BSides Boston and RI 2013
Video (BSides RI: http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-the-booters-stressing-the-stressors-allison-nixon-and-brandon-levene)
2. Who are we?
Allison Nixon (@nixon.nixoff)
• Security Consultant
• Pentesting, Incident response
• Host on the Pauldotcom podcast
• SANS GCIA Gold certified
Brandon Levene (@seraphimdomain)
• Incident Handler/Incident Response for a Cloud Provider
• Malware + Vuln analysis
• Independent Security Researcher
• SANS Certified Pentester
3. What is this Noob Persistent Threat?
• Script kiddies
o Sometimes financially motivated
o Sometimes hacking out of curiosity
o The lowest level of the criminal underground
o Low technical skills
o Often poor opsec
o Often frequent hacking forums
o Often American or EU citizens
4. ...but I don't have anything worth stealing...
Do you have any of the following:
• Credit or Debit Card
• Bank Account
• Paypal Account
• Medical Records
• Social Media Profile
• Computer
• Digital Delivery Account(s) (Steam, Origin, Xbox)
http://www.rsa.com/products/consumer/whitepapers/11634_CYBRC12_WP_0112.pdf
13. Carder Shops
• Just like any other shopping web app
o Shopping cart features
o Ticket system
• Buy credit card details, Paypal accounts
• Proxies are sold to bypass region limitations
23. Technical Analysis of Ragebooter
• Half the functions of the site didn't work
• C&C infrastructure could be discovered
• Username transmitted within attack data for no reason
25. Asylumstresser
• Another booter on the market (Deceased)
• Largely nonfunctional
o Only capable of reflected DNS and UDP flooding
• Made thousands of dollars anyways
• Accepts Paypal
• Protected by Cloudflare
• Run by children
26. Asylumstresser Earnings Report
Earnings by month:
Oct-11 $26.25
Nov-11 $477.28
Dec-11 $884.69
Jan-12 $1,243.02
Feb-12 $1,614.64
Mar-12 $1,349.52
Apr-12 $855.14
May-12 $1,438.89
Jun-12 $1,658.80
Jul-12 $1,403.94
Aug-12 $1,666.36
Sep-12 $1,812.30
Oct-12 $2,662.95
Nov-12 $3,915.85
Dec-12 $3,983.47
Jan-13 $4,109.29
Feb-13 $3,403.34
Mar-13 $2,875.81
Grand total: $35,381.54
• $23,604 earned in 2012 split between the owner and several support staff.
• The database did not record any chargebacks, fraud, fees, or server costs, so the take home pay is much lower
• Conclusion: get a real job
27. Asylumstresser Earnings Report
• Analysis of customer base
o Many gaming server admins
o Ironically, some of these admins have blogged about getting DDOSed. Are they taking up arms themselves and starting a cyber-war?
o Self-described gamers
o Very elite hackers
o I even found one connected to a police officer in Florida
30. The "api" consists of a modified Skype binary (cleartext logging enabled) located on an http accessible server, generally a cheap VPS.
Here's the script that parses the API request and pulls the results from the plaintext logs.
31. twBooter (aka Bootertw)
• This one made the news several months ago
• Allegedly used by hacker 'Phobia' to ddos krebsonsecurity.com while he swatted its owner
• Database was leaked containing evidence of the launched attack
• Database contained logs of 48,844 attacks launched in two months' time
32. twBooter (aka Bootertw)
• We were able to correlate different parts of the database to find out:
o Which account was used
o Their IP
o Their user-agent
o When the attacks occurred
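A constructed illustration of the correlation described on this slide, written for this page; it is not the twBooter database or the speakers' own scripts. The table names, columns and every row below are assumptions: given a user table, a login table (IP, user-agent, time) and an attack log, each attack is joined to the most recent login session by the same account before it, which is what yields the IP and user-agent behind each launch.

```python
import sqlite3

# Constructed sample rows standing in for three tables of a leaked booter database.
USERS = [(1, "acct_17"), (2, "acct_42")]
LOGINS = [  # (user_id, ip, user_agent, ts); IPs are from documentation ranges
    (1, "198.51.100.7", "Mozilla/5.0 (Windows NT 6.1) Chrome/24.0", "2013-01-10 18:02:11"),
    (1, "198.51.100.9", "Mozilla/5.0 (Windows NT 6.1) Chrome/24.0", "2013-01-11 20:15:40"),
    (2, "192.0.2.33", "Mozilla/5.0 (Macintosh) Safari/536.26", "2013-01-11 19:00:00"),
]
ATTACKS = [  # (user_id, target, method, ts)
    (1, "203.0.113.5", "udp", "2013-01-10 18:05:30"),
    (1, "203.0.113.5", "dns", "2013-01-11 21:00:02"),
    (2, "203.0.113.77", "udp", "2013-01-11 19:30:00"),
    (2, "203.0.113.77", "udp", "2013-01-09 12:00:00"),  # no login precedes it: stays unattributed
]


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE logins (user_id INTEGER, ip TEXT, user_agent TEXT, ts TEXT);
        CREATE TABLE attacks (user_id INTEGER, target TEXT, method TEXT, ts TEXT);
    """)
    con.executemany("INSERT INTO users VALUES (?,?)", USERS)
    con.executemany("INSERT INTO logins VALUES (?,?,?,?)", LOGINS)
    con.executemany("INSERT INTO attacks VALUES (?,?,?,?)", ATTACKS)
    return con


# For every attack, pick the login session with the latest timestamp that is not
# after the attack; LEFT JOIN keeps attacks that have no preceding session.
ATTRIBUTION_SQL = """
SELECT a.ts, u.username, a.target, a.method, l.ip, l.user_agent
FROM attacks a
JOIN users u ON u.id = a.user_id
LEFT JOIN logins l ON l.user_id = a.user_id
  AND l.ts = (SELECT MAX(ts) FROM logins WHERE user_id = a.user_id AND ts <= a.ts)
ORDER BY a.ts
"""


def attribute_attacks(con):
    """Return (when, who, target, method, ip, user_agent) per attack, time-ordered;
    ip and user_agent are None when no login session precedes the attack."""
    return [tuple(r) for r in con.execute(ATTRIBUTION_SQL)]


def attacks_per_ip(rows):
    """Count attributed attacks by source IP (None collects the unattributed ones)."""
    counts = {}
    for _, _, _, _, ip, _ in rows:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Timestamps are compared as ISO-8601 strings, which sorts correctly only while every row uses the same fixed-width format.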
33. Jacking
• Identify gamertag
• Identify owner
• Use sites like spokeo or ssndob.ru to find owner's details
• Call service provider in order to reset password
• ???
• Profit
This technique can be used to social engineer any company and abuse their customers.
Famous case: Mat Honan August 2012. "How Apple and Amazon Security Flaws Led to My Epic Hacking"
34. The Krebs Cycle
1. You SWAT Brian Krebs.
2. Brian Krebs finds out everything about you, your family, and your friends.
3. SWAT team visits your house.
(optional: DDOS his website because he made you mad)
35. The Krebs Cycle
• We were informed that 'Phobia' was suspected
• Phobia left a lot of information laying around
• Youtube channel full of bragging. "RealTeamHype"
o Full of information leakage
o Allowed us to find some of his friends
o Profile the programs, operating systems they use
o Profile them by voice
o Their VPN providers
• Phobia has been doxed before
• E-mails can be linked to Facebook
• Hackforums.net, Forumkorner profiles
40. Abuse of Legitimate Services
Paypal
“While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”
-Paypal
(In response to Brian Krebs' article)
http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/
Cloudflare
"I do find it troubling when there are extralegal measures taken to determine what is and is not going on," he said, in an apparent reference to the investigation by Krebs, Nixon and Levene. "How far do you go with that, if someone assumes XYZ shouldn't be on the Internet? Should Google remove them from their search index?" he asked.
"We believe in due process," said Prince.
-Cloudflare CEO (Matthew Prince)
http://www.itworld.com/it-management/357306/legitimate-online-services-enabling-ddos-attacks-hire-sites