Slashdot Mirror
Point and Click Cracking
An anonymous reader writes "Washingtonpost.com is running a story about a number of botnets and keylogger operations being controlled by Web-sites with point-and-click type front-end software interfaces. The sites mentioned in the story look like fairly slick PHP pages designed to sort through password data from keylog victims and update infected computers with new code or instructions. From the story: 'The hacking software also features automated tools that allow the fraudsters to make minute adjustments or sweeping changes to their networks of hacked PCs. With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers.'"
wouldn't happen with .net!
Most of the reasons PC's get hacked now days is that end users are still clicking on the links in phising emails and then holes in the browser being exploited. Surely it wouldn't take much for the main browser makers to put in a user idiocy filter to just say aren't you being a bit silly? Of course user education would be best but there will always be a certian newbie segment who are on the internet for the first time and will keep doing this. That software though does look pretty comprehensive
SolarVPS - Quality Windows and Linux Virtual Servers
I often migrate things to web-interfaces that were previously shell scripts. It's more convenient, 'cause I can do the things I need to do from any browser without having to ssh in (which isn't always a possibility, rare, but it does occur). Also, it's easier to show to other people without giving away a shell account. Also also, it's easier to show to people who aren't "in the know" because it looks like something.
-JesseNothing says "unprofessional job" like wrinkles in your duct tape.
Here's what I hate about news. It's all about alluding to something powerful and blinding the users with innuendo.
Stop mincing your words and just say it. Stop telling people about "some website" where "evil hackers" can "point and click" to crack your passwords. Just fucking say Rainbow Crack.
It really fucking gets my goat when someone claims to have secret knowledge. What harm could have come from just saying Metasploit or Rainbow Crack? The evil doers already know. Give JoeUser actual knowledge and let him decide for himself.
Stop pretending that you know something and the public can't be trusted with it.
I'd rather you do it wrong, than for me to have to do it at all.
*click* *click* *click* hehehe can you say 500 GB/s? [evil grin] everything is made easier with a point and click interface!
[Insert Witty Sig Here]
We've had decent network admin tools for the enterprise for a long time now. It's about time we had the same thing for botnets. ;-)
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
Frost's data, along with information stolen from thousands of other victims, made its way to a Web site hosted by a Russian Internet service provider. The site is currently the home base of a network of sites designed to break into computers through a security hole in Microsoft's Internet Explorer Web browser.
So why aren't the police kicking down the doors and confiscating equipment from this ISP? Are they 'protected' or 'special?'
After reading stories like this Dutch hacker arrest,I am not sure why.
Aside from that, Microsoft needs to do something like pushing out mandatory security patches for all users of Windows and/or IE.
I am not sure why they don't do this either. I guess Microsoft thinks that all these lazy suckers deserve to be hacked.
He who knows best knows how little he knows. - Thomas Jefferson
Why if you used .net for the exploit then EVERYONE could just steal your keylog files!
This is basically a non-story. Someone at the washintingpost seems suprised that people do not print out their key logs and search them by hand. The only "new" element is that the tools are migrating to web based apps. Then again isn't that suppopsed to be the next big thing? Why should criminals ignore IT development? I am willing to bet the next one will be using AJAX.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Security by artificial intelligence will ultimately be the only defense against cyber-attacks.
Ego self-preservation for each member of the global community of AI Minds will be the mother of invention for cyber-security.
I'm sure someone has made this point already, but technological advances have a way of finding their maximum profitable use, regardless of how the original inventors intended their innovations to be used. I think these botnets are a similar phenomenon.
Case in point: Thomas Edison originally conceived of the phonograph as a tool for dictation, teaching children from recorded lessons, and a few other specific apps. You know what he never, ever thought of? Recorded music. And yet, that is the killer app that made his invention a common household object and birthed one of the most successful commercial fields of the 20th century--the whole music industry as we know it wouldn't exist without the phonograph.
We saw the same thing with the Internet, when a bunch or DARPA eggheads (no offense, I love you guys) built an academic network that turned into what may prove to be the newest and most effective mass media tool in the history of the human race. I seriously doubt that anyone involved in the original research, or even anyone engineering TCP/IP networks in the 70s and 80s, imagined what would happen after 1990.
