Monday, December 30, 2013

ZeuS C&C -

More work done on command & control servers listed on ZeuS Tracker
netname:        austdomains
descr:          Internet Services Network
descr:          Global Telecommunications
country:        AU

ZeuS Tracker details:

I can't get on this way, so I try something else.

1. Drop a shell on your sandy seashore.

2. Grab mysql auth from config files. 

3. Look around (so small, sorry buddy)

4. Change admin password. (and get proper username) 

Let's try again.
Ok. Now we're in.

Confirmed. You have a small useless botnet (and penis).

Some OS statistics for Science:

Useless bots:

Some reports:
 No banking.

so silly. 

Sunday, December 29, 2013

Citadel C&C hosted on

Doing more work on the botnet command & control servers listed on ZeuS Tracker.

Citadel C&C - VolumeDrive US
Citadel bot v.
90% of bots located in India.
Evidence of stolen banking credentials.

This server panel is offline now, and it's been removed from ZeuS Tracker, so it's OK to publish details about it.

Original ZeuS Tracker page:

Admin panel login:

and kick the door down..

205 bots
(143 India)

first page of bot details: 
(is that your IP?)

Evidence of stealing credentials. (Crédit Agricole Egypt - Online Banking ePayroll System)

Here are some OS statistics to show what systems get infected.
XP, Win7, Win7 x64 and Server 2008 x64

Fun fact:
AntiVirus software is commonly seen running in memory alongside the bot exe. :-)

Some options:
encryption key: obi

The guy was in the process of updating when I broke in. Oops, sorry about that.

user_execute hxxp:// 

(volumedrive again, US PA - get your shit together)

more details on this host later..

nh.exe - cf2cfc5354b62dc0d9bf42a0a3841437
Virus Total detection 5 of 48

malware phones home to: (Ireland)
but the server has already been seen..

Interesting ports on
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1720/tcp filtered H.323/Q.931
3389/tcp open ms-term-serv
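
As an added example (not part of the original post), here is a small defender-side check over a port listing like the one above: it parses nmap "normal" output lines and flags open services that should not be reachable from the internet on a Windows host. The sample scan text is the post's own five lines; the exposure policy table is the editor's assumption, not anything the post states.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the port listing quoted in the post, in nmap "normal" output format.
SAMPLE_SCAN = """\
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1720/tcp filtered H.323/Q.931
3389/tcp open ms-term-serv
"""

# One nmap port line: "<port>/<proto> <state> <service>"; service names may contain '/' (H.323/Q.931).
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_ports(text: str) -> List[PortEntry]:
    """Return one PortEntry per recognised port line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"], m["service"]))
    return entries


# Assumption (editor's policy, not from the post): services that should be reachable only
# from an internal network, VPN or bastion, never directly from the internet.
EXPOSURE_POLICY: Dict[int, str] = {
    135: "MS-RPC endpoint mapper: remote enumeration surface",
    139: "NetBIOS session service: legacy SMB transport",
    445: "SMB: credential relay, brute-force and worm propagation target",
    3389: "RDP: brute-force and credential-stuffing target",
}


def assess_exposure(entries: List[PortEntry]) -> List[Tuple[int, str, str]]:
    """Flag only OPEN ports that are in the policy; 'filtered' ports are not reachable."""
    return [
        (e.port, e.service, EXPOSURE_POLICY[e.port])
        for e in entries
        if e.state == "open" and e.port in EXPOSURE_POLICY
    ]


def summarize(text: str) -> Dict[str, list]:
    """Split a scan into open / filtered ports and the policy findings for it."""
    entries = parse_nmap_ports(text)
    return {
        "open": [e.port for e in entries if e.state == "open"],
        "filtered": [e.port for e in entries if e.state == "filtered"],
        "flagged": assess_exposure(entries),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SCAN)
    print("open:", report["open"], "filtered:", report["filtered"])
    for port, service, why in report["flagged"]:
        print(f"  {port}/tcp ({service}): {why}")
```

For the sample above the check flags 135, 139, 445 and 3389 and leaves 1720 alone, since a filtered port is not reachable. The same parser works on any nmap normal-output file, so it can be dropped into a recurring external-exposure check of one's own hosts.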

Win2k8 R2 Std
Home base for this h4x0r fucker..more on this detail later.

Saturday, December 28, 2013

ZeuS botnet -

More work on the ZeuS Tracker C&Cs - hosting small ZeuS botnet  - JumpLine, US, Ohio
Domain has Whois protection

Targets include VN and AE .gov sites
POP3 and HTTP credentials, no banking credentials seen

Config f8e2d5d42364f80332c7661dd5fbe4a3

ZeuS C&C login:

42 bots - why you so shitty and small?

OS Statistics to show what systems get hit.
note: Win7 x64

Someone left a sandy sea shell on your sea shore...

Shared hosting - wtf, really? 

$ uname -a
Linux 2.6.32-358.6.2.el6.x86_64 #1 SMP Thu May 16 20:59:36 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

$ id
uid=33351(powdered) gid=33355(powdered) groups=33355(powdered)

Reported abuse to:
postmaster( a t )
compliance( a t )

Chinese Food - TrojDropper:Win32/Swisyn (etc)

TrojDropper:Win32/Swisyn (etc)
hosted on: (China Telecom, Beijing)

This HTTPFileServer seems to be a popular choice for the Chinese to host malware on Windows servers.

I was downloading samples and the server went down for a bit.

While I waited I sent them through to get a quick analysis.

ELF executable

C&C hosting ZeuS botnet (now offline)

Working on the ZeuS Tracker C&Cs today.

New server added yesterday 27 Dec hosted on 

Control Panel login:

and now for a little B&E action..

very small botnet

Some stats about what OS are getting hit:

Another shell.

Contacted them...and ISP

Control panel now offline.

Personally, "I-will" anything from these guys.
This box was ransacked..there were no auth logs, multiple shells, etc.
They obviously need to get their shit together.

Friday, December 20, 2013 - carding shop selling stolen cards from Target breach

In December 2013, millions of consumers' credit card information was stolen by hackers from the retail giant Target.

Brian Krebs wrote an excellent article explaining how these stolen cards are 'flooding underground markets'

This post is a look inside the carding shop that is selling stolen credit card information from the Target data breach.

It is a usual shit carding shop, buy CCs and dumps, bin lookup, checker, etc.

One interesting thing about this shop: it features an automated WU and MG account crediting system. If you want to fund your account and make a purchase from this shop, you must reserve a 'drop' person to wire money to in Lviv, Ukraine. Nice.

Here we go...

Lovely login screen for a crook shop :-)
3 admins

ICQ: 100845
JID 2:
ICQ 2: 17700
JID 3: 
ICQ 3: 10576

Senator Rescator is some asshole hacker on the underground forum Lampeduza..thus Rescator.La is his. You can see he is listed as the 3rd admin.

After login page, News

Adverts for on site - a related carder shop

News page, recent activity, active shop.

Note: over 199k out of 200k dumps are from America.

CC and Dumps pages:

Bin Lookup

Ticketing system for support

Add money:

This is the interesting part - in order to fund your account on this shop, reserve a 'drop' and wire them the cash..

Lol at this:
P.S. Please send your transfers in non-exact amounts by adding 1-2-3-4-5-6-7 dollars. Meaning, when you want to transfer 500 dollars, please send - 508, 506, 503, 504, 505. That will help receiving funds much, much faster. 

Add money, reserve drop:

And Lol at this:
Send all your transfers to:
City: Lviv
Country: Ukraine

Friday, September 13, 2013

Who is behind BestRecovery

The Pakistani copy/paste admin of BestRecovery key spy service

Xenon Cool

I emailed this coward and he deleted his twitter account.

We can see from the youtube channel (pro2comp) that he is commenting on many videos about how to make VB software, how to avoid AV detection, crypters, etc.

can u make video how can we make rat like dark comet and cybergate i hope u will make i love ur videos i have sub to ur channel sir i am inspired and ur role model for me

Wow. This is sad..but really funny. 

Anyway..shall we continue?

The admin of BestRecovery posted a video about the keylogger service using the youtube account Affan Majid (hacked) / Pro2Comp -

Published on Aug 6, 2012

Connect the dots.

ainey_cool aka

The twitter account has a picture of Xenon - the Admin of BestRecovery.
(this account has been deleted. see screen shots)

Notes 14152 IN A 14362 IN A 14085 IN A 9095 IN A

Name Servers:
DNS records 14400 IN A 14400 IN A 21600 IN NS 21600 IN NS
DNS checks
# dig 1800 IN SOA
and again on the other NS
# dig 1709 IN SOA
You left your email address in your DNS record? Ok..
That email address was plastered on the front page of BestRecovery.

he is in db dump:

I wonder if this guy is Pakistani..?

he registered 
facebook page:

(note the Vampire avatar from his Vampire Crypter)
via Xenon Cool (source)

Best Recovery-The Best Fud Keylogger

He posted screen pics of him using DarkComet on people and claiming they have $ in bank accounts.

He is also selling access to people's bank accounts on FB - what a fucker.

He has a link on the FB account claiming to own the 'FUD' keylogger and video for BestRecovery.
Uber 1337

I'm thinking his name is Ainey Bhai? of Lahore, PK

He definitely lives in Pakistan, and I believe he is or recently was a student. He used the school computers to spread the malware.

Someone will recognize this guy.
ainey cool
born 27 December 1989

It's all just so pathetic.

Get a life man.