
Keeping Track of the Bad Guys

When I took some Russian classes at Purdue, I was one of the few non-ROTC students in the room. In that same spirit of "know your adversary"....

Criminal Markets

There are sites where "carding", the sale of stolen credit card data, goes on openly, along with trade in counterfeit currency, stolen smartphones, and the like. OmertaHack is one example.

Hackers in the Classic Sense of the Term

Magazines and web sites catering to the community of bad guys, or at least security researchers plus some wannabe bad guys and posers, include 2600 and Phrack.

Hacker hangouts and groups providing information exchange and tools include the Chaos Computer Club Berlin.

Hacker Technology

There are lots and lots of ready-to-compile programs for testing your systems with the same weapons the attackers will use. Start by looking at Packet Storm Security and AntiOnline.

Stack smashing is a specific form of buffer overflow attack: a function copies attacker-supplied input into a fixed-size buffer on the stack without checking its length, so the excess overwrites the saved return address and redirects execution when the function returns. The classic paper on exploiting this is "Smashing The Stack For Fun And Profit" by Aleph One, in Phrack issue 49 (1996). Get the original paper at insecure.org or Packet Storm.

There's a nice follow-up paper on writing advanced buffer overflow exploits.
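The mechanics the Phrack paper describes can be seen in a small model. This is an added example, not code from this page or from the paper: it simulates one stack frame as a byte array (a 16-byte buffer, then the saved frame pointer, then the return address, 64-bit little-endian, all of which are assumptions), shows an unbounded strcpy-style copy rewriting the return address, and puts the bounds-checked version beside it.

```python
"""Byte-level model of the stack-smashing attack described in "Smashing The
Stack For Fun And Profit" (Phrack 49).

Added illustration, not code from the page or the paper.  The frame layout
(16-byte buffer, then saved frame pointer, then return address, little-endian
64-bit) and the addresses are assumptions chosen to match the classic picture;
the model ignores modern mitigations (stack canaries, non-executable stacks,
ASLR) that a real exploit must also defeat.
"""
import struct

BUF_SIZE = 16                 # char buffer[16] in the vulnerable function
FP_SIZE = 8                   # saved frame pointer sits just above the buffer
RET_SIZE = 8                  # then the saved return address
RET_OFFSET = BUF_SIZE + FP_SIZE
FRAME_SIZE = RET_OFFSET + RET_SIZE
LEGIT_RETURN = 0x400500       # assumed return address back into the caller
SAVED_FP = 0x7FFFFFFFE000     # assumed saved frame pointer value


def new_frame():
    """A freshly entered frame: empty buffer, saved FP, legitimate return address."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into('<Q', frame, BUF_SIZE, SAVED_FP)
    struct.pack_into('<Q', frame, RET_OFFSET, LEGIT_RETURN)
    return frame


def return_address(frame):
    """Where the function will jump when it executes its 'ret'."""
    return struct.unpack_from('<Q', frame, RET_OFFSET)[0]


def _c_string(src):
    """The bytes strcpy() would copy: up to and including the first NUL."""
    end = src.find(b'\0')
    return src if end < 0 else src[:end + 1]


def strcpy_buffer(frame, src):
    """Vulnerable: strcpy(buffer, src) has no idea how big buffer is, so
    excess bytes run over the saved frame pointer and then the return address."""
    data = _c_string(src)
    if len(data) > FRAME_SIZE:            # model boundary only; real code keeps writing
        raise IndexError("write runs past the modelled frame")
    frame[:len(data)] = data
    return frame


def bounded_copy_buffer(frame, src):
    """Hardened: refuse anything that does not fit, terminator included
    (the equivalent of checking strlen(src) < sizeof buffer before copying)."""
    data = _c_string(src)
    if len(data) > BUF_SIZE:
        raise ValueError("input does not fit in buffer")
    frame[:len(data)] = data
    return frame


def exploit_payload(target):
    """Classic layout: filler over the buffer and saved FP, then the new return
    address in the CPU's byte order.  strcpy() stops at the first NUL byte, so
    a target with high zero bytes only lands intact when the frame bytes that
    are not copied already hold zeros (they do here, since LEGIT_RETURN is small)."""
    return b'A' * BUF_SIZE + b'B' * FP_SIZE + struct.pack('<Q', target)
```

Running `strcpy_buffer(new_frame(), exploit_payload(0x41414141))` leaves the frame's return address at 0x41414141, which is exactly what a debugger shows as the faulting address when an overlong "AAAA..." string crashes a vulnerable program; `bounded_copy_buffer` rejects the same input and leaves the return address untouched.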

Spamming and Stolen Accounts

Criminal organizations openly sell access to hacked systems and spamming software. I received the following email. In its jargon, "WebMails" means stolen webmail accounts, "Shells" means access to hacked Linux/UNIX systems, and "RDP" means Remote Desktop access to hacked Windows systems.

From: TOOLX.SX <info@bmw-avtoport.ru>

TOOLX.SX - Support 24/7 - WELCOME

  * WebMails : with only _10$_ .
  * Inbox Mailers : Starting from _7$_ .
  * Shells _5$_ .
  * Gold Unlimited Smtp's : _6$_ .
  * Big & Fresh Leads : Starting with _10$_ .
  * RDP's ( WIN 2008 & 2003 & 7 & XP ) : Starting with Only _10$_ .(Administrators)
  * Private Scam Pages , Tutorials , Tools , Exploits , Scripts in Sections :
    Files & Hack & More Tools Just Register on toolx.sx <http://www.toolx.sx> .
  * Go to toolx.sx <http://www.toolx.sx> , Register , ADD Funds To Your Account
    : http://toolx.sx/balance.php <http://www.toolx.sx/balance.php>

            NEW BIGG UPDATE: - RDP = USA & Worldwide [2003-2008] / Shells /
	    SMTPs / Mailers / Leads / cPanel. - Support 24/7 - WELCOME

We Currently Accept as Method of Add Funds :
*Bitcoin* & *PerfectMoney*& *Coupon Code System*
If you not have account , Free Register at *http://toolx.sx* <http://www.toolx.sx>


toolx.sx SHOP Team ©
Web: *http://toolx.sx* <http://www.toolx.sx> ******************

**********Login at our shop now: *Go to store now <http://www.toolx.sx>***********

© Toolx.sx - The Best Store 2012-2015


Let's look at the headers to see where this came from:

Return-Path: info@bmw-avtoport.ru
Received: from resimta-po-12v.sys.comcast.net (LHLO
 resimta-po-12v.sys.comcast.net) ( by
 resmail-ch2-291v.sys.comcast.net with LMTP; Thu, 16 Jun 2016 04:50:34 +0000
Received: from mail.visko-td.ru ([])
        by resimta-po-12v.sys.comcast.net with comcast
        id 7GqW1t00g58p8DG01GqXy2; Thu, 16 Jun 2016 04:50:33 +0000
X-CAA-SPAM: N00001
X-Authority-Analysis: v=2.2 cv=Z6cDJDZA c=1 sm=1 tr=0 p=CuUU-2S5AAAA:8
 p=FQcSCCfIWczPZYWNgecA:9 p=IC0bq68s7SMhLFC5:21 a=A0n+dx4VeM4CxFeTCCKc1A==:117
 a=A0n+dx4VeM4CxFeTCCKc1A==:17 a=9cW_t1CCXrUA:10 a=Dyoqhi_TatcA:10
 a=47kyEjea234A:10 a=Cfj4BQAnxiAA:10 a=QHxmGfcNzOwA:10 a=pD_ry4oyNxEA:10
 a=8AvH1LBivTgA:10 a=XH8yafb-v7IA:10 a=pnnV3C4PK3yGex1eHNS2:22
X-Xfinity-Message-Heuristics: IPv6:N
Received: from localhost ([])
        by mail.visko-td.ru (Kerio Connect 8.0.0);
        Thu, 16 Jun 2016 07:50:28 +0300
From: "TOOLX.SX"<info@bmw-avtoport.ru>
Date: Thu, 16 Jun 2016 05:50:28 +0100
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 

They're not trying to hide! Each mail server along the way prepends its own Received header, so read them from the bottom up: the message originated on localhost at mail.visko-td.ru (a Kerio Connect server), which handed it directly to Comcast's inbound relay resimta-po-12v.sys.comcast.net. Only the two Comcast headers can be trusted, since anything below them was written by the sender's own server, but they are enough: Comcast recorded mail.visko-td.ru as the connecting host, and that IP block is allocated to InterTelecom ISP in Ryazan, Russia. Note also that the From: address claims bmw-avtoport.ru, a different domain entirely.
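Tracing a chain like this by hand gets error-prone once headers are folded across lines, so here is the same analysis as a script. This is an added example, not code from the original page; it embeds the Received:, From: and a few other headers shown above (with the elided IP addresses left as "([])") and reconstructs the path the message took, oldest hop first, then checks which hops were recorded by the recipient's own provider.

```python
"""Walk the Received: headers of the TOOLX.SX spam shown above.

Added example, not code from the original page.  SAMPLE_HEADERS is the header
block from the page, trimmed to the fields this script needs; the IP addresses
were already elided on the page and are left as "([])".
"""
import email
import email.utils
import re

SAMPLE_HEADERS = """\
Return-Path: info@bmw-avtoport.ru
Received: from resimta-po-12v.sys.comcast.net (LHLO
 resimta-po-12v.sys.comcast.net) ( by
 resmail-ch2-291v.sys.comcast.net with LMTP; Thu, 16 Jun 2016 04:50:34 +0000
Received: from mail.visko-td.ru ([])
        by resimta-po-12v.sys.comcast.net with comcast
        id 7GqW1t00g58p8DG01GqXy2; Thu, 16 Jun 2016 04:50:33 +0000
Received: from localhost ([])
        by mail.visko-td.ru (Kerio Connect 8.0.0);
        Thu, 16 Jun 2016 07:50:28 +0300
From: "TOOLX.SX"<info@bmw-avtoport.ru>
Date: Thu, 16 Jun 2016 05:50:28 +0100
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

"""

# "from <host> ... by <host>"; DOTALL because folded headers keep their newlines
HOP_RE = re.compile(r'from\s+(\S+).*?\bby\s+(\S+)', re.DOTALL)


def received_chain(raw_headers):
    """Return (from_host, by_host) pairs oldest hop first.

    Every MTA prepends its own Received: line, so the last one in the message
    is the first hop the message took; reversing them reads the path forwards.
    """
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all('Received', [])):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def origin_server(raw_headers):
    """The server that first accepted the message: 'by' host of the oldest hop."""
    chain = received_chain(raw_headers)
    return chain[0][1] if chain else None


def sender_domain(raw_headers):
    """Domain of the claimed From: address, lower-cased."""
    msg = email.message_from_string(raw_headers)
    addr = email.utils.parseaddr(msg['From'])[1]
    return addr.rsplit('@', 1)[-1].lower()


def from_domain_matches_origin(raw_headers):
    """Does the claimed From: domain match the server the mail came from?"""
    origin = origin_server(raw_headers) or ''
    return origin.lower().endswith(sender_domain(raw_headers))


def trusted_hops(raw_headers, own_domain):
    """Only hops recorded by MTAs under the recipient's own provider (here
    comcast.net) can be trusted; earlier Received: lines were written by the
    sender's side and are trivially forged.  The 'from' host of the first
    trusted hop is the connecting address the provider actually observed."""
    suffix = '.' + own_domain.lower()
    return [h for h in received_chain(raw_headers) if h[1].lower().endswith(suffix)]


if __name__ == '__main__':
    for src, dst in received_chain(SAMPLE_HEADERS):
        print(f'{src:40s} -> {dst}')
    print('claimed sender domain:', sender_domain(SAMPLE_HEADERS))
    print('connecting host seen by Comcast:', trusted_hops(SAMPLE_HEADERS, 'comcast.net')[0][0])
```

The script reproduces the conclusion drawn above: the first hop Comcast itself recorded came from mail.visko-td.ru, while the From: header names bmw-avtoport.ru. The bottom Received: line (localhost via Kerio Connect) is consistent with that story but cannot be verified, since the sender's own server wrote it.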

Software keys, serial numbers, patches

There are large searchable databases of the keys and other bits needed to unlock "warez", pirated copies of Cisco certification exams, etc., at Crack Spider and CrackWay.

This category includes license key generators for embedded engine control systems for large trucks, construction equipment, and generator sets. The illicit license key generators are sold online by operations like EPC Software.

You can see below that the seller uses Turkish, which isn't the dominant language at John Deere headquarters. "12 Mayıs 2011 Perşembe" means "Thursday, 12 May 2011".

Illicit license key generator software sold online by EPC Software.

Of course, many of these are scams. They either take your money and give you nothing, or they sell you a link to download something that doesn't do what it promises, or something that's infested with malware. The epcsoftware.com operation used to be epcdvd.com, and has also operated as tukkor.com and several other URLs, according to this forum of angry people calling it out as an illegal scam. The second page of that thread lists several other URLs where heavy equipment keygens (and malware masquerading as such) are sold.

Remember that Trojan Horse construction hasn't changed since ancient Greece — make it look innocent, simultaneously doing the expected thing and some bad thing. When someone tries to get the system administrator to run some program, remember Virgil's Aeneid, "Timeo Danaos et dona ferentis," or "I fear the Greeks, even when they bring gifts." Some "security scanners" may just be Trojan Horse software, so get tools from their project's own release channel and verify the published signature or hash before running them.