In the same fashion, botnets manage to apply the same basic technologies pioneered by Seti@home, distributed folding, and all of the other "beneficial" distributed computing projects that have wrung work out of the combination of 1) the popularity of the Internet, and 2) the unharnessed cycles, disk, and network I/O bandwidth of all those overpowered word processors around the world. And it's arguable that the economic productivity (at least to a few criminal types) of the botnets is overwhelmingly more than the cash made by all the originators of the concepts (yeah, I know, they're nonprofits, sheesh).
It's kind of a shame that the killer app of distributed ad-hoc networks is so generally harmful, but that's the way the cookie crumbles. Get a firewall, install you patches, and hope to God that nobody targets you with a DoS attack.
Indeed, with .NET, no cracking is required. Just Google for a security hole and you're pretty much in. :)
Aren't script-kiddies basically just unpaid volunteer workers for the (presumably blackhat) writers of these click-and-point hacking tools?
Why go to the trouble of writing an easily-countered virus when you can just make cracking tools more convenient for the hordes of script-kiddies with nothing better to do, thus having a much more damaging effect?
...and other Government agencies for a little homeland security project.
One thing I've always wondered about script kiddies: who writes their tools for them, and why? What does the actual black hat get out of the deal? It's not like script kiddies pay for things.
Is it for fame? Signal-to-noise manipulation? Are the little fuckers getting "0wn3d" by backdoors in their "1337 h4x0r t00lz"?
Or is it something else entirely?
A bug in a browser shouldn't lead to such massive breech.
Just learn to recognise the tone to know what you're dealing with, it's basic psychology.
They're called paranoiacs and are the antithesis of "open' people. They hoard, trade and restrict information and generally infest journalism, intelligence and large dinosaur corporations where the strict information heirachies are comfortable. They espouse the idea that ordinary people can't handle knowing this and that, that it's for 'security' and that it's for 'your own good'. All of this is a smokescreen to hide the rather shameful truth that their lives are built on profiting from keeping information controlled, engaging in obfuscation, misdirection, fear, uncertainty and doubt.
Invariably the defence they offer when confronted or exposed is to start calling their accusors 'paranoid', so cue tinfoil had reponses in 5, 4, 3....
Yes. Asides from the "but is it Open Source?" jokes, I'd imagine it's not difficult for anyone with the motivation to get hold of this software - and no matter what it costs, a 'customer' could easily make that amount back and more.
It just makes me think - how far do things have to go before people realise that computers are not inherently safe? I'm being careful not to imply that computers *can't* be safe, because of course they can and I'd imagine the vast majority of /. readers' are - but that it's not some whizzy technological environment where everything is great and snazzier is better.
I'm talking about end-user attitudes; for a long time, public perceptions of computers and the internet has lagged behind the realities. They've shown themselves unwilling to learn out of sheer curiousity or interest in using these new tools. They've shown themselves unwilling to learn when viruses and spyware corrupt files and destabilise operating systems. Now I wonder if they'll start to pay attention to the realities of networked devices when it hits a lot of people in the wallet.
I also wonder whether the commoditization of cracking tools will eventually shoot crackers in the foot, by making them so ubiquitous that people actually get a clue and stop falling for phishing emails. But then I remember that while crackers have the greater desire to learn and exploit, they'll always be able to stay one step ahead, and come up with some new exploit...
And no, Trusted Computing is not the answer.
My, that was a yummy potato!
I don't get it. How can these Hackers get this tools that do all these great things, and as a system admin I cannot get a application bundle and installed without having to try and move the Rock of Gibraltar.
Considering as a system Admin, I would have more time and a higher budget, you would think some corporation would make some better tools to handle the more common tasks like managing and updating applications on workstations. Instead I get to read how a hacker can control thousands of machines through a configuration more complicated than Enron's accounting procedures all with a click of the button.
Life just ain't fair.
Sounds like someone is confusing Windows' file sharing system with a security breach... oh wait...
i mean, if most of the people running botnets are young and doing it for the 'kool factor', doesn't this take away from that a bit? There are plenty of tools out there that are probably very easy to use, but once it really starts to get out that scanning ports and cracking systems is something any jerk can do with a GUI, maybe some of the 'show offs' might start declining the challenge...
No, the real problem is systems like Windows, which promote the idea that end-users can administrate computers. It simply doesn't work, any more than it works for every driver to be their own car mechanic.
