was down, so are the sites going up and down and online just for a period of time? Are the site not available because of the browser I am using -vs- my crawler. These are some of the answers I will find out.

I expected due to the slowness of Tor to spend a lot of time running these crawls. I have now a script that I can run in about 20hr or less and scrape about 2000 sites. I thought that the slowness of Tor-Dark Web would make this a real time eater but I am wrong. Another thing is the secret Tor sites I found, I now have a fingerprint on them and these sites that hide in secret on top of being in Tor are a real interest to me and others.

The main issue is Tor is not socks-http friendly so setting up the infrastructure was a real learning curve and now I can replicate the installation so as I get more servers online this will become a little easier. Right now I am mapping the sites so I can crawl every page, the good part and bad is I am finding more and more URL that I never thought existed, so the discovery of new URL is a good thing but once again the collection becomes a real bear.

I am putting this into a db to make the search of the collected data a little easier but finding that db programing on the web is well not very user friendly but I have a good partner that is fixing all my mistakes. We will house this new Tor-only website search engine in the clear web so we can keep the speed up and well people are scared to go into Tor, so why not keep everything in the clearWeb for now.

I expect the crawls to get much longer since I now have the urls to crawl every site a little better but the information and mapping out Tor will be and invaluable tool for us. You say how about the hidden wiki, and all those sites that have Tor directory wiki sites. Well they are OK for basic stuff but I am finding new sites I never heard of and the pedophiles are all over Tor so you best beware I am putting a light on your websites and the next part will be to stop you from using Tor as a play ground for your sick crap. Tor is meant for real needs of privacy and protection and I hope my work in this will get these sick bastards to run somewhere else — gATO is watching you in Tor so beware!!!

 

11/14/12

What Are ToR Hidden Service?

gAtO tHiNkInG - anonymity serves different interest for different user groups; To a private citizen it’s privacy, to a business it’s a network security issue. A business needs to keep trade secrets or have IP (knowledge base data-centers), communicate with vendors securely and we all know that business need to keep an eye on there competition – the competition can check your stats

update -11-14-2012 -uscyberlabs.com Tor Hidden Servicehttp://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox / honeypot — cool logs stats -DOWN 4 upgrade – 06-11-2013

(http://www.alexa.com/siteinfo/uscyberlabs.com) and check on how your business is doing, what keywords your using, demographics of users hitting your site—— by the way in the Tor-.onion network a web site/service cannot be monitored unless you want it…

How would a government use a ToR-network I’m asked all the time —

// if I was an (agent/business-person)state actor doing business in China (and other countries too) well I would use a ToR-.onion connection to keep my

business private from a government that is know to snoop a bit on travelers to their country. The fact is governments need anonymity for their security -think about it “What does the CIA Google for?” Maybe they us ToR??? But this is about Hidden services right.

 

What is a hidden service in ToR-.onion network?

SImply put it’s a web site/service, a place in the ToR network were we have a service like:

  • Search Engine
  • Directories
  • web / pop3 email
  • PM Private Messages
  • Drop Box’s
  • Re-mailers
  • Bulletin Boards BBS
  • Image Boards
  • Currency exchange
  • Blog
  • E-Commercce
  • Social Networks
  • Micro-Blog -

Hidden Services are called hidden, because your website’s IP in ToR is hidden- they cannot see the IP of your server — they can’t track you- if they can’t find you how are they gonna hack you???? Sorry I had to say that -((more about that later)). Now how do I keep this secret (my IP) and let you the user use my services. In the normal web if your in uscyberlabs.com your on my site,— my server -you can do a whois and get my IP and geo-location— then you can attack my website with dDoS and other IP attack vectors, you also get my location so you can physically find me- my server/my website – maybe go dumpster diving in the trash and get my company secrets— mAyBe sI – nO,

Well in the ToR-.onion network you the client ask the business website if they can use the websites service / then decide and start a handshake to a rendezvous POINT to meet  —we meet at an OR ((onion relay))-a rendezvous POINT) not at my server/ my IP — so your never ever on the business site/server when your in onionLand, you can’t do a whois and get my IP because we meet at an OR, you cannot find my geo-location…..

We have heard of the killings of Iranians and Syrian rebels being killed in todays news, when an Iranian rebel is fighting for his and his families life if they(the government) finds his IP or the IP of the website he visited // they will hunt that person down and the Iranian police/government will kill the whole family sometimes. So keeping an IP from someone is not an evil act it is an act of privacy for safety on both sides the client and the business.

you need to look at Figure 2 to explains this better:

Now let’s focus on R2 OR the yellow key. That’s the spot were you(your company’s hidden website) and your client meet — I know it’s a sneaky way of doing business but once again if they can’t get to your IP at least that is one attack vector that can’t be used to hack you or ddos you. OK they can still hack you but it’s software then. How it’s all done – the magic —the technical thingy to this is below —/this is just an outline of events of the client /hidden web/service protocol:














I goes something like this –

  • ESTABLISH RENDEZVOUS cell
  • INTRODUCE1
  • INTRODUCE2 cell
  • INTRODUCE ACK cell.
  • INTRODUCE2 cell
  • RENDEZVOUS1 cell
  • sends a RENDEZVOUS2 cell Chat
  • sends a RENDEZVOUS2 cell Blog
  • RENDEZVOUS ESTABLISHED cell

1. Whenever the rendezvous point receives a RELAY_COMMAND_RENDEZVOUS1  with the same cookie as the OR sent in the RELAY_COMMAND_INTRODUCTION1 cell it logs the reception and the IP address of the immediate transmitter of the cell. At the same time, the OR middle node monitors the circuits passing through it. Whenever it receives a DESTROY  cell over a circuit it checks:

1) whether the cell was received just after the rendezvous point received the RELAY_COMMAND_RENDEZVOUS1 cell;

2) if the next node of the circuit at the middle node coincides with the previous node of the circuit at the rendezvous point;

3) whether the number of forwarded cells is exactly 2 cells up the circuit and 52 cells down the circuit.

More Geek network kinda stuff::

1. Jun 03 20:50:02.100 [notice] Tor 0.2.1.0-alpha-dev (r14739) opening new log file.

2. Jun 03 20:50:11.151 [notice] We now have enough directory information to build circuits.

3. Jun 03 20:50:12.697 [info] rend_services_introduce(): Giving up on sabotage as intro point for stuptdu2qait65zm.

4. Jun 03 20:50:18.633 [info] rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 1560 for service stuptdu2qait65zm

5. Jun 03 20:51:18.997 [info] upload_service_descriptor(): Sending publish request for hidden service stuptdu2qait65zm

6. Jun 03 20:51:22.878 [info] connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 200 (“Service descriptor stored”))

People ask me how can these hidden services be attacked???

It’s all the same as in the surface web you find the software the hidden service is using /// let’s say Worpress (or flatPress) if they use an old version with vulnerabilities then, that site can be hacked by traditional hacking attack vectors— gAtO can’t wait till USCyberLabs.com will have a sandbox in the .onion were we can have a honeypot for people to hack and learn from.  (we need Funding for these project donate please – we will share) gAtO has not tried Backtrack 5 on ToR-.onion network – mAyBe sI -nO – uscyberlabs.com has been hacked a few times already and is consistently fighting bot’s and spammer, it goes on and on.everywhere-.-.-.-

Here are some technologies used in the ToR-.onion network:

update -11-14-2012 -uscyberlabs.com Tor Hidden Service = http://otwxbdvje5ttplpv.onion gAtO built this as a test sandbox and it turned into a honeypot — cool logs stats

TorStatusNet – http://lotjbov3gzzf23hc.onion/   is a microblogging service. It runs the StatusNet microblogging software, version 0.9.9, available under the GNU Affero General Public License.

FlatPress is a blogging engine like -Wordpress blog http://flatpress.org/home/   – http://utup22qsb6ebeejs.onion/ -

Snapp BBS works fine in OnionLand - http://4eiruntyxxbgfv7o.onion/ -

PHP BBS – http://65bgvta7yos3sce5.onion/

Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.  – http://ay5kwknh6znfmcbb.onion/torbook/

Anyway I hope this open up the mystery of a hidden service in ToR – it’s just a website, you go to a rendezvous point and do your business — your IP and the business IP are totally secure. No digital breadcrumbs. Now a word to the wise in the ToR-.onion network you have some very tech savvy people and some are very stupid be a critical-cyber user always -gAtO oUt.

11/13/12

Protocol-Level Hidden Server Discovery -WRONG

sOrRy – AROGANT gAtO - Open letter to:zhenling - jluo -wkui - xinwenfu – at seu.edu.cn cs.uvic.ca cs.uml.edu  - I wrote to you and gave you a chace to reply so her it goes for everyone to see that you rigged your lab in real life it does not work like you claim – gATO OuT – may be wrong mAyBe Si -nO 

zhenling@seu.edu.cn
jluo@seu.edu.cn
wkui@cs.uvic.ca
xinwenfu@cs.uml.edu

Protocol-Level Hidden Server Discovery

Since entry onion router is the only node that may know the real IP address of the hidden service— -note [3] The assumption was made in virtually all attacks towards the Tor network. This is reasonable because onion networks routers are set up by volunteers.

WRONG folks — So criminals work in these sterile structured surrounding – following rules and making assumptions that I’m stupid enough to not know how to control ENTRY and EXIT nodes into my Tor Website— COme on Dudes this is not school it’s the real world… otwxbdvje5ttplpv.onion here is my site now find my IP —

WHo am I – Richard Amores – @gAtOmAlO2 – I run http://uscyberlabs.com – I just finished a boot -“ The Deep Dark Web” Amazon New eBook -The Deep Dark Web – http://www.amazon.com/dp/B009VN40DU   Print Book – http://www.amazon.com/The-Deep-Dark-Web-hidden/dp/1480177598 :- I do a we bit of real life research and I disagree — I go thru a proxie and a VPN in EU… before I go into Tor so the chances that you will find my IP just went up a notch or too. But I’m a legit – Security Researcher – imagine if I run Silk Road — making a bunch of Bitcoins a DAY— how many layers do they have—

how about a basic BRIDGE RELAY — and there it goes – u can’t touch this — how about a simple modification of the torrc file with these
HiddenServiceAuthorizeClient AND – HidServAuth
with these few modification the Tor site is hidden unless you have the key (HiddenServiceAuthorizeClient) in your browser/- that was generated to match the HidServAuth)-of the server– I think that your chances of finding my mean ass hidden service ip address —are ZERO…

I like what you’ll did cool analyst and you explained it great – but this puts fear into people – dissidents will maybe not use Tor because of what you guy’s say and maybe they may get caught and killed… It’s not only CRIMINALS — I know that gets grants money — but Tor is used to communicate and it allows – Freedom of Speech in Cyberspace- I’m gonna write something about this and I want to be nice so please explain why — you can say from an educational place of knowledge and allow this – “in the box” thinking that is being hacked everyday because they say— we did everything they told us to do— this is wrong and not true —

If you could get the IP of Silk Road — or better yet – PEDO BEAR the largest PEDO directory in TOR — tell me the IP and I will take it down myself— but don’t come at me saying we are right and every hacker is wrong  — learn please our world is depending on your great minds —

later,
RickA- @gAtOmAlO2 http://uscyberlabs.com

Here is the original paper —http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
A recent paper entitled Protocol Level Hidden Server Discovery, by Zhen Ling, Kui Wu, Xinwen Fu and Junzhou Luo.  Paper is starting to be discussed in the Tor community.  From my perspective, it is a nice attack to reveal the IP address of a hidden service.  It would require resources to actually implement effectively, but for Law enforcement trying to shutdown and arrest owners of illegal websites selling drugs, weapons, or child pornography and are hiding behind Tor, it is an option.  Of course that also means the capability to find anyone that might be doing something a government or large entity does not agree with. The paper is here.
This stuff reminds me of a statement a professor said to a class I was in once:  “Guns are not good or bad.  It depends on who is holding the gun and which end is pointed at you.”

10/25/12

The deep Dark Web -Book Release

gATO hApPy

AVAILABLE @ AMAZON - http://www.amazon.com/dp/B009VN40DU

AVAILABLE @SmashWords website  @http://www.smashwords.com/books/view/247146

I learned that I hate WORD: – but it’s the general format for publishing  - text boxes- get imbedded and you can’t format to EPUB or .mobi or anything – solution after going lOcO gAtO - was copy and paste into txt editor – save as RTF then copy paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F as much fun as a hairball but if it get’s the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we done our job, anyway I hope you read it - Thank you Pierluigi a best friend a security gAtO ever had - gATO oUt

This Book covers the main aspects of the fabulous and dangerous world of -“The Deep Dark Web” . We are just two cyber specialists Pierluigi Paganini & Richard -gAtO- Amores, with one passion and two souls we wanted to explain the inner working of the deep dark web. We have had a long collaboration in this efforts to document our findings we made infiltrations into the dark places inaccessible to many to give a you the reader a clear vision on the major mystery of the dark hidden web that exist today in the Tor Onion network..

The Web, the Internet, mobile cell devices and social networking has become commonly used words that identify technological components of daily Internet user’s experience in the cyberspace. But how much do we really know about cyberspace? Very, very little, Google / Yahoo / Bing only show us 20% of the Internet the other 80% is hidden to the average user unless you know were to look.

The other 80% of the Internet is what this book is about the “Deep Dark Web”, three words with millions of interpretations, mysterious place on the web, the representation of the hell in the cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporation try to discourage the use of this untapped space because they don’t control it. We the people of the free world control this network of Tor -Onion Routers by volunteer around the world.

The Deep Dark Web seems to be full of crooks and cyber criminals, it is the hacker’s paradise, where there are no rule, no law, no identity in what is considered the reign of anonymity, but this is also the reason why many persecuted find refuge and have the opportunity to shout to the world their inconvenient truths.

The Deep Dark Web is a crowded space with no references but in reality it is a mine of information unimaginable, a labyrinth of knowledge in the book we will try to take you by the hand to avoid the traps and pitfalls hopefully illuminating your path in the dark.

Cybercrime, hacktivism, intelligence, cyber warfare are all pieces of this complex puzzle in which we will try to make order, don’t forget that the Deep Dark Web has unbelievable opportunity for business and governments, it represents the largest on-line market where it is possible to sell and acquire everything, and dear reader where there is $money$  you will find also banking, financial speculators and many other sharks.

Do you believe that making  money in Deep Web is just a criminal prerogative? Wrong, the authors show you how things works in the hidden economy and which are the future perspectives of is digital currency, the Bitcoin.

This manuscript proposes both faces of the subject, it illustrates the risks but also legitimate use of anonymizing networks such as TOR adopted by journalist to send file reports before governments agents censored his work .

Here are some question we may answers to:

How many person know about the cyber criminals and their ecosystem in the deep web? 

How many have provided information on the financial systems behind the “dirty affairs”? 

How the law enforcement and governments use Dark Web?

Let’s hold your breath and start the trip in the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about – The Deep Dark Web.

10/22/12

Diary of a Professional Botmaster

gAtO -found this and had to share with you. If you want to know how a botMaster is created check this out. A simple software engineer becomes a botMaster sounds like “surreal Walter White in Breaking Bad”. First you will noticed that this was written in 2010 and it’s been a model of the botMaster persona. This is a fictional tale now add the Tor onion network to hide the c&c and mobile Android /iApple devices but it comes so close to the real edge, have fun reading -gAtO oUt

Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

 Diary of a Professional Botmaster 

June 20, 2009 

I’ve decided to restart the diary. I used to keep one many years ago, but stopped when I moved down to London and started my MSc in Computing & Security at King’s College – much use that degree ever turned out to be!

