Looks like they have packed it in; they released a 50th-day anniversary torrent and locked the door on the way out.
Does it mean they are gone?
Who really knows.
I would like to know more why they left.
I hope it's the people that were tracking them down, and just maybe one of them got pinched. But I think that is wishful thinking.
I am assuming we will get more details in a few more days, but it may have been a little bit from both sides.
It's been a crazy 50 days. I have been following lulz since just before the first release, and if anything, they did bring out the lulz.
The last thing we need before we hit the big red button and infect the machine is to get Wireshark ready to go.
I have Wireshark loaded with a filter string to only capture traffic from the workstation that I will infect.
I have the workstation infected now, and I can see the traffic coming back on port 80 to the web server we set up. The infected workstation is talking to the gate.php file on the web server, and as expected it's encrypted. This will be the first PHP file we dive into; it should be a great start.
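As an added example (not code from the original post), here is a small Python check a defender can run over HTTP request records to surface the kind of check-in traffic described above: requests from one workstation to gate.php on port 80. Because the body of each check-in is encrypted, the check keys only on the path, the destination and the cadence. The record format, the IP addresses and the timestamps are constructed for the example; the assumption carried over from the post is that the bot's check-ins show up as requests to a gate.php path on port 80.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample request records (not real captured traffic), one per line:
# "<ISO timestamp> <src ip> <dst ip>:<dst port> <method> <path>".
# 10.0.0.15 plays the infected workstation, 10.0.0.5 the lab web server,
# 10.0.0.22 an unrelated host browsing an unrelated site.
SAMPLE_LOG = """\
2011-06-26T10:00:00 10.0.0.15 10.0.0.5:80 POST /gate.php
2011-06-26T10:00:03 10.0.0.15 10.0.0.5:80 GET /config.bin
2011-06-26T10:00:30 10.0.0.22 203.0.113.7:80 GET /index.html
2011-06-26T10:01:00 10.0.0.15 10.0.0.5:80 POST /gate.php
2011-06-26T10:01:45 10.0.0.22 203.0.113.7:80 GET /about.html
2011-06-26T10:02:00 10.0.0.15 10.0.0.5:80 POST /gate.php
"""


def parse_record(line: str) -> dict:
    """Split one record into its fields; raises ValueError on a malformed line."""
    ts, src, dst, method, path = line.split()
    host, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": host,
            "port": int(port), "method": method, "path": path}


def find_checkins(log_text: str, script_name: str = "gate.php",
                  port: int = 80) -> Dict[str, dict]:
    """Group requests whose path ends in <script_name> on <port> by source host.

    For each source the report holds the destination hosts, the number of
    matching requests and the gaps (in seconds) between consecutive ones, so a
    fixed beacon interval stands out even though the payload is unreadable.
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_record(raw)
        if rec["port"] == port and rec["path"].rsplit("/", 1)[-1] == script_name:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[src] = {
            "destinations": sorted({r["dst"] for r in recs}),
            "count": len(recs),
            "gaps_seconds": gaps,
        }
    return report


if __name__ == "__main__":
    for src, info in find_checkins(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} check-ins to {info['destinations']}, "
              f"gaps {info['gaps_seconds']}")
```

On the constructed records the only host matched is the infected workstation, with three check-ins exactly 60 seconds apart; passing `script_name="config.bin"` instead finds the single config fetch that follows the first check-in.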
Has been in top form the last few posts, start here and work your way back.
I promise I will continue with the Zeus stuff when I get some more sleep.
I like the key table at the bottom and how a “slashdotter” would react.
From CNN of all places…
I wrote about this way, way back.
For the last few weeks I have not been doing a whole bunch. I have really just been following these guys.
You may know who LulzSec is, but the other two might be a stretch if you have not been following that closely.
The Jester (th3j35st3r) is actively hunting lulzsec, his last few blog posts are well worth reading.
lulzsecexposed is also doing the same but has released slightly different information.
In case you are following at home, you will need to go download the following:
- Wireshark http://www.wireshark.org/download.html
- RegShot http://sourceforge.net/projects/regshot/
Then something to do the disk, process and memory image. I will be using Helix Pro, mainly because I have a copy. There are several other options available to do this.
You can get Helix Pro here, http://www.e-fense.com/helix3pro.php.
First order of business is to take a snapshot of the registry with RegShot. Next will be the raw disk image and process / volatile data information using Helix. I have set up a receiving server and will be capturing the disk and memory over the network; then the PDF for the volatile data will be saved.
I am just at the point where I am ready to take our bot we built and see if we can get it to run on the target machine. But I want to make sure we are going to collect every little thing we can.
What we are going to set up to do is the following.
Having built my bot, it's worth looking at what the basic config file looks like.
entry "StaticConfig"
  ;botnet "btn1"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "http://localhost/config.bin"
  remove_certs 1
  disable_tcpserver 0
  encryption_key "secret key"
end

entry "DynamicConfig"
  url_loader "http://localhost/bot.exe"
  url_server "http://localhost/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;"http://advdomain/cfg1.bin"
  end

  entry "WebFilters"
    "!*.microsoft.com/*"
    "!http://*myspace.com*"
    "https://www.gruposantander.es/*"
    "!http://*odnoklassniki.ru/*"
    "!http://vkontakte.ru/*"
    "@*/login.osmp.ru/*"
    "@*/atl.osmp.ru/*"
  end

  entry "WebDataFilters"
    ;"http://mail.rambler.ru/*" "passw;login"
  end

  entry "WebFakes"
    ;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
  end
end
At this point we know what the encryption key, url_config, url_loader and url_server are. The rest will have to be tracked back in the source code when we get there.
I am very interested in the WebFakes listing.
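As an added example (not code from the post or from the bot's own builder), here is a Python parser for the config format shown above. It embeds the sample config from the post, turns the nested `entry "Name" ... end` blocks into dictionaries, honours `;` comments only outside quoted strings (so `"passw;login"` stays one value), and pulls out the four settings the post singles out plus the hosts they point at, which is what a defender would feed into a block or alert list. The structure of the format (blocks, key/value lines, bare quoted-string lines, line comments) is inferred from the sample itself; the meaning of the `!` and `@` prefixes in WebFilters is not established by the post, so the parser keeps those strings verbatim.

```python
import re
from typing import Any, Dict, List, Set, Tuple
from urllib.parse import urlsplit

# The config shown in the post, embedded so the example runs stand-alone.
SAMPLE_CONFIG = '''\
entry "StaticConfig"
  ;botnet "btn1"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "http://localhost/config.bin"
  remove_certs 1
  disable_tcpserver 0
  encryption_key "secret key"
end
entry "DynamicConfig"
  url_loader "http://localhost/bot.exe"
  url_server "http://localhost/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;"http://advdomain/cfg1.bin"
  end
  entry "WebFilters"
    "!*.microsoft.com/*"
    "!http://*myspace.com*"
    "https://www.gruposantander.es/*"
    "!http://*odnoklassniki.ru/*"
    "!http://vkontakte.ru/*"
    "@*/login.osmp.ru/*"
    "@*/atl.osmp.ru/*"
  end
  entry "WebDataFilters"
    ;"http://mail.rambler.ru/*" "passw;login"
  end
  entry "WebFakes"
    ;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
  end
end
'''

Token = Tuple[str, bool]  # (text, was_quoted)

# Alternatives in priority order: a quoted string, a ';' comment running to end
# of line, or a bare word (which may not contain whitespace, quotes or ';').
_TOKEN_RE = re.compile(r'"([^"]*)"|(;.*)|([^\s";]+)')


def tokenize(line: str) -> List[Token]:
    """Split one line into tokens; a ';' outside quotes discards the rest."""
    tokens: List[Token] = []
    for m in _TOKEN_RE.finditer(line):
        if m.group(2) is not None:
            break
        if m.group(1) is not None:
            tokens.append((m.group(1), True))
        else:
            tokens.append((m.group(3), False))
    return tokens


def _block(name: str) -> Dict[str, Any]:
    return {"name": name, "params": {}, "items": [], "entries": {}}


def parse_config(text: str) -> Dict[str, Any]:
    """Build nested blocks: 'params' = key/value lines, 'items' = lines made
    only of quoted strings, 'entries' = child blocks keyed by name."""
    root = _block("<root>")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = tokenize(raw)
        if not toks:
            continue  # blank or comment-only line
        first, quoted = toks[0]
        if not quoted and first == "entry":
            if len(toks) != 2 or not toks[1][1]:
                raise ValueError(f"line {lineno}: entry needs one quoted name")
            child = _block(toks[1][0])
            stack[-1]["entries"][child["name"]] = child
            stack.append(child)
        elif not quoted and first == "end":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without an open entry")
            stack.pop()
        elif quoted:
            stack[-1]["items"].append([t for t, _ in toks])
        else:
            stack[-1]["params"][first] = [t for t, _ in toks[1:]]
    if len(stack) != 1:
        raise ValueError(f"unclosed entry {stack[-1]['name']!r}")
    return root


def key_settings(cfg: Dict[str, Any]) -> Dict[str, str]:
    """The four values the post singles out, read from their blocks."""
    static = cfg["entries"]["StaticConfig"]["params"]
    dynamic = cfg["entries"]["DynamicConfig"]["params"]
    return {"encryption_key": static["encryption_key"][0],
            "url_config": static["url_config"][0],
            "url_loader": dynamic["url_loader"][0],
            "url_server": dynamic["url_server"][0]}


def c2_hosts(cfg: Dict[str, Any]) -> Set[str]:
    """Hostnames the bot is configured to contact (block/alert list material)."""
    s = key_settings(cfg)
    return {urlsplit(s[k]).hostname for k in ("url_config", "url_loader", "url_server")}
```

Run against the sample, the parser reports the `secret key` / `localhost` settings, keeps all seven WebFilters patterns, and returns an empty item list for WebFakes and WebDataFilters because their only lines are commented out; the commented `;botnet "btn1"` line likewise never becomes a parameter.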