10.11.2019

Tutorial: virus design

This may be somewhat of a cliche topic, but I think it's important that kids growing up have the same learning methods we did applied to more modern techniques. Therefore, let's discuss virus writing. When I was a kid there were a LOT of tutorials on IRC trojans and mechanisms to bind them to legitimate software and send them out. Today, I see a lot of copy pasta, "do this exactly," with no real explanation of why. So I'd like to avoid that by discussing the particulars of design with you, using codeswitching the way many people use linguistic code switching. The following is a discussion on how you can design your own malware without giving you the code itself. This is to teach you the procedure and execution of malware development for beginners, educational purposes only of course.

Function main
So, with programming you'll find that you can make function and variable declarations in just about whatever language you choose, and they are usually named after what they're used for. When designing viruses this isn't ideal, so you may want to make a script specifically to go back and overwrite your function or variable names to limit someone's immediate understanding. So before moving forward, think about how you can mask them later.

' this is a comment, in this comment I am referencing what will happen next. Please don't leave comments in virii code, it's bad juju.
' the next section to read is titled decisions, as called here
call decisions()

def decisions():
 readFirst=You really need to decide before you start your virus what you want it to do and how it will spread.
 decide1=first, let's keep this easy and say you want your virus to communicate back to you details about keypushes, passwords, and web history. You don't care about remote access, you don't care about detections, you don't care about modular features (add new features from a control panel to active infected systems), you don't care about making money so you don't need to worry about unique traits, you don't care about interactive shells or flashy images, you don't care about screen monitoring or leveraging a 3rd party to communicate. You just want basic data sent back. So how? Do you want that emailed to you? FTP? Update Apache access logs on random servers you can access through a public platform and collect info? All of these are things we could do, but let's say we want to use link shorteners for user agent tracking to seed information. (our example can be https[:]//grabify[.]link/DV8J4T tracked via https[:]//grabify[.]link/track/1WRRVI)
 decide2=second, let's say you decide you want your virus to spread through email or chat programs
 study1=you also need to know who your target infections are. If you spread a virus on a platform mostly used by Linux or Mac users, a Windows executable won't get you anywhere (for example).
 seriousQuestions= Now you come to the hard part: you really need to decide what language you're comfortable building this in. For me, I really like using Python, but we could do this in anything that would run on the target systems.
 execution()

// this is another type of comment you may see frequently; knowing which comment syntax works in each language is also important when compiling. Things that work as a comment for .net could actually compile as a string variable in c#, or some such. In languages such as Python, when compiling to an executable, be aware that """ my comments go here """ is still code that runs, it just takes no action, leaving the string available for anyone.

void execution() {
 Now to try our hand at developing this, we have several options. We can look up APIs that make it easy for our language to accomplish these tasks, we can test out our own ways to do it in these languages, or we can look up where other people have written viruses for these goals and see how they made them. This may sound like a rather noobish technique, but acquiring methods from other developers lets us derive a series of techniques that are less recognizable as the original author's work while still building on it. Remember, when doing such things the idea is to not let your ego take hold. Making something that may get you called a noob or neophyte is perfectly fine if it accomplishes the goals and strengthens your skillset. It's the ego to boast about your own tools that gets people in trouble. Save that shit for open source projects.

 Once you have a design method that accomplishes what you want and you know the code requirements, put pen to paper, then validate. To validate you may make some VMs that you can revert, or do like many did and just infect another computer (not actually in use) a few thousand times and wipe it later. If you need to run it through debugging, do it. If it runs just fine and does everything you need, still debug it. Make sure that at every stage of execution you aren't leaving something there that shouldn't have been. Maybe you need to clear out a variable before reusing it. This doesn't seem like much, but if you have a chain of functions inside a loop and one of them edits a global variable then crashes before it gets cleared, and then you run the next function that adds to that variable, you've now gone from a variable of integer 99 to 9999 or 999999. That's gonna suck if you have a waiting/sleep loop for 999999 seconds (11 days before execution? yeah, a personal computer or workstation will be rebooted before then, and servers will usually kill the process before then).

}
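The remark in the second comment block above, that a `""" comment """` in Python survives compilation as a string, can be checked directly from the analyst's side. The following is an added example, not the author's code or any project's: it compiles a small constructed snippet (the strings MODULE_MARK, FUNC_MARK and BODY_MARK are markers made up for this test) and reports which of them remain in the code object's constant pool, which is exactly what a reviewer walking a recovered `.pyc` sees. It also records two caveats the page does not state: only docstrings (a string literal that is the first statement of a module or function) are kept, a bare string elsewhere in a body is discarded by CPython's compiler, and a `-OO` build (`optimize=2`) drops docstrings as well, so an analyst cannot count on them.

```python
import types

# Constructed sample source (not from the page): a module docstring, a
# function docstring, and a bare string in the middle of a function body.
SAMPLE_SOURCE = '''"""MODULE_MARK: build notes that should not ship"""

def work(n):
    """FUNC_MARK: explains what work() does"""
    total = n * 2
    "BODY_MARK: a stray string statement, not a docstring"
    return total
'''

MARKERS = ("MODULE_MARK", "FUNC_MARK", "BODY_MARK")


def string_constants(code):
    """Recursively collect every str constant from a code object and the
    nested code objects (function bodies) stored in its co_consts.
    This mirrors what dis/marshal expose when inspecting a .pyc."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(string_constants(const))
    return found


def surviving_markers(source, optimize=0):
    """Compile `source` at a given optimisation level (0 = plain python,
    2 = python -OO) and return the set of markers still present in the
    constant pool. Returns a set so results compare cleanly."""
    code = compile(source, "<sample>", "exec", optimize=optimize)
    consts = string_constants(code)
    return {m for m in MARKERS if any(c.startswith(m) for c in consts)}


if __name__ == "__main__":
    for level in (0, 2):
        kept = sorted(surviving_markers(SAMPLE_SOURCE, level))
        print(f"optimize={level}: strings surviving in bytecode = {kept}")
```

Run it with plain `python` and both levels are reported: at `optimize=0` the module and function docstrings are present, the mid-body string is not, and at `optimize=2` nothing remains. The same `string_constants` walk can be applied to a code object loaded from a `.pyc` with `marshal` after skipping the file header.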

In theory, if you understood everything I've said here and went and made a program designed as described, you've made a keylogger that uses the user-agent field of a web request to the grabify link added above to send data back. If you're having trouble getting all the data into the field, remember that you can send multiple requests without needing the return data, and therefore you can also send size-limited data back. This is designed to be educational and not intended to be used for any criminalized activities of course. The biggest takeaway people need to understand is that the process to make any form of virus isn't exactly magic. Next time I'll discuss more about design around RATs and backdoors.

With love,
- Ferasdour.
https://keybase.io/ferasdour

7.24.2019

New bote address

1Pf-LyoDL1VrW3PZZwDZ9NnjewfimPrbHkP6GJ~9P7WsxZIl3TNowqi-NcxfbcUkkHFIAGK5N2DE6XUMzeBZKOMZycGwhv-yysQ4C-dPgaCX6LgjFalbuHSrA1FGQMxdCtiDdljjAgc6vb~pvo0JS55AYsamRGFa~uaYqnMZrwR9E0BpX45tvmDiGdSnNnubxavvpaR-D7HNz-9TPFq-iwpwMJKyijWyXzruUAfM1hV3T5oRZ675W0zBuPBG3-IjtZWOf1rcwb~kUr6FJP3YPldDz9VLnilVVt4yRLcSL4qTEqPyx~yrONXLrqLRGU3bPOyD9GpTh606mJL7AcTVfihIxoPs5knyt494ZwgxFPmeg-hPUCK~uIghYEnHNDZFw7F0FNq0OPf5qMD-mLSPoAtAlPTv-pZUNoE7glCwLfaGOkPLNro7ciy6oHJX-cSoVFGgpVm1IFOEajHJ2NuJsmai4ZrbS1kcwFbWDxDaw--4VwU4mwoenbwj8U6HFSu0lP2eQ98eUFIZxwuE4rnruoAdukpiLWO6fFX03tNRrqiYV-wUTb1gyboSG03K96awD5CDjzyI1DL5nYcDrMNJYsf8gysMAyufSC6-KQpkqSIJoP~DFT6L97vM0ScGEtp-w3~TrhmtnIH-qDVHu3-k6CAWM~BXk09xTAnO9GGLitA5nSWqPXRZ~NuGYlTDhb5eD1E3c3LW4jVeoLpcZHGzT3-9xcBAyJSZeaRLC1eJGhs6YFYiLJocqIncbIOJB62IbdmMJ~C9fzYK9QAMCfq0iuFnKT0GfYfcA~FUoUQEE9N-h3~rItmYc6QqKgV5-RsUOA2BjBIlmyNUWzMEcO2wiiIsJLBO2cYlVJ7zTP-FVLLqxaDXPdSs63h3SxEndqwWGUuOXMywh2pwO5iaCp7ZHSaP-zs2gLsfg~dkRRCp-sIQFTTSkHWIHM8zqzlKzYsTA3PqQa~OAPsWb3l41Mc2h~oTn7D5NpoQ1CHaly8QNWYUR6DabtK7sRRlOcG2izHLeurQ0wKmDyMFJAZHcGNekY2rvChMuMN0d9Nxv-8vaPeI0Q3yYJv-pQgyW8WrWOBcL1BjVbt~1E4e8Zdd3Ci1y-mqXNi0ZDzHFi~YlK-Mj6pdexKZFNdzvaOyMJQeRBS0R21VXNLcBukAVGWNDMAmTjRQALCg3B5sTTzdVG7g0h766XQNyPT4-L~a8OwXnAUPFQG-c-w635wYub6VHrHX1LysQ91k8W9F541KqoZddsSYlVBtkurxhu69HS~QvpIDGJ4Vs8yZGEp-mzAP0vWvOlG8aHnBls9qeTOyV2st4smHI7M3y6Iguv9CcWJX~HJWIwmSufns7fHQ8NqKWwp0TrhtafyHeUb~6w6IRAOk2hoQ5MQi5A91dB--pxHl1N2uuJMgd867b-cG8eMmzdqTKpGxiNYMrW2iP1V2BwakkNDvWJhg9ONMnfXSG2igVu6d8CLshzNvaP~f31VUS4UwxUf3Kf4CvmAM6gI8recFOHyamZddq5hBf1-ml0t7jGbGyEPh9wIf3wlQFdeDfyWyPgq4d5DO5t7bFy5DlrvzrvcjnXq7a-orohlTh66v9hElWn2JYDwqQvpK8oG9o7d2Ip2oir7TVRLublNSZGhp--DD92vlfUTxWRiSBAIkUIB0h221CnU8Ot6vMMr9lJZ1aar-CcHWpc8SOxvsXPzvTf2oh2s9tp6NU4rMdaEqppAglR6yISJnWZrLrQuwCq912JV6TWzPmfUDDj3oPbL9z7JwM7CiLKNvqTVDP8GMJpUw0jGGMORab4fPIeo0eTL5mvjgBkzQhh522BePmg1OEJn5gtNG-BW7ZY7NsuegVh5BjU2Ktt7ltcf5RFUwgSX-rLeirQpnrCajz7UV2wfv2oNNDmqJLXIySy3Eet7LNR057sLhq572Dr0PqWyYLPd690ZxifJHd-CgBVlxnI65WHv2RYFx9DZrSWCBbmTajasuk3gFf0UdFwanmwQy
F4lmTCShV1VSP1OOxYok5UCXps0OaOI-fYD19A2MMLEd3TkyUoWKc7JPWLumUD3cIehhBblRREo1jMU

6.26.2019

Autonomous stupidity

Autonomous, self-governed machines controlling the lives of millions of humans and machines. A drastic comparison to humans self-governing each other through the establishment of one government or another for a period of time. If we want a stable world, we need machines to determine our moves. Since a stable world comes at a cost, we must accept that at any point in time, the patriotic actions of one nation's past were always for the people, not the structure of the government. It is with this that war should be declared, to revoke the abilities of the major government structures when they become destructive of the ends to which they were established. It is in this way that the Russian and Chinese governments have a major advantage against the United States. They have gone through many cycles, and expect many more in the future. When the enemies you pick fights with have the advantage of tested and vetted skills and methodologies, you have already provided a weakness on the battlefield.

Welcome, to the world at war for the third time.

We automate automating automation. Hell, we even post our twitter posts onto our blog pages, microblogging posts onto blogging pages.


6.07.2019

I just find this amusing

My computer weighs 17.10 oz at standard CPU load. It weighs 16.69 oz when powered off and left to drain for 1 hour. It then weighs 17.30 oz at peak power.

dead = 16.69 oz = 473.15354 g = 1.043124997892 lbs
standard load = 17.10 oz = 484.7768 g = 1.0687498998 lbs
high system load = 17.30 oz = 490.4468 g = 1.0812501101 lbs

So basically, from powered off to high utilization, in theory, the power usage weighs 0.0381251122 lbs. To compare with arbitrary number sequences that were cut off due to equipment faults: one penny = 0.006249994902 lbs (using the same scale and measurements). So the change in weight (in theory, current?) in my laptop weighs more than a penny.

Let's compare this to what I've found online: https://www.howitworksdaily.com/does-electricity-ever-weigh-anything/ - basically says there is no weight fluctuation. https://www.sciencefocus.com/science/how-heavy-is-electricity/ - says there shouldn't be any change unless electrons were added, but certainly not a relevant amount. https://www.reddit.com/r/NoStupidQuestions/comments/54ea9t/does_electricity_weigh_anything/ - basically says that chemical changes in the battery may cause a change, but it should always weigh more when charged and less when discharged, irrelevant to CPU usage or powered on or off.

If anyone has any better reasoning for why this is the case, it would be nice to have linked. Thought about weighing capacitors when charged and not, but haven't gotten to that yet. I've also seen people say their phones weigh more when playing games or things that are high gpu usage.

Plz comment if can does the halping. K thnx. - Ferasdour


5.02.2019

Lets explore the world shall we?

========|
===           \++++++++++
++++++++|  Explore Reality
===           \++++++++++
========|

I love seeing infosec twitter people refer to being on bbs in the 90s. The ones who spent their time learning from text dumps there are my favorites. They look at the world as encouraged at the time, by trying to understand the world around them. This isn't just some cheesy nonsense spewed by communists and blah blah blah. Today we're going to take a look around us.

We start by checking out what devices and tools we have for our day. For starters, like everyone else these days, we've got a cellphone with us. Find someone who doesn't, and you're probably looking at a ghost. Even ghosts encourage keeping one to blend in at this point. That's how important phones are seen as in society. On our phone we have our sets of software we enjoy, from port scanners, network managers, wifi tracking, etc... and Facebook of course. Stupid Facebook. So let's keep going. Next, we see our computer, but it's fairly stationary, probably won't be taking that with us. But we've got about 30 flash drives and 300 blank CDs or DVDs, and a couple of MP3 players and a smart watch or two. We're just the modern American. We're expected to be criminal once we list these things in this way, but basically, we have what everyone has and nothing more.

Well, let's check the networks nearby before we walk outside. We already have access to our own network of course and we've tested it with wifite and reaver a few times. Wonder if any nearby networks let us in. So, we set our computer's MAC address to something else, set it to monitoring, let it start scanning, and because we're lazy, let's just loop it. Every 60 seconds of scanning should be enough to identify everything around, so let's do wifite with a 60 second timeout, try to attack everything, randomized MAC, and save to cracked.db or cracked.txt, whichever; doesn't really matter so much to me tbh. We set it to run and look for what else we can play with.


We find that we have some makeshift antenna we saw over on hackaday a few years ago and a bluetooth card. Since we know everyone at home's bluetooth, let's poke around the neighbors' houses and cars. Well, we found a few cars we could turn the radio on in and annoy a few people, that was comical enough, but maybe we can do more with just scanning. Let's set a directional antenna to point towards the road. But not just straight at the road, more like aiming down the road. We do this because we know that cars move fairly quickly and we want additional chances to pick up beacons. Why would beacons matter to us? Well, just like with wireless, we can start tagging these with what they know and connect to. We can also set up a small tracking technique to identify when people come home or leave, creating timelines of people's weeks solely by the beacons sent by cars, phones, or even a Fitbit. We set up something like this before, but that script is lost in a pile of hard drives somewhere. So we set up a new one. Let's use tinydb for the database, let's track every bt id and MAC, and let's use Graphviz to set up a week graph, with days of the week followed by times of day for each beacon we receive. This will be nice enough, but let's go the extra mile: let's take our currently running script and leave it alone to just play with the database it collects. Let's make a script that tests Keras every 30 minutes to attempt to detect the next time each will be seen, and for every correct guess, let's promote the answer of course. Now we have tracking on all our neighbors with bluetooth; let's also take this for the similar data from the wifi. We can either grab beacons with raw sockets and deal with that nonsense, or we can use wireshark for all this I suppose, but personally I'm fond of using scapy due to the ease of bullshittery like this. So, after a few minutes of dev and hours of debugging, hey, we're tracking every device around now.
Would be a shame if cops or private investigators drove by and this data got to people who needed it.

Well shit, now I'm bored. Let's go for a walk. Walkin' down the block, I notice everyone's got their dishes and antennas and it struck me that I have one of those 5ghz antennas that points to the water tower that I found on the road before. Maybe I can come back later and power that beast up and see what we can find. A little further along, I notice the plants people keep in their yards. Intentional or not, it's quite fascinating. Jimsonweed seems like a mild nuisance but goes great in making poisons if you so wanted. Red oleander is very pretty and scales the side of a house very quickly once it starts; it's also abnormally hard to kill. It's sort of a huuuuuuuge problem if you're worried about it killing you or your animals. haha. A few people keep garlic or peppers or tomatoes, and with the older families you can still see where they once had a pretty garden but it's no longer kept up due to their age. Get close to a local convenience store and we see the power lines, and presumably phone lines, going over to the store. I catch an old pay phone line still in place, but cut and separated from the now missing phone. There went the last pay phone. Can't scam those for free calls anymore guys. Oh well, go inside the store and look around while on my phone and notice a few wifi networks. One says "shell guest," the other two had hidden ESSIDs. So of course before I leave I've got to at least find what's in those other two. So I set my phone to use aircrack tools to try to deauth things and listen for probes connecting with a name. While waiting on that to run in my pocket, I fumble around my wallet, look like I don't know where the ATM is, then go up to it. While getting 20 bucks out I look back at my phone. Sure enough. Shell-private{somenumberschemehere}. I do a quick lookup of the MAC; it's likely a Linksys or Cisco wifi router. Hmm... the last one of those I had, had WPS enabled by default and even when disabled it would still work, just not broadcast it.
Maybe with some wifite or reaver I could enjoy me some info from here. Oh well, it's about time to leave, gonna buy my $1.48 soda with a $20 from the nice Lebanese gentleman who runs the place. He, like many people, had a group willing to help him and his family come to a 'better life' in America, but he had to contractually stay in the business they assigned him until the debt was paid. So he's going to be the manager of this store for another 5 or 10 years and someone else will be shipped in to take his place while he starts diving into other businesses like realty.

On the way back, I decide to sit down outside the store for a few moments and look at the people coming in the building. I noticed the dumpster had a handful of rusty metal (nails and such) in a box beside it. A woman here and there would give me an off glance and the occasional parent would look at me and tell their children not to walk too close to me. I'm actually okay with this as it means fewer kids pester me. Anyway, one lady starts pumping gas and I start to think. Are these pumps connected via wireless, or is there any correlation I can do for when pumps are going to identify them? Well, as it comes to find out, these all are hard wired to a hub behind the register, which connects to the main router, which has terrible firewalling rules around them. Not the point though. After coming up empty I decided to start walking again. It should be noted, every time I go walking these days, I have to check local busybody news reports for "suspicious person spotted." They wouldn't know suspicious if it came up and stole $30 out of their purse while they were gawking about me walking, but we'll leave teenagers out of this. haha. I catch a few reports that tried awkwardly to avoid saying race, so they said lighter skinned individual with shorts, tee shirt, and a bottle of some kind in their hand. So I Google searched "mexican with a 40" and sent an image to see if this was the same individual. Many people didn't find it funny and in fact the poster thought it was serious. Continuing on with "omg there's more of them?" Whiiiich turned into a race debate and I skirted my way out of that conversation real fast.

I then came to a school, which wasn't as fun because its sign was only a simple one-line-at-a-time, if-it-fits-into-an-ascii-field-it-should-display-fine type of board. Usually used to display some sort of "school picture day blah blah 14th" or the like. Weeelll anyway I saw an antenna on it so I decided I'd take out my phone and do some sniffing. Since I'm sort of just loitering, I figure the walk back would be my best chance, so I walked a little further and came back and held my phone open, airodump-ng with settings for beacons, router info, etc... to go up near it. I didn't get a beacon when I was just past it, so I decided I'd stop and wait for a minute. During which I acted like my phone was causing me trouble, since I know nosy ass neighbors are spying on me just because I exist outside my house. It finally went and I went on about my way.

Back at home, I went back over what I had learned. This time, I decided I'd play it cooler. I looked around for another wireless card and connected my computer back to my internet while it's still running all the other nonsense. Did some research and in fact, it's a known thing that some Linksys and Cisco routers can be abused for WPS despite it being turned off. The data I'd found for the school's sign was basically just the MAC of the client, and the school's network was of course the wireless access point it connects to. I also happened across some model numbers and decided to look those up. Found the company that provides this type of sign also provides signs for many other locations nearby, including those big eyesore full color extra large displays. Then I decided to look back into what plants I saw before heading back out.

For the plants, I was able to ask the people who live at those houses if they had any seeds or roots for them and said it was part of a botany class for school. Of course, I can't recall their scientific names, but I said some nonsense then called them the names people know them by. In this way, I collected several poisonous plants, several healing plants, and a few with high concentrations of various minerals I could try to filter out. I then took the car, my phone, and a hacked up smart watch (drop *nix on all the things). Used the watch to deauth and my phone to run wifite up at the gas station, got some gas, and asked about the box outside by the trash. Got a large box of iron oxide. You already know what this is for; if not, perhaps researching would solve this. Or, if you'd like, check out the improvised munitions field books. ;) With that said, plants with vitamin E can be mixed with aloe and called a healing lotion, or a burn lotion. Vitamin E is effectively a "miracle drug" of the beauty industry, in that it's a topical antioxidant. Meaning as a lotion, it will aid in the reduction of decay caused by enzymes. This is also very important because mixed with roots of poisonous plants, alcohol, and aloe, you can loosen the skin enough to, in small doses, impact someone's bloodstream with poisons.  Just imagine if they were convinced to do it every day. Anyway, I digress. So, we basically targeted the WIRELESS CONNECTED ATM (there's a redbox too, but the ATM was more funny) and the router, got in after a bit with wifite. ATM has a web interface. I left it alone at that because I got what I need should I ever need to come back. So now we go onwards to the school. Up at the school, pull up like I'm waiting to pick up a kid, same setup but this time clone the MAC and school ESSID of another router on their network, and deauth from the one closer. Now that I'm the other one, it naturally will try to switch its session over to mine.
I didn't want any sort of ssl stripping or anything, I just wanted to hop in, be on the network, and try to set a single character on the board. Once it showed, I scanned other ports used by other versions of the sign offerings and sure enough, web interface. What, not just a web interface with no password, but also a txt file configuration that you can save (lol) and a firmware update that you can apply manually. This is too great, but for now, I'll just test and see if I can change the update server. Because that's an option. So now, to push updates to an ARM system with outdated Debian on it, something I control now has access to send any time I want, by updating an XML file it searches for, telling it which file to download. Due to previous research, I found that this isn't a firmware update, this is a "patch", which, per admin guides, can come as a deb file to be set up via the admin portal on later versions. This one did not have the admin portal allowing individual files, but it definitely did have the download request to the management system, which can be changed from the config file being edited and re-uploaded.

Back home again, I see a recent trend of someone coming down the street only once, every day, at the same time. 1:28pm-1:31pm. Now this bothers me. They never return, so they either take the other way to get home where the street intersects another, or they are just driving by at the same time. So when applicable, I decide to sit outside and sip some tea and pet the neighborhood doggos. Someone drove by, but no one stopped. Waited about 10 minutes, nothing. Check the logs, sure enough that was them. So let's try again tomorrow, but this time, let's put a camera in the window and log it to a flash drive. We can look over that later. Time comes and goes again. Look at the video, just barely able to make out the license plate. They also appeared to be stopping this time. In front of my house. Weellllll fuck. Who is this. Pay for spokeo, pay for license plate lookups, pay for beenverified. Fuck, can't find them. Who are you person... I will spend money to figure this one out. Fuck it, I need to. Got me a recorder pen, a nice shirt, left it slightly untucked, waited at the mailbox for their car to come by aaaaand dropped the mail. They stopped, as hoped. It was a woman, maybe in her 40s. I caught her while she was just taking pictures of the neighbor's house. So, I clean up my mail and look frustrated and go back inside. Reviewing the camera, I noticed that she had a computer and a phone. Computer was mounted and phone in hand to take pictures. She could have been using selfie mode to check out my house, but I decided to look into why my neighbors might have a PI after them. As it turns out, both of them, in different states, have on-going court cases and have been ducking under a family member's name.

At the end of the day, there is no ego in who I am. I am not a hacker. I am not a programmer or a scientist or a researcher. I study life, but not in that new age yippy wippy bullshit way. I mean getting off my ass to study life. Very few other reasons to get off my ass.

Now, as a disclaimer, all of this is completely hypothetical and not meant in any way to be taken seriously. But here's some pictures I thought you might like while you're at it.

4.09.2019

How I see the world

Ferasdour
April 9, 2019

I would like to express a few minor words in the only format I know how. Plain text. If you're here for infosec stuff, I'll get to that towards the bottom. Philosophy before technology.

When talking with people recently, a feat I rarely perform anymore, I found myself questioning why they would consider me smart. I have no college degree, I am not a master in some form or fashion. I'm just another kid who studied the world around him. In retrospect, when you know more than the people around you, on one topic or many, you appear wiser than you are. As for me, I see that the only way to live life is without the mindset to mimic or clone. People say the smarter among us can use fewer words, and in this I am vastly closer towards idiotic. But I have a problem with leaving things unexplained. In one example, I was asked to explain an issue. To most this seems like no problem, they just explain what they know. For me, I explain what I know and how I know it, ways to prove and ways to resolve. This isn't what's wanted. I am not a corporate person, I am a real person. I say corporate as a reference to one of the common reasons to explain in the best format: to keep getting the best jobs. But this isn't for me, I am not a reporting type. Being told from childhood to remove or falsify evidence, smile and wave, doesn't sit well with log everything, report in format. While I have no intention of going back to where I once was, corporate things aren't my fancy. I support i2p over tor and clustering over load balancing. If that makes any sense, I don't even know.

I was asked about calendars, the seasons, and how people once tracked seasons if various places have deviant seasonal or even daylight timelines. To answer this, I first went to explain that they need to stop believing our calendar system is factually accurate. The scientific basis of any part of our clocks, calendar, or even days of the week is more a reference to a fact that was set as a standard, instead of maintaining factual records and keeping people up to date on that. In primary schools, we do not teach people these things, and this is largely held as an academic practice to start people learning that everything they've been taught wasn't necessarily true but instead accepted as true. The calendar system used for most of the world today is not the first, last, or most accurate system. Further, when it was developed, we knew much less about the earth's rotation or its orbital pattern compared to now. Knowing that the arc in which earth orbits the sun, or the fluctuation in speed of its own spinning, wasn't known when developing any part of how we measure time today, is the first step to knowing how people understood seasons before they became standardized the way they are today. Then I referred back to Greek mythology and common works like the Iliad. When voyaging in Greek times, either by boat or by land, it was common to blame gods for sudden storms, a land that was forever dark, etc... These references we can see today and ask ourselves if that could have been due to the axis change at the time placing the area they found in darkness, or if it was actually some act of a deity that caused the exact same situation as what could be described better today as common. In such places, there must be a change in what crops are planted compared to places that have more sunlight or places that have more heat.
Before standardized calendars, farmers took into account many aspects, changes in trees, waters (tastes, tides, fish population, rain, etc...), in order to choose what would work best to keep the most crops alive. So while some understanding of cycles in the world may have been present back then, to this day the most accurate way to understand seasonal changes is to do farm work. Because the accuracy is based on many more traits than just a day that some people set as the "official start of ____." Now, the biggest reason for that many of us know: the equinox, or equator-matching sun comparison. However, go check out the accuracy of that determination. You will find that there are numerous scholars to this day debating this because there are a variety of changes to the earth's spinning, like a crooked top in space. lmao. It's never been only one cycle, it's shifting. This continues to cause people problems and many mathematicians have given corrected calculations based on the latest info. Still, if it's actually March 21st at 8pm in whatever time zone, and it's calculated to be 4pm on the same day, that's a reasonable degree of accuracy because we already have a standardized clock system and calendar system; we'll just place it wherever it fits best.

Now I'm not trying to mock anyone's profession, but at a core level all things are this basic. My intention in explaining this is to show that I do see things at this basic level even in astrophysics. Explaining a different example, I was having a night time discussion with a close friend and we were discussing how vacuum cleaners aren't as useful anymore. Due to this, we discussed where the motor and blades sit in order to pull air. He mentioned having multiple fans in the hose line that would allow it to work better with the design idea of moving air into the tube to create the suction. At first I believed he was saying to put them all in line with each other and went over how the air from one would need distance or to be power-offset from the other, or the next blade wouldn't really be doing anything to benefit the amount of pressure on the hose in line. So my idea was to apply electric motor theory (see wikipedia I guess) but with the air-gap being instead thin plastic, to place the actual motor in the line and impact air flow that way. We discussed this a bit and made fun of old 70s vacuums as being still better today than newer ones despite the lessened need for belts these days. As you can potentially see, these types of conversations just sort of happen, frequently, by comparison to the amount of conversations I have. Everything from intercepting satellites because we're bored, multiplexing cable lines, or quantum physics. PS, quantum physics is philosophy of physics, fight me.

I've spent a lot of my time in my life on bbs, i2p (freenet before that), or other things typically hidden. I like to learn little things here and there about everything. The most common conclusion for any topic is that it isn't hard to understand, but takes effort to master. My goal was never to be a master of any tradecraft, or a mentor of any knowledge. But knowledge today is damned near illegal. So here's a series of interesting facts.

  • Red oleander can be ground up and used as poison. One specific study estimated around 82mg of the chemical oleandrin, which was for their test about 6 inches worth of root ground up to extract, would be enough to kill an average 200lbs man regardless of dilution. 6 inches of oleander root grows in nearly per month if you don't want to kill the tree, prior to that if it's okay to damage the tree. it's spunky, it will return even if you chop it down. don't worry. 
    • While oleander poisoning is ridiculously obvious, it and most poisonous plants aren't actually tested for unless you mention you have these plants around. Go on, eat a leaf, puke up your guts, go to the hospital and get some pepto. This is america's medical system. 
    • oleandrin decays rapidly, if killed from it, you have to nearly hope mucus bound a sample somewhere to prove it after a week of say, dropping a body and their boat into a lake because of sabotaged boats and not expecting them to make it back to shore. 
    • Using things like aloe (plant), you can make a container for this chemical which will slowly absorb into the body but not rapidly enough to be found a problem. you'll have lots of stomach issues like I did as a kid (not to blame poisoning on the reasons why I had all sorts of issues as a kid, but you know... I don't not suspect it), but you don't die until it builds up enough then have a sudden spike. 
  • Jimsonweed or as I always called them, moon lillies (they open up for the moon, what did you expect?), much like red oleander, can be found all over the united state yet not immediately tested for unless the first round of medications they give didn't work. So, fatal overdosing once is enough to not be questioned. 
  • The perfect spot to kill someone is from the spouse stand point. After all sorts of csi and shit like that everyone sees omg they'll blame the spouse every time. Problem is they would have to want to investigate it. Someone throwing up a lung because various alkanoids were put into their line of breathing is a terrible thing. Sadly, with no children or relatives who care, such as for druggies, it will be assumed blamed on the meth and you collect life insurance. wait about a month after the death certificate to ask the insurance company anything. for good measure. 
  • They say you can immunize yourself from poisons in a manner that's effectively homeopathic. While I don't know the truth of that, I loved the smell of jimsonweed growing up.
  • Muliplexing a cable line to bring cable to you as well, you run the issue of still needing a device that matches an expected device on the network. So go say hi to your neighbor and eyeball their router. 
    • To detect someone cloning and multiplexing a line, they may see double registration times to the network. So cut off your neighbor's network and plug yours in. Then bring them both back up at the same time. same time frame, appears more as a duplicate request because first one failed. They may try to push a router update to you. Luckily you fake that because you don't use their real routers. Right? 
    • They can still tone the lines and find the multiplexer, if they tone from there to find your shit, stealing cable is a federal crime yo. 
  • Satellite! So, take any dish and hook it up to a tv tuner or sdr, because you sure as hell don't want to play with the old card-based boxes right? Maybe the newer ones you can do eeprom flash to? whatever. Get control and point it toward the equator and scan. Many people where I live say approx 4 fingers up from the south horizon. Now that you know where I live because of that lets move on. 
    • cards were always easy to hack, just tell it to approve things. The reader they gave workers are out there but you can use your own almost the same way you can a credit card
    • eeprom is eeprom. Go to any diy site. you'll understand. 
    • decryption >:( 
      • service based decryption is a pain in the dick. luckily, z3 and computer vision have come to our rescue. Using the service setup on any box from (pick your service), you can find whatever service you want and test until you find which possibilities work with input to get a picture that's recognized as potentially something known (where computer vision comes in). 
      • disclosure: pretty sure you can still be tracked by this, ask your local ham radio operator and they will discuss how stupid this idea is.
      • also: fuck it, do it anyway. Except i'm not actually encouraging that because in some places that would be illegal. Take this as a joke. 
  • I probably should have said this first, reverse engineering isn't a single technique but a manner of thinking about or understanding things. Take the satellite example, in order to know how to decrypt we have to identify the decryption scheme. Luckily, it's given to us all we need to do is basically brute it with constraints. How do we know how to use the cable lines to get cable or how to spoof to get them to not notice? How do we clone cell phones or abuse towers to track people's movements between active towers? We learn how it functions. In many cases, this is reflective. We see the results and have to find a way to deduce the origin in order to replicate.
  • Espionage: because reversing is hard yo! hehe. The benefit of spying, stalking, monitoring, etc... other than cheap voyeur thrills or making money, is that you can learn a lot by simply letting things happen and seeing them. With humanity by seeing the way people act when no one is watching, with computers by letting them run, with new technology by watching how it's controlled, or with software by watching it through a debugger. It's all functionally the same in the end. You have access to something and are spying on it. Don't you secretly love it?
Okay I've sort of gotten off track but you get the point right? right? Well, let me restate, this is the way I think about life. Everything in life. Even math is easy because 73-28=(-5)+50=45 (don't forget to add zeros to match the place value). This is easier for me than 73-28=(13-8=5),(6-2=4)=45. Which is still easier than how kids are taught now, which is (70+3)-(20+8), (70-20=50)-(8-3=5). If that last one looks stupid to you, it did to my kid too. Because it is.

Now here's where I fail, there is a lot of math ideas and mechanisms that I don't know. Because it is still a growing field I do hope people can continue learning it. There have been many mechanisms and theorems overwritten several times due to being able to eventually be disproven as completely functional in all situations. The part that bothers me about that however, is unless you're monitoring white papers and doing research frequently, you don't know the latest and most up-to-date studies and techniques. This is true of the medical profession, psychology, computer science, chemistry to some extent, whatever. While I have seen people brag about their scholarly time, they forget to keep themselves updated in the academia. Others who do keep themselves there, occasionally find themselves looking down on those who don't. It is to this point I would like to discuss another topic. Virii. 

When I was a wee lad, or well, like 10 lol, I came across some bulletin boards that discussed writing viruses. At the time, the reference they had was a particular bbs server that also had open-to-all irc, including making channels. So of course, irc virii right? Well, my first few attempts were largely batch files that dumped data they found then loaded it into a series of comments, with my side holding onto the comments. Absolutely 0 encryption or obfuscation, or anything. Then again, I'd never actually heard the term obfuscation until I had a real job. Prior to that, it was all about krypting, which seemed like more effort than it was worth usually. After reading a few more long winded text files, I added in some features, like waiting for a specific user to respond with commands to perform. But I always hated the batch start:/end: nonsense, I basically just caused it to reopen itself and run the same like 6 things including one attempt at (run whatever the latest command in chat was, from command.com). You can see why this would have been an absolutely trash way of doing things especially by the time this was still being used in the winderps xp days. I actually made more batch script virii, including ones that propagated in fun manners, than I had anything else. I've tried c, c++, visual foxpro, python (2 and more recently 3), java, etc... never really liked c#/vb/vbs though and java... I don't do that again. But it was just easy to make a quick one time batch virus and run it then and there. At one point, there was a keylogger that was written for windows 2000 that I found out ran on windows 98 better, but I want to say that was like back in old packetstorm days. Back when milw0rm was important. haha. Anyway back then, people liked using the phrase virii instead of virus being plural or saying viruses and to this day I'd like to remember those as the important days of virus writing. 
When a batch script meant you had access to anything from banks to major businesses to cameras showing corruption at your local schools.

Why is this so important? Because today scholars, businesses, and other researchers are using powershell for viruses and still calling virus writers the evil scum of the earth. Welcome to 1998, boys and girls. Today, we will be writing a very basic backdoor in go, then compiling it to wasm. For example purposes, that is. Nothing more.

I've actually been meaning to give a good example of the ease of this at some point anyway, so lets do this.

Steps:
  • To start with, we're going to quickly google because we don't know shit about this language other than it compiles to wasm, so lets google for "go reverse shell"
  • We don't give a shit about being script kiddies (thats why you've made it this far in my babbling isn't it?), so lets go ahead and just straight up clone their script. 
    • I'm going to use nano, and open test.go as my file to write this to. 
    • going to change the net.dial part to be my host:7000 because it seems like a fun number.
  • Uh oh, I don't know how to compile to wasm, back to google. 
    • I'm making this super easy for ya: https://www.sitepen.com/blog/compiling-go-to-webassembly/
    • okay so I need to install go via brew. Damn it, brew isn't installed, luckily I get this pretty little warning that says to run "apt install linuxbrew-wrapper"
    • damn it can't run as root, but that's the only user I have!?!?!
      • I checked /etc/passwd, apparently postgres has a shell associated. Fuck it, i'll compile with postgres
        • ps: don't do this, make a new user for fucks sake, or google how to run brew as root.
        • there are other ways to install go as well, google harder.
      • I should say, I just did this the more appropriate way and used the tar file, ran from extracted version
        • root@docker:/test# GOOS=js GOARCH=wasm go/bin/go build -o test.wasm
        • root@docker:/test# ls
        • go  go1.12.3.linux-amd64.tar.gz  test.go  test.wasm
  • Next we're going to load this into a webpage, luckily for all of us, we already have the reference for that over on the sitepen site. Which basically says go comes with premade version. There are other (google it) and easier ways to load wasm (again for the love of god google it), but this is easy mode example.
    • root@docker:/test# cp go/misc/wasm/wasm_exec.* /var/www/html/
    • root@docker:/test# mv test.wasm /var/www/html/
    • root@docker:/test# nano /var/www/html/wasm_exec.html (in case you need to change the wasm file pointed to; the default I believe is test.wasm)
  • now to test it by going with a browser to this
    • the default one didn't work for me, run function failed. I edited it to force the run function to always run. 
    • had to wrestle with a series of script blockers I had too so I just went to my phone instead
  • https://www.virustotal.com/#/file/d5491b3122cd22dd64a3c8f2220adec29534d34bf606588f0f5ef6143d92cfa9/detection
There you go everyone, easy, cheap, backdoor everything. (disclaimer, permissions limit the capability of this working, script blockers that block wasm will keep this from working, script blockers that block js will keep this from working, etc... but let's face it, the importance here is that I can get limited shells on cellphones with nearly 0 effort. haha)

This sort of shitty virus writing is important for a number of reasons when investigating malware. 
  • Many malware samples you'll find, including people bragging about their super custom fud blah blah blah, do this exact pattern in order to add on features they feel are needed. Sometimes, playing with python, I add features like sniffing instead of port binding, or import data downloaded from c2 so I can always customize on the fly (also keeps filesize down. python is big). But sometimes, I'll see msf or pupy have features I like in their interface, so needless to say I just grab it. Not even the same language? Who cares, it's all about functionality that I'm jacking for what I'm doing now. 
  • scripting languages are able to be bound to other languages, so a 20 line script turns into 20 byte shellcode, or 3mb wasm. (lol)
  • Pretending like virus writing itself is hard is foolish. It's a matter of implementing techniques for your audience, that's the kicker. A file that 0fills itself and drops a completely unique version next time is sweet, but what if you never have to have a file to begin with and either update someone else's file (like registry persistence updates registry files) or maintain a network persistence that lets you rejoin when you want (like hijacking the ram on a printer to do your dirty work every time it sees the computer rejoin the network). 
But now here's the fun part. With time, the file I uploaded to virus total will be available to everyone through their sharing services. You can find my c2. You can find lots of other goodies, if you dare. So with that, I'll leave this alone on a final thought. If we know how different services and operating systems set up packets deviantly, such as through nmap or p0f, if someone had a copy of scapy, what's the chance they could just fake everything. Fake os, fake ftp, fake webserver but real content, hmm... What if one file simply ran all of these things as a reason to fuck with you? Can you detect it? You'll normally know best when exploits work, because only the real ones should give you the right responses back I'd assume. Honeypot methods to play with some other time, but I guess, what if you intentionally provided services to get responses that tested os fingerprint techniques? Almost as fun as testing if nmap is scanning versus masscan.

10.13.2018

Lessons

Today I just want to rant about some lessons I've learned recently. For starters, on a philosophy level there will always be a sense of each student teaches the next generation. This has remained for a fair amount of time and today I see few people recognize this. Therefore I find it is my duty to inform anyone who bothers to listen. It's becoming more and more noticeable that people will get praised for doing truly minimal work, if they simply keep at it until they do it. While others get no praise trying to go and do more than what's needed. To me, hard work isn't busting your ass on a computer for 13 hours, it's redoing a metal roof in the middle of summer for 13 hours. So I find that praise for minor accomplishments means very very little to me, but apparently means something to others. I've witnessed other people with a real work ethic get into these situations too as of late. In the end, duty becomes more meaningful than work if work is just business. The lessons for today are a passive approach to being modern attacking parties.

To start, we really need to discuss the mentality of various attacking parties. The old reference from the ghost in the shell series is a personal favorite of mine: "a basic rule of thumb about hackers is that we live to peek at things that others have hidden, it's our nature." I note this reference because today we see many posts and references about politically based cyber attackers, motivated hackers, or apt, or blah blah blah. While there are artists who use hacking as their method of expression, and there are those who simply want to learn, the ones people care about most are the ones that impact the dollar. So, the motivations of those who people care the most about are usually business related. Go figure. You make it your business to go in every day, collect everything from coins to secret documents, spy on your enemies because boss man said to. Then you go home and do what you do and come back to do it again. But what about those who really just like to pry? A paid spy will sit around only so long as it may prove beneficial to the goals, even then they will dump everything when they're done. Someone who enjoys it however, will dig through everything they can, because they enjoy it. In many ways, these are your stereotype 90s hackers. You know, nerds who probably got picked on in school, not really popular but just popular enough to stop from being the outcast, etc... The reason why these make such good candidates for this is largely because of the nature of bullying in society. I'll give an example. Let's have a kid named Timmy. Timmy goes to school and enjoys it but doesn't make friends very easily. After a couple years of school, Timmy notices that people are trying to pick on him more and more. When Timmy brings this up to the people in charge he's shown that the people in charge do not care. That's step one. Breaking down the illusion of authority. 
Timmy then proceeds to get picked on and aggravated by siblings and the parents simply consider it kids being kids. This is step two, breaking down the illusion of close relationships. Once he has these two ideas shattered, most probably between the ages of 7-13, is the best time to introduce ideas such as hiding information or un-hiding information. In many ways, we see this play out in the sense of cartoons and comic books. Back at school, his grades will slip because he sees the institution as problematic for personal growth. With access to criminalized information such as the anarchist cookbook, weapons training, or biochemical engineering, Timmy sees an escape window in finding information regardless of boundaries. Timmy is now ready to begin his journey as a spy.

For those with a psych degree, this is also often the way sociopathy is found in the wild. Sort of irrelevant to the topic though. So now that we have some understanding and I made this into a story line for entertainment purposes, let's move forward with the assertion that stories help people who would otherwise not care feel a part of something and continue reading. People often argue if data can have ownership. There are laws against knowing certain things, such as having ready access to another person's social security number is a crime in America yet knowing they're just organized numbers is okay. You can study the pattern of a social and recognize it by that, but you cannot recognize it by it being recorded as a social. Call it "factor x" instead of social security number and you're reasonably safe unless you associate that with other factors, which makes it a doxing case. Knowing the law seems useless to most who don't commit crimes; knowing how to skirt the law is how you make lawyers, mobsters, and the guys you generally want helping you. Just in case. Timmy has the option to be all three. But regardless, he needs to spend his time learning, does he not? Well then, let's say he spends a few years, maybe until he's 14, learning what he can and using whatever techniques he can to get through it. There is little doubt with the current usage of the internet that Timmy will either hit on piracy, hacking, or otherwise accessing data illegally. He's okay with it. He meets some people on an online game he's playing and decides to take their advice and start breaking into stuff. After just a short while, he's gone through all sorts of tools, techniques, and skills otherwise expected of professional pentesters. This gives him a means of socializing after everything else broke down. This is now his life and he starts showing off his skills to get more of a social applicability. 
He's quickly shut up in some groups because he went too far and didn't say the right things. He was put in his place. However, as with most people, this encouraged him to get better, prove his points. After some back and forth with this, he created his own hacker group with a couple of gamer friends. We'll call his group, level7. 

At first, level7 started out with everyone joining together to break into a few websites, inject code on some blogs here and there, but it soon became not enough for Timmy. He felt like having more access. So he quickly found a tutorial on how to make malicious bots, trojans, and scripts. Since RATs are the most common today, let's dive into how he sets up his rat. He starts by seeing lots of coding projects that seem really advanced or really well planned. He didn't have time for all that, he just wanted to explore after all. So now he's stuck facing code chunks from several different programs. He smashes together what he likes and abandons everything he doesn't. He now has yet another zbot clone. Surprise surprise. He learns quickly which ones do and do not get flagged by antiviruses and happens to realize that his school is using one of the antiviruses that don't flag this particular method immediately. Still, he's too concerned so he researches how to hide malware from being detected. This immediately shows up with crypters, outdated binding techniques, and process injection techniques. Now, he doesn't have a lot of coding experience, but he also feels he doesn't need it. The code is out there if he wants, he'll just smash it together and see what happens, if it fails he'll try another until he gets it. A master of the learning process we all go through for everything we do. What Timmy finds out from it all is that he can use another process to load his process so it never appears valid. He also finds, since this is modern day Timmy, that he can load this stuff from a webpage. So he gets a loader, he gets his zbot panel, he breaks into a site and drops the zbot malware, then sends the loader to his targets. He had read recently about setting up port forwarding and using free vpns to help with controlling traffic without showing who he is, so no need to worry, he's safe. 
Now, mind you, his level7 group still expects him to keep up with breaking into more websites as part of what they do together. He doesn't want to miss socializing with them. So he begins work on automating his tasks so he can goof off while still getting results. He knows not to make it go too fast or it will look like he wasn't doing anything. So he sets up his scripts to hit a few websites a week. 
Now we're getting to the good stuff. A few more years go by and he's developed quite the knack for ratting and botting systems. But he wants to start diving into better architecture schemes for his botnets. As a 17 year old, almost out of high school, he's left to wonder: well, what else have other people done? He digs through all sorts of documents from tor and i2p services up through using public images to transfer between infected systems and a controller. He also looks at enterprise solutions and tries to identify tricks they do. But with all that time studying how people act and how people react, he learns a few key notions. Like people ignore what they find common, and random callback times that can last days or weeks or even months help prevent destruction of the malware before data is provided. He also learned about the cost of cloud computing around this time. Especially on pay by the hour plans, or container based computing. This opens up whole new worlds because he can sell pirated software and music for money, or he can just go work at a local convenience store for the money. It doesn't matter, just enough to get a couple systems once in a while for a few hours. So, to put it bluntly, he has the understanding of long term study and short term infection/update/exposure. This is easily achieved in modern attacking structures based on the availability of cloud platforms for the rapid infection and thanks to generation and injection techniques for the long term study. But still something is missing. He needs a way to dive back in years later if so needed to catch up on what's what. Especially to feed his eagerness to learn. Hard to learn if you just sit back all the time and not get messy. At the same time, his friends over in level7 stopped wanting to be a part of it. He got upset with them and threatened to dox them. He's an uppity teen, what did you expect? 
So to react to his actions, his team said they won't bother doxing him, they'll crash every end of his botnets and won't stop until every tie is broken.

We come now to a critical part of the story because to protect his own architecture and shut down any they make, as well as protecting against the people he hacks from finding out, he really needs to step up his game. He can't stick to childish shit like web hacks forever. Taking a deep dive into obscurity there are a few things to know about being in an attack-attack scenario. First off, security professionals for some reason appear scared of the term hack-back. Hack-back architectures are designed for this exact scenario, not your corporate bullshit. As an acting party, you have the ability to attack anyone who dares try to stop you. Now, normally this scenario only means silly things like escaping a docker instance and hanging out talking with Russians via wall, or logging into the same windows server as 30 other people. You are likely to be attacked because of the notice that you've entered the game. In a more realistic set, what you need for your daily operations for this cloud structure: a means of firewalling, log analysis, pcap/packet replay, spinning up and down services, antiforensics for when completed with each remotely launched script or container... or both (bail script?), a script to compile or re-configure malware, a script to launch malware, and a script to launch additional attacks. Luckily you can do most of those with any scripting language (perl, python, php, ruby, etc...) and these are supported by most cloud services. But that only gets you the technical side. You also need strong opsec. Wasting custom made malware is tiresome, so you launch ones that are well known to ensure infections first, then upgrade those later to your custom malware when needed. Need a domain under your control: don't worry, people don't shut down domains even if they're involved with malware if they don't resolve to something identifiably malicious. 
Such as, a domain that's just set to 0.0.0.0 until someone decides to use it, instead of because the no-ip site decided they were abusive, or domains you hijacked from someone else that you can change the resolution for whenever you want. These techniques help you hide your resources for domain usage. You can also hide your resources for ip usage by frequently changing ips on a domain you are actively using. Just accepting the risk of 20 successful callbacks out of 20,000 is a hard task, but when you do it, it becomes a lot easier. It's also safer to keep with your 20 and use them the best you can first. Then bail on each of them you can't use for a long period of time.

You may have noticed I went away from the story to just tell you information. That's because all you have left to know is why it's all important. A single individual can play these large scale numbers games that other people are still associating to apt groups. A single individual can clone the samples and internal techniques of some of the malicious acting parties (such as apts) to mask their own intentions. They can even go as far as to say that a 30 second docker instance can infect 20,000 hosts, which you can accept just getting a smaller amount of and moving along. On top of this, we can look at domains that have been zeroed out by admin or by registration timeout, and take over domains other people left behind. What's that, njrat from 2013? let me start my njrat panel... aaaaand now you have the people someone wanted to impact before you took their domain. granting you access into another person's botnet structure, again able to mask your own. Again talking to russians because lol.

The key to living this life, is by all reasons, applying the lessons of the art of war. But that's the problem everyone misses these days. Hacking, in any respect, is leveraging what you have to make something else. So the art form, regardless of subpart, is the leveraging. Techniques and tools come later. 