I found out yesterday that me and most of the team are going to be made redundant at the end of the month. It appears that the company doesn’t need so many developers after they decided to sell off the Private Banking division to some German brokerage and they ditched those annoying trader guys up on the 18th floor a couple of months back.

Anyhow, I’d better start looking for a new job. The markets pretty tight at the moment. It seems that all the banks are laying off folks and the developers are the first to go. Not surprising really. I’ve been thinking about setting up my own business for a while though. Perhaps it’s time to bite the bullet and just do it. Take that redundancy cheque and invest it in myself?

June 22, 2009 

Was down at the pub for most of the afternoon with Bill & Ted. We were tossing around ideas of businesses I could start – in particular, businesses that could make me a millionaire in a year’s time. Granted, most of the ideas were completely off the wall and would be destined to fail or end in my bankruptcy within weeks of starting them (or would likely land me in prison within short order) but some of the grey areas look like they could be pretty exciting.

Ted was going on about botnets and how they’re not really illegal. Sounds like rubbish to me, but I’ll check it out anyway.

Last year when we had that worm go around the office and the Ops guys spent a couple of weeks chasing it down and cleaning up systems – that was pretty cool, and I can see how the authors of that worm could make quite a bit of money from it with a little banking knowledge. I don’t think they ever got caught either. Ted told me that James – the lardy guy over in second-level helpdesk – said that they were still having outbreaks of that very same worm and uncovering other infected computers almost every day (after an entire year). How cool is that!

June 25, 2009

I’ve been reading up on botnets. The Internet is full of great information about them. YouTube even has tutorials on how to create the malware, deliver the bot agents, manage the Command and Control (CnC) and turn the stolen data into real money.

I did some digging on these hacker forums too. They’re pretty cool. Most are well organized and there are bundles of tutorials, guides and discussion threads on all aspects of the botnet business. There’s even entire forums dedicated to matching buyers with sellers – Craigslist style! Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

June 26, 2009

Had a great session with Demitri over IRC today. He’s been running a handful of botnets over the last couple of years and seems to know what he’s talking about. Came across his advertisement on one of the boards and was offering a free 2-hour test-drive of his botnet CnC console – so I got to play with a couple hundred computers. Some of the functionality was grayed out, but I got a chance to DDoS the companies’ website – from the comfort of my desk ?

I spoke with a couple of the company Internet ops guys afterwards – being careful in what I said of course – to see if they noticed. Apparently they did. It didn’t bring down the site, but they were alerted from their IPS. Supposedly this is a common enough occurrence and happens most weeks. I guess I’m a little disappointed with that. I wonder how many bots I’d need to take down the webserver?

Dimitri said that he normally uses about 5,000 bots to take down big websites – but 200 is more than enough to wipe out corporate VPN appliances. Handy to know!

June 27, 2009

Sat down with Jim the lawyer this afternoon. I wanted to go over the details of setting up my own contracting business. Since I haven’t had much luck on the replacement job front looking for permanent roles, I figured I’d just go down the contracting route – since there are more opportunities going for temporary software engineering positions.

There’s not much to creating your own business. Jim helped me with all the forms – so I just need to mail them off tomorrow, and I’ll be on the way to creating my first business. He also explained some of the nuances to setting up a company in some other countries and the possibilities of “offshore accounts” and tax havens. I took plenty of notes. You never know when that’ll come in useful.

June 28, 2009 

Spent all day harvesting hacker boards for tools and playing with them on a couple of old laptops. This stuff really is easy.

I even came across this guy(?) on one of the chat forums (who can’t have been more than 14 years old) who was selling a botnet of 2,000 computers for $400. The funny part though was when the flame war stated about how overpriced that was. Apparently you can pick up 2,000 computers for as low as a $50 Walmart giftcard.

June 29, 2009

I woke up this morning with an epiphany (or was it just a delayed hangover?). I’m going to start my own botnet – but not just any botnet, I’m going to do it properly and make a business from it! I’ll still pursue any legit consulting roles that crop up – still got to eat and pay the bills – but it’ll make a convenient front while I’m building botnets.

Why the botnet business? Because it’s cool! Well, actually, it’s more than that. I don’t want to work forever in a dull office job and, from what I can tell, botnet building seems to be pretty profitable – and not many people get caught. And, if they do get caught, they basically only get a slap on the wrist. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

Having read quite a few of the news articles about the folks that got caught, it looks to me that they got caught because they did something stupid and/or they clearly crossed the criminal line – and the police were forced to do something about them.

I’m pretty sure that I’m smarter than that. Didn’t any of these guys ever consider building a business plan first? Plan it all out – have a strategy and stick to it!

I’ve left the computer downloading a few tool collections I found on one of the Argentinean malware blog sites. 4Gb of tools, kits and exploits. Awesome! And it’s all free!!

June 30, 2009

Final pay date from the “old job”, and I’m now officially free of the company. Ended up with a little over £35k after taxes too – so that’ll tide me over the next few months as I pull together my new business(es).

Last night’s download worked out pretty good. There are hundreds of botnet kits in there – complete with CnC interfaces, exploit packs, phishing templates, malware creators and obfuscators. Supposedly there’s a high likelihood that many of them are backdoored, but who cares – it’s time to play! I’m going to try a couple of them out on the corporate laptop before I have to hand it back – preferably one with a good rootkit. I wonder if they’ll ever notice?

July 1, 2009

Woke up this morning having dreamed about what kind of botnet business I want to build. Also figured out a few “rules” that I want to work towards – maybe more of a “guiding principles” perspective really.

1. DON’T GET CAUGHT – which means I’m going to be damned careful in setting up everything and making sure that nothing can be traced back to me personally. Sure, there’ll be layers to the onion, but I’m not going to allow myself to be let down by poor tradecraft and bad habits. Those hackers in France and Spain got caught because they didn’t have enough layers of deniability and mixed the use of their personal systems and their botnet infrastructure.

2. DON’T DO CRIMINAL HARM – While I’m pretty far removed from planning on being a Robin Hood, I’m not going to get mixed in with the Mob or other organized crime. Similarly, I’m not going to get involved with any political or religious drivel. I also don’t want to cause any physical harm – as that’s a sure way of getting the interest of the police – and, besides, it’s not who I really am. The more legit I can make this business, the easier it’ll be to bow out after I’ve made my money.

3. RESILIENCE AND SCALABILITY ARE MY FRIENDS – Since this is going to be a business, based upon the lessons I learned from the Private Banking firm and all I’ve been reading over the last couple of weeks, it should be possible to build pretty big botnets really fast – if I plan it well.

Resilience will be even more important though. Getting back to the “don’t get caught” principle and the layers of deniability (and abstraction), if I plan for making the CnC and distribution systems robust, I’ll endeavor to split things over Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

several hosting providers and geographic regions.

Also spent some time on the hacker portals and responding to some of the threads. Some of the more interesting forums are currently closed to me because I haven’t developed a site reputation – which can be gained by posting 20, 50 and 100 messages. This’ll be pretty easy though. Lots of questions about coding problems which I can answer without too much thought.

July 3, 2009

I think I’ve managed to plan out a few more CnC infrastructure ideas. I found a few more tutorials online – and also some good message threads on domain registration tactics, Dynamic DNS operators and folks that’ll distribute malware for a few cents. It appears that a good rate at the moment is around $100 for 2,000 guaranteed installs. A little pricey if I was buying, but it sounds like good money if I was to become a seller ?

I also realized that I forgot a rather important principle for inclusion – my zero’th principle…

0. I WANT TO BE RICH – but, more to the point I want to retire rich, not be the richest bloke in jail.

Which all means that I need to do some more investigation on how to secure the money. I don’t want the money to be directly traceable to me – nor to the consulting company I’ve just created – but I’m going to need ways to pay for stuff and ways to accept payments. All deniable of course.

Made a few new connections on the hacker forums. Now that I’m posting to some threads I’m getting direct messages from some of the folks there. A couple of the guys that reached out were trying to pimp out their services – both of them malware dropper services. Someone else asked if I was with the FBI.

The USA perspective was interesting. I hadn’t realized that the guys on the forums can see/track my IP address and from there work out where I’m located. I’ll have to do some experimenting with anonymous proxies and TOR networks. I ran across a few video tutorials on the topic yesterday. That’ll be my homework for this evening – getting something setup and hiding my IP address forever more…

July 4, 2009 

Surprise in the snail mail – company papers just came back. I’m now the CEO of Thrull Networks! Cool company name huh! I wonder if anyone will ever figure it out – thought it was apt at the time. Maybe it’s a little too close to the mark. 5% on the dumbness scale I guess. Will have to be smarter in the future. I’m going to keep it though. Even saw that some related .com and .net domain names are available for registering.

Earlier this morning I went out and bought a couple of new laptops. Nothing special, just some small(ish) $800 laptops that I’m dedicating to my botnet business – and will never taint them with the Thrull Networks consulting business. Although I will be claiming them as tax deductable expenditures. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

Also spent most of today coming up with the rules I’m going to work under for achieving principles (1) and (3)… and maybe a little of (0) too.

So, the new rules…

A) Separate systems for work/pleasure/personal and botnets. The two new laptops are JUST for the botnet business. I’ve already installed a full disk encryption scheme and come up with a 44 character password. I doubt that anyone’ll be breaking that mother anytime soon.

B) Never connect to the botnet CnC or do any botnet-related business from my home network. Given the general availability of free WiFi at Starbucks and McDonald, etc., I’ll use those. A couple of additional rules there though – don’t frequent them in a regular pattern (sounds like a Tom Clancy spy novel), and don’t use stores that have CCTV setups. I was tempted to use some of the unsecured WiFi networks in the neighborhood – but that may be a little too close for comfort. Besides, the coffee will be better than what I have at home.

C) Change the MAC on the laptops regularly. I’ve already downloaded and installed a cool piece of software that does precisely that. I’ve also installed a bundle of different Web browsers – but have deliberately not installed any plug-ins etc. I was reading recently a couple of online projects that showed how they could query your Web browser through JavaScript and the DOM to build a signature of the browser – and how “unique” that became once you started installing plug-ins and how regularly you kept them patched. So I’m planning on keeping the laptops as simple and “dumb” as possible.

D) Never connect directly to the botnet infrastructure. Lesson learned yesterday. TOR and anonymous proxies are now default on all my computers – especially the two new laptops!

E) While encryption is my friend. Asymmetric crypto is going to be my live-in lover. Thanks Bruce for the tips!

July 9, 2009

Been playing around all week with the DIY kits I downloaded a couple of weeks back. The Zeus kit is pretty impressive with its polymorphic malware generator. I was running its output past some of the free online antivirus scanning portals and noting which (if any) antivirus tools detected the samples. On average, only a couple of the AV tools detected anything – and if they did, it was only some kind of generic signature such as w32.suspicious etc.

I was originally using www.virustotal.com, but when I tried to find other AV portals that might have more AV products in them I stumbled over a couple of cool threads that explained why I shouldn’t use that site (and a few others) because they share the malware samples with the AV vendors. Therefore the AV vendors will have detection signatures for the malware out within a few days. That sucks – because I probably just wasted a few dozen cool pieces of Zeus malware. Luckily there were plenty of alternative AV testing portals being recommended and (yet more) tutorials on how to set up your own malware QA testing regimes. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

I’ve settled on www.virtest.com now. They charge a few dollars for the privilege of testing the malware I submit, but they allow me to upload multiple malware samples simultaneously in bulk format. They also have some other services for checking out the malware delivery websites too – so you can check to see if the exploit packs used by the Zeus kit (and others) are correctly installed and whether the other AV components (e.g. HIPS) detect the infection. Their VIP account is $50 per month. I’ll have to figure out a good way to pay for the service. Something that can’t be traced back to me personally…

July 10, 2009 

I spent the entire morning down at the Starbucks down by the park using their “free” WiFi. Cost me about $26 in coffee for the 4 hours.

Anyway, I set up a handful of free webmail accounts. A couple of Gmail accounts, a couple of Hotmail accounts and a couple of Yahoo accounts. I entered in garbage “personal” information, but gave them all the same password – “Lucky4Me*Unlucky4U”. They’re disposable accounts for trialing out a few new concepts and learning what works.

Next, I created a couple of websites to host the Zeus CnC console pages. I had originally been worried about how I was going to have to pay for the web hosting – but a quick search for “free web hosting” revealed plenty of services – including portals that provide detailed reviews of all the providers. Woohoo.

It took me about an hour to create the sites on 0000free.com. It’s the first website I’ve ever built – and I had to learn some PHP while doing it all. On the job training if you like. The index page is just a copy/paste job from some car-parts website – and the Zeus CnC configuration and bot registration pages are off in a subfolder. They’re accessible if you know the URL, but they’re intentionally not linked to from anywhere. I don’t really want some search engine crawling the sites and flagging the Zeus CnC.

I’ll be spending some time later tonight generating some malware samples that’ll use the two new CnC URLs. That’ll be hard work – should take me all of 10 seconds ?

July 11, 2009 

A botnet is born. I’m a father!

So, this morning I headed off to the Starbucks over by the athletics center to play with my newly minted malware and the CnC services.

I originally set up a VMWare session on the laptop and infected it with the new malware bot agent and watched it reach out to the CnC server. Meanwhile I browsed to the website, logged in to the CnC console, and saw the test victim register itself – so I spent a good half hour testing out all the features of the bot agent. It’s pretty slick. Ugly, but slick. The toughest part of all this was setting up the TOR agent to provide the anonymous web access in reaching the CnC console.

To get the bot malware into play I decided to upload the samples to the Newsgroups – since they don’t require me to host the files directly and also provide anonymous Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

uploading. One file I named “Windows7KeygenCrack.exe” and the other “iTunesDRMRemover.exe”, and included some BS text about how good the tools are. They were both uploaded to a handful of different alt.binaries. groups using different email accounts and source IP addresses.

I hung around Starbuck for another hour, but didn’t see any victims appear on the Zeus console – so paid a visit to Bill & Ted and grabbed lunch with them in town. Ted’s already gotten a new job at some Scottish bank. Chose not to tell them about my botnet research. The ideas may have come from them originally, but I’m not about to share this secret.

Anyhow, I popped in to the McDonalds by the railway station at about 4pm and connected to the Internet to see how my “botnet” was coming along. Surprise, surprise, I had three new members to my botnet. How cool is that! I was well chuffed with that small success and subsequently spent an entire hour connecting to each computer and checking out what I could access on their systems. Just as I was about to pack things up and head off home a fourth computer joined my botnet.

I couldn’t stop smiling on my way home from McDonalds. I think I may have even said “I’ve just fathered my first botnet” somewhere on the walk up the hill. Haha.

Guess where I’ll be tomorrow morning…

July 12, 2009 

Got to Starbucks early this morning and was online with my baby botnet by at least 9:30am. It had swollen over night and the counter had reached 18 computers – but I could only contact 6 of them. The others must have been turned off or something.

For the next hour (and second cup of Java) I created a couple dozen new malware bot agents and configured them to point to the same two Zeus CnC servers I’d set up yesterday. I then went on to use the same Newsgroup tactics – but picking a few other juicy social engineering file names (and descriptions) – e.g. “AcrobatProfessionalKeygen.exe”, “RossettaStoneLanguagePackUnlocker.exe”, etc.

