21 July, 2016

Canadian Man Behind Popular Orcus RAT

Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here's the story of how I learned the real-life identity of Canadian man who's laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else's computer.
Earlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new malicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and @MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly designed to help users remotely compromise and control computers that don't belong to them.

A still frame from a Youtube video showing Orcus RAT's keylogging ability to steal passwords from Facebook users and other credentials.

The author of Orcus — a person going by the nickname "Ciriis Mcgraw" a.k.a. "Armada" on Twitter and other social networks — claimed that his RAT was in fact a benign "remote administration tool" designed for use by network administrators and not a "remote access Trojan" as critics charged. Gallagher and others took issue with that claim, pointing out that they were increasingly encountering computers that had been infected with Orcus unbeknownst to the legitimate owners of those machines.
The malware researchers noted another reason that Mcgraw couldn't so easily distance himself from how his clients used the software: He and his team are providing ongoing technical support and help to customers who have purchased Orcus and are having trouble figuring out how to infect new machines or hide their activities online.
What's more, the range of features and plugins supported by Armada, they argued, go well beyond what a system administrator would look for in a legitimate remote administration client like Teamviewer, including the ability to launch a keylogger that records the victim's every computer keystroke, as well as a feature that lets the user peek through a victim's Web cam and disable the light on the camera that illuminates when the camera is on.
A new feature of Orcus announced July 7 lets users configure the RAT so that it evades digital forensics tools used by malware researchers, including an anti-debugger and an option that prevents the RAT from running inside of a virtual machine.
Other plugins offered directly from Orcus's tech support page (PDF) and authored by the RAT's support team include a "survey bot" designed to "make all of your clients do surveys for cash;" a "USB/.zip/.doc spreader," intended to help users "spread a file of your choice to all clients via USB/.zip/.doc macros;" a "Virustotal.com checker" made to "check a file of your choice to see if it had been scanned on VirusTotal;" and an "Adsense Injector," which will "hijack ads on pages and replace them with your Adsense ads and disable adblocker on Chrome."

WHO IS ARMADA?

Gallagher said he was so struck by the guy's "smugness" and sheer chutzpah that he decided to look closer at any clues that Ciriis Mcgraw might have left behind as to his real-world identity and location. Sure enough, he found that Ciriis Mcgraw also has a Youtube account under the same name, and that a video Mcgraw posted in July 2013 pointed to a 33-year-old security guard from Toronto, Canada.

Gallagher noticed that the video — a bystander recording on the scene of a police shooting of a Toronto man — included a link to the domain policereview[dot]info. A search of the registration records attached to that Web site name show that the domain was registered to a John Revesz in Toronto and to the email address john.revesz@gmail.com.
A reverse WHOIS lookup ordered from Domaintools.com shows the same john.revesz@gmail.com address was used to register at least 20 other domains, including "thereveszfamily.com," "johnrevesz.com," "revesztechnologies[dot]com," and — perhaps most tellingly — "lordarmada.info".
Johnrevesz[dot]com is no longer online, but this cached copy of the site from the indispensable archive.org includes his personal résumé, which states that John Revesz is a network security administrator whose most recent job in that capacity was as an IT systems administrator for TD Bank. Revesz's LinkedIn profile indicates that for the past year at least he has served as a security guard for GardaWorld International Protective Services, a private security firm based in Montreal.
Revesz's CV also says he's the owner of the aforementioned Revesz Technologies, but it's unclear whether that business actually exists; the company's Web site currently redirects visitors to a series of sites promoting spammy and scammy surveys, come-ons and giveaways.

IT'S IN THE EULA, STUPID!

Contacted by KrebsOnSecurity, Revesz seemed surprised that I'd connected the dots, but beyond that did not try to disavow ownership of the Orcus RAT.
"Profit was never the intentional goal, however with the years of professional IT networking experience I have myself, knew that proper correct development and structure to the environment is no free venture either," Revesz wrote in reply to questions about his software. "Utilizing my 15+ years of IT experience I have helped manage Orcus through its development."
Revesz continued:
"As for your legalities question.  Orcus Remote Administrator in no ways violates Canadian laws for software development or sale.  We neither endorse, allow or authorize any form of misuse of our software.  Our EULA [end user license agreement] and TOS [terms of service] is very clear in this matter. Further we openly and candidly work with those prudent to malware removal to remove Orcus from unwanted use, and lock out offending users which may misuse our software, just as any other company would."
Revesz said none of the aforementioned plugins were supported by Orcus, and were all developed by third-party developers, and that "Orcus will never allow implementation of such features, and or plugins would be outright blocked on our part."
In an apparent contradiction to that claim, plugins that allow Orcus users to disable the Webcam light on a computer running the software and one that enables the RAT to be used as a "stresser" to knock sites and individuals users offline are available directly from Orcus Technologies' Github page.
Revesz also offers a service to help people cover their tracks online. Using his alter ego "Armada" on the hacker forum Hackforums[dot]net, Revesz sells a "bulletproof dynamic DNS service" that promises not to keep records of customer activity.
Dynamic DNS services allow users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because dynamic DNS services can be used to easily map the domain name to the user's new Internet address whenever it happens to change.


