BSides Boston and RI 2013 Video (BSides RI: http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-the-booters-stressing-the-stressors-allison-nixon-and-brandon-levene)

1. The Noob Persistent
Threat
June 15, 2013

2. Who are we?
Allison Nixon (@nixon.nixoff)
• Security Consultant
• Pentesting, Incident response
• Host on the Pauldotcom podcast
• SANS GCIA Gold certified
Brandon Levene (@seraphimdomain)
• Incident Handler/Incident Response for a Cloud Provider
• Malware + Vuln analysis
• Independent Security Researcher
• SANS Certified Pentester

3. What is this Noob Persistent Threat?
• Script kiddies
o Sometimes financially motivated
o Sometimes hacking out of curiosity
o The lowest level of the criminal underground
o Low technical skills
o Often poor opsec
o Often frequent hacking forums
o Often American or EU citizens

4. ...but I don't have anything worth
stealing...
Do you have any of the following:
• Credit or Debit Card
• Bank Account
• Paypal Account
• Medical Records
• Social Media Profile
• Computer
• Digital Delivery Account(s) (Steam, Origin, Xbox)
http://www.rsa.com/products/consumer/whitepapers/11634_CYBRC12_WP_0112.pdf

5. The Noob
Renaissance
2011
Discussion Topics
Beginner Hacking/Tutorials - 25%
Hacking Tools/Programs - 22%
Website/Forum Hacking - 21%
2012
Discussion Topics
• Beginner Hacking/Tutorials - 28%
• *Hacking Methods - 5% (This is in
ADDITION to Beginner content)
• Hacking Tools/Programs - 21%
• Website/Forum Hacking - 21%
Source:
http://www.imperva.com/resources/hacker_intelligence.asp

6. A Smattering of ServicesList of Services Offered on the Underground

7. Recognize

8. Homework Service

9. Ewhoring (GIRL = Guy In Real Life)

10. Cash for Sale
...If you can get it

11. Want some
credit cards?

12. Mattfeuter.ru Arrests
http://www.scmagazine.com/police-arrest-mattfeuter-site-operators-
break-up-200m-carder-racket/article/296609/

13. Carder Shops
• Just like any other shopping web app
o Shopping cart features
o Ticket system
• Buy credit card details, Paypal accounts
• Proxies are sold to bypass region limitations

14. Bootershells

15. Power of the Gods

16. Fun for all Ages

17. PedoStresser Rebranding
• Same Staff
• Same Paypal account
• Same font used in logo
• Crosslinked Ads to PedoStresser

18. Booter source code

19. Ragebooter
Comedy
Hour

20. Going
legit?

23. Technical Analysis of Ragebooter
-Half the functions of the site didn't work
-C&C infrastructure could be discovered
-Username transmitted within
attack data for no reason

24. Sample
Flood Packets
POST Flood
ARME
CVE-2011-3192
Username is transmitted for no reason
X-forwarded-for information leakage
Obvious use of open proxies
Most flood options resulted in no traffic

25. Asylumstresser
• Another booter on the market (Deceased)
• Largely nonfunctional
o Only capable of reflected DNS and UDP flooding
• Made thousands of dollars anyways
• Accepts Paypal
• Protected by Cloudflare
• Run by children

26. Asylumstresser Earnings Report
Earnings by month:
Oct-11 $26.25
Nov-11 $477.28
Dec-11 $884.69
Jan-12 $1,243.02
Feb-12 $1,614.64
Mar-12 $1,349.52
Apr-12 $855.14
May-12 $1,438.89
Jun-12 $1,658.80
Jul-12 $1,403.94
Aug-12 $1,666.36
Sep-12 $1,812.30
Oct-12 $2,662.95
Nov-12 $3,915.85
Dec-12 $3,983.47
Jan-13 $4,109.29
Feb-13 $3,403.34
Mar-13 $2,875.81
Grand total: $35,381.54
• $23,604 earned in 2012 split between the
owner and several support staff.
• The database did not record any
chargebacks, fraud, fees, or server costs, so
the take home pay is much lower
• Conclusion: get a real job

27. Asylumstresser Earnings Report
• Analysis of customer base
o Many gaming server admins
o Ironically, some of these admins have blogged about getting DDOSed.
Are they taking up arms themselves and starting a cyber-war?
o Self-described gamers
o Very elite hackers
o I even found one connected to a police officer in
Florida

28. Additional Services
Cloudflare "resolver"
Oh, you mean the nmap
dns-brute script?
nmap --script dns-brute
www.foo.com
http://nmap.org/nsedoc/scripts/dns-
brute.html

29. Skype Resolver (API)
Searching for Skype resolver
"source" will generally result in
something akin to the script above.

30. The "api" consists of
a modified Skype
binary (cleartext
logging enabled)
located on a http
accessible server,
generally a cheap
VPS.
Here's the script
that parses the
API request and
pulls the results
from the plaintext
logs.

31. twBooter (aka Bootertw)
• This one made the news several months ago
• Allegedly used by hacker 'Phobia' to ddos
krebsonsecurity.com while he swatted its owner
• Database was leaked containing evidence of
the launched attack
• Database contained logs of 48,844 attacks
launched in two month's time

32. twBooter (aka Bootertw)
• We were able to correlate different parts of the
database to find out:
• Which account was used
• Their IP
• Their user-agent
• When the
attacks occurred

33. Jacking
• Identify gamertag
• Identify owner
• Use sites like spokeo or ssndob.ru to find
owner's details
• Call service provider in order to reset password
• ???
• Profit
This technique can be used to social engineer any
company and abuse their customers.
Famous case: Mat Honan August 2012. "How Apple and Amazon Security Flaws Led to My Epic Hacking"

34. The Krebs Cycle
1. You SWAT Brian Krebs.
2. Brian Krebs finds out everything about you,
your family, and your friends.
3. SWAT team visits your house.
(optional: DDOS his website because he made you mad)

35. The Krebs Cycle
• We were informed that 'Phobia' was suspected
• Phobia left a lot of information laying around
• Youtube channel full of bragging. "RealTeamHype"
o Full of information leakage
o Allowed us to find some of his friends
o Profile the programs, operating systems they use
o Profile them by voice
o Their VPN providers
• Phobia has been doxed before
• E-mails can be linked to Facebook
• Hackforums.net, Forumkorner profiles

36. Counter Booters?

37. OSINT for
Bads...
...or why I love poor
OPSEC

38. Maltego
is
Awesome

40. Abuse of Legitimate
Services
Paypal
“While we cannot share specifics on our
customers’ accounts due to our privacy policy,
we can confirm that we will review suspicious
accounts for malicious activity and work with
law enforcement to ensure cyber criminals are
reported properly. We take security very
seriously at PayPal and we do not condone
the use of our site in the sale or dissemination
of tools, which have the sole purpose to attack
customers and illegally take down web sites.”
-Paypal
(In response to Brian Krebs' article)
http://krebsonsecurity.com/2013/05/ddos-services-
advertise-openly-take-paypal/
Cloudflare
"I do find it troubling when there are extralegal
measures taken to determine what is and is
not going on," he said, in an apparent
reference to the investigation by Krebs, Nixon
and Levene. "How far do you go with that, if
someone assumes XYZ shouldn't be on the
Internet? Should Google remove them from
their search index?" he asked.
"We believe in due process," said Prince.
-Cloudflare CEO (Matthew Prince)
http://www.itworld.com/it-management/357306/legitimate-
online-services-enabling-ddos-attacks-hire-sites

41. “Extralegal?”

42. TOP SECRET
Its like PRISM, but lame.

43. Tying it Together

44. Questions?
Allison's perfect specimen