By the time I left the coffee shop the botnet had grown to 23 computers – mostly in the US and the Netherlands, but a couple from Australia and Taiwan.

Went home afterwards to do some more studying and recon, and found some good information on how to automatically pull back account and identity information from Zeus malware clients. There are a number of scripts that you could run automatically on each botnet computer to extract their webmail credentials, anything they’ve told their IE or Firefox web browsers to remember, etc.

I also found some plug-ins for the Zeus CnC console that help to manage the data that comes back from the keylogger and other info-stealer components – which I installed on the web servers later on my return trip to Starbucks – and left CnC commands for the botnet malware to automatically start collecting and uploading the identity information. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

By 7:30pm my botnet had reached 200 members. It’s no longer a “family unit”; it’s a small village and I’m Pastor of the flock.

July 14, 2009

Had a couple of contract interviews yesterday, and hadn’t managed to check on how my baby was coming along for a couple of days. So, it was with a rather pleasant surprise I noted that the botnet had reached 3,320 computers.

Actually, I’m not so sure about the number and whether it’s a good number to rely upon. The number of computers “active” were about 450 – and I tested that I could control them OK. As for the rest, well, they were “offline” – but I did have files from all 3,000+ computers sitting on the CnC server – so I guess they were successfully compromised with my botnet agent.

I moved all the files off the two CnC servers and copied them to the laptop. When I got home I started doing some analysis.

Brief stats (for posterity)…

942 Facebook accounts

766 Twitter accounts

322 Gmail accounts

318 Hotmail accounts

193 Yahoo accounts

76 Paypal accounts

… and lots of sub-50 accounts – many for services/websites I’ve never heard of before. All told, about 5,500 different accounts.

BTW I’m not sure I like using Starbucks – I’m spending too much money on coffee there ?

July 15, 2009

The botnet’s now reached 4,000 computers.

There was an email from 0000free.com waiting for me from yesterday. Apparently I should be upgrading to a paid account because of all the traffic/hits the site has been receiving. Just as well I moved off all the identity information and files – I was almost over the file quota too!

July 16, 2009

4,300. What’s the population have to be before a village can be called a town?

Created another couple of dozen malware for release on the Newsgroups since the botnet growth appeared to be slowing down.

July 17, 2009 

I think I’m the Mayor of a small town now. I visited the Starbucks down by the strip mall this afternoon and logged in to the botnet. 11,435 computers!

At first I thought it may have been a mistake since the size jump was so large. Introducing a couple new malware downloads didn’t get that much of a leap last time. But I figured it out after about 20 minutes of probing and searching. It would seem that the new file “MichaelJacksonDeath-OfficialAutopsyReport.exe” was more successful. It also managed to make its way on to some Torrent server and plenty of people are downloading it.

New lessons learnt from yesterday’s efforts: Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

1) Tying social engineering to media and entertainment current events results yields more additions to a botnet.

2) Torrent networks can make the botnet malware reach more people faster.

July 18, 2009

Just as well I downloaded all those new files yesterday, because the botnet is dead. I’m no longer the Mayor.

This morning I popped on over at the Library for a bit of their WiFi access and tried to connect to my CnC servers. Nothing – well, more than nothing, the Zeus CnC pages had been deleted and my webserver account had been disabled. There were instructions to phone the helpdesk to discuss reactivation.

Waiting in the inbox of the webmail account I used to register the free websites was an email telling me that my site may have been hacked and was being used for malicious purposes.

A quick Google revealed that both CnC URL’s and configuration files were listed up on ZeusTracker.abuse.ch.

Bugger!

July 19, 2009 

All is not lost. I’ve still got all those identity/account detail files from all my botnet computers. The total – adding the first batch with the batch from the 17th – comes to a little shy of 19,000 unique sets of credentials. I can still access any (if not all) of those stolen accounts anytime in the future.

Better yet – there’s absolutely nothing that can be tracked back to me. Sure, the botnet is now out of my control (and computers are still being compromised with the malware which is still in circulation in the Newsgroups and Torrents), but I’m safe and have learnt a few new lessons.

That said though, it’s about time I started to focus on bringing in the money from the botnets. I’m not going to get that Porsche building botnets for botnets sake. I could easily enough find buyers for the stolen information – the hacker forums are overflowing with buyers and agents. That’s not a problem. The problem lies in converting “Internet money” into cash – and laundering those transactions sufficiently.

With that in mind, I spent all afternoon researching offshore banking and the creation of anonymous accounts. Disappointingly those infamous Swiss Numbered Accounts don’t exist anymore – at least not like they do in the movies.

I managed to narrow it down to three banking accounts and, as my finances grow, I’ll start to bring them on line. I’ve found agents that will allow me to set up Swiss banking accounts online. They require proof of address, but they provide a level of guarantee that personal information will not be supplied to anyone outside of Switzerland. The Cayman Island accounts are easier to set up – and don’t require an agent – but require a higher deposit. They’re a little too rich for my tastes at the moment – but I’ll probably add an account once I break the $100k per month revenue stream (if ever?). Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

No, the account I created online this evening was for a Panama Bearer Share Corporation account. As of an hour ago I’m now CEO of a second company – “Net Wizards LLC.”. I deposited $5,000 into the account. Not only does it provide an anonymous business front and full international banking facilities, but it comes with 4% interest and the credit cards issued against the account should be arriving in 10 days time.

July 20, 2009

I’m back in the botnet business!

I was keeping a couple of my hacker forum accounts live by responding to a few message threads and I stumbled across a couple of reputable botmasters that were in the process of selling off sections of their botnets. They were offering batches of 100 bots with dedicated CnC hosted servers for $200 each.

Most significantly though – there were alternatives to the $200 in Webmoney or PayPal funds – they’d accept hacked webmail accounts, Facebook accounts and Twitter accounts.

After a little back and forth, we agreed on the trade and exchange mode (had to use an agent that was pre-vetted on the forum – one of the administrators – who charges 10% for his time/effort). From X4cker I picked up 600 bots and two CnC servers (in the Ukraine no less) for 3,000 Gmail accounts and 1,000 Hotmail accounts. From Dankar007 I managed to procure 500 bots for the princely sum of 500 PayPal accounts. The site administrator/agent didn’t do too badly out of the deal either. I’m sure that he (or she?) now has his own copies of all those accounts.

After some quick verification and having tested the access to the two botnets, I created a new Zeus botnet agent and pushed it down to all 1,100 bots – and changed the admin credentials on the CnC servers.

Not only am I back in “business” with a brand new botnet, but I’ve still got all those account details from the previous botnet that I can continue trading/reselling to other operators.

– I just realized that this diary is now precisely one month old. In that month I lost my job, founded two companies, become a CEO, built a botnet, lost a botnet, established a reputation in the hacker communities, opened an international banking account, and just purchased my second botnet.

Time to start pulling together the business plan for constructing a profitable money-making botnet! The “march to a million” sounds like a great idea, but I’d prefer to aim for Steve Austin’s The Six Million Dollar Man. I’m pretty confident that I can reach that target over the next 11 months! What would mom say?

Original BlackHat PDF file -

http://media.blackhat.com/bh-us-10/whitepapers/Ollmann/BlackHat-USA-2010-Ollmann-6millionDollarMan-wp.pdf

ZeuS Tracker Statistics – https://zeustracker.abuse.ch/statistic.php

Note: This is a fictitious (and subtly macabre, but hopefully humorous) diary account loosely based upon real investigations of professional botnet operators and the criminal enterprises they created to monetize the data and systems under their control. It does not represent a single botnet operator, rather it represents a concatenation of notable business models, decisions and discussions from a spectrum of criminal operators. Names and places have been deliberately altered. No animals were harmed in the making of this diary.

 

10/9/12

Tor Hidden Service Setup Headaches

%67%61%74%6f%6d%61%6c%6f

gATO mEsSeD – up with my BT (backTrack5) server I am using for my Tor hidden server — otwxbdvje5ttplpv.onion — To set up a hidden service is simple but you have to have a plan and gAtO did not have one—/ as usual I just go into it AND I wiped out mysql – I mean I wiped out my whole installation – Re-Set – I had to install Windows 7, then download BackTrack5 and re-install that- but once I went back and re-installed everything – my hidden service was getting and ERROR —  NO ACCESS permissions error — This led me down a rabbit hole of things I never wanted to learn about apache2 server and linux commands but it was good at the end of 9 hours to beat the thing. OK end of Story…

LAB stuff.— My test BOX is Windows 7 and BT5 unbuntu-10.04.2 LTS

Files to Modify —

/Data/Tor/torrc

/var/apache2/apache2.conf

/var/apache2/envvars

APACHE_RUN_USER=gato

APACHE_RUN_GROUP=gat0

/var/apache2/ports.conf

/var/apache2/sites-available/default

/etc/hosts

These should be all the files to setup a hidden service in Tor. _BUT_ Tor cannot run as ROOT user so you need to create a normal user – I called it gato—

–/ gato User gets all permission for all Tor files and directories

—/ apache runs as ROOT so i run it as sudo

Apache installs it’s website  in /var/www directory – as gato-user I need access to this and creating ALL TOR directories and files so Tor has the right permissions.

But any files on apache will have to have ROOT permissions:

I had everything set up right – but I was getting permission rights error on the Tor hidden service — after I checked everything I found the error the apache user had an environmental variable set to run as someone else not the / gato-user- and I found it in the apache enviers file..

/var/apache2/envvars

APACHE_RUN_USER=gato

APACHE_RUN_GROUP=gate

This APACHE_RUN_USER was set to wstools because that’s what the BT5 installation installed but never told anyone- so I chased this permission stuff down for 4-8 hours – re-booting and Tor start-up and test every setting – THEY SHOULD TELL SOMEONE BT5

Yeah this build has owner stuff mixed up a bit – I am still working on mysql stuff but it should be up next to install mediawiki – it should be a great learning curve AGAIN – but I am having fun and learning all my unix stuff back – good because  I been working on php for the Tor directory crawler that I will be launching from this server in a few weeks…

below are my lab notes — I hope it helps someone some time —gAtO oUt

check out the site otwxbdvje5ttplpv.onion — it has BeEF and mstool for XXS and SQLi testing online and a cool C&C controller for bots. – I still don’t know why BT5 put this in the distro but I want to play with it…. https://github.com/beefproject/beef/wiki/BeEF-and-Backtrack-5

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-lab notes=-=-=-=-=-=-=-=-=-=-

Start Tor – /home/gato/Desktop/tor

./start-tor-browser 

Start apache2 –> sudo /etc/init.d/apache2 restart

For security, I recommanded to lauch the command as a service

Start Mysql –> service mysqld start

the tool to manager mysql is mysqladmin

check is mysql started

–> ps -ef | grep mysql

Start Apache

–> sudo /etc/init.d/apache2 stop

/Desktop/tor/Data/Tor$ nano torrc

root@bt:/var/www# nano index.html

root@bt:/var/www# cd /etc/apache2

root@bt:/etc/apache2# ls

apache2.conf  envvars     magic           mods-enabled  sites-available

conf.d        httpd.conf  mods-available  ports.conf    sites-enabled

root@bt:/etc/apache2# ls

#!/bin/bash

# Changes to this file will be preserved when updating the Debian package.

source /usr/share/mysql/debian-start.inc.sh

MYSQL=”/usr/bin/mysql –defaults-file=/etc/mysql/debian.cnf”

MYADMIN=”/usr/bin/mysqladmin –defaults-file=/etc/mysql/debian.cnf”

MYUPGRADE=”/usr/bin/mysql_upgrade –defaults-extra-file=/etc/mysql/debian.cnf”

MYCHECK=”/usr/bin/mysqlcheck –defaults-file=/etc/mysql/debian.cnf”

MYCHECK_SUBJECT=”WARNING: mysqlcheck has found corrupt tables”

MYCHECK_PARAMS=”–all-databases –fast –silent”

MYCHECK_RCPT=”root”

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

398  sudo /etc/init.d/apache2 status

399  sudo /etc/init.d/apache2 reload

400  sudo /etc/init.d/apache2 restart

401  sudo /etc/init.d/apache2 reload

402  sudo /etc/init.d/apache2 restart

391  sudo ps aux | grep tor

392  sudo ps aux | grep apache

393  sudo ps aux | grep apache2

394  sudo ps aux | grep mysql

395  sudo ps aux | grep apache

396  sudo ps aux | grep “tor”

397  sudo ps aux | grep “/tor”

398  sudo ps aux | grep /tor/

 

/etc/apache2/apache2.conf

port.conf

/var/www/otwxbdvje5ttplpv.onion#

uscyberlabs

< otwxbdvje5ttplpv.onion

other secret site -not working

3rtiazp6p4t2vxfn.onion

10/1/12

USCyberLabs has a hidden service Tor otwxbdvje5ttplpv.onion

gAtO wAnTeD – to get our USCyberLabs Tor .onion network -hidden service- up and running and after thinking of other future projects we decided to make our Ubuntu -BackTrack 5 machine be our Tor Server running apache2 hidden service  . My BT5 machine is running – Gnone v.2.30.2 Ubuntu build 06/25/2010 ?

Apache/2.2.14 (Ubuntu) Server at otwxbdvje5ttplpv.onion Port 80

1. First problem BT5 is designed to run as root and Tor is not so first thing is to generate a new user:

uscyberlabs - el gatoMalo

gAtO new hidden service otwxbdvje5ttplpv.onion

# adduser gato

# password gato-password

For help go to man adduser for more information

I open up terminal for everything so as SU -(SuperUser)

nano /etc/apache2/apache2.conf > file

nano /etc/apache2/ports.conf > file

nano /lib/tor/torrc -> file

nano /etc/host -> file

2. Before we change users and start to work as gato let’s set up the apache2 service

# apt-get install apache2

whizz, bang ,- wow and it’s installed next we need to modify some configuration files.

The Apache install will install /var/www/index.html <— so modify this file for your web site:

The Apache install will install /etc/apache2 and in it you will find a bunch of the configuration files:

apache2.conf and ports.conf these two files will have to be modified and Tor torrc file.

This is a great guide — from ioerror  —but don’t try the wiki – - https://github.com/ioerror/hs-wiki/tree/master/configs another guide not so good but it helped —http://www.martini.nu/blog/2010/06/tor-vbox.html    —

ports-apache2.conf 

12 NameVirtualHost 127.0.0.1:8080Listen 127.0.0.1:8080

torrc

123

4

5

6

7

8

9

10

11

12

13

14

# some information may be for future projects -# This is a very minimal Tor configuration file to be placed in# /etc/tor/torrc unless you know better.

#

# This configuration file should be used with a wiki Hidden Service on

# 127.0.0.1:8080

#

 

Log notice file /var/log/tor/wiki.log

DataDirectory /var/lib/tor

 

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 80 127.0.0.1:8080

Add your hidden Service Tor url to your host file – trust me this really helped during trouble shooting

I added my Hidden service onion ID to the

nano /etc/host -> file

127.0.0.1 otwxbdvje5ttplpv.onion 

I generated a few more hidden service keys to deploy some other sites later -Open up 2 more terminal windows – I can start stuff in background mode but during testing everything has it’s own terminal just in case.