I don't believe that can happ...[hey who deleted my file?]
--
I refuse to answer that question on the grounds that I don't know the answer.
if someone told me that there was a secret receiver on the back of your head that you had no knowledge of, and i had no idea who you were, and you had no idea who i was, and i could activate it just by pushing a button, and it would cause you to twitch and spasm and yell out words tourette's style, and i know it's not good for you, what would i do?
a part of me wants to push the button, just to laugh at your suffering
over time, i could probably could come to enjoy it, sadistic pleasure from your pain
even it required a lot more effort on my part to initiate the reaction
and if it came to define my identity, this dependence on this drug (as this behavior obviously has for some) i might even fetishistically involve myself in the tools i needed initiate your suffering. i might have the magic button encrusted with diamonds. if it really represented the source of so much of my pleasure
and before you sneer at me, recognize that this aspect of human behavior and this potential for asocial manipulation exists in all of us
just look at your average kindergarten class if you think this kind of cruelty and enjoyment of others suffering, impersonal or not, is not something unfortunately intrinsic to human nature
its a dark side, and its defeat comes in recognizing it, not ignoring it
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I don't think I noticed any mention of that in their recruitment ads. Hmm, nope.
One line blog. I hear that they're called Twitters now.
Is the first thing I look for these days - everything on one page. None of this "Next >>" bullocks.
Who's your user, program?
I've got to question that assumption at least a little bit. Many (most?) of the scientists working on computer science related projects have always been fans of science fiction. Are you trying to tell me that they wouldn't have been aware of stories by Asimov, Heinlein, Clarke, Sturgeon, and others who all envisioned ubiquitous communications networks? Many of those authors wrote stories where ubiquitous computer systems of varying degrees of complexity were a factor. And some of those stories included all kinds of fascinating elements revolving around hacking past security measures. Certainly Gibson developed the themes far more completely later, but the elements were already there in the '50s at the latest.
I will concede that the original design(s) were never intended to grow into the global network that we have today. They were merely prototypes. The second one based upon IPv4 was so outstandingly successful that it took off before anyone really understood what was going on.
Suggesting that the original developers never thought about security issues also does them a disservice. They were researching communications for the DoD, for Pete's sake! The original design goal was to come up with a communications systems that would be capable of surviving a nuclear war. While that particular scenario has never been tested (thank Ghu!), faulting them for not thinking through every implication of every design choice doesn't do them justice. They still designed and built a system that just runs (partial network meltdowns are always due to economic reasons, not design). This was a truly remarkable achievement. It's especially true since we see systems in place that are essentially immune to the bulk of the common attack vectors in use today. It's not the original designers' fault that so many implementations are so badly broken. It's especially not the designers' fault that the single most dominant OS in use today is also the most porous.
I haven't researched this very well, as I don't use .net, but it seems the classes used with VS 2005 have been refined far better than the ones before them. For example, database queries *automatically* get checked for SQL injection. I tried to hack a friend's site admin section before and failed pretty bad even though he hadn't put ANY thought into checking input..etc.
As someone said before, the problems usually come in the form of exploits to the OS, and not the website itself.
If I am horribly wrong, please point me to an educating source of info.
Oh and here is a feature breakdown from a Russian bulletin board:
In English...
For those that care.... here is the site.
If you have half a clue you will figure out where to go from there.
From what I've read.. this isn't cracking at all, and it looks like some's gone through the urban dictionary with a vague understanding of what it's doing and picked a word at random..
Consider this, you buy a dedicted server with a web-based 'Control Panel' on it, this makes you no more of an administrator than any other average joe who wants to run a web hosting company.
Now.. just because you can rent a botnet, then control it via a web interface makes you no more of a cracker than anybody else out there who can point & click... This is underground marketing taken to the next level, increasing ROI, reduced management/technical overheads and enabling unskilled people to make a few illegitimate bucks.
At the end of the day, this is what all software companies are aiming for; legal or illegal, their all in the software services business, and some would agree their doing it better than the legal side of the market.
I don't believe that can happ...[hey who deleted my file?]
