Keeping Track of the Bad Guys
When I took some Russian classes at Purdue, I was one of the few non-ROTC students in the room. In that same spirit of "know your adversary"....
There are sites where "carding" or selling stolen credit card information goes on openly. Also counterfeit currency, stolen smart phones, etc. OmertaHack is one example.
Hackers in the Classic Sense of the Term
Magazines and web sites catering to the community of bad guys, or at least security researchers plus some wannabe bad guys and posers, include 2600 and Phrack.
Hacker hangouts and groups providing information exchange and tools include the Chaos Computer Club Berlin.
There are lots and lots of ready-to-compile programs for testing your systems with the same weapons the hackers will use. Start looking at Packet Storm Security and AntiOnline
Stack smashing refers to a specific form of attack on poorly coded memory management code. There was a great paper on how to exploit poor coding via buffer overflow and related attacks in Phrack volume 49, "Smashing The Stack For Fun And Profit". Get the original paper at insecure.org Packet Storm.
There's a nice follow-up paper on writing advanced buffer overflow exploits.
Spamming and Stolen Accounts
Criminal organizations openly sell access to hacked systems and spamming software. I received the following email. "WebMails" will mean stolen webmail accounts, "Shells" means access to hacked Linux/UNIX systems, "RDP" means access to hacked Windows systems.
From: TOOLX.SX <firstname.lastname@example.org> Subject: FRESH SPAM TOOLS ON SHOP (SMTP UNLIMITED + RDP FRESH IP) Reply to: TOOXSHOP@YAHOO.COM TOOLX.SX - Support 24/7 - WELCOME * WebMails : with only _10$_ . * Inbox Mailers : Starting from _7$_ . * Shells _5$_ . * Gold Unlimited Smtp's : _6$_ . * Big & Fresh Leads : Starting with _10$_ . * RDP's ( WIN 2008 & 2003 & 7 & XP ) : Starting with Only _10$_ .(Administrators) * Private Scam Pages , Tutorials , Tools , Exploits , Scripts in Sections : Files & Hack & More Tools Just Register on toolx.sx <http://www.toolx.sx> . * Go to toolx.sx <http://www.toolx.sx> , Register , ADD Funds To Your Account : http://toolx.sx/balance.php <http://www.toolx.sx/balance.php> *** NEW BIGG UPDATE: - RDP = USA & Worldwide [2003-2008] / Shells / SMTPs / Mailers / Leads / cPanel. - Support 24/7 - WELCOME We Currently Accept as Method of Add Funds : *Bitcoin* & *PerfectMoney*& *Coupon Code System* If you not have account , Free Register at *http://toolx.sx* <http://www.toolx.sx> Sincerely, toolx.sx SHOP Team © Web: *http://toolx.sx* <http://www.toolx.sx> ****************** **********Login at our shop now: *Go to store now <http://www.toolx.sx>*********** © Toolx.sx - The Best Store 2012-2015 toolx.sx
Let's look at the headers to see where this came from:
Return-Path: email@example.com Received: from resimta-po-12v.sys.comcast.net (LHLO resimta-po-12v.sys.comcast.net) (184.108.40.206) by resmail-ch2-291v.sys.comcast.net with LMTP; Thu, 16 Jun 2016 04:50:34 +0000 (UTC) Received: from mail.visko-td.ru ([220.127.116.11]) by resimta-po-12v.sys.comcast.net with comcast id 7GqW1t00g58p8DG01GqXy2; Thu, 16 Jun 2016 04:50:33 +0000 X-CAA-SPAM: N00001 X-Authority-Analysis: v=2.2 cv=Z6cDJDZA c=1 sm=1 tr=0 p=CuUU-2S5AAAA:8 p=FQcSCCfIWczPZYWNgecA:9 p=IC0bq68s7SMhLFC5:21 a=A0n+dx4VeM4CxFeTCCKc1A==:117 a=A0n+dx4VeM4CxFeTCCKc1A==:17 a=9cW_t1CCXrUA:10 a=Dyoqhi_TatcA:10 a=47kyEjea234A:10 a=Cfj4BQAnxiAA:10 a=QHxmGfcNzOwA:10 a=pD_ry4oyNxEA:10 a=8AvH1LBivTgA:10 a=XH8yafb-v7IA:10 a=pnnV3C4PK3yGex1eHNS2:22 X-Xfinity-Message-Heuristics: IPv6:N Received: from localhost ([127.0.0.1]) by mail.visko-td.ru (Kerio Connect 8.0.0); Thu, 16 Jun 2016 07:50:28 +0300 Reply-To: <TOOLXSHOP@YAHOO.COM> From: "TOOLX.SX"<firstname.lastname@example.org> Subject: FRESH SPAM TOOLS ON SHOP (SMTP UNLIMITED + RDP FRESH IP) Date: Thu, 16 Jun 2016 05:50:28 +0100 MIME-Version: 1.0 Content-Type: text/html; charset="Windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
They're not trying to hide! This seems to have come right out of mail.visko-td.ru, and the IP block 18.104.22.168/21 is allocated to InterTelecom ISP in Ryazan, Russia.
Back to the main Security Page