To install Tor on unbuntu linux — https://www.torproject.org/docs/tor-doc-unix.html.en  —

To start Tor

./start-tor-browser

To start Apache web server

sudo /etc/init.d/apache2 start

I’m not going to give you my directory structure but just a heads up :

DataDirectory  /var/lib/tor/

HiddenServiceDir /var/www/web_hidden_service

HiddenServicePort 80:127.0.0.1:8080

Since I’m testing I log to my terminal but a log error file will work better

Log notice stdout

So ok now comes the test – I have a static html website – a hidden service in the Tor .onion network. I did not go to icann for an domain name and pay them- I don’t have to pay InMotion for hosting service – just my cox-internet connection and a spare machine and I have a website in the dark web – This machine will host other websites – hidden services like wordpress, a bb bulletin board- or maybe some other web service – It will host my BotNet for the Tor Directory Project – Oh yeah I want to build a few bot’s for GOOD and map out the Tor Directory and make each Bot an OR (onion Router) so it helps the cause and gives back a bit. I plan to also run OnionOO – Arm – Atlas – mOnionO Compass and Weather.

SO if your out an about in Tor Land come on by and kick the tires and peek and poke my Tor hidden service website – otwxbdvje5ttplpv.onion  if you find any openings let me know.pls As I add new features I will tell you about them -gAtO oUt 

09/23/12

Free Bot-Nets Anyone

gAtO wAs - looking for code for bot’s to see how they work and I want to tell you it’s been kinda easy to find lots of bots…bots, code and DIY kits./ OK [1] below is the list of the Bots I found downloaded and playing with them to see how they work. Another part of this problem is it’s not just code and DIY kits, but code_mixer is a library that allows you to generate new Virus, undetectable to AV software. I also found different versions of Bots and different type of networks, IRC bots, http_bots, p2p_bots and on top of all this I found all kinds of discussions about how to make them ToR enable which has been going on for a while. Hiding a sophisticated c&c Bot-Master server in ToR ONION NETWORK IS EASY.

gAtOs –/ bot-net collection /–

I also wanted to know if these bot’s and code was not just old code stuff- well some is old by Internet years 2009 – that’s a long time in cyber pirate years but polymorphing code works no matter when it was created and it hides virus and worms really easy from AV systems especially if it’s a new version of the bots . Another thing I wanted to find is STUXNET, DUQU, FLAME SkyWriter and other famous Bots. Well I found samples of these — not just one but hundreds of version of these bot’s- and it was easy I included a list of some of the more newer bot codes.[2]…//

Oh I forgot ToR and Bots including  STUXNET, DUQU, FLAME SkyWriter and others do run in Tor onion network just check out the – insert date – First seen – Last seen – dates on this list . you may also check out —https://zeustracker.abuse.ch/statistic.php  — I found that my builder version showed that I had found Zeus 2.0.8.9 and is the number one version of zeus bot-net.  

One easy bot design is to use Tor2Web as a way to access a c&c server in Tor without running Tor on the infected client. The Tor network is getting more popular and people see that they can’t be caught in Tor so they are building lot’s of new Bots that run all over Tor – p2p and http and they are starting also new places like i2p networks and running bots—/   -gAtO oUt

[1] the list of Bots and code 

  1. _blackShades_4.8 Net -
  2. Black Pro _LostDoor v5.1
  3. BlackShade 4.8
  4. Blackshades NET v4.2
  5. Blackshades NET v3.8.1
  6. Blackshades_Archive
  7. Botnet Packet
  8. dark_Comet_1342319517
  9. ebookskayla-1
  10. G-Bot_1.7
  11. INCREDULiTY – ClientMesh
  12. ISR Stealer 0.4
  13. KnollKeylogger-1
  14. LostDoor Black Pro v5.1
  15. open source Exploit Pack
  16. optima10_ddos
  17. ProRat_v1.9 SE
  18. Spy-Net v2.7 Final
  19. SpyEye 1.3.45 Loader
  20. spyeye_tutorial
  21. Stuxnet_Laurelai-decompile-dump-2e11313
  22. Ultimate_Spy-Net v2.7 Final
  23. x_1ST-SECTION FILE INFECTOR, library+example,
  24. x_007
  25. x_arclib
  26. x_avp_troj
  27. x_code_mixer
  28. x_dscript
  29. x_eicar
  30. x_http ASM
  31. x_infecting *.HLP files (example/description)
  32. x_m1
  33. x_mistfall
  34. x_Mistfall.ZOMBIE-z10d
  35. x_pgpmorf1
  36. x_pgpmorf2
  37. x_tp_com
  38. x_zhello
  39. ZeuS 2.0.8-1.9
  40. Zeus collection
  41. ZBOT
  42. zeus 1.2.7.19
  43. ZeuS 2.0.8.9 – experimental
  44. Zeus Analysis Website

—[2] STUXNET, DUQU, FLAME SkyWriter and a few more bots in the wild check out the last seen date…

 

 

 

 

 

 

Flamer Bots  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
d73fe5f9f8dc2fc68aea57ba5c0353f4 2012-07-16 2012-06-07 09:11:15 2012-06-19 20:28:53 Win32/Flamer.A Win32:Skywiper- N [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Trojan:Win32/Fl ame.A!cert
06a84ad28bbc9365eb9e08c697555154 2012-06-26 2012-06-05 11:24:36 2012-06-08 12:08:30 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
0a17040c18a6646d485bde9ce899789f 2012-06-20 2012-05-30 12:45:05 2012-06-29 21:10:27 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
581f2ef2e3ba164281b562e435882eb5 2012-06-20 2012-06-01 06:09:15 2012-06-08 21:49:22 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
5a002eb0491ff2b5f275a73f43edf19e 2012-06-20 2012-06-01 08:13:39 2012-06-29 21:15:07 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
7551635b101b63b215512b00d60e00f3 2012-06-20 2006-07-18 04:31:57 2012-06-20 04:19:30 probably a variant of Win32/Agent.IGOUUZX Win32:Trojan-ge n Backdoor.Win32. Bifrose.cgfb Trojan.DialUpPa sswordMailer.A Trojan:Win32/Du twiper Aspack ASPack v1.08.03
75de82289ac8c816e27f3215a4613698 2012-06-20 2012-06-01 06:17:01 2012-06-21 06:36:16 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
8ed3846d189c51c6a0d69bdc4e66c1a5 2012-06-20 2010-10-05 03:56:52 2012-06-21 06:21:20 Win32/Flamer.A Win32:Malware-g en Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
bddbc6974eb8279613b833804eda12f9 2012-06-20 2012-06-01 03:37:00 2012-06-21 06:23:32 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
c09306141c326ce96d39532c9388d764 2012-06-20 2012-06-01 08:09:24 2012-06-21 06:43:33 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
cc54006c114d51ec47c173baea51213d 2012-06-20 2012-06-01 08:13:46 2012-06-01 10:05:08 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!C
e5a49547191e16b0a69f633e16b96560 2012-06-20 2012-05-30 14:22:32 2012-06-28 00:41:49 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
f0a654f7c485ae195ccf81a72fe083a2 2012-06-20 2012-05-28 14:37:54 2012-06-24 11:31:16 Win32/Flamer.A Win32:Skywiper- A [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!B
cb5 2012-06-19 2010-07-20 13:41:34 2012-06-24 11:30:50 Win32/Flamer.A Win32:Skywiper- I [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
0464e1fabcf2ef8b24d6fb63b19f1064 2012-06-18 2012-06-11 08:06:23 2012-06-11 08:06:23 Win32:Skywiper- A [Trj]
09d6740fd9be06cbb5182d02a851807d 2012-06-18 2012-06-11 08:14:24 2012-06-11 08:14:24 Win32:Skywiper- C [Trj]
780c5bc598054a365a75d10ac05a3157 2012-06-18 2012-06-11 07:50:56 2012-06-11 07:50:56 Win32:Skywiper- D [Trj]
cb98cca16865aa2330d2cf93fd6886ff 2012-06-18 2012-06-11 07:41:19 2012-06-11 07:41:19 Win32:Skywiper- E [Trj]
fac96cf0f5a43980635f6a6017a5edb0 2012-06-18 2012-08-04 06:42:23 2012-08-04 06:42:23 Win32:Skywiper- F [Trj]
bb4bf0681a582245bd379e4ace30274b 2012-06-16 2012-05-28 14:37:53 2012-07-25 19:03:03 Win32:Skywiper- D [Trj] Trojan.Generic. KDV.641104
Checked on VT at 2012-07-25 02:22:38

—DUQU Bot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2f5a23b67e6928d58df136fb3431c1a2 2012-08-27 2012-06-27 09:06:34 2012-06-27 09:06:34 Win32/Packed.ASProtect.CEC Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.fxan Backdoor.PCClie nt.1 Armadillo v1.xx – v2.xx
362b306967fa08fa204e968613c48b54 2012-08-27 2012-06-25 19:17:57 2012-06-25 19:17:57 a variant of Win32/PcClient.NDO Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.cfwz Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Themida Xtreme-Protecto r v1.05
5a8b8b55e7d12bcaee50af462d70e4f1 2012-08-27 2012-03-23 03:56:59 2012-03-24 06:50:48 a variant of Win32/TrojanDropper.Delf.NXY Win32:Duqu-I [Rtk] Trojan-Dropper. Win32.Agent.wzj Trojan.Generic. 2087186 Backdoor:Win32/ Delf.RAN
71c91c34ef08b0222a7385a9fc91a156 2012-08-27 2010-01-07 16:30:15 2012-08-01 21:30:31 Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.ptdr Backdoor.PCClie nt.1 NSPack NsPacK V3.7 -> LiuXingPing
78efa3d89fa835c2d841ca021ba04f9a 2012-08-27 2012-06-20 16:29:55 2012-06-20 16:29:55 Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.akqr Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
7e995e30b3c752d55708ba70b64c576d 2012-08-27 2012-07-01 03:18:29 2012-07-01 03:18:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
8fb8994eb25f35d1e4f62ab00871170b 2012-08-27 2011-11-30 06:35:32 2011-11-30 06:35:32 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
90fc2ddf9985d14d4252b016018852af 2012-08-27 2012-06-27 06:46:46 2012-06-27 06:46:46 a variant of Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.dire Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
9a9e77d2b7792fbbddcd7ce05a4eb26e 2012-08-27 2011-11-02 03:07:36 2011-11-02 03:16:28 Win32/Duqu.A Win32:Malware-g en Trojan.Win32.In ject.bjyg Trojan.Generic. 6658401 Trojan:Win32/Hi deproc.G UPX_LZMA
9d00bebb4be61eb425ef8adfa05968fd 2012-08-27 2012-05-23 12:23:42 2012-05-27 21:59:18 a variant of Win32/PcClient.NBG Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.hnp Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
9dc323e0595caf5e5152b6353c6c7b58 2012-08-27 2012-07-01 09:01:29 2012-07-01 09:01:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
b25cc61de1a0d2086356d7757b26e2ef 2012-08-27 2012-06-23 15:43:36 2012-06-23 15:43:36 Win32/PcClient.NBI Win32:Duqu-L [Rtk] Backdoor.Win32. Hupigon.bxjm Backdoor.PCClie nt.1 Backdoor:Win32/ Hupigon.ZQ.dll Aspack ASPack v2.12
bb9c97fe54b85179f9a83ca4cfdd24f3 2012-08-27 2012-07-02 11:06:55 2012-07-02 11:06:55 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
ca7b6963a5b45b67e1bfa1a0f415eb24 2012-08-27 2012-06-29 01:20:37 2012-06-29 01:20:37 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
5d8932237d14019ae81e97c5b8951ef8 2012-08-15 2012-08-18 11:59:04 2012-08-18 11:59:04 Win32:Duqu-L [Rtk] HEUR:Trojan.Win 32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
6416039108bd666f073d51db5328f6c9 2012-08-15 2012-08-18 14:07:59 2012-08-18 14:07:59 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
774c19f455cff3a443e7f3a58983a12b 2012-08-15 2012-08-18 18:18:21 2012-08-18 18:18:21 Win32:Duqu-I [Rtk] Backdoor.Win32. Hupigon2.ja Trojan.Generic. 826880 Backdoor:Win32/ Delf.RAN
b19fe4b53d01d2746eb83e9fddd1eb67 2012-08-15 2012-07-16 12:33:52 2012-07-16 12:33:52 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
f41b0a33d2ca4ba05a95b1a9a40e7e28 2012-08-15 2012-08-19 15:09:26 2012-08-19 15:09:26 Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.agyu Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
2f4e30a497ae6183aabfe8ba23068c1b 2012-06-20 2012-06-11 17:02:50 2012-07-15 11:59:26 Win32/Stuxnet.A Win32:Malware-g en Worm.Win32.Stux net.v Win32.Worm.Stux net.E embedded  

 

 

 

 

the

 

—zeus  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0a295bb2cbb44d9ba2e18bbfeb511d1d 2012-08-27 2011-02-24 10:59:09 2012-05-12 09:37:44 WinCE/Zbot.A Win32:Malware-g en Trojan-Spy.WinC E.Zitmo.a Backdoor.Bot.13 4855 Trojan:WinCE/Zi tmo.A
2b2dcecfd882efb2100ce28d09c89f75 2012-08-27 2009-01-30 05:49:27 2009-07-02 06:23:46 a variant of Win32/Spy.Zbot.JF Win32:Zbot-BCW Trojan.Spy.Zeus .C PWS:Win32/Zbot
33a6fef6d2487a95af539e532be424b2 2012-08-27 2011-09-03 03:28:17 2012-02-21 21:41:11 a variant of Win32/Zeus.B Win32:Malware-g en Backdoor.Win32. BotNet.ac Gen:Variant.Kaz y.8986 PWS:Win32/Zbot. TV UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
4153a07347b3bdf74b527e51cc63a843 2012-08-27 2010-05-16 15:01:27 2010-05-18 21:58:47 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen Trojan-Spy.Win3 2.Zbot.myj Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!A
4fe9b3febda0dd9e8f89ed29b1a39560 2012-08-27 2012-03-27 07:25:01 2012-03-28 09:48:26 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
7b470095ce2887377e6f9e37fd0471dc 2012-08-27 2012-06-30 09:12:53 2012-06-30 09:12:53 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
831d2fdb9ad258f68ce5924b1feac10a 2012-08-27 2011-10-17 02:49:20 2012-04-30 22:09:54 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
9eb88298f93809ea7d733e29bb3d466b 2012-08-27 2007-11-16 20:51:16 2011-08-09 00:18:04 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BND [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
9faf0c526795ee01839ecb51074dd7ae 2012-08-27 2012-06-23 06:47:46 2012-06-23 06:47:46 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BNF [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
a05211df243da8a9e628b4767aafc989 2012-08-27 2007-11-17 13:55:10 2011-08-08 23:43:09 Win32/Spy.Agent.NDY Win32:Zbot-AG [Trj] Trojan-Spy.Win3 2.Zbot.po Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
aa874f7c37962240569ff35a030c2e71 2012-08-27 2012-06-26 08:59:57 2012-06-26 08:59:57 a variant of Win32/Kryptik.OV Win32:Zbot-FS [Trj] Trojan-Spy.Win3 2.Zbot.xw Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!B
b484264bca4286f65d5cb68efefa9dc4 2012-08-27 2008-08-22 19:29:43 2009-01-08 08:22:34 Trojan.Spy.Zeus .1.Gen TrojanSpy:Win32 /Zbot.gen!C
c38412218981ddc0cd93d5d98971a781 2012-08-27 2009-12-19 06:17:33 2009-12-31 15:13:34 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Trojan-Spy.Win3 2.Zbot.aadb Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c4905c4610b9c2992bc395429b7365ab 2012-08-27 2009-09-04 15:24:05 2009-09-04 15:24:05 Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c70db2b312a23e11b5e671cac70db98f 2012-08-27 2008-02-19 12:29:14 2012-02-19 14:34:25 PS/MPC-Zeus-753 Virus.DOS.PS-MP C-based PS-MPC.0753.DN. Gen Virus:DOS/PSMPC .753
d16a1870603a0f7111c64584e6eb5deb 2012-08-27 2012-02-20 19:36:30 2012-03-02 01:50:10 Win32/PSW.Agent.NTM Win32:Zeus-A [Trj] Trojan.Win32.Ag ent2.fadw Gen:Variant.Zlo b.1 PWS:Win32/Farei t.gen!C
d1db75d0b93b0f1bda856242c8ab1264 2012-08-27 2009-10-15 20:31:08 2009-10-17 14:14:20 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. QA
d5a75c535b33fc09f1ab6e181d59fc84 2012-08-27 2011-06-18 10:59:14 2011-12-09 01:49:01 a variant of Win32/Spy.Zbot.XO Win32:Zbot-ATL [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. C
e806cfe7d3257bf61f5b95215e3ec23e 2012-08-27 2012-06-23 03:56:28 2012-06-23 03:56:28 a variant of Win32/Spy.Agent.PZ Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
078b7684cbc5cd14770fb2c842ece7e4 2012-08-15 2012-08-04 03:55:52 2012-08-09 17:09:00 Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh

—gBot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0017c17069fcd00a8c13e2e1bb955494 2012-08-27 2011-11-16 12:17:45 2011-12-14 17:33:12 a variant of Win32/Kryptik.VNB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rtt Trojan.Generic. 6903230 Backdoor:Win32/ Cycbot.G
0033496f9baa6c05dc709db64a7b8cef 2012-08-27 2011-11-19 12:30:08 2011-12-16 01:08:42 a variant of Win32/Kryptik.VZB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rwf Trojan.Generic. 6914846 Backdoor:Win32/ Cycbot.G
00392a6a7919d425e512c4466984f8f3 2012-08-27 2011-10-05 04:29:14 2011-11-29 18:00:26 a variant of Win32/Kryptik.TEV Win32:Cybota [Trj] Backdoor.Win32. Gbot.osk Gen:Variant.Kaz y.38517 Backdoor:Win32/ Cycbot.G
004ed94e35b42f7b76fb4b729573a123 2012-08-27 2012-01-13 03:41:13 2012-02-11 12:53:50 a variant of Win32/Kryptik.YBH Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwk Gen:Variant.Kaz y.50582 Backdoor:Win32/ Cycbot.G
00b66b966778139c0b83721c5e307695 2012-08-27 2011-11-24 01:24:42 2012-01-02 23:04:36 Win32/Cycbot.AF Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qwn Gen:Heur.Kelios .1 Backdoor:Win32/ Cycbot.G
00c789e5ae793c6be65482d4b472f0f0 2012-08-27 2011-11-18 16:42:21 2011-12-15 14:43:24 Win32/Cycbot.AK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rvk Backdoor.Bot.14 6893 Backdoor:Win32/ Cycbot.G
00daf7e9577d84c5949439b02f11af74 2012-08-27 2011-03-23 02:31:51 2011-07-20 22:11:40 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.aed Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00ddbd4723ec6394f278fd5d3275a952 2012-08-27 2012-02-02 18:46:53 2012-03-29 17:13:40 Win32/Cycbot.AK Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwt Gen:Variant.Kaz y.53272 Backdoor:Win32/ Cycbot.G
00deb18fb207bc020a30ff7b7550f279 2012-08-27 2011-03-19 21:01:29 2011-07-12 08:53:49 a variant of Win32/Kryptik.LOJ Win32:Cybota [Trj] Backdoor.Win32. Gbot.adk Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00e762e7fe180b096207c7b72f608cc3 2012-08-27 2012-06-20 11:30:59 2012-06-20 11:30:59 a variant of Win32/AGbot.V Win32:SdBot-FJH [Trj] Backdoor.Win32. SdBot.ozd Gen:Win32.IRC-B ackdoor.fmW@aih z9oj Backdoor:Win32/ Gaertob.A Armadillo v1.71
00f3359898621f36a5251759a3a89495 2012-08-27 2011-11-11 20:35:02 2011-11-16 04:05:08 Win32/Adware.WinAntiVirus.AD Win32:Gbot-M [Trj] Trojan-Download er.Win32.Fdvm.b Application.Gen eric.386031 Trojan:Win32/Si refef.P
00f83d49831dc202e04478f670b96d50 2012-08-27 2011-12-14 07:28:20 2011-12-14 07:28:20 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.qmi Backdoor.Gbot.I Backdoor:Win32/ Cycbot.G
00fc1e69ca9031e5c47dfcde78dc0537 2012-08-27 2011-09-09 05:34:05 2012-02-11 20:04:14 a variant of Win32/Kryptik.RWA Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.iag Gen:Variant.Kaz y.34336 Backdoor:Win32/ Cycbot.G
0117b98cb2114c51c4d51831820cc8e4 2012-08-27 2011-04-02 06:56:59 2011-07-21 00:22:16 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.ahq Trojan.Generic. KD.163287 Backdoor:Win32/ Cycbot.B
016d69d4cbd779b63bb6927fa9c19730 2012-08-27 2012-03-10 20:03:49 2012-04-30 20:29:18 a variant of Win32/Kryptik.SUP Win32:Cybota [Trj] Backdoor.Win32. Gbot.oep Gen:Heur.Conjar .5 Backdoor:Win32/ Cycbot.G
0189fd7b339df01d4a4be1113520ad46 2012-08-27 2010-02-19 22:20:06 2012-06-09 04:12:35 a variant of MSIL/TrojanDropper.Agent.JF Win32:Malware-g en Trojan-Dropper. MSIL.Agent.fws Trojan.Generic. 3812196 VirTool:Win32/O bfuscator.NC
01e118c11c4145710ff1801f34a44bc7 2012-08-27 2012-07-05 15:25:49 2012-07-05 15:25:49 a variant of Win32/Kryptik.ACYA Win32:MalOb-IF [Cryp] Backdoor.Win32. Gbot.wkt Gen:Variant.Bar ys.3481 TrojanDownloade r:Win32/Carberp .C
021817e91793fa15bee2937fe2befddd 2012-08-27 2011-12-06 03:55:36 2012-01-03 16:39:38 a variant of Win32/Kryptik.VCE Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qxq Gen:Variant.Kaz y.42337 Backdoor:Win32/ Cycbot.G
0229d3256bd2309f1d581533febdc1e7 2012-08-27 2012-01-31 17:40:43 2012-02-21 13:59:28 a variant of Win32/Kryptik.UVF Win32:KadrBot [Trj] Trojan.Win32.Jo rik.ZAccess.no Gen:Variant.Kaz y.41897 Trojan:Win32/Si refef.J
0296357c2952eafb29b2edeaf776a787 2012-08-27 2011-09-13 21:55:14 2012-02-12 16:34:09 a variant of Win32/Kryptik.RLK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.epv Gen:Variant.Kaz y.33354 Backdoor:Win32/ Cycbot.G

 

—spyeye  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
004df992aa00f6a83388aeb55cf806bb 2012-08-27 2012-03-17 18:33:21 2012-04-25 11:55:35 a variant of Win32/Kryptik.VMB Win32:MalOb-IV [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.43891 Trojan:Win32/Dy namer!dtc
0050771f197d912b1fd2767c9b07b0d9 2012-08-27 2012-01-22 05:30:06 2012-01-22 05:30:06 Win32:MalOb-IJ [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.46466
0055add5c7c8778b1e97e0bc2cdb34fd 2012-08-27 2011-04-05 09:52:34 2012-08-17 14:32:46 Win32:Karagany- E [Trj] Trojan-Spy.Win3 2.SpyEyes.gaf Gen:Variant.Kaz y.154 TrojanDownloade r:Win32/Karagan y.A
00881bfd664c40bd17f00da4e2b1707e 2012-08-27 2012-01-30 20:45:05 2012-03-25 16:25:27 Win32/Ramnit.A Win32:Vitro HEUR:Trojan.Win 32.Generic Gen:Heur.FKP.1 Trojan:Win32/Ra mnit.A
009f01b994bd6211d8b79775decc5854 2012-08-27 2012-06-25 07:23:14 2012-06-25 07:23:14 Win32/Spy.SpyEye.CA Win32:Regrun-JI [Trj] Trojan.Win32.Me nti.kxpm Trojan.Generic. 6382824 Trojan:Win32/Ey eStye.N Armadillo v1.71
00bbce9dac6dec8f16547da20c09594c 2012-08-27 2011-11-11 04:55:40 2011-11-11 04:55:40 a variant of Win32/AutoRun.Injector.AM Win32:Spyeye-ZL [Trj] HEUR:Trojan.Win 32.Generic Worm.Generic.35 0922 Armadillo v1.71
00db3ed3ba79dcc6627b13f5c0557f46 2012-08-27 2012-06-25 13:26:56 2012-06-25 13:26:56 a variant of Win32/Kryptik.HJW Win32:Zbot-MVW [Trj] Trojan-Download er.Win32.Piker. cqy Gen:Variant.Kaz y.1690 TrojanDownloade r:Win32/Bredola b.AC
00ffd9a941c6fe8d57210bf82c674943 2012-08-27 2011-06-26 15:23:06 2011-07-19 07:46:49 Win32/Bamital.FA Win32:Trojan-ge n Trojan.Win32.Of icla.nbt Trojan.Generic. KD.225389 Trojan:Win32/Me redrop UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
012cca77918ab828662e9b726c97319c 2012-08-27 2011-11-03 13:55:46 2012-01-28 16:05:29 a variant of Win32/Injector.KLZ Win32:Spyeye-YV [Trj] Trojan.Win32.In ject.bpoa Gen:Variant.Gra ftor.3243 VirTool:Win32/D elfInject.gen!C M
01341c165ed887fa134250750b2218c4 2012-08-27 2011-12-15 08:45:54 2012-01-19 04:40:25 Win32/AutoRun.Spy.Banker.M Win32:Spyware-g en [Spy] Trojan-Dropper. Win32.Dapato.sd d Trojan.Generic. KDV.479801 Worm:Win32/Crid ex.B Armadillo v1.71
014e076ae37f2e5e612ae748dd9e4177 2012-08-27 2011-11-11 03:24:24 2011-11-24 20:34:32 a variant of Win32/Injector.JMN Win32:Crypt-KLY [Trj] Trojan.Win32.Bu zus.iofc Trojan.Generic. 6686401 TrojanDropper:W in32/Sirefef.B
01525755f4b3c800560bdc4ac3c80cbd 2012-08-27 2011-03-09 19:58:13 2011-03-19 04:41:56 a variant of Win32/Injector.FBK Win32:Spyware-g en Trojan-Spy.Win3 2.SpyEyes.fqu Trojan.Generic. KDV.152375
019f9a5668d3de770f4c0a741a4f0c4a 2012-08-27 2012-03-28 01:18:38 2012-03-28 05:03:51 a variant of Win32/Injector.KCP Win32:Regrun-JI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Gra ftor.1584 Armadillo v1.71
01b36ef0ca621293f6c74c7b2950946a 2012-08-27 2012-01-06 23:55:08 2012-06-07 08:19:28 Win32/AutoRun.IRCBot.HO Win32:Malware-g en Trojan-Dropper. Win32.Injector. boyd Backdoor.Agent. ABAV Worm:Win32/Phor piex.B
01ceff3646dd40eaa11ed4cf7a75d495 2012-08-27 2012-03-21 00:04:37 2012-03-22 04:53:17 a variant of Win32/Kryptik.ACTR Win32:Spyeye-AC T [Trj] Trojan-FakeAV.W in32.Agent.dks Gen:Variant.Bre do.21 Rogue:Win32/Win websec
01d1d9f8c314a19e9f5cc7dc06693ea5 2012-08-27 2012-06-20 01:29:52 2012-06-20 01:29:52 Win32:Spyeye-WC [Trj] Trojan.Win32.Ge nome.acnzw Gen:Variant.Kaz y.37631 VirTool:Win32/O bfuscator.TT
01ef0b349a8b2c598f24fad77bb7d506 2012-08-27 2012-06-27 04:01:59 2012-06-27 04:01:59 a variant of Win32/Kryptik.HCV Win32:Malware-g en Trojan-Spy.Win3 2.SpyEyes.evw Trojan.Generic. KD.45757 Rogue:Win32/Win websec
02084edaa51e7bd688fc95c0ae86a29a 2012-08-27 2011-11-18 19:01:09 2011-11-21 15:55:16 a variant of Win32/Injector.KTW Win32:Spyeye-ZI [Trj] Trojan-Spy.Win3 2.SpyEyes.qmg Trojan.Generic. KDV.399472 Trojan:Win32/Or sam!rts
022abced09dc8142069c88ce2ee06e55 2012-08-27 2012-06-22 23:18:26 2012-06-22 23:18:26 Win32/Spy.SpyEye.CA Win32:Zbot-NES [Trj] Net-Worm.Win32. Koobface.jcb Gen:Variant.Kaz y.25416
0234f794047645d090a47550cf229bd4 2012-08-27 2012-04-08 05:38:21 2012-06-13 10:50:56 probably a variant of Win32/Injector.KNA Win32:Malware-g en HEUR:Trojan.Win 32.Generic Gen:Trojan.Heur .VP2.eu0baiVzqp ii VirTool:Win32/V BInject.UG ASPack v2.12

 