You must be new here.It's "I don't believe that can happ...[NO CARRIER]"
I wonder why someone doesn't use these tools against the crooks. You say that isn't 100% legal? Many of the things our government (or major companies) does today aren't 100% legal either. Take one of these botnet tools and use it to knock out their websites, spy on their irc channels, flood them with bogus data, disable the spammers, use it to spread worms that fix holes and knock out malicious code on the botnet pcs. Fight fire with fire. Obviously law enforcement isn't going to come after you since they barely lift a finger against the crooks and most of these sites are overseas anyway.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I don't get it. If I buy a ridiculously designed car without locks for the doors or ignition, just press-the-button-and-drive, and park it in the dodgiest place it town, you would expect it to get stolen, right? And even if I have insurance, I most likely would not get anything back on a claim, right? In the US you might get away with blaming it on the car manufacturer? While other places you'd just have to thank yourself for the foolishness of buying such a car in the first place, and then parking it next to Fraud-R-Us.
Now tell me, how come this change when you park a flawed, unlocked, and ridiculously designed OS on the Internet? Why is neither the manufacturer nor the user to blame for this?
An unsafe user cannot be made safe by the system without serious frustration.
.)
No amount of software remediation will fix a a defective human peripheral (a clue-by-four, on the other hand . .
"PHP: The language of choice for script kiddies."
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
For those who are interested, I managed to get a couple more images of this interface here and here.
Bonus points if anybody can figure out where the shots came from and shut them down.
Send offline messages on AIM with DoorManBot
Now if someone would sell subscriptions to this botnet in the PHP interface. I'd buy a subscription and deploy out the commands needed to delete the botnet program :)
-M
when you see the word 'Linux', drink!
Conjures up an image of a zany band of fun-loving haxxorz sticking it to The Man. And they would've gotten away with it too, if it weren't for those Meddling Kids!
Just an evolution of an old idea. For about a decade now there have been cases of some bored person writing this nice user-friendly interface that makes it easy enough for a child to create zombies or other such annoyances depending on the particular medium. Unfortunately, the biggest problem is if you make it easy enough for a kid to do it, a kid WILL do it. On IRC we called them "script kiddies" because they were usually just some pre-teen with far too much time on his hands who found some nice handy little script that made it really easy for him to do channel takeovers and other such things. The kid didn't have to know anything about what he was doing or even have a decent reason for doing it. A REAL hacker does so for the challenge and will often not actually do any true harm to anything even if they leave some little message to let people know they were there, but, when you let the kids to it, they begin with the cyber vandalism.
Guess it was only a matter of time before someone created a PHP type interface for them to spread their vandalism with.
Porous
Excellent way of describing it, thanks !
I mean let's face it, what is a "window" if not a hole with a fragile layer keeping the outside out and the inside in. They may as well rechristen it "catflap". Heh.
Seriously, websites abound with cracking/booting/keylogging programs for Yahoo chat, and many other protocols, but for some reason, it seems there are more written for Yahoo chat. I'm not including IRC tools, as it seems to me to be a different class, mostly CLI tools.
:D)
:D) hack my PC.
I'll sit in a Yahoo chatroom using gyach and FreeBSD, and I'll watch my pflog monitor and see dozens of scans, boot attempts, etc within a couple hours. (I love the chatroom "tough guys" that come in and threaten to "boot" me and "bluescreen" my PC..they get *really* frustrated when their little VB booter programs fall flat against a BSD box with a PF firewall and *nix chat client
There are numerous chat "crews" that trade in "cracked" accounts/screen names. I've never had my account cracked, but I follow proper practice regarding passwords, which most don't.
I've had chatrooms I'm in fill up with an entire "crew" all trying simultaneously to "boot" me after one of their members fail. They finally tire and drift off with vague threats about cracking my account and having their "1337" friend ("..my buddy is certified by Microsoft, he'll crash your hard drive!"
Anyways, back on topic, there are hundreds of very slick-looking cracking and booting programs available for Yahoo/AIM/MSN, most free (as in beer).
If there are programs just for *chat* that are this slick GUI-wise, it doesn't shock me at all that there are similarly-polished underground tools for other tasks and protocols.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
They could have a point and click method of helping Script Kiddies with their Control issues... Come to think of it, most message board admins need that too.
EpiAdv - if you like Pokey the Penguin, try this comic!
Hahaha... funny!
hacking for noobs! I wonder how many of the machines used to order this service are actually being used for bots.