Unfortunately, these dynamic DNS providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address and convince the ISP responsible for that address to disconnect the malefactor. In such cases, dynamic DNS allows the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls.
Free dynamic DNS providers tend to report or block suspicious or outright malicious activity on their networks, and may well share evidence about the activity with law enforcement investigators. In contrast, Armada's dynamic DNS service is managed solely by him, and he promises in his ad on Hackforums that the service — to which he sells subscriptions of various tiers for between $30-$150 per year — will not log customer usage or report anything to law enforcement.
According to writeups by Kaspersky Lab and Heimdal Security, Revesz's dynamic DNS service has been seen used in connection with malicious botnet activity by another RAT known as Adwind. Indeed, Revesz's service appears to involve the domain "nullroute[dot]pw", which is one of 21 domains registered to a "Ciriis Mcgraw" (as are orcus[dot]pw and orcusrat[dot]pw).
I asked Gallagher (the researcher who originally tipped me off about Revesz's activities) whether he was persuaded at all by Revesz's arguments that Orcus was just a tool and that Revesz wasn't responsible for how it was used.
Gallagher said he and his malware researcher friends had private conversations with Revesz in which he seemed to acknowledge that some aspects of the RAT went too far, and promised to release software updates to remove certain objectionable functionalities. But Gallagher said those promises felt more like the actions of someone trying to cover himself.
"I constantly try to question my assumptions and make sure I'm playing devil's advocate and not jumping the gun," Gallagher said. "But I think he's well aware that what he's doing is hurting people, it's just now he knows he's under the microscope and trying to do and say enough to cover himself if it ever comes down to him being questioned by law enforcement."

19 July, 2016

Flawed code hooking engines open endpoints to compromise


Six common security issues stemming from the incorrect implementation of code hooking and injection techniques have been unearthed by EnSilo researchers in over 15 different products, including anti-virus (AV) and anti-exploitation solutions, data loss prevention software (DLP) and host-based intrusion-prevention systems (HIPS). The fact that some of these issues also affect three different hooking engines, including the most popular one (Microsoft Detours), means that thousands of products are likely affected – and not just security … More

Entire US Voters’ Registration Records Is Available Online On Dark Market For 0.5BTC Per State



It's raining confidential data on the Dark Net. It seems that every few days someone is offering data there that wouldn't be available otherwise. Recently, we discovered a seller going by the online handle "DataDirect" who claims to have full access to the voter registration records of citizens of the United States and is offering buyers voters' records state by state, where the price for each state is 0.5 BTC (340.38 US dollars).

A hacker is selling US voters' registration records on the Dark Net, and it looks like the U.S. Election Assistance Commission (EAC) has no clue!

At present, it is hard to say if the offered data is legit but the same seller is also offering Thomson Reuters World-Terrorist database on the same Dark Net Marketplace "The Real Deal."

An important fact about the data is that in December 2015 security researcher Chris Vickery found 191 million US voter registration records online in an unprotected folder; however, it's unclear whether the DataDirect seller downloaded the data from the same place or stole it from some government server. Nevertheless, another important aspect of this news is that back in December, Vickery stated that there was a lack of interest shown by the authorities in recovering the data or taking the database out of public view.
Vickery said,
"I've been working with journalists and authorities for over a week to get this database shut down or secured. No luck so far."

According to the listing's description "US voter registration records. Selling the DB on a State-by-State basis. 0.5 BTC per state (you must tell me which State you want. Some people think it's unfair to make each State cost the same amount because some States are much bigger than others. I think it's just easier this way."


Here are two screenshots shared by the seller showing sample data. The first screenshot shows personal and voting details of a resident of the State of California. In order to protect users' privacy we have blurred the crucial information.