—AVP  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
00ada89f87db0db0f3939271c34f865e 2012-08-27 2008-09-18 18:15:52 2009-04-27 12:34:23 probably a variant of Win32/Adware.RogueApp Win32:Adware-ge n not-a-virus:Fra udTool.Win32.Ag ent.r Adware.AntivirP rotection.A Program:Win32/A ntivirusProtect ion
0106605d11d29384522bfa17164fd943 2012-08-27 2012-03-22 10:32:32 2012-03-22 21:11:40 Win32:Dialer-AV P [Trj] Trojan.Win32.Di aler.qn Trojan.Mezzia.G en Trojan:Win32/Ad ialer.OP
014596c2ff3198b690bf2f3debcb0711 2012-08-27 2011-12-03 03:58:24 2011-12-05 21:04:13 Win32/Spy.Zbot.YW Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01b37e56720a5bf5a85c103878100388 2012-08-27 2012-06-11 04:52:22 2012-06-11 04:52:22 Win32/Kryptik.AGSY Win32:Kryptik-I XH [Trj] Trojan-Spy.Win3 2.Zbot.dyuc Trojan.Agent.AV PE
01cd13a561ff5396604b8718e911b49f 2012-08-27 2011-11-17 13:29:53 2012-07-25 21:46:15 Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01f699ef8a648642084f7d665c3c265e 2012-08-27 2011-10-15 19:56:04 2011-10-25 08:10:00 Win32/Olmarik.AVP Win32:Alureon-A FI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.27650 Trojan:Win32/Al ureon.DX
0267027dd9091a7054ff9c46384c6654 2012-08-27 2012-02-04 10:24:19 2012-03-31 17:43:08 a variant of Win32/Kryptik.YVK Win32:MalOb-JA [Cryp] Gen:Variant.Kaz y.52638 Rogue:Win32/Fak eRean
03ceb31131f1a47c1388e9c8a53feca0 2012-08-27 2010-08-10 20:27:10 2011-02-05 09:10:23 a variant of Win32/Injector.CLG Win32:Malware-g en Trojan-Download er.Win32.Banloa d.bekw Worm.Generic.27 2239 TrojanSpy:Win32 /Swisyn.B
05740edf8ef59dfdcb3660b35e76052c 2012-08-27 2010-06-02 22:16:22 2012-08-01 23:09:46 Win32:Rootkit-g en [Rtk] Trojan.Win32.Sw isyn.avpt Trojan.Generic. KD.14612 Trojan:Win32/Tr ufip!rts Armadillo v1.71
06daf98aa5504f124d1f19bb23d8aa2b 2012-08-27 2012-02-20 01:00:55 2012-02-20 01:00:55 a variant of Win32/Kryptik.YMJ Win32:MalOb-IG [Cryp] Trojan.Win32.Fa keAV.kbsd Gen:Variant.Kaz y.51804 Rogue:Win32/Fak eRean
07837d8689d093ddfb90e0e873a40403 2012-08-27 2012-02-06 12:01:38 2012-08-04 03:14:45 Win32:FakeAlert -EM [Trj] Trojan-FakeAV.W in32.VirusDocto r.v Gen:Variant.Urs nif.2 Rogue:Win32/Fak eVimes
07ca5974da6c583b74870b97ca4418ba 2012-08-27 2011-02-04 10:40:03 2012-05-10 04:07:38 a variant of Win32/Spy.VB.NJM Win32:VB-QXQ [Spy] Trojan.Win32.VB Krypt.bavp Gen:Trojan.Heur .fm0@s5JEYbfih Trojan:Win32/Bu mat!rts
087347abfd1f071bcbd9ed2cd83742c3 2012-08-27 2011-11-15 22:10:35 2011-12-16 17:26:10 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
089204eee8ae33f0301b90c43c55aef4 2012-08-27 2011-11-15 12:43:41 2011-12-06 23:11:43 a variant of Win32/Kryptik.VPK Win32:Gbot-M [Trj] Trojan-FakeAV.W in32.OpenCloud. p Trojan.Generic. 6850089 Rogue:Win32/Fak eScanti
09ee083b59b68fa0807dde46be7938a4 2012-08-27 2011-03-19 05:31:23 2011-03-20 00:07:52 Win32/Sirefef.C Win32:Delf-OHT Trojan.Win32.Fa keAV.avpj Trojan.Generic. KD.138388 Worm:Win32/Sire fef.gen!A
0a58fdc81e8bb0e2be92c805846f082e 2012-08-27 2012-01-28 19:43:01 2012-01-28 19:43:01 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0aa08ce7021f950a13167728fe7386a6 2012-08-27 2012-03-24 13:06:08 2012-05-30 19:28:26 a variant of Win32/Injector.PLK Win32:Crypt-MCG [Trj] HEUR:Trojan.Win 32.Generic Trojan.Generic. 7394229 Worm:Win32/Nayr abot.gen!A
0b3daa6dcf816fa34179197d6be16c21 2012-08-27 2012-01-17 00:16:22 2012-02-01 14:32:17 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] Trojan.Win32.Fa keAV.kmpm Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0ce67f90dd1a936cbc08a6dea0e4d8ae 2012-08-27 2011-11-17 02:06:29 2012-02-09 06:37:16 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
0cf1f914d2805a4cafa33ba9088424a2 2012-08-27 2012-01-17 13:30:31 2012-01-17 13:30:31 a variant of Win32/Kryptik.YWV Win32:Downloade r-MHD [Trj] Trojan.Win32.Fa keAV.kjsd Gen:Variant.Gra ftor.12856 Rogue:Win32/Fak eRean

 

—EICAR  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
14eb13beba07c82ba1851bce503cb034 2012-08-27 2011-09-06 11:15:30 2011-12-17 19:44:11 Eicar test file EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
16f8c3d67250837bc2e400ad19e0b72a 2012-08-27 2012-08-10 18:19:02 2012-08-15 16:50:23 BV:BVCK-gen3 P2P-Worm.BAT.Co pybat.ag UPX, PKLITE
2c64f48e5135fbaa944172202d236c7d 2012-08-27 2006-06-01 07:00:05 2012-08-20 00:47:44 EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
317c6356b04926b4cf107df145289435 2012-08-27 2010-12-14 12:22:14 2012-08-12 02:15:31 AntiAVP-Avbad [Trj] Trojan.DOS.Avba d Trojan.Avbad.A Trojan:DOS/Avba d LZEXE, PKLITE
5c770e1490835247d0a541474ee51c50 2012-08-27 2012-07-26 12:10:50 2012-07-27 20:06:32 EICAR Test-NOT virus!!! EICAR-Test-File
5e67103aa3baadde488fc8a66915610e 2012-08-27 2012-02-07 23:35:55 2012-04-07 06:45:15 EICAR-Test-File Virus:DOS/EICAR _Test_File
613a4ae52be7190a18c340f0ffa78fbd 2012-08-27 2012-07-21 14:15:28 2012-07-24 20:16:28 EICAR Test-NOT virus!!! EICAR-Test-File
67cafd0c5fb22dc93815700230d368c3 2012-08-27 2012-07-26 12:19:57 2012-07-27 20:06:19 EICAR Test-NOT virus!!! EICAR-Test-File
72015abc47f25b8f624a0b1b2eb3ebe0 2012-08-27 2012-01-30 00:23:27 2012-04-18 14:37:09 EICAR Test-NOT virus!!! HEUR:Trojan.Win 32.Generic Trojan.Generic. 7358064 Virus:DOS/EICAR _Test_File
79449529d738e9a3ef5893efaf048da5 2012-08-27 2012-07-26 12:27:02 2012-07-27 20:05:41 EICAR Test-NOT virus!!! EICAR-Test-File
82a83e6e1799f3886123614014ef07f4 2012-08-27 2012-07-21 15:02:40 2012-07-24 19:45:51 EICAR Test-NOT virus!!! EICAR-Test-File
934162a08d4a38711083345ef0b57d14 2012-08-27 2008-03-22 05:39:27 2012-05-16 01:40:33 EICAR-Test-File Virus:DOS/EICAR _Test_File
9590348417ce24e4c1d0e1d8af4c4939 2012-08-27 2012-08-04 04:10:00 2012-08-09 00:43:00 EICAR Test-NOT virus!!! EICAR-Test-File Virus:BAT/Mouse Disable.D
96cb4955ea6bab5f3c8524528401413c 2012-08-27 2009-11-30 16:14:16 2011-09-07 03:48:37 probably a variant of Win32/Agent.XRUNPA Win32:Malware-g en Trojan.Win32.Ge nome.qcad Trojan.Generic. 3199186 Trojan:Win32/Me redrop
a27ee916c22a51179c9e2f1ae67aa7eb 2012-08-27 2012-07-21 16:02:15 2012-07-24 19:45:21 EICAR Test-NOT virus!!! EICAR-Test-File
a911a87a26153abe77c3b25c28615218 2012-08-27 2010-09-02 12:41:52 2010-09-02 23:44:58 Win32:Malware-g en Trojan.Win32.Co smu.dry Dropped:EICAR-T est-File (not a virus)
ac2ff734c993884834c5bb820d21f3f1 2012-08-27 2011-11-19 09:10:49 2012-07-30 18:46:08 EICAR Test-NOT virus!!! EICAR-Test-File
b07e6f95ddf91415897164d7b3eb4736 2012-08-27 2011-10-05 23:16:00 2011-10-05 23:16:00 Trojan.Script.7 133
c29bc4713727d469886ea655115dd177 2012-08-27 2012-08-04 04:28:58 2012-08-08 21:33:18 BV:Malware-gen IRC-Worm.BAT.Ge neric Trojan.Batzz99. A Virus:BAT/Adiou s.A embedded
c9357c00c4da9e9fd8add93e917c57c6 2012-08-27 2012-07-21 17:35:39 2012-07-26 20:06:19 EICAR Test-NOT virus!!!

 

 

—mistfall  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
31484725213be800bc1d69cb0ece77aa 2012-08-27 2012-08-10 18:00:33 2012-08-13 13:48:27 Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall
50e4913a0d73f61279101d08a6e983a5 1970-01-01 2006-06-11 16:14:34 2012-04-15 22:14:43 Win32/VirTool.Mistfall Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall

 

 

 

 

 

—rBot =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2af4783aba321f53082085e8937b2567 2012-08-28 2012-07-11 23:52:26 2012-08-26 04:26:41 Win32:Virtob Backdoor.Win32. Rbot.adqd Trojan.Generic. 5333379 Virus:Win32/Vir ut.AC
865915650a85e7c27cdd11850a13f86e 2012-08-28 2006-09-03 07:01:30 2012-06-17 17:26:56 Win32/Rbot Win32:Rbot-GKN [Trj] Net-Worm.Win32. Kolab.aefe IRC-Worm.Generi c.22084 Backdoor:Win32/ Rbot
00157f6de1c95255bb781e45088d9a21 2012-08-27 2012-06-24 18:13:49 2012-06-24 18:13:49 Win32/Rbot.YM Trojan.Win32.Ge nome.dnsq IRC-Worm.Generi c.15028 Backdoor:Win32/ Rbot
0024542e9282e2fe0c0ca9b0c0b6f43a 2012-08-27 2012-02-18 10:11:27 2012-04-16 16:12:13 Win32/Virut.NBP Win32:Rbot-GQG [Trj] Backdoor.Win32. LolBot.xzd Worm.Generic.29 8540 Trojan:Win32/Fa kefolder.B
002984263e0d36042f0a4e613f9b9b46 2012-08-27 2009-02-24 07:24:34 2009-02-24 07:24:34 probably a variant of Win32/Rbot Win32:Trojan-ge n {Other} Backdoor.Win32. Rbot.fat Backdoor.Bot.17 676 ASProtect v1.23 RC1
002d88dc3184ac1cc52018a4a34d02c4 2012-08-27 2011-09-15 04:06:24 2011-09-15 04:06:24 a variant of Win32/Injector.IIQ Win32:Sality Worm.Win32.Ngrb ot.cnh Trojan.Generic. KDV.304762 Worm:Win32/Dork bot.gen!A Armadillo v1.71
00423373be53630ab1ceea85fa574939 2012-08-27 2011-04-02 04:52:43 2012-08-17 14:22:42 Trojan.Generic. 6907346 Backdoor:Win32/ Rbot.gen!G
00492917b6eb3d9c6d62f86f9acc6bce 2012-08-27 2012-06-25 00:19:05 2012-06-25 00:19:05 Backdoor.Win32. Rbot.umw Backdoor.Bot.60 974 Dev-C++ 4.9.9.2 -> Bloodshed Software
0052a28dc60cac68b54ddf8f02d5aa5d 2012-08-27 2010-07-18 23:41:47 2010-07-18 23:41:47 a variant of Win32/Packed.Themida Gen:Trojan.Heur .RqX@5Gy!Zup Backdoor:Win32/ Bifrose.gen!C
0066ad4c5a1206fb6563a285f2ce14a0 2012-08-27 2012-06-22 19:57:07 2012-06-22 19:57:07 a variant of Win32/Packed.Themida Backdoor.Win32. Rbot.akio Trojan.Generic. 7352279 Themida
006e7190f10953306ba5846d272af457 2012-08-27 2011-03-13 17:31:06 2012-02-11 09:09:57 probably a variant of Win32/Agent.COLWWTQ Win32:Spyware-g en [Spy] Backdoor.Win32. Rbot.alyk Gen:Trojan.Heur .GM.0140430082 Backdoor:Win32/ Ursap!rts
006f203bee46359995b68b8f0f95dea1 2012-08-27 2011-12-03 11:22:06 2012-02-11 09:20:43 Win32/TrojanDropper.Delf.NJH Win32:Bifrose-D YN [Trj] Backdoor.Win32. Rbot.hyj Trojan.Keylogge r.ADY TrojanDropper:W in32/Agent.BAD
008e7e1d54316b2f2e6aebd0861a37fe 2012-08-27 2012-06-24 02:14:52 2012-06-24 02:14:52 a variant of Win32/Rbot Win32:EggDrop-A C [Trj] Backdoor.Win32. Rbot.boz Backdoor.Rbot.E UT Backdoor:Win32/ Rbot.gen!F
00a649781cf7d8153bd9af03d0ce5cd9 2012-08-27 2012-06-25 01:54:32 2012-06-25 01:54:32 a variant of Win32/Injector.OI Win32:Rbot-GLC [Trj] Trojan.Win32.Bu zus.bnsz Trojan.Generic. 1809892 VirTool:Win32/I njector.gen!B Armadillo v1.71
00ad7e4470086e1345b017876fd41619 2012-08-27 2011-09-11 16:46:41 2011-11-14 20:47:48 a variant of Win32/Packed.MoleboxUltra Win32:Malware-g en Backdoor.Win32. Rbot.hyj Trojan.Generic. 4200368 TrojanDropper:W in32/Agent.BAD
00d753fcbad0dc47101d3818d491a7e7 2012-08-27 2012-06-21 13:36:05 2012-06-21 13:36:05 Win32/TrojanDownloader.Agent.OST Win32:Trojan-ge n not-a-virus:AdW are.Win32.ZenoS earch.ky Trojan.Generic. 1385769 Trojan:Win32/Vu ndo
00e9816f69922b9c43f89dc0a92a99d1 2012-08-27 2008-12-27 13:34:07 2010-01-22 01:10:12 Backdoor.Bot.89 803 Xtreme-Protecto r v1.05
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc84692d5b22e4ecb3d8022ea86698 2012-08-27 2012-06-27 09:22:01 2012-06-27 09:22:01 a variant of Win32/Spy.Delf.NLM Win32:Agent-ACQ U [Trj] Backdoor.Win32. Rbot.agyp Gen:Trojan.Heur .PT.ei4abKk10V Trojan:Win32/De lf.EZ Malware_Prot.AJ themida 1.0.0.5 -> http://www.orea ns.com
00fc850b10d54e404cc1ff521ad10ea6 2012-08-27 2008-04-28 16:59:58 2008-05-06 12:24:21 Xtreme-Protecto r v1.05
Checked on VT at 2012-09-10 12:39:43
Scanned at 2012-08-26 04:26:41
Fi

 

