June 29, 2011 9:08 PM
Posted by: Dan O'Connor
lulzsecurity
It sounds like at least one member has packed it up.
http://lulzsecexposed.blogspot.com/2011/06/topiary-gone.html
Another member was also outed, and some more information has been located. It was posted in the comments section. It appears to list the name of the web designer; someone stumbled across it, and I would assume through the author's vanity. You just had to go to the right domain and it appeared in the URL.
I can't see it taking more than a week or two until we start seeing arrests.
June 26, 2011 1:32 AM
Posted by: Dan O'Connor
lulzsecurity
In case you ever want them, here are the PB releases for lulzsecurity. This should be everything.
http://thepiratebay.org/user/LulzSec
I just don’t have the motivation to download.
June 26, 2011 1:08 AM
Posted by: Dan O'Connor
lulzsecurity
Looks like they have packed it in; they released a 50th day anni torrent and locked the door on the way out.
Does it mean they are gone?
Who really knows.
I would like to know more why they left.
I hope it's the people that were tracking them down, and just maybe one of them got pinched. But I think that is wishful thinking.
I am assuming we will get more details in a few more days, but it may have been a little bit from both sides.
It's been a crazy 50 days. I have been following lulz since just before the first release, and if anything they did bring out the lulz.
June 25, 2011 12:29 AM
Posted by: Dan O'Connor
zeus analysis,
zeus botnet,
zeus source code,
zeus walkthrough
The last bit we need before we hit the big red button and infect the machine is getting Wireshark ready to go.
http://www.wireshark.org/download.html
I have Wireshark loaded with a capture filter string so that it only captures traffic from the workstation that I will infect.
I have the workstation infected now, and I can see the traffic coming back on port 80 to the web server we set up. The infected workstation is talking to the gate.php file on the web server; as expected, it's encrypted. This will be the first PHP file we dive into; it should be a great start.
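The check-in traffic described above (the infected workstation repeatedly POSTing to gate.php on port 80) is exactly what a defender looks for in a capture: the same host posting to the same URI at a steady interval. The script below is an added example, not code from the blog or from the Zeus source; it runs the beacon check over a constructed HTTP request log (the IPs, timestamps and sizes are made up for the demo) rather than over a live pcap, but the same logic applies to requests exported from Wireshark.

```python
"""Beacon detection over a constructed HTTP request log (added example).

Each line: "<timestamp> <src> <dst> <method> <uri> <bytes>".  The detector
groups POST requests by (src, dst, uri) and flags groups whose inter-request
gaps are regular (low coefficient of variation), which is how a periodic
gate.php check-in stands out from ordinary browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 192.168.56.101 is the lab workstation checking in to
# gate.php about once a minute; 192.168.56.102 is a normal user.
SAMPLE_LOG = """\
2011-06-24T22:00:00 192.168.56.101 192.168.56.10 POST /gate.php 420
2011-06-24T22:00:05 192.168.56.102 192.168.56.10 GET /index.html 0
2011-06-24T22:01:00 192.168.56.101 192.168.56.10 POST /gate.php 418
2011-06-24T22:02:00 192.168.56.101 192.168.56.10 POST /gate.php 421
2011-06-24T22:02:37 192.168.56.102 192.168.56.10 POST /login.php 80
2011-06-24T22:03:00 192.168.56.101 192.168.56.10 POST /gate.php 419
2011-06-24T22:04:01 192.168.56.101 192.168.56.10 POST /gate.php 420
2011-06-24T22:09:12 192.168.56.102 192.168.56.10 POST /login.php 82
"""


def parse_log(text):
    """Parse the space-separated log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, uri, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "method": method,
            "uri": uri,
            "bytes": int(size),
        })
    return records


def find_beacons(records, min_hits=4, max_cv=0.2):
    """Return {(src, dst, uri): stats} for POST streams that look periodic.

    min_hits: minimum number of requests before a stream is considered.
    max_cv:   maximum coefficient of variation (stdev / mean) of the gaps;
              a true timer-driven beacon sits well below this, browsing
              traffic far above it.
    """
    groups = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            groups[(r["src"], r["dst"], r["uri"])].append(r["ts"])

    hits = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[key] = {"count": len(times), "interval_s": avg, "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (src, dst, uri), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}{uri}: {stats['count']} POSTs, "
              f"every ~{stats['interval_s']:.0f}s (cv={stats['cv']})")
```

On the sample the only stream flagged is the workstation's gate.php check-in (five POSTs about 60 seconds apart); the two login.php POSTs never reach `min_hits`. Tuning `min_hits` and `max_cv` is the real work on production data, since some legitimate software also polls on a timer.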
June 24, 2011 12:46 AM
Posted by: Dan O'Connor
xkcd
Has been in top form the last few posts; start here and work your way back.
http://xkcd.com/916/
I promise I will continue with the Zeus stuff when I get some more sleep.
June 24, 2011 12:44 AM
Posted by: Dan O'Connor
hashing
http://valerieaurora.org/hash.html
I like the key table at the bottom and how a "slashdotter" would react.
June 23, 2011 11:45 PM
Posted by: Dan O'Connor
lulzsecexposed,
lulzsecurity,
the jester
For the last few weeks I have not been doing a whole bunch. I have really just been following these guys.
http://twitter.com/#!/lulzsec
https://th3j35t3r.wordpress.com/
http://lulzsecexposed.blogspot.com/
You may know who lulzsec is, but the other two might be a stretch if you have not been following that closely.
The Jester (th3j35t3r) is actively hunting lulzsec; his last few blog posts are well worth reading.
lulzsecexposed is also doing the same but has released slightly different information.
June 22, 2011 12:12 AM
Posted by: Dan O'Connor
zeus analysis,
zeus botnet,
zeus source code,
zeus walkthrough
In case you are following at home, you will need to download the following:
- WireShark: http://www.wireshark.org/download.html
- RegShot: http://sourceforge.net/projects/regshot/
Then something to do the disk, process and memory image. I will be using Helix Pro, mainly because I have a copy. There are several other options available to do this.
You can get Helix Pro here, http://www.e-fense.com/helix3pro.php.
First order of business is to take a snapshot of the registry with RegShot. Next will be the raw disk image and the process / volatile data information using Helix. I have set up a receiving server and will be capturing the disk and memory over the network; then the PDF for the volatile data will be saved.