This screenshot shows state-by-state files in .JSON format, where "az" stands for the state of Arizona and so on. The hacker claims to have access to voters' data from all 50 states.


By looking at the sample screenshots it seems the data is legit, and if it really is, this is a massive blow to the U.S. Election Assistance Commission (EAC) and to voters themselves. If scammers, Chinese or Russian hackers, or anyone else for that matter got access to this database, you can expect a cyber 9/11 just like the ex-NSA chief claimed a couple of years ago.

18 July, 2013

Trolls' characteristicae



1) They have a lot of free time, they are mostly lonely people.
2) They often ingratiate themselves to a person or two on the group and use them to stay in the group. They may protest with these "friends" that their right to free speech is being curtailed.
3) They sometimes use "sockpuppets", i.e. fake identities that may be used to sustain or to inflame the troll's position, theory or attack. At times the sockpuppets' names are anagrams of, or similar to, the troll's name. Thus a troll may engage in artificial conversations with himself. However, impersonating multiple people is frowned upon by the more able trolls and is considered the lowest of the possible troll tactics.



are trolls useful? ...Yes...

Yes (as somebody wrote long ago), much like hyenas: if a messageboard is strong and vibrant, with healthy ideas and intelligent discussion among posters, then these tend to be too interested in what is going on to pay much attention to the trolls. However, once a forum begins to show signs of decay - usually due to bickering among the regular visitors - then the trolls run rampant and it is only a matter of time before the forum disintegrates.
Moreover: "Trolls remind us that this is not private space. Lurkers are everywhere but it is easy to forget that. Chatting away on a thread with an old buddy it is easy to reveal personal details about one's life that you might not really want public. Trolls remind us that in a public forum anyone can read what we write."

Moreover, as we have seen in Trolls and Schopenhauer and with the debunking example above, trolls DO deliver us many useful findings about "Eristic Dialectic stratagems". Findings that we can easily apply outside the world of Usenet :-)

...and no

This said, trolls and (even more) shills are very often de facto and/or de jure just lackeys of the commercial powers that be. What all trolls have in common is that they flood newsgroups with inappropriate material in an effort to suppress discussion they don't want taking place. If it were radio, you would call it "jamming" and everybody would agree it was censorship. But on Usenet or on messageboards, the effect is more subtle and the mechanism more complex (involving user interface limitations of newsreading software), so it hasn't been widely recognized yet. Some of the most determined destroyers are professional trolls connected to people that stand to lose if a specific Usenet newsgroup (or any given specific messageboard) proves to be a viable alternative to the(ir) controlled channels of mass communications.
Let's see how to (try to) destroy them...

(stolen without permission from Fr***a+) sorry!

21 July, 2008

Navy agrees to camouflage 'swastika' base

Dan Glaister in Los Angeles
Thursday September 27, 2007
The Guardian

Painting a swastika on a public building is a hate crime. But what happens when the building itself is the swastika? While appearing innocuous from the ground, the striking shape of a construction in San Diego, now on view to internet users accessing Google Earth, is unmistakable - it resembles the Nazi symbol.

Ground-breaking began for the six-building complex at the Coronado US navy base in southern California in 1967. While the original plans called for two central buildings and a single L-shaped barracks, Naval Amphibious Base Complex 320-325 evolved in design. By the time it was finished in 1970 it had four L-shaped buildings - set at right angles. That was when the problem was spotted.

The scheme's architect, John Mock, said this week that while he was aware of the shape as viewed from above he did not think it a true swastika. "We knew what it was going to look like, but it isn't that. It's four L-shaped buildings ... looking at it from the ground or the air, it still is."

Forgotten about after the initial controversy, the buildings' form has emerged again as an issue thanks to the internet and Google Earth. It has led an unlikely alliance - of bloggers, anti-discrimination activists, lawmakers and one talk-radio host - to take action. And now the navy has added $600,000 (£300,000) to its 2008 budget for camouflage. Landscaping, rock structures and solar panels should help disguise its shape.

"We take this very seriously," said Scott Sutherland, deputy public affairs officer for the Navy Region Southwest. "We don't want to be associated with something as symbolic and hateful as a swastika."

But the remedy may not stop conspiracy theorists. The buildings, surmise some bloggers, were put up by German POWs as a Hitler tribute. Others say that nearby buildings look like planes pointing at the swastika. One theory has it that, sideways, the buildings resemble Calvary crosses. And the crosses point to Jerusalem.
