
Kevin Poulsen, editor at WIRED magazine and, in his black-hat youth, the hacker known as Dark Dante, wrote a book about one acquaintance of his.

The book traces the path from teenage geek (and a rolling one at that) to seasoned cyber-kingpin, and also shows some of the methods intelligence agencies use to catch hackers and carders.

The quest to translate the book began in the summer at an IT camp for high-school seniors ("Kingpin: school students translate a book about hackers"); then Habr users joined the translation, and even some editing.

Chapter 24. "Exposure"

(thanks to satandyh for the translation)

Accusation

"Tea, those little girls are white trash. You're better off not making friends with them," Chris said. "Their brains are different."

They were sitting in Naan and Curry, a 24-hour Indian-Pakistani hole-in-the-wall in San Francisco's theater district. It was three months after Tea had met Chris, and she was with him on one of his trips to the Bay Area, where he met his mysterious hacker friend "Sam" just before dawn. They were only four blocks from Chris's safe house, but Tea still had not been introduced to the hacker, not now and not before. Nobody met Sam in person.

She was fascinated by how it all worked: the cashless nature of the crimes and the way Chris organized his crew. He had told her everything once he decided she was ready, but he never asked her to make purchases in stores like the others did. She was special. He didn't even like her hanging around with the cash-out crew, worried that they might somehow harm her.

Tea was also the only worker who wasn't paid. After she refused the $40 Chris left on a nightstand, he decided that Tea would not take any money from him, despite the long hours she spent on CardersMarket and on the Russian crime boards. Chris covered Tea's rent, bought her clothes and paid for her travel, but she still found this existence a little strange: a life online, travel by confirmation numbers rather than airline tickets. She became a ghost: her body was in Orange County, while her mind was most often projected to Ukraine and Russia, supporting the leaders of organized cybercrime as the emissary of Iceman, that is, of the Western carder world.

She decided that Iceman was pleasantly cool toward her. He was always polite and friendly. When Chris and his partner had one of their fights, each of them would whine and gossip to Tea about the other over ICQ, just like children. At some point Iceman told her a load of dirt and suggested she go into business on her own, a move that made Chris snap with irritation.

One day Chris and Tea were hanging out at the Indian snack bar when a tall man with a braid came in from the street and went to the back of the room to the register; his eyes slid over them for a moment before he picked up a takeout bag and disappeared.

Chris smiled: "It was Sam."

Back in Orange County: Chris's fraudulent operations brought in enough to send his children to private schools, to cover Tea's apartment, and in July to start looking for a big, nice house for himself and his family. He went house-hunting with Dzhennon and, in the coastal town of Capistrano Beach, found a spacious two-story rental towering on a cliff above the sandy beach at the end of a quiet cul-de-sac. There were friendly neighbors with basketball hoops hanging over their garages, and a boat moored at the neighboring dock. The move was set for July 15.

Dzhennon flew back for the July 4 holiday, Chris's last in his old apartment, but was forced to go back to Tea's place while Chris spent time with his family. This happened all the time: Dzhennon would fly into John Wayne Airport expecting to hit the clubs with Chris, and instead would be forced either to disappear from one of the crews or to babysit Chris's boys at his place. Tea was quite tolerable, unlike the cheap girls who cashed out Chris's cards, but the time in the Dana Point apartment was really just wasted.

He called Chris and complained that he was bored. "Come over to the house," Chris said; they were in the pool. "My wife and kids are here."
Dzhennon invited Tea, who had never seen the hotel-like complex where Chris lived, just four miles from her place. When they arrived, Chris, Clara and a couple of the boys were splashing in the pool, enjoying the sun. Dzhennon and Tea said hi and settled onto chaise lounges by the house.

Chris was dumbfounded. "I see you brought your girlfriend," he told Dzhennon with irritation.

Clara knew Dzhennon, the nanny, but had never seen Tea. She looked at the stranger, then at Dzhennon, then back at the Mongolian woman, and understanding and anger warped her face.

Dzhennon realized he had done something stupid. The two women looked strangely alike. Tea was a young version of Chris's wife, and from the first glance Clara knew that her husband was sleeping with this woman.

Chris pulled himself out of the pool and, with a neutral expression, walked over to where they were sitting. He squatted down in front of Dzhennon, water dripping from his hair onto the concrete. "What are you doing?" he said in a low voice. "Get out of here."

They left. For the first time since she had joined Chris Aragon and his gang, Tea felt dirty.

Chris wasn't angry; yes, he was the guilty one, but as an alpha male he had enjoyed the show of Tea and Clara in the same place. Nevertheless, his infatuation with Tea had become a problem. He had truly grown attached to her and her unusual habits, but she had become an unwanted complication.

He found an ideal way out of the situation. He simply bought her a plane ticket for the long trip to her homeland: he literally banished his mistress, his flame, to Outer Mongolia.

While Chris was distracted by his tangled love life, CardersMarket consumed more and more of Max's time, while he still ran his business in the role of "Digits". Now he was working the food-service industry, and it was paying off handsomely.

It began in June 2006, when a serious security hole appeared in the software of RealVNC, the "virtual network console", a remote-control program used to administer Windows machines over the Internet.

The bug was in the short handshake that preceded the establishment of every new session between a VNC client and the RealVNC server. The critical part of the handshake came when the server and the client agreed on the security type to apply to the session. It is a two-step handshake. First, the RealVNC server sent the client a short list of the security protocols it was configured to support. The list is just an array of numbers: for example, [2, 5] means the VNC server supports security type 2, a fairly simple password-authentication scheme, and type 5, a fully encrypted connection.

In the second step, the client told the server which of the announced security protocols it wanted to use, sending back the corresponding number, like ordering Chinese food by its number on the menu.

The problem was that the RealVNC server never checked the client's answer to see whether it was on the menu it had offered. The client could send back any security type, even one the server had not announced, and the server accepted it unconditionally. That included type 1, which almost never appeared in the list, because type 1 meant no security at all: it let you log in to RealVNC with no password.

Modifying a VNC client so that it always sent type 1, turning it into a skeleton key, was a trivial matter. An attacker like Max could point the hacked software at any box running a vulnerable RealVNC and instantly enjoy easy access to the machine.
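The handshake described above, modeled as an added example (not code from the book or from RealVNC): the security-type numbers 1 (None) and 2 (VNC Authentication) follow the RFB protocol; the wire format here is the RFB 3.7 one-byte count followed by one byte per type, and the function names are constructed for this example. The vulnerable server trusts whatever single byte the client echoes back; the hardened server checks that byte against the list it actually offered, which is the one-line check the page says was missing.

```python
"""Simplified model of the RFB 3.7 security-type negotiation.

Added example, not RealVNC's code. Type numbers 1 and 2 are the real RFB
values; the function names and the sample exchange are constructed here.
"""

SECURITY_NONE = 1        # no authentication at all
SECURITY_VNC_AUTH = 2    # challenge/response password scheme
SECURITY_RA2 = 5         # RealVNC's encrypted connection type


def server_security_message(offered: list[int]) -> bytes:
    """Step 1, server -> client: a one-byte count followed by one byte per type."""
    if not offered or len(offered) > 255:
        raise ValueError("offered list must hold 1..255 types")
    return bytes([len(offered), *offered])


def parse_security_message(msg: bytes) -> list[int]:
    """Client side: recover the list of offered types from the wire message."""
    if not msg or len(msg) != 1 + msg[0]:
        raise ValueError("malformed security-types message")
    return list(msg[1:])


def vulnerable_accept(offered: list[int], client_reply: bytes) -> int:
    """Unpatched behaviour: trust the client's single byte without looking at `offered`."""
    return client_reply[0]


def hardened_accept(offered: list[int], client_reply: bytes) -> int:
    """Patched behaviour: the chosen type must be one the server actually offered.

    Anything else, including type 1 when it was not offered, aborts the handshake.
    """
    if len(client_reply) != 1:
        raise ValueError("client reply must be exactly one byte")
    chosen = client_reply[0]
    if chosen not in offered:
        raise PermissionError(f"security type {chosen} was not offered")
    return chosen


def hardened_accepts(offered: list[int], client_reply: bytes) -> bool:
    """Convenience predicate: does the hardened server let this reply through?"""
    try:
        hardened_accept(offered, client_reply)
        return True
    except (ValueError, PermissionError):
        return False


def session_requires_password(security_type: int) -> bool:
    """Only type 1 (None) skips authentication entirely."""
    return security_type != SECURITY_NONE


if __name__ == "__main__":
    # constructed exchange: server offers [2, 5], exactly the menu from the text
    offered = parse_security_message(server_security_message([SECURITY_VNC_AUTH, SECURITY_RA2]))
    # a client that picks a type from the menu is accepted by both servers
    print("menu choice accepted:", hardened_accept(offered, bytes([SECURITY_VNC_AUTH])))
    # a client that sends type 1 skips the password on the vulnerable server ...
    print("vulnerable server asks for a password:",
          session_requires_password(vulnerable_accept(offered, bytes([SECURITY_NONE]))))
    # ... and is rejected by the hardened one
    print("hardened server accepts type 1:", hardened_accepts(offered, bytes([SECURITY_NONE])))
```

The fix is deliberately boring: the server keeps the list it sent and refuses any reply that is not in it. The same pattern applies to any negotiation where one side announces capabilities and the other picks one; the announcing side must validate the pick against its own offer rather than trusting the peer's echo.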

Max started scanning for vulnerable RealVNC installations as soon as he learned about this gaping hole. Dizzily, he watched the results scroll down his screen, thousands of them: computers in homes and college dorms, machines in Western Union offices, banks and hotel lobbies. He logged in to one at random and found himself looking at hallways through the surveillance cameras in the lobby of a closed office building. Another computer belonged to a Midwestern police department, where he could listen in on 911 calls. A third took him to a homeowner's climate-control system; he raised the temperature by ten degrees and moved on.

A tiny fraction of all these systems was more interesting, and familiar thanks to his continuing intrusion into Pizza Schmizza. They were restaurant point-of-sale systems. They were money.

Unlike the dumb terminals sitting on the counters of liquor stores and grocery stores, restaurant systems had become complex all-in-one solutions that handled everything from taking orders to seating tables, and all of them ran on Microsoft Windows. To support the machines remotely, service providers installed them with commercial backdoors, including VNC. With the skeleton key for VNC, Max could open many of them at will.

So Max, who had once scanned the entire U.S. military network looking for vulnerable servers, now spent days and nights trawling the Internet for computers, finding and hacking pizzerias, Italian restaurants, French bistros and American grill bars, collecting credit-card magnetic-stripe data wherever he found it.

By Visa's security standards this should not have been possible. In 2004 the company prohibited any point-of-sale system that stored magnetic-stripe data after a transaction completed. To comply, all the major vendors released patches that protected their systems from carders. But restaurants were in no hurry to install them.

Max's scanning technique had several interacting parts. The first went out searching for installed VNC using a fast "port sweep", a standard reconnaissance method that relies on the openness and standards of the Internet.

From the very beginning, the Internet's network protocols were designed to let computers juggle different kinds of connections at the same time; today those can include e-mail, web traffic, file transfer and a hundred more exotic services. To keep all this separate, computers set up new connections using two pieces of information: the IP address of the destination machine and a virtual "port" on it, a number from 0 to 65535 that identifies the type of service for the requested connection. The IP address is like a telephone number, and the port is like the extension you dial into a company's switchboard so that it can route your call to the right department.

Port numbers are standardized and published online. E-mail software knows that the port for sending a message is 25; web browsers connect to port 80 to reach a website. If a connection on a specific port is refused, it is like an unanswered call: the service you are looking for is not on that IP address.

Max was interested in port 5900, the standard port for a VNC server. He configured his machines to comb through wide swaths of the Internet's address space, sending each address a single sixty-four-byte synchronization packet that checked whether port 5900 was open for service.

Addresses that answered his probe were handed to a script Max had written in Perl, which connected to each machine and tried to log in using the RealVNC bug. If the exploit didn't work, the script tried common passwords: 1234, vnc, or a blank line.

If it got in, the program pulled some preliminary information from the computer: the machine name, plus the resolution and color depth of the monitor. Max ignored computers with low-quality displays, assuming they were home computers rather than business ones. The operation was very fast: Max ran it on five or six servers at once, each of which swept a class B network, about sixty-five thousand addresses, in a couple of seconds. That way his list of installed vulnerable VNC grew by roughly ten thousand entries a day.
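From the defender's side, the sweep described in the last few paragraphs has a distinctive shape: one source sending a single SYN to port 5900 on thousands of different hosts within seconds. The detector below is an added example, not from the book or any product; the firewall log format, the sample lines and the thresholds are all constructed for it. It groups SYN events by source and destination port and flags any source that reaches at least five distinct hosts on one port inside a sixty-second window.

```python
"""Port-sweep detector for SYN probing of one port across many hosts.

Added example; the log format below is assumed for this example and the
sample lines are constructed (RFC 5737 documentation addresses).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line shape: "<date> <time> SYN src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one sweeper on 5900, one normal web client, one slow
# source that touches three VNC hosts but spread over most of an hour.
SAMPLE_LOG = """\
2006-06-12 02:14:01 SYN src=203.0.113.7 dst=198.51.100.1 dport=5900
2006-06-12 02:14:01 SYN src=203.0.113.7 dst=198.51.100.2 dport=5900
2006-06-12 02:14:01 SYN src=203.0.113.7 dst=198.51.100.3 dport=5900
2006-06-12 02:14:02 SYN src=203.0.113.7 dst=198.51.100.4 dport=5900
2006-06-12 02:14:02 SYN src=203.0.113.7 dst=198.51.100.5 dport=5900
2006-06-12 02:14:03 SYN src=203.0.113.7 dst=198.51.100.6 dport=5900
2006-06-12 02:14:03 SYN src=203.0.113.9 dst=198.51.100.20 dport=80
2006-06-12 02:14:04 SYN src=203.0.113.9 dst=198.51.100.20 dport=80
2006-06-12 02:14:04 SYN src=203.0.113.9 dst=198.51.100.21 dport=80
this line is deliberately malformed and must be skipped
2006-06-12 02:14:05 SYN src=203.0.113.44 dst=198.51.100.30 dport=5900
2006-06-12 02:30:00 SYN src=203.0.113.44 dst=198.51.100.31 dport=5900
2006-06-12 02:50:00 SYN src=203.0.113.44 dst=198.51.100.32 dport=5900
"""


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def max_distinct_targets(events, window: timedelta) -> int:
    """Largest number of distinct destinations hit by one (src, dport) pair
    within any interval of length `window`. events: iterable of (ts, dst)."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        seen = set()
        for ts, dst in events[i:]:
            if ts - start > window:
                break
            seen.add(dst)
        best = max(best, len(seen))
    return best


def detect_sweeps(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Map each sweeping (src, dport) pair to the distinct-host count that tripped the rule."""
    per_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed or non-SYN line
        ts, src, dst, dport = ev
        per_pair[(src, dport)].append((ts, dst))
    alerts = {}
    for key, events in per_pair.items():
        n = max_distinct_targets(events, window)
        if n >= threshold:
            alerts[key] = n
    return alerts


if __name__ == "__main__":
    for (src, dport), n in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"sweep: {src} probed {n} distinct hosts on port {dport} within 60s")
```

Keying on (source, destination port) rather than on source alone is what separates a sweep from a busy but legitimate client, and the sliding window keeps a slow scanner from hiding behind a long log. In practice the threshold is tuned per network, and the same function can be pointed at any port of interest rather than just 5900.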

Point-of-sale systems were needles in a huge haystack. He could identify some just from the name: "Aloha" most likely meant the Aloha POS terminal made in Atlanta by Radiant Systems, his favorite target; "Maitre'D" was the competing product from Posera Software in Seattle. For the rest he had to guess. Any machine named "Server", "Admin" or "Manager" deserved a second look.

Slipping in through the VNC client, Max could see the computer's screen as if he were sitting in front of it. Since he worked at night, the idle PC's display was usually dark, so he would casually nudge the mouse, dismissing the screensaver. If someone happened to be in the room, it might have looked a little creepy: remember that time your computer's monitor lit up for no reason and the cursor twitched? That could have been Max Vision taking a quick look at your screen.

This part of the check was slow. Max enlisted Tea to help: he gave her a VNC client and began feeding her lists of vulnerable machines, along with instructions on what to look for. Soon Max was connected to eateries across America. A Burger King in Texas. A sports bar in Montana. A trendy nightclub in Florida. A California grill. He moved on to Canada and found even more.

Max had begun selling stolen dumps from a single restaurant. Now he had a whole hundred of them, feeding him credit-card data practically in real time. Digits was going to have a lot more work.

With such a large volume of work, Dave "El Mariachi" Thomas picked a bad time to become a pain in Iceman's ass. In June Thomas did something almost unprecedented in the narrow circle of the computer underground: he took the forum conversations public, into normal cyberspace, attacking Carders Market in the comments of a widely read computer-security blog, where he accused Iceman of being connected with "LE", law enforcement.

"There is a website hosted in Fort Lauderdale, Florida," Thomas wrote. "Actually it's located in someone's house. Nevertheless, LE refuses to shut them down. Despite the fact that this website sells PIN codes and PayPal, eBay numbers and so on, LE keeps watching other players the whole time."

"LE claims they can do nothing about a website hosted on U.S. territory. But, truth be told, LE started this website, just as they did with Dark Artel."

By emphasizing where Carders Market was hosted, Thomas was aiming at Iceman's Achilles' heel. The site was still purring along peacefully because Affinity had not yet noticed the illegal server among its ten thousand legitimate websites. El Mariachi worked to change that, filing complaint after complaint with the company. The tactic had a logic of its own: if Carders Market really was under government control, the complaints would fall on deaf ears; if it was merely a criminal website, Affinity would remove it. If Iceman drowns, he's not a witch.

A week after Thomas's post, Affinity abruptly cut off Carders Market. The shutdown angered Max; he had had a good deal at ValueWeb (the hosting company). Now he had to look for a new legitimate host abroad that could stand up to El Mariachi, among companies in China, Russia, India and Singapore. It always went the same way: they would ask for a little money up front as a setup fee, and then roll out red tape in front of the door, asking for a passport and a business license or corporate documents.

"It won't fly because you've got a totally IDIOTIC, STUPID NAME, CARDERS saying 'here' or 'THIS IS A CARDERS' MARKET'. So what, huh?" Thomas wrote, taunting Iceman. "Maybe if you didn't shout 'CARDERS WORK HERE', you could have a small working website with the possibility of growing it into the beast you so desperately need."

Now it was personal: Thomas hated Iceman whether or not he was actually a fed, and the feeling became mutual.
Finally Max landed at Staminus, a California firm specializing in high-bandwidth hosting with protection against DDoS attacks. By then Thomas was ranting and raving at him in the comments of a random blog called "Life on the Road"; the blogger had quoted Thomas's comments about Carders Market in a short note about the forums, unwittingly turning the blog into a new battlefield in El Mariachi's war against Iceman.

Iceman took up the gauntlet and posted a long public denial of Thomas's accusations, accusing his enemy of "hypocrisy and slander".

Carders Market is not a "bulletin board for crime", an "empire", or any of the other similar nonsense everyone accuses it of. We are simply a forum that has chosen to allow the discussion of financial crimes. We also grant ourselves the right to judge which participants are genuine and which are fakes, but these are only our opinions; we make no money on it. We are only a medium of information, a FORUM through which this communication can pass without oppression. Carders Market is not involved in any crimes at all. Running a forum and allowing discussion is not illegal.

On craigslist.com there are people advertising prostitution, drug connections and other obvious crimes, but nobody yet calls craigslist a "department store of whores and drug dealers" or a criminal empire. It is regarded as a CARRIER that is not responsible for the content of the posts on it. That is Carders Market's position too.


This brave defense completely ignored the existence on Carders Market of detailed how-to guides for crimes and reviews of systems, not to mention the hidden component of the website: giving Max a venue for selling the stolen data.

Knowing that his California host would not satisfy the underground, Max continued his search abroad. The next month he hacked himself a new server, this time in a country as far from the USA as any on the Net, a country that would hardly respond to Dave Thomas's complaints, or even to the American government.

"Carders Market is now in IRAN," he announced on August 11. "Registration is reopened."

To be continued

Published translations and the publication plan (status as of December 23)
PROLOGUE (School students of GoTo camp)
1. The Key (Grisha, Sasha, Katya, Alyona, Sonya)
2. Deadly Weapons (Young programmers of FSB of the Russian Federation, 23 Aug)
3. The Hungry Programmers (Young programmers of FSB of the Russian Federation)
4. The White Hat (Sasha To, ShiawasenaHoshi)
5. Cyberwar! (ShiawasenaHoshi)
6. I Miss Crime (Valentin)
7. Max Vision (Valentin, 14 Aug)
8. Welcome to America (Alexander Ivanov, 16 Aug)
9. Opportunities (jellyprol)
10. Chris Aragon (Timur Usmanov)
11. Script’s Twenty-Dollar Dumps (Georges)
12. Free Amex! (Greenhouse of social technologies)
13. Villa Siena (Lorian_Grace)
14. The Raid (Georges)
15. UBuyWeRush (Ungswar)
16. Operation Firewall (Georges)
17. Pizza and Plastic (done)
18. The Briefing (Georges)
19. Carders Market (Ungswar)
20. The Starlight Room (???)
21. Master Splyntr (Ungswar)
22. Enemies (Alexander Ivanov)
23. Anglerphish (Georges)
24. Exposure (+)
25. Hostile Takeover (fantom)
26. What’s in Your Wallet? (done)
27. Web War One (Lorian_Grace?)
28. Carder Court (drak0sha)
29. One Plat and Six Classics (+)
30. Maksik (+)
31. The Trial (+)
32. The Mall (Shuflin+)
33. Exit Strategy (done)
34. DarkMarket (Valera aka Dima)
35. Sentencing (comodohacker+)
36. Aftermath (ex-er-sis?)
EPILOGUE

This article is a translation of the original post at habrahabr.ru/post/273725/