—proRAT  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0023b2d76c606328688afa5ade9c0acf 2012-08-27 2009-10-25 02:21:28 2009-10-25 02:21:28 a variant of Win32/Packed.Themida Win32:Bifrose-D RI Gen:Trojan.Heur .dvXarDpNMyoi Backdoor:Win32/ Prorat.AH
0043b0517c628ef897f477e4345fd7a3 2012-08-27 2010-07-02 02:34:55 2012-02-11 12:45:38 a variant of Win32/Packed.Themida Win32:Malware-g en Backdoor.Win32. Prorat.uft Backdoor:Win32/ Ursap!rts
0054c6b833c013f32bced841e1e6739d 2012-08-27 2009-10-19 17:19:55 2009-10-19 17:19:55 probably unknown NewHeur_PE Win32:Trojan-ge n MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat.AM
0073d646cf945a4b5b3ba513b87a3c60 2012-08-27 2012-06-20 00:16:55 2012-06-20 00:16:55 a variant of Win32/Prorat.19.NAC Win32:Malware-g en Backdoor.Win32. Prorat.efu MemScan:Backdoo r.Delf.HBZ Backdoor:Win32/ Prorat.AM Obsidium V1.3.0.4 -> Obsidium Software
008e37fd9125255f6a25e19fc7640bea 2012-08-27 2012-06-05 10:42:20 2012-06-05 10:42:20 Win32:Spyware-g en [Spy] Backdoor.Win32. Prorat.het Trojan.Generic. 4484805
0090c0275880256778d156f7b08e8f03 2012-08-27 2011-03-15 10:52:42 2011-04-13 18:37:22 Backdoor.Win32. Prorat.rft Gen:Trojan.Heur .dr3a4ScZqsdi
00a490a8595793e54caa7e9a38768891 2012-08-27 2008-10-01 16:13:23 2008-10-01 16:13:23 probably unknown NewHeur_PE Win32:Agent-ONW MemScan:Backdoo r.Agent.ZNH ASProtect v1.23 RC1
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc839a3e3d2986cceca58ae900ce13 2012-08-27 2010-08-18 21:00:24 2010-08-24 10:54:38 Win32/Packed.Themida.A Win32:Malware-g en Backdoor.Win32. Prorat.19.dht Trojan.Packed.L ibix.Gen.2 VirTool:Win32/O bfuscator.XX
0100ca070eda3acfbdfbf2424612cc5f 2012-08-27 2010-12-14 03:58:20 2012-06-07 07:22:17 a variant of Win32/Injector.BLB Win32:VB-PJN [Drp] Backdoor.Win32. Prorat.hhw Backdoor.Generi c.319260 Trojan:Win32/VB Inject.E
0121a89cb657a11e5dd092883bfd7825 2012-08-27 2010-07-17 07:37:48 2010-07-17 07:37:48 a variant of Win32/TrojanDropper.Delf.NFK Win32:Prorat-JE Gen:Trojan.Heur .GM.0408470024
017d509b8598921ed40744e0ca829db6 2012-08-27 2009-06-22 12:28:25 2009-06-22 12:28:25 Win32:Trojan-ge n {Other} Gen:Trojan.Heur .VB.1025DA9A9A Trojan:Win32/Ma lat
01e7cbd34f8bd3cf5fa608baf2fa6d60 2012-08-27 2011-11-15 13:23:32 2012-02-12 07:10:28 Win32/Prorat.NAH Win32:Prorat-FE [Trj] Backdoor.Win32. Prorat.dz Backdoor.Generi c.21020 Backdoor:Win32/ Prorat.K
01e93b84d7df6bac7cde630ffffd043f 2012-08-27 2010-05-20 13:53:52 2012-06-09 12:47:16 a variant of Win32/RemoteAnything.AA Win32:Trojan-ge n Backdoor.Win32. Prorat.hoj Packer.Malware. NSAnti.1 Backdoor:Win32/ VB.OF
01ea64f575a9f95563ffeef45fb09ca2 2012-08-27 2012-06-27 09:46:59 2012-06-27 09:46:59 Win32/Prorat.19 Win32:Prorat-BH [Trj] Backdoor.Win32. Prorat.kcm Backdoor.Prorat .19.I Backdoor:Win32/ Prorat.Z ASPack v2.12
02119a21b4b339dd367769c2aebd622c 2012-08-27 2008-11-04 18:23:06 2009-12-05 01:59:16 probably a variant of Win32/Agent Win32:Trojan-ge n Backdoor.Win32. ProRat.cqf Trojan.Generic. 1859606
022cb4ec9e03596701cdc5252c09d0e9 2012-08-27 2012-06-25 18:49:03 2012-06-25 18:49:03 a variant of Win32/Injector.EJM Win32:Trojan-ge n Backdoor.Win32. Prorat.efy Gen:Trojan.Heur .Dropper.bm0@aa gNUVni VirTool:Win32/V BInject.AZ
0247d8561b2a3b8338aa2eff5632f212 2012-08-27 2009-10-13 11:06:04 2009-11-08 22:05:55 Win32:Prorat-IR Backdoor.Win32. ProRat.fns MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat
0248b3729a47c970cbd5c43e7298d3dc 2012-08-27 2012-06-21 15:25:52 2012-06-21 15:25:52 a variant of Win32/GameHack.AL Win32:Trojan-ge n Backdoor.Win32. Prorat.fwr Backdoor.Turkoj an.AF Backdoor:Win32/ Turkojan.AI
024c8882871ba3921c2f243ad96e3956 2012-08-27 2012-06-19 17:50:01 2012-06-19 17:50:01 probably a variant of Win32/Agent.LTWPXFW Win32:Trojan-ge n Backdoor.Win32. Prorat.evo MemScan:Backdoo r.ProRat.TG Backdoor:Win32/ Prorat.U

—lostDoor – proRAT kinda  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
cb5c84f6f7e682d9cba2ecba677336c4 1970-01-01 2010-12-04 10:25:27 2012-04-04 22:06:55 a variant of Win32/Spy.KeyLogger.NHM Win32:Agent-ABM I [Trj] Trojan-Spy.Win3 2.VBChuchelo.ah Trojan.Generic. 161562 TrojanSpy:Win32 /Choochie.K

 

 

—Ultimate_Spy-Net  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0058368c1856f88556e881d203441805 2012-08-27 2012-06-24 11:10:36 2012-06-24 11:10:36 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Trojan.Win32.Vi lsel.mfb Packer.Malware. Lighty.I TrojanDownloade r:Win32/Renos
00adc990cbf1e4733fdf3afbdf54938a 2012-08-27 2012-06-23 11:17:18 2012-06-23 11:17:18 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Backdoor.Win32. UltimateDefende r.hiw Packer.Malware. Lighty.I Trojan:Win32/Wa ntvi.I
00c547fb1918bcef0a864161b33f0ead 2012-08-27 2010-12-30 22:38:00 2012-02-11 06:34:55 a variant of Win32/Adware.Antivirus2008 Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.g Trojan.Generic. 365345 Rogue:Win32/Fak eSecSen ASPack v2.12
00cbcdff13e5c710341393a19d260da6 2012-08-27 2008-07-28 12:42:05 2009-10-16 10:45:20 probably a variant of Win32/Adware.Antivirus2008 Win32:Trojan-ge n not-a-virus:Fra udTool.Win32.Ul timateAntivirus .ag Trojan.Generic. 669380 Trojan:Win32/Fa keSecSen ASProtect v1.23 RC1
0279f3e2593cb0130e2616de1e4ebb76 2012-08-27 2008-06-18 11:50:19 2012-02-12 23:45:25 Win32/Adware.WinAntiVirus Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cl Adware.Rogue.Ad vancedAntivirus .A Rogue:Win32/Fak eSecSen Armadillo v1.xx – v2.xx
029eea83722c549f099d423418b8a54a 2012-08-27 2008-10-17 23:58:48 2011-02-26 10:22:25 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B Trojan-Dropper. Win32.Wlord.ahu Packer.Malware. Lighty.I TrojanDropper:W in32/Rooter.B
0305fbcff971eabd81d5ddadd29e6ec1 2012-08-27 2008-08-22 16:42:43 2011-07-18 05:11:41 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bi Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0358ecdc802150626cec39052e43132b 2012-08-27 2008-11-03 08:08:58 2011-08-26 21:27:41 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D [Cryp] Backdoor.Win32. UltimateDefende r.gsv Trojan.FakeAler t.ANE TrojanDownloade r:Win32/Renos.F J
0452ca3a273127a940c491a87806b047 2012-08-27 2008-08-28 06:23:10 2008-10-22 05:12:57 not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bu Program:Win32/A ntivirus2008 ASPack v2.12
057abdd8f6d1f61eef9434b5e7daa4c6 2012-08-27 2011-07-27 19:30:35 2011-10-20 22:26:38 Win32/Adware.UltimateDefender Win32:FraudTool -GY [Tool] Backdoor.Win32. UltimateDefende r.pq Trojan.Generic. 6410781 Trojan:Win32/An omaly.gen!A UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
06fbf01caa783f46421a0bbedf97719e 2012-08-27 2012-06-19 23:11:45 2012-06-19 23:11:45 probably a variant of Win32/Kryptik.FD Win32:Lighty-E [Cryp] Backdoor.Win32. UltimateDefende r.hwp Trojan.FakeAler t.ANE Trojan:Win32/Wa ntvi.I
08226ab7f48461cb78d33b985ec2fa4f 2012-08-27 2008-08-25 12:55:04 2009-05-01 22:36:49 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bq Trojan.Fakealer t.ALL Trojan:Win32/Fa keSecSen ASPack v2.12
085381cd16ef4f9c6cf03ce79f77b35f 2012-08-27 2009-04-16 21:00:47 2009-04-16 21:00:47 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .by Trojan.Fakeav.B C Trojan:Win32/Fa keSecSen ASPack v2.12
09cb0a224418027c40f9552c56180750 2012-08-27 2008-12-02 10:46:37 2009-09-12 07:57:49 a variant of Win32/Kryptik.CH Win32:Lighty-H Backdoor.Win32. UltimateDefende r.hki Trojan.Generic. 1730997 TrojanDownloade r:Win32/Renos.F J
0b55b43d8ec5898f408707ac069300b6 2012-08-27 2008-07-10 12:31:24 2011-08-15 04:38:12 Win32/Adware.Antivirus2008 Win32:FakeAlert -S [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.dp Trojan.FakeAv.B U Rogue:Win32/Fak eSecSen ASProtect v1.23 RC1
0c243bffc29aab2ea6e4abb65319f33c 2012-08-27 2008-09-19 14:03:15 2012-02-09 08:34:42 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cp Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0e4eaff4a610c160e9cfbe4b01463295 2012-08-27 2009-07-21 00:34:56 2009-11-15 11:49:01 probably a variant of Win32/UltimateDefender.A Win32:Agent-QNI Backdoor.Win32. UltimateDefende r.ieq Generic.Malware .P!.6473D4B8 VirTool:WinNT/X antvi.gen!A
0f27d07f89550dcae7050f3c100137f3 2012-08-27 2008-03-29 22:49:29 2008-10-29 15:07:04 not-a-virus:Fra udTool.Win32.Ul timateDefender. cm Trojan.Crypt.AN Trojan:Win32/Ti bs.gen!H
0f388783e9960156399c343ea7a70e24 2012-08-27 2008-11-03 20:53:28 2009-05-26 21:41:40 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D Backdoor.Win32. UltimateDefende r.gky Trojan.FakeAler t.ANE TrojanClicker:W in32/Klik
102009d4b848bd264753f877dae939a4 2012-08-27 2008-08-27 07:34:09 2012-01-24 08:11:37 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.bw Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12

 

 

09/17/12

Tor setup- torrc file configuration

gAtO bEen- working on Tor stuff and wanted to find the right torrc commands and configuration for Tor. So I started to look around and found these files. I guess if we look at these we could come up with maybe all the configurations keywords for Tor. gAtO is working on Tor and maybe some bot’s woking in Tor-land. The word is out and many are working on Tor botnets the good thing is most all are beginners, but the interest of people not wanting to rent a bot but build a bot is getting stronger. People wanting to learn code. Script kiddies with code this is not going to be pretty folks – hope you enjoy the torrc stuff- gAtO oUt

File 1

## Configuration file for a typical Tor user

## Last updated 17 September 2012 @gAtOmAlO2 .

## (May or may not work for much older or much newer versions of Tor.)

##

## Lines that begin with “## ” try to explain what’s going on. Lines

## that begin with just “#” are disabled commands: you can enable them

## by removing the “#” symbol.

##

## See the man page, or https://svn.torproject.org/svn/tor/tags/tor-0_0_9_5/src/config/torrc.sample.in ,

## for more options you can use in this file.

##

## Tor will look for this file in various places based on your platform:

## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc

## Replace this with “SocksPort 0″ if you plan to run Tor only as a

## server, and not make any local application connections yourself.

SocksPort 9050 # what port to open for local application connections

SocksListenAddress 127.0.0.1 # accept connections only from localhost

#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also

 

## Entry policies to allow/deny SOCKS requests based on IP address.

## First entry that matches wins. If no SocksPolicy is set, we accept

## all (and only) requests from SocksListenAddress.

#SocksPolicy accept 192.168.0.0/16

#SocksPolicy reject *

 

## Logs go to stdout at level “notice” unless redirected by something

## else, like one of the below lines. You can have as many Log lines as

## you want.

##

## We advise using “notice” in most cases, since anything more verbose

## may provide sensitive information to an attacker who obtains the logs.

##

## Send all messages of level ‘notice’ or higher to /var/log/tor/notices.log

#Log notice file /var/log/tor/notices.log

## Send every possible message to /var/log/tor/debug.log

#Log debug file /var/log/tor/debug.log

## Use the system log instead of Tor’s logfiles

#Log notice syslog

## To send all messages to stderr:

#Log debug stderr

 

## Uncomment this to start the process in the background… or use

## –runasdaemon 1 on the command line. This is ignored on Windows;

## see the FAQ entry if you want Tor to run as an NT service.

#RunAsDaemon 1

 

## Tor only trusts directories signed with one of these keys, and

## uses the given addresses to connect to the trusted directory

## servers. If no DirServer lines are specified, Tor uses the built-in

## defaults (moria1, moria2, tor26), so you can leave this alone unless

## you need to change it.

#DirServer 18.244.0.188:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441

#DirServer 18.244.0.114:80 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF

#DirServer 62.116.124.106:9030 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D

 

## The directory for keeping all the keys/etc. By default, we store

## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

#DataDirectory @LOCALSTATEDIR@/lib/tor

 

## The directory for keeping all the keys/etc. By default, we store

## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

#DataDirectory /var/lib/tor

 

## The port on which Tor will listen for local connections from Tor

## controller applications, as documented in control-spec.txt.

#ControlPort 9051

 

############### bypass open DNS ###############

##

## ACRYLIC DNS PROXY ==
## http://sourceforge.net/projects/acrylic/
##
## Step 1 INSTALL TOR
## Step 2 INSTALL ACRYLIC DNS PROXY

##

Acrylic is a local DNS proxy which improves the performance of your computer by caching the responses coming from your DNS servers. When you browse a Web page a portion of the loading time is dedicated to name resolution (usually from a few milliseconds to 1 second or even more) while the rest is dedicated to the transfer of the page contents to your browser. What Acrylic does is to reduce the time dedicated to name resolution for frequently visited addresses as close to zero as possible. With Acrylic you can also gracefully overcome short downtimes of your DNS servers without disrupting your work, because in this case you will at least be able to connect to your favourite sites and to your email server. In addition Acrylic can help you to effectively block unwanted ads prior to their download through the use of a custom HOSTS files, optimizing your navigation experience even further.

## Copy the following and paste it in TOR BROWSER\Data\TOR\torrc

## DNSPort 9053
## AutomapHostsOnResolve 1
## AutomapHostsSuffixes .exit,.onion

##

##

##

############### bypass open DNS ###############

############### This section is just for location-hidden services ###

## Look in …/hidden_service/hostname for the address to tell people.

## HiddenServicePort x y:z says to redirect a port x request from the

## client to y:z.

 

#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/hidden_service/

#HiddenServicePort 80 127.0.0.1:80

 

#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/other_hidden_service/

#HiddenServicePort 80 127.0.0.1:80

#HiddenServicePort 22 127.0.0.1:22

#HiddenServiceNodes moria1,moria2

#HiddenServiceExcludeNodes bad,otherbad

## Once you have configured a hidden service, you can look at the

## contents of the file “…/hidden_service/hostname” for the address

## to tell people.

##

## HiddenServicePort x y:z says to redirect requests on port x to the

## address y:z.

 

#HiddenServiceDir /var/lib/tor/hidden_service/

#HiddenServicePort 80 127.0.0.1:80

 

#HiddenServiceDir /var/lib/tor/other_hidden_service/

#HiddenServicePort 80 127.0.0.1:80

#HiddenServicePort 22 127.0.0.1:22

 

################ This section is just for relays ###################

## See https://www.torproject.org/docs/tor-doc-relay for details.

 

## A unique handle for your server.

 

#Nickname ididnteditheconfig

 

## The IP or FQDN for your server. Leave commented out and Tor will guess.

 

#Address noname.example.com

 

## Define these to limit the bandwidth usage of relayed (server)

## traffic. Your own traffic is still unthrottled.

## Note that RelayBandwidthRate must be at least 20 KB.

 

#RelayBandwidthRate 100 KBytes  # Throttle traffic to 100KB/s (800Kbps)

#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps)

 

## Contact info to be published in the directory, so we can contact you

## if your server is misconfigured or something else goes wrong.

#ContactInfo Random Person <nobody AT example dot com>

## You might also include your PGP or GPG fingerprint if you have one:

 

#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>

 

## Required: what port to advertise for Tor connections.

#ORPort 9001

## If you need to listen on a port other than the one advertised

## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the

## line below too. You’ll need to do ipchains or other port forwarding

## yourself to make this work.

 

#ORListenAddress 0.0.0.0:9090

 

## Uncomment this to mirror directory information for others. Please do

## if you have enough bandwidth.

#DirPort 9030 # what port to advertise for directory connections

## If you need to listen on a port other than the one advertised

## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line

## below too. You’ll need to do ipchains or other port forwarding yourself

## to make this work.

 

#DirListenAddress 0.0.0.0:9091

 

## Uncomment this if you run more than one Tor server, and add the

## nickname of each Tor server you control, even if they’re on different

## networks. You declare it here so Tor clients can avoid using more than

## one of your servers in a single circuit. See

## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers

 

#MyFamily nickname1,nickname2,…

 

## A comma-separated list of exit policies. They’re considered first

## to last, and the first match wins. If you want to _replace_

## the default exit policy, end this with either a reject *:* or an

## accept *:*. Otherwise, you’re _augmenting_ (prepending to) the

## default exit policy. Leave commented to just use the default, which is

## available in the man page or at https://www.torproject.org/documentation.html

##

## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses

## for issues you might encounter if you use the default exit policy.

##

## If certain IPs and ports are blocked externally, e.g. by your firewall,

## you should update your exit policy to reflect this — otherwise Tor

## users will be told that those destinations are down.

##

#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more

#ExitPolicy accept *:119 # accept nntp as well as default exit policy

#ExitPolicy reject *:* # no exits allowed

#

################ This section is just for bridge relays ##############

#

## Bridge relays (or “bridges” ) are Tor relays that aren’t listed in the

## main directory. Since there is no complete public list of them, even if an

## ISP is filtering connections to all the known Tor relays, they probably

## won’t be able to block all the bridges. Unlike running an exit relay,

## running a bridge relay just passes data to and from the Tor network –

## so it shouldn’t expose the operator to abuse complaints.

 

#ORPort 443

#BridgeRelay 1

#RelayBandwidthRate 50KBytes

#ExitPolicy reject *:*

 

File 2

################ This section is just for servers #####################

 

## NOTE: If you enable these, you should consider mailing your identity

## key fingerprint to the tor-ops, so we can add you to the list of

## servers that clients will trust. See the README for details.

 

## Required: A unique handle for this server

#Nickname ididnteditheconfig

 

## The IP or fqdn for this server. Leave blank and Tor will guess.

#Address noname.example.com

 

#ContactInfo 1234D/FFFFFFFF Random Person <nobody@example.com>

 

## Required: what port to advertise for tor connections

#ORPort 9001

## If you want to listen on a port other than the one advertised

## in ORPort, uncomment the line below. You’ll need to do ipchains

## or other port forwarding yourself to make this work.

#ORBindAddress 0.0.0.0:9090

 

## Uncomment this to mirror the directory for others (please do)

#DirPort 9030 # what port to advertise for directory connections

## If you want to listen on a port other than the one advertised

## in DirPort, uncomment the line below. You’ll need to do ipchains

## or other port forwarding yourself to make this work.

#DirBindAddress 0.0.0.0:9091

 

## A comma-separated list of exit policies. They’re considered first

## to last, and the first match wins. If you want to *replace*

## the default exit policy, end this with either a reject *:* or an

## accept *:*. Otherwise, you’re *augmenting* (prepending to) the

## default exit policy. Leave commented to just use the default.

#ExitPolicy accept *:6660-6667

#ExitPolicy reject 192.168.0.1:*

#ExitPolicy reject *:*

 

#BridgeRelay 1

#ExitPolicy reject *:*

 

File 3

Index: torrc.sample.in

===================================================================

RCS file: /home/or/cvsroot/src/config/torrc.sample.in,v

retrieving revision 1.31

retrieving revision 1.32

diff -u -d -r1.31 -r1.32

— torrc.sample.in 10 Nov 2004 00:14:02 -0000 1.31

+++ torrc.sample.in 12 Nov 2004 04:00:07 -0000 1.32

@@ -1,73 +1,76 @@

-# Configuration file for a typical tor user

+## Configuration file for a typical tor user

 

-# Replace this with “SocksPort 0″ if you don’t want clients to connect.

+## Replace this with “SocksPort 0″ if you don’t want clients to connect.

SocksPort 9050 # what port to advertise for application connections

SocksBindAddress 127.0.0.1 # accept connections only from localhost

#SocksBindAddress 192.168.0.1:9100 # listen on a chosen IP/port

 

-# Entry policies to allow/deny SOCKS requests based on IP address.

-# First entry that matches wins. If no SocksPolicy is set, we accept

-# all (and only) requests from SocksBindAddress.

-#

+## Entry policies to allow/deny SOCKS requests based on IP address.

+## First entry that matches wins. If no SocksPolicy is set, we accept

+## all (and only) requests from SocksBindAddress.

#SocksPolicy accept 192.168.0.1/16

#SocksPolicy reject *

 

-# Allow no-name routers (ones that the dirserver operators don’t

-# know anything about) in only these positions in your circuits.

-# Other choices (not advised) are entry,exit,introduction.

+## Allow no-name routers (ones that the dirserver operators don’t

+## know anything about) in only these positions in your circuits.

+## Other choices (not advised) are entry,exit,introduction.

AllowUnverifiedNodes middle,rendezvous

 

-# Logs go to stdout unless redirected by something else, like one of

-# the below lines, or –logfile on the command line.

-### Send all messages of level ‘warn’ or higher to @LOCALSTATEDIR@/log/tor/warnings

-#Log warn file @LOCALSTATEDIR@/log/tor/warnings

-### Send all debug and info messages to @LOCALSTATEDIR@/log/tor/debug

-#Log debug-info file @LOCALSTATEDIR@/log/tor/debug

-### Send all debug messages ONLY to @LOCALSTATEDIR@/log/tor/debug

-#Log debug-debug file @LOCALSTATEDIR@/log/tor/debug

-### To use the system log instead of Tor’s logfiles, uncomment these lines:

+## Logs go to stdout unless redirected by something else, like one of

+## the below lines.

+## Send all messages of level ‘warn’ or higher to @LOCALSTATEDIR@/log/tor/warnings

+#Log warn file @LOCALSTATEDIR@/log/tor/warnings.log

+## Send all debug and info messages to @LOCALSTATEDIR@/log/tor/debug

+#Log debug-info file @LOCALSTATEDIR@/log/tor/debug.log

+## Send all debug messages ONLY to @LOCALSTATEDIR@/log/tor/debug

+#Log debug-debug file @LOCALSTATEDIR@/log/tor/debug.log

+## To use the system log instead of Tor’s logfiles, uncomment these lines:

#Log notice syslog

-### To send all messages to stderr:

+## To send all messages to stderr:

#Log debug-err stderr

 

-# Uncomment this to start the process in the background… or use

-# –runasdaemon 1 on the command line.

+## Uncomment this to start the process in the background… or use

+## –runasdaemon 1 on the command line.

#RunAsDaemon 1

 

-# Tor only trusts directories signed with one of these keys, and

-# uses the given addresses to connect to the trusted directory

-# servers. If no DirServer lines are specified, Tor uses the built-in

-# defaults (moria1, moria2, tor26), so you can leave this alone unless

-# you need to change it.

+## Tor only trusts directories signed with one of these keys, and

+## uses the given addresses to connect to the trusted directory

+## servers. If no DirServer lines are specified, Tor uses the built-in

+## defaults (moria1, moria2, tor26), so you can leave this alone unless

+## you need to change it.

#DirServer 18.244.0.188:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441

#DirServer 18.244.0.114:80 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF

#DirServer 62.116.124.106:9030 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D

 

-# The directory for keeping all the keys/etc. By default, we store

-# things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

+## The directory for keeping all the keys/etc. By default, we store

+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

#DataDirectory @LOCALSTATEDIR@/lib/tor

 

##################### Below is just for servers #####################

 

-## NOTE: If you enable these, you should consider mailing your

-## identity key fingerprint to the tor-ops, so we can verify

-## your configuration. See the README for details.

+## NOTE: If you enable these, you should consider mailing your identity

+## key fingerprint to the tor-ops, so we can add you to the list of

+## servers that clients will trust. See the README for details.

+

+## A unique handle for this server

+#Nickname ididnteditheconfig

+

+## The IP or fqdn for this server. Leave blank and Tor will guess.

+#Address noname.example.com

 

-#Nickname ididnteditheconfig       # A unique handle for this server

-#Address noname.example.com        # The IP or fqdn for this server

#ContactInfo 1234D/FFFFFFFF Random Person <nobody@example.com>

 

#ORPort 9001 # what port to advertise for tor connections

-# If you want to listen on a port other than the one advertised

-# in ORPort, uncomment the line below. You’ll need to do ipchains

-# or other port forwarding yourself to make this work.

+## If you want to listen on a port other than the one advertised

+## in ORPort, uncomment the line below. You’ll need to do ipchains

+## or other port forwarding yourself to make this work.

#ORBindAddress 0.0.0.0:9090

-# Uncomment this to mirror the directory for others (please do)

+## Uncomment this to mirror the directory for others (please do)

#DirPort 9030 # what port to advertise for directory connections

-# If you want to listen on a port other than the one advertised

-# in DirPort, uncomment the line below. You’ll need to do ipchains

-# or other port forwarding yourself to make this work.

+## If you want to listen on a port other than the one advertised

+## in DirPort, uncomment the line below. You’ll need to do ipchains

+## or other port forwarding yourself to make this work.

#DirBindAddress 0.0.0.0:9091

## A comma-separated list of exit policies. They’re considered first

File 4

############### This section is just for location-hidden services ###
64
65 ## Look in …/hidden_service/hostname for the address to tell people.
66 ## HiddenServicePort x y:z says to redirect a port x request from the
67 ## client to y:z.
68
69 #HiddenServiceDir /data/Data/projekte/DilloTor/tor-0.1.1.23/binary/var/lib/tor/hidden_service/
70 #HiddenServicePort 80 127.0.0.1:80
71
72 #HiddenServiceDir /data/Data/projekte/DilloTor/tor-0.1.1.23/binary/var/lib/tor/other_hidden_service/
73 #HiddenServicePort 80 127.0.0.1:80
74 #HiddenServicePort 22 127.0.0.1:22
75 #HiddenServiceNodes moria1,moria2
76 #HiddenServiceExcludeNodes bad,otherbad
77

File 5

— src/config/torrc.sample.in.orig 2007-01-27 23:41:23.000000000 +0000
+++ src/config/torrc.sample.in 2007-01-27 23:43:47.000000000 +0000
@@ -18,6 +18,11 @@
 ## With the default Mac OS X installer, Tor will look in ~/.tor/torrc or
 ## /Library/Tor/torrc
+## Default username and group the server will run as
+User tor
+Group tor
+
+PIDFile /var/run/tor/tor.pid
 ## Replace this with “SocksPort 0″ if you plan to run Tor only as a
 ## server, and not make any local application connections yourself.
@@ -46,6 +51,7 @@
 #Log notice syslog
 ## To send all messages to stderr:
 #Log debug stderr
+Log notice file /var/log/tor/tor.log
 ## Uncomment this to start the process in the background… or use
 ## –runasdaemon 1 on the command line. This is ignored on Windows;
@@ -55,6 +61,7 @@
 ## The directory for keeping all the keys/etc. By default, we store
 ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
 #DataDirectory @LOCALSTATEDIR@/lib/tor
+DataDirectory   /var/lib/tor/data
 ## The port on which Tor will listen for local connections from Tor
 ## controller applications, as documented in control-spec.txt.

 

— a/src/config/torrc.sample.in
2 +++ b/src/config/torrc.sample.in
3 @@ -44,11 +44,11 @@ SocksListenAddress 127.0.0.1 # accept co
4  ## Uncomment this to start the process in the background… or use
5  ## –runasdaemon 1 on the command line. This is ignored on Windows;
6  ## see the FAQ entry if you want Tor to run as an NT service.
7 -#RunAsDaemon 1
8 +RunAsDaemon 1
9
10  ## The directory for keeping all the keys/etc. By default, we store
11  ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
12 -#DataDirectory @LOCALSTATEDIR@/lib/tor
13 +DataDirectory @LOCALSTATEDIR@/lib/tor
14
15  ## The port on which Tor will listen for local connections from Tor
16  ## controller applications, as documented in control-spec.txt.
17 @@ -168,3 +168,5 @@ SocksListenAddress 127.0.0.1 # accept co
18  #BridgeRelay 1
19  #ExitPolicy reject *:*
20
21 +User tor
22 +PidFile @LOCALSTATEDIR@/run/tor/tor.pid

File 6

Configuration tips

Using the same exit for persistant connections

Some websites will log you out if you re-visit (while loggined in using a cookie to identify you) from a different IP. Tor has a feature called long lived ports. You could add the following to torrc to make connections to given ports use the same circut for a long period of time:

LongLivedPorts 80,23,21,22,706,1863,5050,5190,5222,5223,6667,8300,8888

A good alternative to LongLivedPorts is to use MapAddress for given sites. It allows you to make sure every connection to a given site goes through the same connection. This is also a good option if you need given sites to be visited from a given country.

For example,

MapAddress www.nsa.gov www.nsa.gov.nadia.exit

will make all visits to www.nsa.gov always use the edit node nadia, which is located in the US. There are anonymity issues with this; if you’re the only one using it then www.nsa.gov can at least figure out that it’s the same guy who’s visiting when connections are coming from that exit node.

=== Make Tor act faster ====

It is also possible to make Tor connections seem faster by setting CircuitBuildTimeout. Setting this number lower than the default (60 seconds) makes Tor give up and try other paths if it takes longer than the limit to build a circut. A circut which takes 50 seconds to build will be slower than a circut that takes 15 seconds to build. For example, you could set:

CircuitBuildTimeout 10

However, it must be mentioned that you will be using a whole lot more different servers if you allow circuts who take 50 seconds to build than if you set the limit to 10 seconds. There isn’t much solid research on exactly how this impacts traffic analysis resistance, but you’re – generally speaking – better off using a lot of slow servers than a few fast ones.

File 7

https://svn.torproject.org/svn/tor/tags/tor-0_0_9_5/src/config/torrc.sample.in