HACKONOMICS 2010

 
TABLE OF CONTENTS

Introduction ........................... 1
Trust .................................. 2
Users .................................. 3
What Happens ........................... 4
Public Vs. Private ..................... 5

TECHNOLOGY
Botnet ................................. 6
Exploit Pack ........................... 8
Crypt ................................. 10
Denial of Service ..................... 11
Bruters ............................... 13
Web Exploits .......................... 15
Loader ................................ 18
Skimmers .............................. 19

SERVICES
Cards ................................. 20
Money Laundering ...................... 21
Password Cracking ..................... 22
Malware/Hackware ...................... 23
Crypt ................................. 24
Denial of Service ..................... 25
Bulletproof Hosting ................... 26
Virtual Private Networking ............ 27
Dedicated Servers ..................... 28
Traffic ............................... 29
Installs .............................. 30
EMail Lists ........................... 31
Spam .................................. 32
Search Engine Optimization ............ 33

PROFESSIONS
Botnet Operators ...................... 34
Crackers .............................. 37
Carders ............................... 40
Drops ................................. 42
Crypters .............................. 44
Coders ................................ 46
Skimmers .............................. 48
Spammers .............................. 50

EXPLOIT PACKS
Exploit Pack Introduction ............. 52
Effective Exploits .................... 53
Popular Exploit Packs ................. 58

PROTECTION
Strong Passwords ...................... 60
Patching .............................. 62
Uninstalling .......................... 63
Separate Browsers ..................... 64
Virtual Machines ...................... 65
Reinstalling .......................... 66
Separate Operating System ............. 67
Awareness and Inspiration ............. 68
Password Management ................... 69
Data Management ....................... 70
Startup Managers ...................... 72
Encryption ............................ 74
Imaging ............................... 77
VPN ................................... 78

INTRODUCTION

1000 hits of traffic cost 1$. A free public exploit pack with a 10% hit rate can get
around 100 bots out of those 1000 hits. That means that each bot costs
approximately one cent. Each bot has the potential to yield at least one set of
credit card information. Each set of credit card information is worth at least 50
cents. Let's say out of those 100 bots, 50% log credit card information. That
means that those 100 bots may produce 50 sets of credit card information. 50 sets
of credit card information worth 50 cents means 25$. The cost of traffic is 1$,
and free bots and exploit packs can be used. With these prices, a botnet operator
may have 25$ return from a 1$ investment, which means a 2000+% profit
margin.

Welcome to hackonomics.

ABOUT HACKING

Using the techniques in this book based only on this book may result in getting
caught, because this book doesn't include much information on not getting
caught.

ABOUT THIS BOOK

This book is mostly in layman's terms, but there is technical information inside.
The technical information is usually given as examples, so it is not important to
understand all of it to get the main ideas of this book.

The information in this book is time-sensitive, because information security
advances very quickly. To get the book in print fast, superfluous details have been
sacrificed. For this reason the book may appear somewhat unusual in terms of
formatting.

ABOUT MACS AND LINUX

Even though all the same techniques can work on Macs, there are so few Mac
users that Mac hacking is simply not practiced on a hackonomically meaningful
scale. The same goes for Linux.

TRUST

Trust and identity are key ideas in information security. A lot of information
security revolves around establishing trust. The hackonomic solution to trust
management is very elegant. Trust in hackonomics is based on reputation.

Typically, a person makes an account on a forum and the posts and files posted
by the person serve as the foundation of their reputation. Because the files and
posts are publicly available, anyone can review them and estimate the value of
this information using their own standards. The peer review assures that there is
little or no cheating. A person that posts a lot of high value files but little
information is suspicious, and therefore not trustworthy. A person that makes a
new account and makes a lot of posts quickly is suspicious, and therefore does
not have a good reputation. Earning a good reputation is a process that takes time
and work. While it is possible to artificially inflate reputation or steal an identity,
that identity will be permanently ruined after cheating only a few people.
Cheating is punished very strictly, so it is usually unprofitable. The price paid by
the people that do get cheated is a small price for the community to rid itself of
members that don't contribute much.

What is elegant about this is that an identity may have trust without being linked
to any specific person. It is considered bad manners to reveal someone's human
identity. Nobody cares if multiple people use the same identity, so long as the
quality of service is good. There has been much effort in the information security
community to link an identity to a human to assure trust, even to the point of
using biometrics and RFID, while a much more efficient solution exists in plain
view.

Perhaps better information security is in the hands of the hackers themselves.

USERS

The bulk of attacks rely on some form of user interaction. The technological
aspect of hacking is used mostly to minimize the amount of user interaction
required to carry out an attack. Fully automated hacking is mostly used to carry
out unsophisticated attacks, such as password guessing. Significant changes on
the infosec landscape are not going to happen until users start taking
responsibility for their own security.

One of the security responsibilities of the user is keeping the software up-to-date.
When each piece of software needs to be updated individually, a lot of software
is left unpatched for a long time. Outdated software often has well-known holes.
Hackers can use these known holes to exploit computers.

Another responsibility of the user is the understanding of at least some security
basics, including understanding the threats. Common threats in 2010 are
explained in this book.

WHAT HAPPENS

When someone gets carded, this is what happens to him or her:

Phone Call - they get a phone call from the bank telling them of unauthorized
activity.

Card Locked - the compromised card is locked, so that it cannot be used to
make purchases or to withdraw funds.

Refund - the money is refunded.

Temporary Card - upon checking in at a bank branch, a temporary card is
issued if it's a Debit card. The temporary card is usually good for one month.

Affidavit - an affidavit arrives in the mail. An affidavit is a piece of paper that
has to be signed and sent back to the bank within a couple of weeks. It is possible
to go to a bank branch and have them fax the signed affidavit to their office. The
affidavit is a document that says that the person did not authorize the suspicious
activity.

New Card - a new permanent card arrives at the person's mailing address.

PUBLIC VS PRIVATE

One of the key ideas in hackonomics is public vs. private. The term “public”
means resources and tools that are available for public and anonymous use. The
term “private” means resources and tools that are available to some specific
people. Here are some defining characteristics:

PUBLIC

Free - the biggest advantage of public stuff is that it is free. There might be some
reputation-based restrictions on who can access public stuff, but these restrictions
get lower very quickly as public stuff is spread out over the Internet.
Old - public stuff is often older versions of private stuff.
Detected - because public stuff is often used by many people and is old to begin
with, it is usually detected by anti-viruses.
Cannot be resold - public stuff cannot be resold because it is available for free.
Attempts to sell public stuff are looked down upon.
Anonymous - public stuff can usually be procured anonymously.

PRIVATE

Costs money - private stuff is usually worth some money and is typically bought
and sold, though it may be traded for other things of value, or shared for free
between partners.
New - private stuff is new, often coming directly from the person who produces
it.
Undetected - private stuff is typically either so new it is undetected by anti-
viruses or crypted to become undetected.
Can be resold - private stuff can be resold for money, however there are often
license restrictions on who is authorized to sell private stuff. These restrictions
are strictly enforced.
Limited access - private stuff is typically traded between people with reputation,
though sometimes it is traded anonymously.

The terms public and private are used very frequently in hackonomic activity.

Technology
BOTNET

A bot is a computer that has malware installed that allows remote control. A
network of remotely controlled computers is called a botnet.

Botnet malware used to be custom written by teams of hackers for personal use.
One of these botnet packages went commercial and became the industry
standard; this botnet is called "Zeus".

A Zeus botnet is controlled through a web site. Zeus bots connect to a Zeus
control panel. When bots connect to the control panel they send logs to the panel
and get commands from it.

Zeus has the following functionality:

Log information submitted in web forms - that means logging all financial
information used for shopping on-line.
Log stored passwords - passwords stored by some popular applications are
logged and sent to the control panel.
Inject code into the web browser - this is useful for making it look like the
person clicks on ads. Advertising services pay per click on the Internet ads.
SOCKS Proxy - proxies allow one computer to connect to the network through
another computer. This is useful for hiding the source of the connection. Many
web sites allow only several failed login attempts, for example five. If a person
uses 1000 proxies, he may be able to make up to 5000 failed login attempts.
Therefore proxies are useful for guessing passwords.
DDoS - a Zeus bot can be instructed to flood another computer on the network.
When lots of bots do this, the target computer can be disconnected from the
network for the duration of the attack.
VNC Remote Desktop - the botnet operator can watch what a person is doing on
their computer and click around at their leisure. While this feature sounds
intimidating it is probably the least used in practice. Someone that controls
>10000 bots probably isn't going to be checking out the desktops of many of
them.
Take Screenshots - Zeus can take screenshots of the user's desktop.
Stealth - Zeus doesn't show up in "Task Manager". New versions of Zeus
sacrificed some stealth to be able to work in Windows 7. Zeus hides inside other
programs when it is running, so it is easiest to detect it by checking the place
where it starts itself. Zeus v2 starts itself from an entry in the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run whose
name looks like {12341234123-1234-1234-3211-1234123412}.

Zeus is being rapidly developed. A current version of Zeus costs between 1000-
10000$. Old versions are free on the Internet. There is also a fake version of Zeus
– Zeus v3 is fake and is basically a cheap Chinese counterfeit.
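A defender-side check for the autostart location mentioned above, added here as an example; it is not code from the book or from Zeus. It flags Run-key entries whose value name is a brace-wrapped GUID-like string, the pattern the text describes. The `SAMPLE_RUN` contents, including the command paths, are constructed, and reading the live key through the standard-library `winreg` module is an assumption about how one would collect real entries on Windows (the check itself runs anywhere on the sample).

```python
import re

# Path of the autostart key named in the text (relative to HKEY_CURRENT_USER).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# A brace-wrapped run of hex digits and dashes, the shape of the value name the
# text describes. Real GUIDs are 8-4-4-4-12 groups; the book's sample is not a
# well-formed GUID, so the pattern is deliberately loose and only requires that
# the name is nothing but braces, hex digits and dashes.
GUID_LIKE = re.compile(r"^\{[0-9A-Fa-f-]{20,}\}$")


def flag_suspicious_run_entries(entries):
    """Return (value_name, command) pairs whose value name looks like a GUID.

    `entries` maps each Run value name to the command line it launches.
    """
    return [(name, cmd) for name, cmd in entries.items() if GUID_LIKE.match(name)]


def read_hkcu_run():
    """Read the live HKCU Run key on Windows via winreg; return None elsewhere.

    Assumption: this is how a defender would gather real entries; it is not
    something the book provides.
    """
    try:
        import winreg
    except ImportError:
        return None
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, index)
            except OSError:
                break  # EnumValue raises OSError once the values are exhausted
            entries[name] = value
            index += 1
    return entries


# Constructed sample of a Run key's contents (not data from a real machine).
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "{12341234123-1234-1234-3211-1234123412}": r"C:\Users\user\AppData\Roaming\Ewuc\yqev.exe",
}


if __name__ == "__main__":
    live = read_hkcu_run()
    entries = live if live is not None else SAMPLE_RUN
    for name, cmd in flag_suspicious_run_entries(entries):
        print(f"suspicious Run value {name!r} -> {cmd}")
```

The name pattern is only a triage signal: legitimate installers occasionally register GUID-named values too, so a hit should be followed by looking at the command path it launches (a user-profile path such as the constructed one above is the more telling half of the pair).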

Zeus is not the only botnet. Zeus is not the most sophisticated botnet in terms of
technology. Good documentation, technical support, pragmatic approach to
functionality, and ease of use are some of the reasons for its popularity. The other
botnets usually implement some of the same functionality but have better stealth.

Other botnet solutions exist. Some of them are direct competition to Zeus. Some
are made for a specific purpose and don't have all the functionality that Zeus has.
Some botnet software is written for personal use by teams.

A typical personal botnet is made of 1000-5000 bots. The largest recorded
commercial botnets are Mariposa at approximately twelve million bots, and
TDSS at approximately sixteen million bots.

EXPLOIT PACK

An exploit is a glitch in software code that can be used to run custom code. When
an exploit is found, the software vendor usually releases a patch to fix it soon
afterwards. Not everyone installs that patch, so some computers are still affected
by the exploit. Different computers have different unpatched software installed.
To maximize the likelihood of at least one exploit working, exploits are bundled
into exploit packs. An exploit pack is a bundle of exploits that are executed
sequentially.

Exploits can be used to run custom code. That custom code is called "shellcode".
The term "shellcode" is related to the twentieth century term "spawning a shell",
which means running a command line. In the twentieth century, exploits were
often used to open a command line interface so that a hacker could send
commands to a target computer remotely. Today, the term "shellcode" is not
technically accurate, but it's still around. Another word that means pretty much
the same thing is "payload". A typical modern payload downloads a program
from the Internet and runs it.

The value of an exploit depends on several factors:

• Age - the newer the exploit, the fewer computers are patched against it.
• Vulnerable software - the more popular the vulnerable software is, the
more computers are vulnerable.
• Reliability - exploits are not 100% effective; the more reliable an
exploit, the more valuable it is. The same computer can run an exploit
ten times and have it work only a couple of times. Good reliability is
seven out of ten or more.

When new exploits come out, there are often no patches for them yet. These new
exploits are called "0day" exploits. The term "0day" is related to the term Day 0,
meaning the day of some planned event. In the twentieth century, hackers would
sometimes write an exploit in secret and prepare an attack. The day of the attack
was Day 0. The exploit was the "0day" exploit. Because the "0day" exploit was
written in secret for a planned attack, there was no patch available and the exploit
was very effective. When a patch is released, a 0day exploit becomes a "1day"
exploit. The term "1day" simply means that it is no longer 0day. 0day exploits
are very valuable, sometimes costing as much as 50000$. 1day exploits are still
effective and most exploits in exploit packs are 1day. 1day exploits are usually
free.

0day exploits used to be very valuable and private. Once a patch was released,
the exploit drastically lost value and leaked out to the public. These days, a
killer 0day comes out about once every two months. This means that the overall
commercial success of hackonomics has attracted more resources.

The most commonly exploited software is:

• Adobe Acrobat/Reader
• Adobe Flash
• Oracle Java
• Microsoft Internet Explorer
• Microsoft Office

When an exploit is executed, the browser often crashes. Sometimes a window of
some sort will appear and disappear quickly. Sometimes the computer will be
very slow for a couple of seconds. Sometimes an error message may appear.

The typical effectiveness rate of exploit packs is 10%. 0day can bring that
effectiveness up a lot for some time, until it becomes 1day.

Example:

A computer has patched Office, patched Flash, no Java, Internet Explorer is not
used, but Acrobat is not patched. A crypted exploit pack has exploits for Office,
Flash, Java, IE (Internet Explorer), and Acrobat. The payload downloads and
executes a crypted Zeus bot. When the computer runs the exploit pack, the
Office exploit fails, the Flash exploit fails, the Java exploit fails, the IE exploit is
not sent (because the exploit pack can detect that IE is not being used), but the
Acrobat exploit runs the payload and the computer becomes a bot in a botnet.
The user sees the browser crash and for about a second the computer is very
slow. The user doesn't think much about it and goes back to browsing. Now if
that computer is used to do online shopping or banking, the bot will send
financial information to the Zeus control panel.

Comments to the example above:

If the exploit pack didn't have an Acrobat exploit, then the exploit pack would be
less effective. If an installed anti-virus detected any of the exploits or the bot, the
anti-virus would have probably prevented the payload from running and alerted
the user. A lot of users don’t know what to do with that warning and just go
about their business.
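The example above walks through one host and one pack by hand. The following code, added here and not part of the book, generalizes it: a pack is a list of exploits with reliabilities, a host is its patch state plus the browser in use, and the pack's sequential execution is modelled as "any one success compromises the host", so P(compromise) = 1 - prod(1 - r_i) over the exploits that actually fire. It also ranks which unpatched product to fix first. The reliabilities in `PACK`, the `BROWSERS` set and the host descriptions are constructed; `BOOK_HOST` reproduces the patch state of the example above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    software: str        # product the exploit targets
    reliability: float   # fraction of runs that succeed; the book calls 7/10 "good"


@dataclass
class Host:
    patched: dict        # installed product -> True if patched, False if not; absent = not installed
    browser: str         # browser actually in use; browser exploits are only sent to it


BROWSERS = {"IE", "Firefox", "Chrome"}   # assumption: which products count as browsers


def applicable_exploits(pack, host):
    """Exploits in the pack that will actually be run against this host."""
    chosen = []
    for exploit in pack:
        if exploit.software not in host.patched:
            continue                      # not installed: nothing to hit
        if host.patched[exploit.software]:
            continue                      # patched: the hole is closed
        if exploit.software in BROWSERS and host.browser != exploit.software:
            continue                      # the pack skips exploits for a browser not in use
        chosen.append(exploit)
    return chosen


def compromise_probability(pack, host):
    """P(at least one exploit works) = 1 - prod(1 - reliability_i) over applicable exploits."""
    p_all_fail = 1.0
    for exploit in applicable_exploits(pack, host):
        p_all_fail *= 1.0 - exploit.reliability
    return 1.0 - p_all_fail


def best_patch(pack, host):
    """The single unpatched product whose patching lowers compromise probability the most."""
    best, best_prob = None, compromise_probability(pack, host)
    for software, is_patched in host.patched.items():
        if is_patched:
            continue
        patched_host = Host(patched={**host.patched, software: True}, browser=host.browser)
        prob = compromise_probability(pack, patched_host)
        if prob < best_prob:
            best, best_prob = software, prob
    return best


# Constructed pack: one exploit per product from the book's list; reliabilities are assumed.
PACK = [
    Exploit("Office", 0.7),
    Exploit("Flash", 0.7),
    Exploit("Java", 0.8),
    Exploit("IE", 0.6),
    Exploit("Acrobat", 0.7),
]

# The book's example host: Office and Flash patched, no Java, IE installed but not
# the browser in use, Acrobat unpatched.
BOOK_HOST = Host(patched={"Office": True, "Flash": True, "IE": False, "Acrobat": False},
                 browser="Firefox")

# Contrast: nothing patched and IE is the browser in use.
WORST_HOST = Host(patched={s: False for s in ("Office", "Flash", "Java", "IE", "Acrobat")},
                  browser="IE")

if __name__ == "__main__":
    for label, host in (("book example", BOOK_HOST), ("unpatched IE user", WORST_HOST)):
        names = [e.software for e in applicable_exploits(PACK, host)]
        print(f"{label}: fires {names}, P(compromise)={compromise_probability(PACK, host):.3f}, "
              f"patch first: {best_patch(PACK, host)}")
```

For the book's host only the Acrobat exploit fires, so the compromise probability equals that one exploit's reliability; for the fully unpatched IE user it is close to certain, and the ranking shows why patching the most reliable exploit's target first buys the most.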

An anti-virus may detect an exploit pack if it has a signature for it. To get the
signature, the anti-virus company has to get a copy of a file from the exploit
pack. A botnet operator checks if the exploit pack or the bot is detected
approximately once a week, but it typically takes a couple of weeks for a bot or
an exploit pack to be detected. When an exploit pack is detected by one of the
major anti-viruses, the botnet operator crypts the exploit pack to make it
undetected again. This is why an anti-virus is not an effective defense against
botnets.

An exploit pack costs between 500-1500$.

CRYPT

Crypt means making a piece of software undetectable by anti-viruses. The term
"crypt" is related to the word "encrypt", though that is not technically accurate,
since crypt doesn't always encrypt the software.

Crypt is typically applied to bots and to exploit packs. Botnet operators typically
crypt their bots and exploit packs weekly. This is why anti-virus software is not a
practical defense against bots and exploit packs. A crypt usually lasts a couple of
weeks until it becomes detected.

Crypting a bot usually means encrypting it and attaching a "stub". When the file
is executed, the stub decrypts the bot and runs it. Crypting an exploit pack means
changing pieces of exploit pack code until it becomes undetectable.

Crypt can be either a product or a service. Some people sell "crypters", which can
encrypt unlimited amount of bots until the stub becomes detected by anti-viruses.
Crypters for exploit packs are relatively rare. A manual crypt is considered more
effective. There are people that specialize in crypting. Some amount of crypting
is often included in the purchase of a licensed exploit pack or bot as a part of
technical support.

Crypt usually costs around 50$.
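One defender-side heuristic that follows from how a crypt works (an encrypted body behind a small stub): encrypted data has close to 8 bits of entropy per byte, while ordinary code and text have far less, so measuring entropy over windows of a file exposes the stub/body boundary. This is an added example, not the book's, and the sample bytes are constructed (repetitive source text as the "stub", seeded pseudo-random bytes as the "body"); the 7.2 bits/byte threshold is an assumption.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte of `data`: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data, window=1024):
    """Entropy of each consecutive `window`-byte slice, so a low-entropy stub followed
    by a high-entropy encrypted body shows up as a jump rather than an average."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_crypted(data, threshold=7.2, window=1024):
    """Heuristic: any window at or above `threshold` bits/byte is treated as encrypted
    or compressed content. The threshold is an assumption; compressed archives and
    images also score high, so this is a triage signal, not a verdict."""
    return any(e >= threshold for e in windowed_entropy(data, window))


# Constructed samples: repetitive source-like bytes stand in for a plain stub, and
# seeded pseudo-random bytes stand in for an encrypted bot body.
PLAIN_STUB = b"int main(void) { return 0; }\n" * 100
_rng = random.Random(2010)
ENCRYPTED_BODY = bytes(_rng.randrange(256) for _ in range(4096))
STUB_PLUS_BODY = PLAIN_STUB + ENCRYPTED_BODY

if __name__ == "__main__":
    print("stub only    :", round(shannon_entropy(PLAIN_STUB), 2), "bits/byte")
    print("body only    :", round(shannon_entropy(ENCRYPTED_BODY), 2), "bits/byte")
    print("stub+body    :", [round(e, 2) for e in windowed_entropy(STUB_PLUS_BODY)])
    print("looks crypted:", looks_crypted(STUB_PLUS_BODY))
```

Run on a real executable the window list is read the same way: a run of windows near 8 bits/byte after a short low-entropy prefix is the signature of a packed or encrypted body, and it stays visible no matter how often the stub is rewritten to dodge signatures.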

DOS

DoS means "Denial of Service". Denial of Service is when an attacker makes
some technological service unavailable. Typical examples of DoS are crashing a
computer or shutting down a web site. DoS attacks are mostly nuisance attacks
and do not usually cause physical damage.

There are several types of Denial of Service attacks: crash DoS, flood, SYN
flood, and DDoS.

CRASH DOS

Crash DoS is an exploit that makes a target computer or program crash. This is
not very practical or popular. Back in the 20th century, it took a long time for
patches to be deployed, so there were a lot of computers vulnerable to crash DoS
attacks. Young people carried out these attacks for the entertainment value of
annoying people by making their computers crash. This type of attack has almost
no hackonomic value and is now very rare in practice. Patches come out very
quickly now, which makes it impractical to write crash exploits - by the time they
reach their intended audience of people who think crashing computers is funny,
they become obsolete.

FLOOD DOS

Flood DoS means sending as much information as possible to a target computer
to make the target computer slow. Flood DoS is one of the oldest types of DoS
and most modern DoS attacks are variations on flood DoS. One of the earliest
flood DoS attacks is called "ping of death". There is a computer program called
ping, which sends a small piece of information to a target computer (that piece of
information says "PING"). The target computer replies by sending the same piece
of information back. The ping program can be used to send a custom piece of
information and to keep doing it repetitively. Back in the 20th century, many
computers would crash if someone kept pinging them with large pieces of
information. The crashes don't happen anymore, though the attack still works if
someone with a fast connection floods someone with a slow connection - in that
case the attacker with a fast connection uses up the target's bandwidth and the
target's Internet experience becomes slow. Plain flood attacks are not popular
anymore because many people have broadband, so plain flood attacks often have
a negligible effect.

Because the attacker is not interested in receiving information back from the
target during a flood attack, the origin of the flood attack can be easily spoofed,
that is the origin of the flood attack may be set to any arbitrary address on the
Internet. It may still be possible to track the attack down to its real source, but
this is expensive.

SYN FLOOD DOS

A SYN flood attack is a specific type of flood attack. The SYN attack sends pieces
of information that require the target computer to take some action; therefore, if
enough SYN packets are sent, the target computer will be slowed down both
because it has to take some action and because its network bandwidth is being
filled with junk. In this regard, SYN flood is sort of a hybrid between flood DoS
and crash DoS. There are mitigation measures, but there is no real protection
from the SYN flood attack, just like there is no protection from the flood attack.
The origin of a SYN flood attack can be spoofed.
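SYN floods leave a visible trace on the target: a large number of half-open connections, usually from many different (often spoofed) source addresses. The code below, added here rather than taken from the book, counts half-open connections per local port from socket-state text in the column layout of `ss -tan`; the listing in `SAMPLE_SS_OUTPUT` is constructed, and the 50-connection threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan` (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port): sixty half-open connections to port 80
# from sixty different peers, three to port 443, and two established sessions.
_lines = ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
          "ESTAB      0      0      10.0.0.5:80          198.51.100.20:51522",
          "ESTAB      0      0      10.0.0.5:22          198.51.100.21:40444"]
_lines += [f"SYN-RECV   0      0      10.0.0.5:80          203.0.113.{i}:{40000 + i}"
           for i in range(1, 61)]
_lines += [f"SYN-RECV   0      0      10.0.0.5:443         198.51.100.{i}:{50000 + i}"
           for i in range(1, 4)]
SAMPLE_SS_OUTPUT = "\n".join(_lines) + "\n"


def half_open_by_port(ss_output):
    """Map local port -> (half-open count, number of distinct peer addresses)."""
    counts = defaultdict(int)
    peers = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue                        # header line, established, or other states
        local, peer = fields[3], fields[4]
        port = int(local.rsplit(":", 1)[1])
        counts[port] += 1
        peers[port].add(peer.rsplit(":", 1)[0])
    return {port: (counts[port], len(peers[port])) for port in counts}


def flag_syn_flood(ss_output, threshold=50):
    """Ports with at least `threshold` half-open connections (threshold is an assumption)."""
    stats = half_open_by_port(ss_output)
    return sorted(port for port, (count, _) in stats.items() if count >= threshold)


if __name__ == "__main__":
    for port, (count, distinct) in sorted(half_open_by_port(SAMPLE_SS_OUTPUT).items()):
        print(f"port {port}: {count} half-open from {distinct} peers")
    print("flooded ports:", flag_syn_flood(SAMPLE_SS_OUTPUT))
```

A count close to the number of distinct peers, as in the sample, is what spoofed sources look like from the target's side. SYN cookies, which let a host accept connections without keeping per-SYN state, are one of the mitigation measures the text alludes to; on Linux they are governed by the `net.ipv4.tcp_syncookies` sysctl.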

DDOS

DDoS means “Distributed Denial of Service”. DDoS is any DoS attack that is
carried out simultaneously by multiple computers. A DDoS is typically carried
out by a botnet. If a group of people use their computers to DoS a target at the
same time - that is technically a DDoS. DDoS is the most common modern type
of DoS attacks and is usually carried out by botnets. DDoS is very effective,
because it uses resources of many computers against the resources of a few
computers. The result of DDoS is usually that the target has no Internet access
for the duration of the attack. DDoS is sold as a service and costs 30-50$/day.
The demand for DDoS is low, because shutting things down is generally not
profitable. DDoS sounds intimidating, but it’s really small time.

BRUTERS

Bruters are used to guess passwords. The term "bruter" is related to the term
"brute force attack", but is not technically accurate. A "brute force attack" is an
attempt to guess a password by trying all possible combinations. By contrast, a
"dictionary attack" uses a list of possible passwords to see if one of them is the
password. The list of possible passwords is called a "dictionary". The term
"dictionary" probably originated when someone decided to use all the words in
the dictionary to guess passwords. Bruters usually apply a "dictionary attack"
with a pretty short list of possible passwords. Bruters typically use a dictionary to
guess passwords of network servers.

A dictionary is also known as a word-list. Bruters usually come with a bundled
wordlist or two. There are many wordlists floating around the Internet. There are
some that are based on English language dictionaries. There are wordlists for
other languages. There are lists of most common passwords based on statistical
analysis of previously cracked passwords. A hacker typically has a bunch of
wordlists kicking around. There is no shortage of wordlists and choosing them is
a matter of personal taste and practice.

There are two common types of bruters:

• RDP Bruter - RDP bruter is used to guess passwords of Windows
Remote Desktop servers. The intended targets are usually corporate
servers running Windows Server operating systems. Remote Desktop is a
feature of Windows that allows using the desktop remotely. If the
password is guessed, the attacker can use the server almost the same as if
he was using it in person. Remote Desktop is graphical and for Windows.
• SSH Bruter - SSH bruter is used to guess passwords of Secure Shell
servers. The intended targets are usually corporate servers running Linux
or some other UN*X-like operating systems. Secure Shell is a service
that allows using a command line interface remotely. SSH is command-
line and for Linux.

RDP bruters are more practical and bruted Windows servers are usually more
useful than bruted Linux servers.

Both SSH and RDP allow only a limited amount of failed login attempts before
rejecting the connection. To overcome this, proxies are used. A proxy is a
computer that allows another computer to connect through it. The purpose of the
proxy is that the connections appear to be coming from the proxy. There are
many public proxies available for free. Zeus bots can also be used as proxies. If a
server has a limit of five failed logins, a bruter with 1000 proxies can try 5000
password guesses. 5000 guesses are not enough to try all possible passwords, but
it is enough to try a list of several thousand common passwords.

The objective of bruting is to guess passwords for as many servers as possible. A
bruter typically takes a list of targets, a list of proxies, a list of possible
passwords, and starts guessing passwords. The list of targets is produced by a
network scan. A network scan checks IP addresses to see if RDP or SSH servers
are running on them. Most computers with direct Internet IPs (not behind a
router) are scanned about every ten-fifteen minutes. IP addresses are numbers
that are written in the form 111.111.111.111 for convenience. In reality, an IP
address is actually a very large number and does not have to be written in the
form of 111.111.111.111. To scan a lot of IP addresses, two IP numbers are
chosen and every IP number in between them is scanned - these IP addresses are
called an IP range. Defining IP ranges is standard practice for many IT tasks, so
there is shorthand for writing IP ranges. Network scanners are used to scan IP
ranges for RDP and SSH servers and produce a list of targets for bruters. The list
of targets allows automatically bruting multiple targets.
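The text's remark that an IP address is "actually a very large number" is the whole basis of range handling. The functions below, added here as an example and not from the book, convert between dotted quads and that number, enumerate the addresses between two endpoints, test membership (for instance to tell whether a scanner's source lies inside a block already reported or firewalled), and expand the `/prefix` shorthand via the standard-library `ipaddress` module. The sample addresses are from the 192.0.2.0/24 documentation range.

```python
import ipaddress


def ip_to_int(dotted):
    """'192.0.2.1' -> 3221225985: the four octets are the bytes of one 32-bit number."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def int_to_ip(n):
    """Inverse of ip_to_int."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("out of IPv4 range")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def range_size(first, last):
    """How many addresses lie between two dotted quads, inclusive."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return hi - lo + 1


def addresses_between(first, last):
    """Every address from `first` to `last` inclusive, generated lazily so a large
    range does not have to be materialised."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    for n in range(lo, hi + 1):
        yield int_to_ip(n)


def in_range(ip, first, last):
    """True if `ip` lies in [first, last], e.g. to check whether a logged scanner
    source falls inside a block that has already been reported."""
    return ip_to_int(first) <= ip_to_int(ip) <= ip_to_int(last)


def cidr_bounds(cidr):
    """The shorthand the text mentions: '192.0.2.0/24' -> ('192.0.2.0', '192.0.2.255')."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    print(ip_to_int("192.0.2.1"), int_to_ip(3221225985))
    print(cidr_bounds("192.0.2.0/24"), range_size(*cidr_bounds("192.0.2.0/24")))
    print(list(addresses_between("192.0.2.254", "192.0.3.1")))
    print(in_range("192.0.2.77", "192.0.2.0", "192.0.2.255"))
```

The hand-rolled conversion is there to make the "large number" idea concrete; in production code the `ipaddress` module already provides all of it (`int(ipaddress.ip_address(...))`, `in` on a network object, and so on).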

Password guessing attacks are low cost, require little skill, and yield a high return
on investment. Password guessing attacks are very popular.

WEB EXPLOITS

An exploit is a glitch in software code that can be used to run custom code. A
web exploit affects a specific web site and does not necessarily give full control
over the target computer. A web exploit can be used to take control of a web site.
A botnet operator may take control of a web site using web exploits and insert
invisible iframes with exploit packs into the pages on the web site. When a
computer views such a web site, the exploit pack is loaded. If the exploit pack
executes successfully, the computer becomes a bot. When an attacker has control
over the web page, he can add his content to it, redirect the traffic from it to
somewhere else, or sell the access credentials to someone else.

The most common types of web exploits are SQL Injection and XSS.

SQL INJECTION

SQL Injection means sending commands directly to the database. Web
applications often include a database. For example, a web store keeps inventory,
orders, and price information in a database. SQL is a database language. The web
pages have scripts in them that interact with the database using SQL. If the
scripts have errors in them, they may allow an attacker to send custom SQL
commands to the database. SQL Injection attacks are frequently carried out by
adding SQL commands to the address bar. Sometimes SQL commands may be
inserted into the text boxes of the web page. If an attacker can send custom
commands to the database, he may be able to take over the web page and to read
all the information in the database. If the database stores financial information,
the attacker may be able to get that information using an SQL injection attack.
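The scripting error described here, beside its fix, as an added example that is not code from the book: the vulnerable search pastes the request value into the SQL text, so a quote in the input rewrites the statement; the hardened search passes the value as a bound parameter and the database only ever compares it as a string. The `products` table and its rows are constructed; the example uses Python's built-in `sqlite3` module, but bound parameters work the same way in every mainstream database driver.

```python
import sqlite3


def make_demo_db():
    """In-memory store with constructed inventory rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.49)])
    return conn


def search_vulnerable(conn, name):
    """The scripting error the book describes: user input pasted into the SQL text,
    so quote characters in `name` change the statement rather than the value."""
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, name):
    """Hardened form: the driver sends the statement and the value separately, so
    `name` can only ever be compared as a string, whatever it contains."""
    return conn.execute("SELECT name, price FROM products WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"      # a quote in the input: harmless as a value, not as SQL text
    print("vulnerable   :", search_vulnerable(db, probe))
    print("parameterized:", search_parameterized(db, probe))
```

With the same input the vulnerable search returns every row and the parameterized one returns nothing, which is exactly the difference between "commands sent to the database" and "a value compared by the database".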

XSS

XSS means Cross-Site Scripting. Cross-Site Scripting attacks are not as serious
as SQL injection attacks. Cross-Site Scripting attacks rarely if ever allow taking
full control of a web site. Cross-Site Scripting applies to web pages that allow
users to add content, such as comments in blogs or social networking web sites.
In an XSS scenario, an attacker leaves a comment with a script in it. When another
computer loads the comment, it executes the script. The script may be able to do
some of the things that a logged in user can do on the affected web site, such as
add users as friends, send messages, post comments, etc. In the extreme case, an
attacker may be able to take over the logged-in user's session.

The technique for taking over another user's session using XSS is called "stealing
the cookie". Web sites that have user accounts typically use cookies to keep track
of users - each user is given a unique number, which is stored as a cookie by the
web browser. An XSS attack may send a user's cookie to an attacker. The
attacker can then install this cookie in his web browser and the web site will
think that he is the user whose cookie was stolen.

XSS exploits are very limited, but they are very common. In terms of
hackonomics, XSS is rarely more than a nuisance.
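The two controls that blunt the scenario above, shown as an added example (not the book's code): escaping user-supplied text before it is placed in a page, so a script left in a comment is displayed rather than run, and marking the session cookie `HttpOnly`, so a script that does run cannot read it through `document.cookie`. The comment markup, the cookie name `sid` and `HOSTILE_COMMENT` are constructed for the example.

```python
import html
import re

# Assumption: session ids are long URL-safe tokens, so a value containing ';' or
# whitespace can never smuggle extra attributes into the Set-Cookie header.
SESSION_ID_OK = re.compile(r"[A-Za-z0-9_-]{16,}")


def render_comment_unsafe(author, body):
    """Comment markup with the text dropped straight into the page: a script left
    in a comment is served to every reader as executable code."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment(author, body):
    """Same markup with both fields HTML-escaped, so '<' becomes '&lt;' and a
    script is displayed as text instead of run."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def session_cookie_header(session_id):
    """Value for a Set-Cookie header. HttpOnly keeps the cookie out of
    document.cookie, which is what a cookie-stealing script reads; Secure keeps
    it off plain HTTP; SameSite=Lax limits cross-site sending."""
    if not SESSION_ID_OK.fullmatch(session_id):
        raise ValueError("session id must be a long token of URL-safe characters")
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def contains_script(markup):
    """Crude check used only to show the difference between the two renderers."""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is not None


# Constructed comment of the kind the book describes: a script instead of text.
HOSTILE_COMMENT = "<script>alert('xss')</script>"

if __name__ == "__main__":
    print(render_comment_unsafe("bob", HOSTILE_COMMENT))
    print(render_comment("bob", HOSTILE_COMMENT))
    print("Set-Cookie:", session_cookie_header("0123456789abcdef0123456789abcdef"))
```

Escaping stops the script from running at all; `HttpOnly` limits the damage if some other injection point is missed. Neither replaces the other, which is why both are normally applied together.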

PASSWORD GUESSING TAKEOVER

Password guessing is an obvious and common technique for taking over a web
site. Typically a "bruter" is used as described in one of the earlier sections. In
addition to RDP and SSH bruters, there are bruters made specifically for taking
over web sites. A list of common or probable passwords is used to guess the
password for some administrative component of the web site. Because most web
sites limit the amount of guesses per IP, proxies are used to make a large amount
of guesses. If a web site has a limit of five failed log-on attempts, a list of 1000
proxies allows an attacker to make up to 5000 guesses.
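Both this section and the Bruters section rely on the same arithmetic: a per-IP limit of five failed logins times 1000 proxies gives 5000 guesses. The simulation below, added here and not from the book, reproduces that number and then shows what a limit counted per account (independent of source address) does to it. The `LoginGuard` class and the 1000 addresses in `SOURCES` are constructed for the example.

```python
from collections import defaultdict


class LoginGuard:
    """Counts failed logins per source address (the book's 'five per IP' rule) and,
    optionally, per account regardless of where the attempt came from."""

    def __init__(self, per_ip_limit=5, per_account_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def allowed(self, ip, account):
        if self.ip_failures[ip] >= self.per_ip_limit:
            return False
        if (self.per_account_limit is not None
                and self.account_failures[account] >= self.per_account_limit):
            return False
        return True

    def record_failure(self, ip, account):
        self.ip_failures[ip] += 1
        self.account_failures[account] += 1


def guesses_admitted(guard, account, sources, attempts_per_source=1000):
    """Number of wrong guesses against `account` that `guard` lets through when the
    guesser rotates through `sources`; none of the guesses is correct."""
    admitted = 0
    for ip in sources:
        for _ in range(attempts_per_source):
            if not guard.allowed(ip, account):
                break
            guard.record_failure(ip, account)
            admitted += 1
    return admitted


# Constructed: a thousand distinct source addresses standing in for a proxy list.
SOURCES = [f"10.{i // 256}.{i % 256}.1" for i in range(1000)]

if __name__ == "__main__":
    print("per-IP limit only   :",
          guesses_admitted(LoginGuard(per_ip_limit=5), "admin", SOURCES))
    print("plus per-account 20 :",
          guesses_admitted(LoginGuard(per_ip_limit=5, per_account_limit=20), "admin", SOURCES))
```

A hard per-account lockout has its own failure mode: anyone who knows a username can lock the real user out, so in practice the per-account counter usually drives escalating delays, extra verification or an alert rather than a permanent block.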

E-MAIL RECOVERY TAKEOVER

E-mail recovery takeover means taking over an account by having the password
sent to an e-mail address. Many web sites offer to send the password to an
account by e-mail in the event a user forgets his password. The e-mail address
that the password is sent to is usually specified when making a web site account.
In order for the e-mail recovery take-over to succeed, an attacker has to first take
over the e-mail address of the user. The e-mail address has to be the one that was
used to make the account on the target web site. One common way to take over
an e-mail address is password guessing. Sometimes an e-mail account is deleted
and another person can make an account with the same address.

Some of the implications of taking over an e-mail address are obvious. In
addition to being able to read the person's private e-mail and being able to
impersonate the person, an attacker may be able to take over a web site account
that has been created using the target e-mail address. In the event that this user
account has full control over a web site, the e-mail recovery attack allows taking
over the web site.

Many people use the same password for many things, so once an attacker has one
or two of a person's passwords and their e-mail address, the attacker can go
on to take over many of the person's other on-line accounts and resources. The
hackonomic value of taking over e-mail addresses and social networking
accounts is low; the value of taking over a web site is much higher.

16
Technology

CREDENTIAL STEALING TAKEOVER

A web site may be taken over when a bot logs the username and password of
someone who administers it. A Zeus bot records information that the user
enters into web site forms. The botnet operator gets a lot of these logs and
looks through them at his leisure, or sells them to someone else. If the logs
contain credentials for administering a web site, the web site can be taken
over.

Sometimes the files on a web site are managed using FTP. FTP is an old
file-transfer protocol that sends the username and password in clear text, so
a bot on the client (or anyone on the network path) can record them. A Zeus
bot logs FTP accounts. Because FTP is mostly used today to manage files on web
sites, a logged FTP account usually means a web site. FTP accounts may be
worth a couple of dollars each.

WEB SHELL

A web shell is software uploaded to a cracked web site to control it: a script
(PHP, ASP and the like) that the attacker drives through ordinary HTTP
requests. Different web shells have different functionality, but they usually
allow managing files and sometimes running system commands on the web server.

IFRAME

An iframe is a piece of HTML that loads one web page inside another. "Iframe"
means inline frame: basically a small window with a web page in it that can be
placed into another web page. An iframe can be made very small (one pixel) or
invisible, with a style such as display:none, to avoid detection.

Iframes are used to make legitimate web pages load exploit packs on the
visiting computers. The iframing process goes like this: an exploit pack is
installed somewhere on the Internet; a piece of iframe code pointing at it is
generated; and that iframe code is inserted into multiple compromised web
sites. Whenever a browser loads a compromised web site, the iframe loads the
exploit pack, the exploit pack runs against the visiting computer, and if any
of the exploits succeeds, shellcode executes, which downloads a loader, which
downloads and installs a bot on the visiting computer.

Iframe can be used as a verb. To iframe a web page means to add an iframe code
to it. Example: "Some hacker iframed the company web page with an exploit
pack".

LOADER

A loader is software that downloads and installs other software. A loader is
usually used in the following fashion: the exploit pack downloads and runs a
loader; the loader downloads and installs a bot. The reason for using a loader
is that it makes the installation process more reliable. The circumstances
during exploitation are sketchy at best: the exploit might not work correctly,
the application being exploited might crash, an anti-virus or a firewall might
interfere, the user might notice that something suspicious is going on and
shut down the computer, and so on. A loader is small and optimized for running
under such circumstances, so it is more likely to run correctly than a full
bot. Loaders often include techniques for bypassing firewalls and anti-viruses.

SKIMMERS

Skimmers are physical modifications to ATMs that send card information to an
attacker. Skimmers are not limited to ATMs and may be installed at gas
stations and other places where cards are read. An attacker makes a clone of
the card reader slot from the target machine, puts his own reader inside it,
and fits it over the reader on the target machine. The original machine's card
reader is left in place, so the original machine still works; only the cover
of the card reader is replaced. Sometimes a video camera is installed near the
screen to record the PIN being entered.

Skimmers are physical and require the attacker to be physically nearby, at
least to install them. The skimmer records the bank card's magnetic stripe
data and sends it to a receiver via radio. The recorded financial information
is sold over the Internet to a carder.

Skimmers are sometimes sold on-line. A skimmer with a video camera costs
around 900$.

Skimmers are out there and they are pretty difficult to spot. Some ATMs have
anti-skimmer features, which are basically alarms that go off when parts of the
ATM are removed.

Services
CARDS

DESCRIPTION:
Credit card information is one of the commodities traded on the Internet in bulk.
Credit card information comes from many different sources, such as botnet logs,
compromised servers, and skimmers. Click here for more information. Just
kidding.

Bots record financial information when the user enters it into a web site form.
Bots periodically send collected information to the botnet control panel. The
botnet operator can download the collected logs from the botnet control panel.
The botnet operator can search the botnet logs for credit card information and put
it in a separate file. The credit card information can then be sold on the Internet.

Some database servers store credit card information. Web sites use SQL to
query their databases. An attacker may be able to read sensitive information
from the database using SQL injection: sending input that the web site pastes
into its own SQL queries without escaping or parameterizing it, so that the
attacker's text is executed as SQL commands. A web site is supposed to have
measures that prevent SQL injection (parameterized queries and input
validation), but this is still a very common vulnerability.

Skimmers are physical modifications to ATMs that send financial information to
an attacker when the ATM is being used.

PURPOSE:
Cards are lists of credit card information, sold to people who use them to get
the money out somehow.

PRICES:
1 Card ~ 0.8$
3 Cards ~ 2$
10 Cards ~ 5$
100 Cards ~ 50$

MONEY LAUNDERING

DESCRIPTION:

Money laundering means transferring money from a suspicious account to the
launderer, who then sends most of that money on to the customer.

PURPOSE:

The purpose of money laundering is to make hackonomic income look like some
other type of income.

PRICE:

???

PASSWORD CRACKING

DESCRIPTION:

The password cracking service means breaking the password for an on-line
account of some sort, such as e-mail. Usually, password guessing attacks are
used, but sometimes weaknesses in the web site are used instead. This service is
not very common and is not always effective. The password cracking service
sounds very powerful, but it is a very small part of hackonomics. Hackonomics
are based on low-cost, large-scale attacks. A password cracking attack is small-
scale and relatively high-cost, and that makes it unpopular.

PURPOSE:

The purpose of password cracking is usually to take over an e-mail account to
read the person's e-mail and to impersonate them. One reason to crack an
e-mail account is to do an e-mail recovery take-over of a web site: getting
the password to some on-line resource sent to the e-mail account. Many sites
offer to send a password (or a reset link) to the user's e-mail account if the
user forgets it. If an attacker takes over the user's e-mail, the attacker may
be able to retrieve the password.

PRICE:

~50$

MALWARE/HACKWARE

DESCRIPTION:

Malware is a term that means malicious software. The term "malware" is used by
information security professionals, but not in the hackonomics at large, because it
has a very negative connotation. The term being coined in this book is hackware,
as a middle ground between the underground and the academic. In the
hackonomic circles, the neutral and ambiguous term "software" is used, together
with one of the names that specify the type of software. The commonly traded
hackware types are: loader, crypter, bot/trojan/rat, exploit pack, iframer, bruter,
and some more exotic types. These technologies have separate chapters dedicated
to them.

PRICE:

Loader - ???

Crypter ~ 50$

Bot/Trojan/Rat ~ 500-10000$ (Trojan and RAT are other names for a bot. RAT
means Remote Administration Tool, or Remote Access Trojan)

Exploit Pack ~ 500-1500$

Iframer ~ 20-50$

Bruter - ???

CRYPT

DESCRIPTION:

Crypt means making hackware undetectable by anti-viruses. Crypt is typically
applied to bots and exploit packs. Botnet operators typically crypt their bots
and exploit packs weekly. This is why signature-based anti-virus software is
not an effective defense against bots and exploit packs. A crypt usually lasts
a couple of weeks until it becomes detected.

Crypting a bot usually means encrypting it and attaching a "stub". When the file
is executed, the stub decrypts the bot and runs it. Crypting an exploit pack means
changing pieces of exploit pack code until it becomes undetectable.

Crypt can be either a product or a service. Some people sell "crypters", which
can encrypt an unlimited number of bots until the stub itself becomes detected
by anti-viruses. Crypters for exploit packs are relatively rare. A manual
crypt is considered more effective. There are people who specialize in
crypting. Some amount of crypting is often included in the purchase of a
licensed exploit pack or bot as part of technical support.

PURPOSE:

Crypt is used to make hackware undetectable by anti-viruses. A decent botnet
operator uses crypt approximately once a week. This is why signature-based
anti-virus software is not a practical defense against bots and exploit packs.
A crypt usually lasts a couple of weeks until it becomes detected, so
anti-viruses are in general a couple of weeks behind. Once a bot is installed,
it may update itself with a newly crypted version periodically.

PRICE:

30-50$/crypt.

DENIAL OF SERVICE

DESCRIPTION:

Denial of Service means slowing down or crashing the target computer(s). The
DoS service that is actively sold is usually DDoS carried out by botnets. DDoS
means distributed denial of service: multiple computers attacking the same
target(s). The industry standard is a SYN flood carried out by thousands of
computers simultaneously. Some botnets exist entirely for the purpose of
carrying out DDoS attacks. DDoS is not known to cause physical damage; its
usual effect is disconnecting the target from the Internet for the duration of
the attack.

PURPOSE:

The purpose of DDoS attacks is to disconnect the target computer(s) from the
Internet for some period of time. Sometimes DDoS is used to fight competition.
Sometimes DDoS is used to annoy video game players. Sometimes hacker groups
use DDoS against each other. DDoS has been used to extort money from
businesses that rely on continuous web presence, but that business model has
proven not to be hackonomically viable. DDoS is not very profitable, but it is
easy to do, so it is a readily available service.

PRICE:

30-50$/day.

BULLETPROOF HOSTING

DESCRIPTION:
Bulletproof hosting means offering to host a web site or a web application that is
not supposed to come down even if someone tries to take it down. For example,
even if investigators find that a web site is used to host a botnet, a bulletproof
hosting provider won't take it down when investigators ask them to. The
bulletproof hosting providers are spread out geographically in a way that makes it
difficult to take action against them. Bulletproof hosting providers optimize their
services to resist DDoS attacks.

PURPOSE:
Bulletproof hosting is often used for serving botnet control panels and exploit
packs. There are two main threats to hosting: "abuse" and "DDoS". DDoS is
when a botnet floods a web server with information. Basically, DDoS can shut
down a web site for the duration of the attack. "Abuse" is when someone writes a
letter to the hosting provider saying that a web site is "abusing" the terms of
service. Most regular hosting providers will respond to that by shutting down the
web site, often even if the "abuse" letter is fake. A bulletproof service provider
will ignore "abuse" letters. Resistance to "abuse" and "DDoS" are the two basic
distinctions between bulletproof web hosting and regular web hosting.

PRICES:
Web Hosting ~ 50$/month
Web hosting is a place to put a web page on the Internet. For basic web hosting,
many web sites share the same IP address.

Virtual Private Servers ~ 150$/month
A virtual private server is a virtual machine on a shared physical server; it
has its own IP address and the customer administers it like a separate
machine.

Dedicated Servers ~ 400$/month
A dedicated server is an actual separate physical server with its own IP
address, dedicated to hosting the customer's web site.

VPN - VIRTUAL PRIVATE NETWORKING

DESCRIPTION:

VPN is an encrypted tunnel to a VPN server. All connections going through VPN
appear to be coming from the VPN server. A VPN service provider typically
offers a choice of servers in different countries.

PURPOSE:

VPN is used for hiding the IP address on the Internet and the Internet traffic from
the Internet Service Provider. The original use of VPN is to encrypt traffic on the
Internet when connecting to a company or personal network remotely.

PRICE:

~1$/day
~30$/month

DEDICATED SERVERS

DESCRIPTION:

Dedicated servers are computers that stay on-line for a long time and usually
are not used by a person physically; a dedicated server is typically a
computer that sits in a data center somewhere. Because few people have
physical access to dedicated servers, they are administered with some kind of
remote-control software, such as RDP or SSH. RDP and SSH bruters are used to
guess the passwords of dedicated servers, and successfully guessed passwords
may then be sold. Dedicated servers are a popular commodity.

PURPOSE:

Dedicated servers are used to launch attacks. Even if an attack was traced back
past proxies and VPN, it would appear to originate from the dedicated server.
Dedicated servers can also be used to host botnets and to send spam.

PRICE:

1-5$/server.

Yes, full access to your company’s server is only worth 1-5$ to a hacker.

TRAFFIC

DESCRIPTION:

Purchasing traffic means paying to have a web site loaded by web browsers.
When a web site is cracked, it can be iframed with the customer's web site of
choice. Usually, an intermediate web site is used to count the amount of traffic
sent to the customer. Traffic is sold by thousands of hits.

PURPOSE:

The purpose of purchasing traffic is to load an exploit pack on as many
computers as possible, to make bots as fast as possible.

PRICE:

1$/1000 hits.

INSTALLS

DESCRIPTION:

Buying installs means paying to have the customer's software installed.
Selling installs means taking money to install software on some number of
computers. The process for installs is the same as for installing bots, except
that the customer's software is installed instead. The customer's software is
usually a bot, so selling installs usually means installing someone else's
bots.

PURPOSE:

The purpose of buying installs is usually to install spyware or adware on
people's computers. It may be possible to buy installs to make a botnet.

PRICE:

70$/1000 installs.

EMAIL LISTS

DESCRIPTION:

E-mail lists are sometimes traded on the Internet.

PURPOSE:

E-mail lists are sold for the purpose of sending spam to them. A spammer gets
paid for sending messages to a certain amount of e-mails. The more valid e-mail
addresses a spammer has, the more money he makes. The hackonomic value of
spam has been rapidly declining, but it still exists.

Some of the most common sources of e-mail lists are on-line dating sites.

PRICE:

???

SPAM

DESCRIPTION:

Spam means sending lots of advertisements. Spam is usually sent over e-mail.
Anyone who has used e-mail for a while knows what spam is. Spam used to be
big, but its share of hackonomic activity is dwindling.

PURPOSE:

The purpose of spam is to send lots of advertisements. The logic is that some of
the people that get the advertisement will make a purchase, so the more spam, the
more purchases, and therefore the bigger profit.

Spam is also popular with scammers. The idea is that some of the people that get
the scam letter will fall for it, so the more spam, the more victims, and therefore
the bigger profit.

PRICE:

???

SEO - SEARCH ENGINE OPTIMIZATION

DESCRIPTION:

SEO means making a web site easier to find with search engines. The objective is
usually to make the web site to appear higher in the list returned by search
engines for certain key words. One approach to SEO is to spam links to a web
site on different forums and blogs. Modern search engines consider web sites that
have a lot of links pointing to them important. Another approach is to create lots
of web sites that have links to the customer's web site. SEO involves a lot of
techniques and technologies. SEO is a large part of hackonomic activity.

PURPOSE:

The purpose of SEO is to increase traffic to a web site. Generally speaking, more
traffic means more money on the web.

PRICE:

???

Professions
BOTNET OPERATORS

A botnet operator is a person that controls a botnet. Botnet operators are probably
the most interesting type of hackers (besides the legit information security types).
The duties of a botnet operator include: installing bots, managing bots, crypt, and
collecting logs.

INSTALLING BOTS

Installing bots usually means iframing a web site with an exploit pack.

MANAGING BOTS

Managing bots means making sure the bots remain operational. One of the
biggest parts of managing bots is making sure they are not detected, because once
a person knows they have a bot on their computer, the person will probably get
rid of it somehow. Therefore, crypt is one of the biggest parts of managing a
botnet.

Other bot management tasks include checking the control panel to see how many
bots there are, issuing bot commands via the control panel, updating bot
configuration files as needed, and making sure the botnet as a whole is not
detected.

CRYPT

Bots periodically become detected by anti-viruses. This is because bots are
spread on many computers and eventually a user may send a suspicious file in
to the anti-virus companies. An anti-virus company may share this information
with other anti-virus companies. Once this happens, all the identical bots are
subject to being removed by anti-viruses. To prevent this, botnet operators
crypt their bots faster than they are detected and send commands to the
existing bots to update to new, crypted versions. The frequency of crypt is
different for different operators, but it's something like once a week on
average. It takes approximately two weeks for a bot to be detected.

COLLECTING LOGS

Most of the hackonomic value of bots comes from collecting logs. Logs are
usernames and passwords recorded by bots. An average user has multiple
usernames and passwords that he uses for multiple things, so each bot
typically yields multiple usernames and passwords, together with the web site
or application that these credentials are for. A botnet of thousands of bots
then yields many thousands of usernames and passwords. Even if the bot is
detected after a couple of days, it has collected some logs by that time. Most
users don't change all their passwords when their anti-virus finds a bot;
however, over time passwords do tend to change, so the quality of logs depends
largely on their freshness. Logs can be traded raw, but then they are not
worth that much. Logs can include things like cards (financial information),
passwords to dedicated servers, passwords to web sites, and passwords for
video game accounts. A botnet operator will often look through the logs to see
if he has logged anything of value to sell.

DDoS

Botnets can be used to perform DDoS attacks. Botnet operators may sell DDoS
services or use DDoS for personal reasons. The effect of DDoS is usually that a
web site is not available for the duration of the attack. Because there are many
botnets out there and the demand for DDoS is small, the cost of DDoS is low.
DDoS sounds intimidating, but it’s very small-time. The main motivation for
hacker activity is profit and collecting logs is safer and more profitable.

There has been hype about hackers shutting down electricity or other services.
Computers that control infrastructure are supposed to be kept off the
Internet, and a control system that really is isolated cannot be reached by a
DDoS at all. There is no good reason to connect a computer that controls
infrastructure to the Internet, though in practice control networks are
sometimes exposed through remote-access links, and that exposure, not botnet
floods, is where the real risk lies. Stories about hackers shutting down
infrastructure with DDoS are mostly hype and fear mongering.

BOTNET OPERATOR SKILLS

• Botnet Management
• Web Site Administration
• Parsing Logs
• Trading Hackonomic Commodities

BOTNET OPERATOR INPUT

• Exploit Packs
• Botnet Hackware
• Crypt
• Dedicated Servers
• Cracked Web Sites
• Traffic
• Iframes

BOTNET OPERATOR OUTPUT

• Logs
• Cards
• Botnets
• Cracked Web Sites
• Cracked Dedicated Servers
• DDoS
• Spam
• Installs

BOTNET OPERATOR PROFIT

Botnet operators sell different services to different people:
• DDoS to someone who wants to take out the competition
• Cards to carders
• Dedicated servers to spammers and crackers
• Installs to spyware companies and other botnet operators

CRACKERS

Crackers are a kind of dry bread. Crackers are also people who break into web
sites and computers. Crackers use different methods for cracking and often
specialize in some specific method. One of the most common methods is
automated password guessing, also known as bruting. A more sophisticated
method is SQL injection, which allows taking over a web site. Both bruting and
SQL Injection are described in the Technology section of this book. SQL
Injection is a web exploitation technique.

A cracker matches what most people think of as a hacker. Crackers are not the
biggest players in hackonomics. Hackers can have multiple jobs and small-scale
cracking combines nicely with operating a botnet. Crackers perform active
attacks, while botnet operators set up traps. Botnet operators get a lot more bots,
but crackers can target attacks. Both crackers and botnet operators rely on
unsophisticated and well-known attacks for the bulk of their work.

There has been a paradigm shift in hacking attacks over the past decade. In
the late 20th and early 21st centuries, crackers performing aggressive
targeted attacks did most of the penetration. The common scenario was for a
cracker to attack a server and take full control over it. Crackers still do
this today, but it used to be the dominant mode of attack, and a lot of the
mainstream media coverage of hacking was about attacks of this type. In the
last decade, the bulk of penetration has shifted to exploit packs, where
multiple web sites sit as traps on the web, thousands of computers visit them
every day, and the vulnerable ones get botted. The latter approach introduced
a far greater degree of automation and efficiency, increasing productivity
many times over. Public awareness has not caught up to this fact, and this is
probably the greatest insight in this book for someone outside the information
security field. The paradigm shift has drastically lowered the price of
hackonomic goods while greatly expanding the scale of operations and the
amount of available hackonomic goods. This is probably the single largest
factor responsible for hacking evolving from an obscure hobby-like activity
into a massive trans-national enterprise.

The transition from targeted or semi-targeted cracking to exploit traps has been
partly driven by the vastly improved security of operating systems and server
software. Extrapolating this trend suggests that improved security against exploit
traps will further evolve hackonomics towards greater audiences, more
transparent tools, and higher profit margins. The motivation for this is in place
already - the average penetration rate of exploit packs has been dropping. A
couple of years ago, when exploit packs were new, it was common to see 20%
and higher average penetration rates. 10% penetration rates are considered
average today.

There is not much money in cracking, because dedicated servers and web sites
yield very little money. Bruting attacks are very easy to wage, so cracking is
hackonomically a pretty small-time activity, even though a lot of bruting
attacks take place and succeed.

Because most home users connect to the Internet through a router that does
network address translation, their computers are not directly reachable and
are much less exposed to crackers; only computers that are directly connected
to the Internet, or that have ports forwarded to them, can be bruted from
outside. (The router itself is still reachable and has an administrative
password of its own.) This is mostly a concern for businesses, because they
often have ports open so that workers can connect remotely. IT people often
have weak passwords, and this is why crackers are often successful.

CRACKER SKILLS

• Bruting
• Web Exploits
• SQL Injection
• Server Administration
• Web Site Administration

CRACKER INPUT

• Bruters
• Password Lists
• Web Exploits
• SQL Injection
• Web Shells

CRACKER OUTPUT

• Cracked Dedicated Servers
• Cracked Web Sites
• Cracked E-Mail

CRACKER PROFIT

• Carders, spammers, and botnet operators buy cracking services.

CARDERS

Carders are the people that use credit or debit card information to make
purchases or to transfer the money out somehow. Carders use cards. "Cards" is a
hackonomic term for financial information, because it's the information that
people have on debit and credit cards. When banks complain about hackers, they
are complaining about carders.

Usually carders operate by using financial information to make purchases
on-line that are then shipped to vacant properties. A "drop" picks up the
goods at the vacant property, sells the goods, and shares the money with the
carder. A "drop" is pretty much the lowest level hackonomic person, whose only
responsibilities are to pick up carded goods, sell them, and not get caught.
Drops do get caught, so carders make sure the drops have no way of finding
them. Because of this high degree of separation, the drop may take the money
and not share it with the carder. Doing this ends the business relationship.
This is one instance of a common hackonomic practice of ripping partners off.
Carders have to deal with a lot of rip-offs in general.

Carders are interested in “cardable shops” – these are online stores that ship stuff
purchased with cards. Some businesses verify shipping and billing information
more thoroughly than others. Carders are interested in shops that don’t bother
making sure that the merchandise is being shipped to the person who is paying
for it or don’t do a very good job at it.

CARDER SKILLS

• Cloning cards
• Banking operations
• Multiple languages
• Finding cardable shops

CARDER INPUT

• Cards
• Cardable shops

CARDER OUTPUT

• Carded stuff

CARDER PROFIT

• Carders get a share of the money from the carded stuff.

DROPS

Drops receive goods purchased with carded accounts. Drops work together with
carders. The term "drop" is similar to the idea of "drop-shipping". Basically, a
drop is a location where something is dropped off. About ten years ago, goods
could be shipped simply to a vacant house and picked up at the front door. These
days, postal services might not ship expensive electronics to a place where
nobody lives, but this doesn't stop drops from operating. Because the seller
knows the address, an investigator might come to check it out, so the job of a
drop is risky. A drop doesn't need many technical skills and gets a pretty large
percentage from the transaction. The amount of successful transactions is limited
by the person's physical ability to pick up the drops. Because of high risk, low
income, and low technical skill level a drop is a low level position. Because of
relatively high and easy income relative to other forms of unskilled labor, drops
are abundant.

Drops may also use cloned debit cards to get cash out from ATMs. Some ATMs
are easier than others.

The skill of a drop is knowing his environment. This is a person with low
mobility, but high awareness - he must know the type of ATMs in the area,
available drop points in the area, and must be able to avoid the police. Poor
neighborhoods are particularly well suited for drops, because poor people have
lots of free time to explore their environment, their neighborhoods have older
model ATMs, and probably lots of vacant housing, or housing that changes hands
often. The most probable motivation for a drop is lack of meaningful
employment opportunities.

Another skill of a drop is secure communication: the drop must be able to
communicate with the carder to negotiate the transactions and to transfer the
profits. The communication must be secure, because otherwise the carder will
refuse to participate. The whole point of a drop is that the person who places
the order is different from the person who receives the goods.

DROP SKILLS

• Secure Communications
• Physical Exploration
• Selling Carded Stuff

DROP INPUT

• Carded Stuff

DROP OUTPUT

• Money

DROP PROFIT

• Drops make money by selling carded stuff.

CRYPTERS

Crypters are people and software that make hackware undetectable by anti-
viruses. When anti-virus companies talk about thousands of new viruses, they are
often talking about the crypted versions of bots. Crypters either write software
that crypts hackware or manually crypt each piece of hackware. Crypting appears
to be neither very difficult nor very profitable. Crypting itself is described in an
earlier chapter.

Considering that this is one of the first books that talk about this, perhaps it is
appropriate to define the terminology. A "cryptor" can be the crypting software,
and a "crypter" can be a person that does crypting.

There are two types of crypter services: manual crypt or cryptor software.
Cryptor software is by far more common. There is a lot of open source and free
cryptor software, but anti-viruses often already detect it. The whole point of
purchasing a cryptor is that it is unique for each customer. A certain amount of
free updates is often included in the purchase of a cryptor.

The exact technologies for crypting different types of hackware are different, but
the idea is always the same - making hackware undetected by anti-viruses.
Generally speaking, this task is accomplished successfully and the anti-virus
industry is usually a step behind hackonomics.

CRYPTER SKILLS

• Crypting
• Programming

CRYPTER INPUT

• Detected Hackware
• Programming Tools
• Anti-Virus Signature Detectors
• Hex Editor
• Text Editor

CRYPTER OUTPUT

• Undetected Hackware
• Cryptors

CRYPTER PROFIT

• Botnet operators pay for crypt.

CODERS

"Coder" is just another word for programmer; the term is used widely in software
development and IT. There are many software tools that are used for
hackonomics and someone has to write them. The coders that write hackware
usually sell it.

A lot of hackonomic tools are written for general IT tasks, and it is probably
possible for hackers to make do using only the generic IT tools. Information
security professionals write some tools, and some of these are well adapted for
hackonomic tasks, while others are really more about demonstrating the idea; the
majority of these are used for demonstrating ideas and are not very
hackonomically useful, because they often have very few features and no
support. The generic IT tools and the infosec tools are usually free or cheap, with
some notable exceptions, like vulnerability scanners; even so, there are usually
free replacements for the expensive tools. In any case, hackers don't hesitate to
download pirated versions of expensive software, so it's mostly free for them
anyway. The purpose-written hackonomic tools are a whole different story - they
are expensive, they typically come with support, and they are not always easy to
get. Because of this, there exists the public/private paradigm, which has a whole
chapter devoted to it.

Hackware coders are persecuted when they are found, which commands a
premium on their prices and means that purchasing hackware requires involved
parties to have some reputation and trust. The actual transaction is often
conducted anonymously and the money may be laundered before being cashed
out by the coder. There is potential for hackware coders to make comparable
money to a full-time job, but it appears to be mostly a supplemental form of
income, especially since the demand is not always steady.

CODER SKILLS

• Programming

CODER INPUT

• Time
• Brains

CODER OUTPUT

• Hackware
• Web Sites

CODER PROFIT

• Coders sell hackware to crackers, spammers, and botnet operators.
• Coders often offer crypting services bundled with their hackware.

SKIMMERS

"Skimmer" refers both to a device attached to an ATM to read debit card
information and to the people who use such devices. A skimmer is basically a
replacement slot for the card reader in the ATM that includes an additional
reader, which sends card information to the skimmer operator. The process of
reading card information is called skimming. The original ATM equipment
remains functional, so it takes a long time for someone to detect that there is a
skimmer installed. Once a skimmer is installed, there is no need for the skimmer
operator to touch the ATM again, because skimmers can send information
remotely. The operator might still want to recover the skimmer to recoup the
original investment cost.

A skimmer does not need much skill. A skimmer may be purchased online for
around 800$. Some amount of audacity is required to install a skimmer. Banks
are acutely aware of skimmers now and some ATMs come with tamper-resistant
features, which are basically alarms that go off when an ATM is being tampered
with. Skimmers rarely get caught, but if they do, they can expect unpleasant
treatment because they are causing a lot of trouble for the banks.

Skimmers produce cards. "Cards" are a hackonomic term for financial
information. "Cards" are listings of financial information sufficient to make
banking operations or purchases. Cards are sold to carders and carders use them
to withdraw money through some kind of financial scheme, which usually means
buying something online and having it shipped to a vacant house, where a "drop"
picks up the product. The "drop" then resells the product and shares the money
with the carder. A "drop" is pretty much the lowest level hackonomic person,
whose only responsibilities are to pick up carded goods, sell them, and not get
caught.

In some cases, the skimmer is also the carder, and maybe even the drop. This
type of integration drastically increases the payout and the associated risk, but
because of the risk this probably doesn't happen often. It is more likely that
skimmers and carders develop partnerships, where carders share the profit,
instead of paying a fixed rate for the cards. The incentive for the carder to do so
is because the skimmed information is often very accurate and complete, so it's
easier for the carder to work with.

SKIMMER SKILLS

• Making a Skimmer
• Installing a Skimmer

SKIMMER INPUT

• Skimmer

SKIMMER OUTPUT

• Cards

SKIMMER PROFIT

• Skimmers profit by selling cards to the carders.

SPAMMERS

Spammers are people that send large amounts of advertisements. Anyone that has
used e-mail for a couple of years knows what spam is. Some e-mail filters are
pretty good, but most e-mail on the Internet is spam. This is because it is very
easy to send lots of e-mail messages. There used to be lots of money in spam, as
some high-profile cases revealed the personal assets of spammers, and those
assets were large.
http://www.msnbc.msn.com/id/18955115/ - this guy made over 700 thousand
dollars, but he's also supposedly one of the biggest spammers. There used to be a
lot of money in spam before, supposedly, but not really anymore. Because spam
is so cheap and easy to do, there still is lots of it; there just isn't much money in
it.

Spammers take a list of e-mails, some mail servers, some spamming software,
and messages from their sponsors and off they go spamming. The lists of e-mails
are procured from many different sources, including various mailing lists
compiled by businesses and web sites that get cracked, but more commonly
"harvested" from search engines. One simple way to make a list of e-mails is by
using a web search engine to search for e-mail addresses. "Harvesting" software
exists, which automates the process of using search engines to find e-mail
addresses. Mail servers used to be easy to get, but because of the fight against
spam, it became slightly harder. Before there were simply tons of open mail
servers on the Internet, but now a spammer has to either run a botnet or buy
dedicated servers to use to send spam. A spammer can rent a botnet for spam.
This actually makes spam more effective, because it appears more real since it is
coming from the computers of actual businesses and people. Spamming software
is software that can send lots of identical or similar e-mail messages quickly; this
is very simple software and may be built into botnets. Messages from sponsors
are the messages that whoever is paying for spam wants to send.

SPAMMER SKILLS

• E-Mail Administration
• Botnet Management

SPAMMER INPUT

• E-Mail Lists
• Dedicated Servers
• E-Mail Servers
• Botnet

SPAMMER OUTPUT

• Spam

SPAMMER PROFIT

• Online businesses and scammers pay for spam.

Exploit Packs
EXPLOIT PACK INTRODUCTION

An exploit pack is basically an exploit trap - it's a bunch of exploits sitting
somewhere on the web waiting to be loaded by a browser. An exploit is a glitch
in software code that can be used to run custom code. An exploit pack typically
includes the following components: exploits, installer, control panel, and various
statistics counters. An exploit pack usually requires PHP and MySQL on the
server and enabled JavaScript on the client.

Exploits - commercial grade exploits are typically delivered by a web application
to make exploits more difficult to detect - that is, an exploit pack is a web
application. Exploit packs often have a built-in cryptor, which crypts exploits on
the fly. Crypting is explained in a separate chapter; here it means making exploits
undetectable to anti-viruses. Eventually the crypt mechanism itself becomes
detected, however it is often written in such a way that with a few minor
adjustments it becomes undetected again. Most exploit packs use the same
exploits. The used exploits are updated as new exploits come out and old exploits
become obsolete. There are typically somewhere around five to fifteen exploits in
an exploit pack. A list of popular exploits can be found in this book.

Installer - the exploit pack installer is a simple script that initializes the statistics
database and the exploit pack configuration settings, such as the administration
username and password.

Control Panel - the exploit pack control panel typically has a configuration page
and a statistics page. The configuration page is different for different exploit
packs, but usually includes options to change the administration username and
password, the file to load on the exploited computer, and some more options,
such as selecting which exploits to use and checking if an anti-virus detects the
files. The statistics page shows the amount of visitors, usually broken down by
country, operating system, and browser type. The statistics page shows the
amount of visitors total and the amount of successfully exploited computers.
Because exploits are not 100% reliable, the actual amount of loaded bots is
usually less than the exploit pack statistics page suggests, though it's pretty close.

Information about what exploit packs are in vogue today can be found by
checking http://www.malwaredomainlist.com

LIST OF EFFECTIVE EXPLOITS

CVE-2006-0003 MDAC RDS.Dataspace
Target: IE6 < MS06-014
Date: 2006-10
http://www.securityfocus.com/bid/20797
http://www.exploit-db.com/exploits/2052/
http://osvdb.org/show/osvdb/24517

CVE-2006-5559 MDAC ADODB.Connection
Target: IE6 < MS07-009
Date: 2007-03
http://www.securityfocus.com/bid/20704
http://osvdb.org/show/osvdb/31882

CVE-2008-0655 PDF Collab
Target: Adobe PDF < 8.1.2
Date: 2008-02
http://www.securityfocus.com/bid/27641
http://osvdb.org/show/osvdb/41492
MetaSploit: Adobe Collab.collectEmailInfo() Buffer Overflow

CVE-2007-0071 Flash9
Target: Flash9 < 9.0.124.0
Date: 2008-04
http://www.securityfocus.com/bid/28695
http://osvdb.org/show/osvdb/44282

CVE-2008-2463 Access
Target: IE6,7 + MS Access 2000,XP,2003 < MS08-041
Date: 2008-07
http://www.securityfocus.com/bid/30114
http://osvdb.org/show/osvdb/46749
MetaSploit: Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary
File Download

CVE-2008-2992 PDF printf
Target: Adobe PDF < 8.1.3
Date: 2008-11
http://www.securityfocus.com/bid/30035
http://osvdb.org/49520
MetaSploit: Adobe util.printf() Buffer Overflow

CVE-2008-5353 JAVA Calendar
Target: Sun Java < 1.6u11
Date: 2008-12
http://www.securityfocus.com/bid/32608
http://osvdb.org/show/osvdb/50500
MetaSploit: Sun Java Calendar Deserialization Exploit

CVE-2009-0075 IE7 XML
Target: IE7 < MS09-002
Date: 2009-02
http://www.securityfocus.com/bid/33627
http://osvdb.org/show/osvdb/51839
MetaSploit: Internet Explorer 7 Uninitialized Memory Corruption Vulnerability

CVE-2009-0927 PDF getIcon
Target: Adobe PDF <7.1.1 < 8.1.4 < 9.1
Date: 2009-03
http://osvdb.org/show/osvdb/53647
http://www.securityfocus.com/bid/34169
MetaSploit: Adobe Collab.getIcon() Buffer Overflow

CVE-2008-0015 IE DirectX
Target: IE6,7 < MS09-032
Date: 2009-07
http://www.securityfocus.com/bid/35558
http://osvdb.org/show/osvdb/55651
MetaSploit: Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption

CVE-2009-1136 OWC MS09-043
Target: IE6,7 + Office 2000, XP, 2003 < MS09-043
Date: 2009-07
http://www.securityfocus.com/bid/35642/
http://osvdb.org/show/osvdb/55806
MetaSploit: Microsoft OWC Spreadsheet HTMLURL Buffer Overflow
MetaSploit: Microsoft OWC Spreadsheet msDataSourceObject Memory
Corruption

CVE-2009-1869 Flash10
Target: Flash < 10.0.32.18
Date: 2009-07
http://osvdb.org/show/osvdb/56777
http://www.securityfocus.com/bid/35907

CVE-2009-2477 FF Font Tags
Target: Firefox 3.5.0
Date: 2009-07
http://osvdb.org/show/osvdb/55846
http://www.securityfocus.com/bid/35660

CVE-2009-2990 PDF U3D
Target: Adobe PDF < 7.1.4 < 8.1.7 < 9.2
Date: 2009-10
http://www.securityfocus.com/bid/36665
http://www.osvdb.org/58920
MetaSploit: Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

CVE-2009-3867 JAVA getSoundBank
Target: Sun Java < 1.5u22 < 1.6u17
Date: 2009-11
http://osvdb.org/show/osvdb/59711
http://www.securityfocus.com/bid/36881
MetaSploit: Sun Java JRE getSoundbank file:// URI Buffer Overflow

CVE-2009-4324 PDF newPlayer
Target: Adobe PDF < 9.3
Date: 2009-12
http://www.securityfocus.com/bid/36665
http://www.osvdb.org/58920
MetaSploit: Adobe Doc.media.newPlayer Use After Free Vulnerability

CVE-2010-0188 PDF libTiff
Target: Adobe PDF < 8.2.1 < 9.3.1
Date: 2010-03
http://www.securityfocus.com/bid/38195
http://osvdb.org/62526
MetaSploit: Adobe Acrobat Bundled LibTIFF Integer Overflow

CVE-2010-0249 IE Aurora
Target: IE6,7 < MS10-002
Date: 2010-01
http://www.securityfocus.com/bid/37815
http://osvdb.org/61697
MetaSploit: Internet Explorer "Aurora" Memory Corruption

CVE-2010-0806 IEPeers
Target: IE6,7 < MS10-018
Date: 2010-03
http://www.securityfocus.com/bid/38615
http://osvdb.org/62810
MetaSploit: Internet Explorer DHTML Behaviors Use After Free

CVE-2010-1297 Flash+PDF
Target: Flash < 10.1
Date: 2010-06
http://www.securityfocus.com/bid/40586
http://www.osvdb.org/65141
MetaSploit: Adobe Flash Player "newfunction" Invalid Pointer Use

CVE-2010-2265 IE Help Center
Target: IE7, 8
Date: 2010-06
http://www.securityfocus.com/bid/40725
http://osvdb.org/show/osvdb/65529
MetaSploit: Microsoft Help Center XSS and Command Execution

Java Downloader
Target: Java
MetaSploit: Signed Applet Social Engineering Code Exec

POPULAR EXPLOIT PACKS

Most exploit packs use a similar mix of exploits. The exploit selection is updated
as new exploits come out and old exploits become obsolete. The difference is
mostly in the quality of customer service.

YES EXPLOIT SYSTEM
YES stands for "YES Exploit System". YES has been around for a couple of
years. YES is reasonably popular. YES is actively being maintained. Old
versions of YES are public.
COST: ~900$

ELEONORE
Eleonore is an exploit pack that has been around for a couple of years. The
exploits used in Eleonore are very slightly adjusted versions of public exploits.
Eleonore is pretty popular because in spite of this, it gets the job done. Eleonore
is frequently updated and comes with technical support. Old versions of Eleonore
are public.
COST: ~1200$

FRAGUS
Fragus is an exploit pack from 2009. It has leaked out to public pretty quickly.
Fragus has enjoyed popularity, because supposedly it has high quality source
code, which is easy to edit and adjust for personal use. Fragus has not been
officially updated or supported for a long time.
COST: Free

CRIMEPACK
Crimepack is a new exploit pack in 2010 that has had some bad publicity over
claims that it is not effective. The one distinguishing aspect of Crimepack is low
cost.
COST: ~400$.

PHOENIX
Phoenix is another exploit pack that has been around for a couple of years. The
Phoenix pack is expensive. Phoenix comes with technical support and is actively
being updated.
COST: ~2000$

There are a lot of other exploit packs, such as: Siberia, Nuclear, and NeoSploit.
They work pretty much the same.

Defense
STRONG PASSWORDS

Strong passwords are important to have good security on the Internet. Password
protection is one of the most common security technologies. To make password
protection effective, the following guidelines are recommended: use both letters
and numbers, use long passwords, change passwords for important resources
occasionally, don't recycle passwords, don't use dictionary words, don't use
popular passwords, don't use letter and number substitution when choosing
passwords, don't store passwords unencrypted, and manage your passwords.

Using both letters and numbers in a password makes it much harder to guess. It is
not enough to add a 0 or a 1 to the end of the password, because some password
guessing programs try to guess such combinations. It is recommended using at
least a two-digit number. It is recommended to use both lower and upper case
letters.

A long password that is not in the dictionary is usually harder to guess than a
short password. It is recommended to use a password that is at least 8 characters
long. For long passwords, a combination of words with letters thrown in is
recommended - this allows creating long and easy to remember passwords. It is a
good idea to use capital letters; one way to do it is by using multiple words and
typing one of the words in capital letters.

It is a good idea to change passwords occasionally. For someone who has a lot of
passwords, it may be impractical to change all the passwords, but changing some
important passwords sometimes is still a good idea. Important password-
protected resources often include the primary e-mail password, the web
administration password, the banking password, and the master password used to
protect secondary passwords in a program such as KeePass. When changing
passwords, it is recommended to not use passwords that you have used before.

It is recommended to not use words that are in the dictionary as passwords. It is
also not recommended to use names as passwords, such as usernames, aliases,
pet names, nicknames, first names, last names, Biblical names, fictional names,
names of places, brand-names, etc. Password guessing attacks often use lists of
dictionary words and names for guessing. Adding some digits to the end of the
word might fool some of the password-guessing programs, but this is not
recommended - some password guessing programs may compensate for that,
because adding digits to the end of a word for a password is a very common
practice. For the same reason, it is not recommended to use combinations of
names and personal dates, such as birth dates.

It is not recommended to use letter and number substitution a.k.a. 1337-speak for
choosing passwords. There is a popular practice of substituting letters with
similar looking numbers in a word to make a password, such as substituting e
with 3, l with 1, t with 7, and o with 0. For example, the word password may be
spelled as pa55w0rd. Because this practice is popular, some password guessing
programs take it into account.

It is not recommended to store passwords unencrypted. This sounds obvious but
happens very often. Many programs, such as web browsers, offer to remember
usernames, passwords, and other personal information. Bots often retrieve these
credentials and log them. Therefore it is recommended to not have a web browser
or any other application remember passwords. If passwords have to be stored, it
is recommended to encrypt them, by using a program such as KeePass.

For someone who has a lot of passwords, it is recommended to use some
password management practices. There is a small chapter on password
management techniques in this book, but it can be summed up as storing
secondary passwords in a program such as KeePass. Secondary passwords are
passwords that are not used very often and passwords for resources that are not
very important, such as online shopping or video game accounts.
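
The guidelines above can be turned into a checker. The following is an added example, not code from the book: it implements the length, letters-and-numbers, two-digit-number, upper/lower-case, dictionary-word and 1337-speak rules against a small constructed word list (a real checker would load a full dictionary and name list instead).

```python
"""Check a candidate password against the guidelines in this chapter.

Added example, not part of the original book. The word list is a constructed
stand-in for the dictionary and name lists that password-guessing programs use.
"""
import re

# Constructed sample of dictionary words and names (assumption: a real checker
# would load a large word list and a name list instead).
WORDLIST = {
    "password", "secret", "welcome", "letmein", "dragon", "monkey",
    "john", "fluffy", "london", "summer",
}

# Letter/number substitutions the chapter names (e/3, l/1, t/7, o/0), plus
# s/5 and a/4, which the chapter's "pa55w0rd" example relies on.
LEET = str.maketrans({"3": "e", "1": "l", "7": "t", "0": "o", "5": "s", "4": "a"})

MIN_LENGTH = 8


def strip_trailing_digits(word):
    """'dragon1985' -> 'dragon': appended digits or dates do not hide the base word."""
    return re.sub(r"\d+$", "", word)


def unleet(word):
    """'pa55w0rd' -> 'password': undo the common 1337-speak substitutions."""
    return word.translate(LEET)


def dictionary_base(pw, wordlist):
    """Return (base_word, used_leet) if pw is a dictionary word or name, possibly
    with trailing digits and/or 1337-speak substitutions; otherwise (None, False)."""
    low = pw.lower()
    stripped = strip_trailing_digits(low)
    # Plain forms are tried first so that a plain word is not reported as 1337-speak.
    for candidate, used_leet in ((low, False), (stripped, False),
                                 (unleet(low), True), (unleet(stripped), True)):
        if candidate in wordlist:
            return candidate, used_leet
    return None, False


def check_password(pw, wordlist=WORDLIST):
    """Return a list of guideline violations; an empty list means the password
    passes every rule this checker implements."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"\d", pw) is not None
    if not (has_letter and has_digit):
        problems.append("needs both letters and numbers")
    elif re.search(r"\d{2}", pw) is None:
        # A single appended 0 or 1 is tried by guessing programs; the chapter
        # recommends at least a two-digit number.
        problems.append("use at least a two-digit number, not a single digit")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("use both lower- and upper-case letters")
    base, used_leet = dictionary_base(pw, wordlist)
    if base is not None:
        if used_leet:
            problems.append("1337-speak version of the dictionary word/name '%s'" % base)
        else:
            problems.append("based on the dictionary word/name '%s'" % base)
    return problems


if __name__ == "__main__":
    # The chapter's own bad example, a name with one digit, and a passphrase
    # built the way the chapter recommends (several words, one capitalised, a number).
    for candidate in ("pa55w0rd", "Dragon1", "greenTurtle42swims"):
        print(candidate, "->", check_password(candidate) or "OK")
```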

PATCHING

Patching means installing all the latest patches for all the installed software. Most
exploits used for hackonomic purposes are already patched, meaning that patches
are available to protect against them. On a computer that has a lot of software
installed, a lot of the time at least some of the software is unpatched. Installing
security patches is a basic protection measure.

PATCH MANAGERS

A patch manager is software that monitors what software is installed on the
computer and helps download the relevant patches. Linux often has a built-in
patch manager. Some free patch managers for Windows are available at the
following links:

Secunia PSI (free for personal use only).
http://secunia.com/products
Secunia PSI is a little slow.

Update Notifier (really free).
http://cleansofts.org/view/update-notifier.html
Update Notifier looks nice, but it's not very accurate. Update Notifier is often
way behind on the patches, so running it does not assure that the latest patches
have been installed. Even so, it is helpful in identifying the software that may
require patching.

Neither of these patch managers is perfect, but either can be a decent complement
to managing patches by hand, especially when multiple computers are involved.
Commercial patch management solutions for large networks exist.

UNINSTALLING

Uninstalling unused software improves performance and reduces the amount of
potentially exploitable software. The following methods help reduce the amount
of unused software: uninstalling unused software, disabling services, and
removing unnecessary operating system components.

Uninstalling unused software - modern operating systems include application
managers. In Windows XP, applications can be removed from "Control
Panel"/"Add or Remove Software". In Windows 7, applications can be removed
from "Control Panel"/"Programs and Features". Many new computers come with
lots of software that is not necessary, sometimes including exploitable software.
The amount of this junkware is often so large that it may be more practical to do
a clean reinstall right away. This technique applies to Linux as well, though
managing software is different on Linux and different for different Linux
distributions. When removing unnecessary software, it is recommended to use
discretion when deciding what is necessary and what isn't. It is a good idea to
decide what the computer is supposed to be used for and to remove everything
that is not necessary for that functionality.

Disabling services - system services are software that runs as a part of the
Operating System. Sometimes it is more practical to disable this software than to
remove it. On Windows, services can be disabled by running the command
"services.msc". Different Linux distributions have different ways of disabling
system services. There are many guides for disabling services on the Internet.
This is an intermediate level technique and is a good idea.

Removing unnecessary Operating System components - sometimes it may be
possible to remove OS components altogether, instead of just disabling them.
This is especially useful for functionality that is otherwise difficult to control or
disable. The purpose for doing this is to improve performance and reduce the
amount of potentially exploitable software. The downside is that if this is not
done correctly, something will not work and it might take a while to figure that
out. The process of removing Windows components often means making a
custom Windows CD and using it do a clean reinstall. It is recommended to test
the CD in a virtual machine first to make sure it works ok. A custom Windows
CD that has some components removed can be made using nLite or vLite
software, which is available for free on the Internet. There are many guides on
using nLite and vLite on-line. Removing Linux components is different for
different distributions. Some Linux distributions offer to do a "minimal" install
and then the user can add only the things he/she wants. Removing OS
components is an advanced technique and usually requires practice before it can
be done correctly.

SEPARATE BROWSERS

One security technique is to use multiple browsers for different tasks. This
technique works because browsers and browser plug-ins are usually the software
that is targeted by the exploit packs. Having multiple browsers allows
configuring each one with different security settings.

It is recommended to install several web browsers and to disable all plug-ins in
one of them. It is recommended to use that browser for most regular web activity.
It is recommended to have another browser on hand with plug-ins enabled. The
browser with the plug-ins enabled can then be considered the less secure
browser. When a trusted web site requires plug-ins to be viewed correctly, it may
be viewed with the less secure browser.

The multiple browsers technique has some additional benefits. Different web
sites are best viewed with different browsers. Having multiple browsers on hand
allows viewing the web site with whatever browser displays it best. Some
browsers are faster than others. It may be possible to configure the fastest
browser as the most secure and use it for most browsing activity.

VIRTUAL MACHINES

Virtual machines have many applications, including security. In terms of
security, virtual machines are usually used for testing untrusted software.

A virtual machine is software that allows running another Operating System as a
program. There are multiple free virtualization packages available on the
Internet, such as VirtualBox, VMWare, and VirtualPC. A guest Operating
System is an operating system running within virtualization software.

These basic steps lead to being able to use a virtual machine:

1. Download and install virtualization software.
2. Create a virtual machine using the virtualization software.
3. Install an Operating System in a virtual machine.
4. Run and configure the guest Operating System.
5. Use the configured guest Operating System.

The exact instructions are different for different virtualization software packages.
Virtualization is very popular, so there are many detailed guides available on the
Internet.

The benefit of using a virtual machine is for testing or running untrusted
software. In the event that untrusted software includes malware, such as a bot,
only the guest operating system is compromised. Virtual machines can also be
used for browsing untrusted web pages and opening suspicious files.

It is a good idea to make a backup of the virtual machine once it is configured, so
that it can be restored easily in the event of being compromised. Making a
backup of a virtual machine usually means simply making a copy of the virtual
machine’s disk file.

Virtual machines are an advanced technique.

REINSTALLING

A clean reinstall means installing an operating system on a clean partition, a
partition that does not have an older version of the same operating system on it.
A clean install is often accomplished by formatting the drive and then installing
an operating system. A clean reinstall might sound extreme to someone who does
not manage his or her files in a way that accommodates rapid recovery. Someone
that does not back up their data and stores everything on one large system disk
together with the operating system might not like the idea of a clean reinstall.
Data management techniques described in the advanced section of this book are
recommended to make clean reinstalls more practical.

Many computers have a large system drive where programs, data and the
operating system are all mixed together. Doing a clean reinstall on such
computers is often impractical - that is why a clean reinstall is a technique of its
own, even though it is very simple. The ability to do a clean reinstall without
losing valuable data is a desired quality in terms of security.

In the event of penetration, especially by some dangerous hackware, a clean
reinstall may be the fastest and most practical way to deal with it, if such a
capability exists.

SEPARATE OPERATING SYSTEM

A separate Operating System is an additional Operating System installed on the
computer(s). It is good for things like getting information from the main
Operating System in the event of a compromise or serious system failure. An
advanced user may be able to remove malware manually by using a separate
Operating System. A separate OS is also good to get some work done quickly in
the event that the main OS becomes unusable or untrusted.

AWARENESS AND INSPIRATION

Awareness and intelligence go hand in hand.

Advanced security techniques require intelligence and awareness. These two
qualities are more important than the techniques themselves. The techniques here
are the solutions that some people have come up with and have used successfully
- they are described here to inspire more sophisticated solutions.

PASSWORD MANAGEMENT

Password management is an important security practice. Everyone that has
passwords manages them to some degree, but there are some techniques to make
this process more efficient and secure.

It is helpful to use a password management program, such as KeePass, when
managing multiple passwords. KeePass stores passwords in an encrypted archive
protected by a master password. It may be a good idea to keep the most important
passwords in memory only, but various secondary passwords may be better
stored in KeePass, because then only the master password has to be remembered.
KeePass also has a strong random password generator and is overall very nice
and free software. It is recommended to use a stronger than average master
password, which is different from all the other passwords. One way to make
strong and easy to remember passwords is to use phrases and add numbers to
them. It is also a good idea to throw in some capital letters in there, by writing
one of the words in the phrase in capital letters for example.

It is often a good idea to change passwords. This is standard practice in many
companies. The typical time for changing all passwords is usually something like
90 to 180 days. For most Internet users, changing all passwords with this
frequency is probably too much of a hassle and offers dubious benefits. Still, it
may be worth considering changing some of the passwords sometimes.

DATA MANAGEMENT

Managing data with security in mind makes several security-related tasks simpler
to implement. Some data management techniques include using multiple
partitions, using multiple hard drives, and destroying hard drives.

Using separate partitions means using at least two partitions, one for the
operating system and one for the data. This is helpful in the event that something
happens to the operating system, such as a bot infection, and the Operating
System has to be reinstalled. In that case, all the data from the OS partition can
be erased without damaging the data. This technique also makes backing up
simpler, because the entire data partition can be backed up by copying to another
hard drive. While in theory there may not seem much difference in that respect
between using multiple partitions and having all the files on the system drive, in
practice the difference is dramatic, because the files end up organized so much
better, though of course this depends on the user to some extent. Finally,
separating the operating system and the data allows encrypting either the data or
the operating system partition. Sometimes it may be desirable to encrypt just the
operating system, for example when it includes saved passwords, browser
history, and other sensitive settings. Other times it may be desirable to encrypt
just the data, for example when sensitive data is stored, but not much sensitive
information is saved by the operating system. Another advantage is that
defragmenting a smaller system drive is faster. Imaging a smaller system drive is
a lot more practical than imaging a large system drive where the operating
system and the data are mixed. In short, using separate partitions to manage files
opens up the possibilities for multiple techniques that might be impractical
otherwise; therefore it is a good practice.

Using separate hard drives means using multiple hard drives to keep backups of
the data, multiple Operating Systems, and OS images. An image is a snapshot of
a drive that allows restoring it exactly the way it was. The benefit of having
multiple hard drives is that if one hard drive is physically damaged, it can be
replaced quickly. Another advantage is that different Operating Systems may be
desirable at different times and multiple hard drives allow quickly switching
between Operating Systems without the need to reinstall. Another advantage is
that a hard drive can be transported to another location for sharing information
and this is often more convenient than transporting a whole computer.

The benefits of using multiple hard drives really shine when the time comes to
destroy a hard drive. Destroying hard drives physically is a common industry
practice, because it is generally considered that erasing files from the hard drive
might not actually remove them - that is deleted files may be recoverable. To
make sure that sensitive information is really erased, hard drives are often
destroyed. Some companies do this as often as every two years or whenever hard
drives are upgraded for capacity. Having multiple Operating Systems and
multiple data backups is very helpful when the time comes to physically destroy
a hard drive.

Having multiple hard drives with multiple Operating Systems does not mean that
these Operating Systems have to be installed from scratch on each hard drive. It
is a good idea to configure one OS perfectly and while it is still fresh to image it.
Then this image can be rolled out on the other hard drives to be available when
needed, while no sensitive information will be available on these cloned disks.
Using separate data and OS partitions makes imaging a lot more practical.
Therefore, these data management principles are all tied together to create
guidelines for having the ability to rapidly recover from data loss and to protect
sensitive information with encryption or with the ability to physically destroy the
hard drives.

STARTUP MANAGERS

Startup managers are software that assists with managing startup entries. Modern
Operating Systems usually have multiple ways of running programs
automatically. Usually, these are lists of programs to run when the computer is
turned on or restarted. Each program that the Operating System will execute
automatically has its own entry in the startup lists. Removing startup entries
means cleaning these lists to make fewer programs run automatically. Removing
startup entries may prevent hackware, such as bots, from running automatically,
effectively disabling it. The presence of unknown software in the startup lists
may indicate the presence of hackware.

There are several good startup managers for Windows, such as:

http://www.nirsoft.net/utils/what_run_in_startup.html
WhatInStartup from NirSoft: an easy to use startup manager with basic
functionality. This functionality is enough for most usage.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Autoruns from Sysinternals: an advanced startup manager that lists every
autostart location it knows about, far more than the Run keys. It is very
thorough. The key to using it is understanding that most of what it displays
is legitimate; its options to hide Microsoft entries and to verify code
signatures shrink the list to the entries worth examining.

http://www.online-solutions.ru/en/products/osam-autorun-manager.html
OSAM Autorun Manager: an advanced startup manager that checks detected software
against an on-line database. The on-line database is promising, but not
actually that useful. Even so, this is a very nice startup manager and is
highly recommended.

Any of these can be used to remove recent versions of the Zeus bot. Zeus starts
itself from a value under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run whose name
looks like a GUID in braces, for example
{12341234123-1234-1234-3211-1234123412}. The characters are random hexadecimal
digits and differ from infection to infection. Deleting this value will prevent
Zeus from running automatically at the next logon. It is important to make sure
that Zeus is not running while this is done, because the running bot re-creates
the entry; software such as "Process Hacker" can be used to find and terminate
the Zeus process first. Removing the startup entry does not delete the bot's
executable from disk, so the file the entry points to should be removed as
well. If Zeus is detected, it is a good idea to change recently used passwords
and financial information after Zeus has been removed, since capturing them is
what the bot is for.

Using startup managers effectively requires some understanding of how they
work. The way startup lists are implemented is different on different Operating
Systems. On Windows, there are startup shortcuts, registry keys, and various
exotic methods.

Startup shortcuts are shortcuts in the "Start Menu"/"Programs"/"StartUp" folder.
There is one such folder for each user and one for All Users; shortcuts in them
are executed when the user logs on. Startup shortcuts are a newbie technique
and malware does not usually use them. What the StartUp folder usually contains
are various "speed loaders", and all of their shortcuts can be safely removed.
The purpose of a speed loader is to pre-load a program so that when a user runs
it, it appears to load faster. Speed loaders take up memory and adversely affect
the performance of all other running software, so it is recommended to remove
their shortcuts from the StartUp folder.

The most common way for software to run automatically on startup in Windows
is via registry keys. The most commonly used registry keys are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

There are also RunOnce keys, which work almost the same. The major difference
is that Windows deletes a RunOnce entry before running it. To keep using these
keys, hackware has to add itself back to a RunOnce key every time it runs.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

There are also the Group Policy versions of Run. These exist on all modern
Windows versions (they back the "Run these programs at user logon" policy), not
only Windows 7, but simple startup managers often overlook them:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

And on 64-bit Windows, there are also these, which is where a 32-bit program
writing to the normal HKEY_LOCAL_MACHINE Run key is silently redirected:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

Additionally, there are various exotic locations in the registry that are
poorly documented but result in software added there being run automatically:
the Winlogon Userinit and Shell values, services and drivers, scheduled tasks,
browser helper objects, AppInit_DLLs and the like. It is not necessary to
remember all of them. These are the strange looking things that are displayed
by the advanced startup managers. Fortunately, the exotic locations are
relatively rarely used by hackware.

Because there are so many places for hackware to run itself on startup in
Windows, using a startup manager is recommended.
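Because the Run, RunOnce, Policies and Wow6432Node keys above are all plain
registry keys, they can be reviewed from a text dump as well as in a startup
manager. The following script is an added example; it is not from this book and
not from any of the startup managers named above. It parses the output of
Windows' `reg export` for those keys and flags a value name that looks like a
brace-enclosed GUID, the shape the text gives for the Zeus entry, as well as a
command that runs from a user-writable profile directory, which is a general
heuristic added here and not a statement about Zeus. The registry dump in the
block is constructed for the example; on a real machine, export each key with
`reg export <key> <file>` and pass the file as the first argument (reg writes a
UTF-16 file, which is what the script expects).

```python
"""Triage Windows autostart registry entries from a `reg export` text dump.

Added example, not code from the book or from any startup manager it names.
Usage: python startup_triage.py run.reg   (no argument: runs on SAMPLE_REG)
"""
import re
import sys

# The autostart keys discussed in the text (registry paths are case-insensitive,
# so everything is compared lower-cased).
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
)}

# A value name shaped like a brace-enclosed GUID: the pattern the text gives
# for the Zeus bot's Run entry.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Heuristic added here (not from the book): autostart programs that live in a
# user-writable profile or temp directory deserve a second look.
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp|Downloads)\\", re.IGNORECASE)
# One value line of a .reg file:  "name"=data
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for every named value in a .reg dump.

    REG_SZ data is returned unescaped; other types (hex(2): ...) are returned raw.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line) if key else None
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, name, data


def triage(text):
    """Return one finding per entry in an autostart key, flagging suspicious ones."""
    findings = []
    for key, name, command in parse_reg(text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        reasons = []
        if GUID_NAME.match(name):
            reasons.append("GUID-style value name (the Zeus pattern)")
        if USER_WRITABLE.search(command):
            reasons.append("runs from a user-writable directory")
        findings.append({"key": key, "name": name, "command": command,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample of what `reg export` produces for two of the keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Steam"="\"C:\\Program Files (x86)\\Steam\\Steam.exe\" -silent"
"{B1F5D3B2-8A4C-4E0D-9F6A-2D7C3E1A9B45}"="\"C:\\Users\\bob\\AppData\\Roaming\\Ivaq\\ypok.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:  # reg export writes UTF-16
            text = fh.read()
    else:
        text = SAMPLE_REG
    for f in triage(text):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{tag:10} {f['name']}\n    {f['command']}\n    {'; '.join(f['reasons']) or f['key']}")
```

A flagged entry is a lead, not a verdict: confirm the file it points to (check
its signature and who created it) before deleting the value, and terminate the
process first, as the Zeus discussion above explains, or the entry comes back.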

ENCRYPTION

Encryption is a very common security technique. There are some applications of
encryption that have proven useful. Some software that has proven useful is:
TrueCrypt, 7-Zip, WinRAR, and PGP.

TrueCrypt is software that allows encrypting hard drives or making virtual
encrypted hard drive images. Encrypting hard drives is pretty straightforward.
One thing to note is that this is really more extreme than most people need.
What happens with a fully encrypted hard drive in the event of an investigation
is that the investigators cannot usually access data on it if the passphrase is
strong and the machine was powered off (a running or sleeping machine keeps the
key in memory, where it can be read out). In some countries, like the UK, a
person who does not give up the passphrase during an investigation may be
charged with an additional crime. For this situation, TrueCrypt has the "hidden
volume" feature. A hidden volume is a second volume stored inside the free
space of an outer volume; the free space of a TrueCrypt volume is filled with
random data, so the hidden volume cannot be told apart from unused space
without its passphrase. The outer volume opens with one passphrase and shows
some sensitive but not critical material, and the hidden volume opens with the
other passphrase and holds the critical material. For more information about
how this works and how to actually do this, please refer to the TrueCrypt
documentation. Anyone who is so serious that they want to encrypt their whole
hard drive should consider this functionality. Creating a virtual encrypted
drive is what TrueCrypt is most often used for; this may sound complicated but
it is very simple. A virtual encrypted drive is a file that TrueCrypt can open
and present to the operating system as a drive; the file is encrypted and
stores other files, and these other files are the data that the user wants to
protect. TrueCrypt is software that anyone who wants to encrypt data should
consider. (TrueCrypt development ended in 2014; VeraCrypt is the maintained
fork and keeps the same features, including hidden volumes.)

For exchanging or storing encrypted files, software called 7-Zip is good. One
way to exchange encrypted files is by uploading them to a free file-sharing web
site and exchanging the password using a different mode of communication,
ideally one that is anonymous and secure, such as an encrypted chat. Storing an
encrypted file is pretty straightforward, so long as the password is
remembered. To assist with this, the password may be stored in KeePass, but
this is not recommended for critical files. See the chapter on password
management for more information about KeePass and managing encryption
passwords; they can be managed in very similar ways to login passwords. Using
7-Zip to encrypt files is easy: put the files in a folder, right-click the
folder, and select "7-Zip"/"Add to Archive". Choose the 7z archive format, the
AES-256 encryption method, and check "Encrypt file names". The last option
matters: without it the archive headers stay in the clear, so anyone can list
the file names and sizes inside, and only the 7z format supports it (the zip
format that 7-Zip can also produce cannot encrypt its headers). 7-Zip is free
and high quality software.

WinRAR is commercial, but popular, software that works very similarly to 7-Zip,
except it produces .rar files instead of .7z files, and the RAR format current
at the time of writing (RAR 3/4) uses AES with a 128-bit key rather than
AES-256 (AES-256 arrived with the RAR5 format in WinRAR 5.0). Whether there are
any advantages to using WinRAR is not clear, but it is popular and therefore
worth mentioning.

TrueCrypt, KeePass and 7-Zip use the AES cipher with a 256-bit key, written
AES-256 (WinRAR's RAR 3/4 format uses AES-128; AES-256 came with RAR5). AES
stands for Advanced Encryption Standard, and AES-256 is the current U.S.
government and industry standard. Some people believe that there is a backdoor
in AES. AES was not developed by the U.S. Government or the Intelligence
Community; it is the Rijndael cipher, designed by two Belgian cryptographers
(Joan Daemen and Vincent Rijmen) and chosen in an open contest run by NIST
from 1997 to 2000. Several cryptography researchers submitted encryption
algorithms to this contest to be chosen as the standard for the U.S.
Government, and the submissions were publicly analysed by the people most
critical of the possibility of a backdoor and best qualified to detect one:
the competing contestants, whose own designs were rejected. Make your own
decisions on how trustworthy the AES encryption algorithm is, but do it based
on facts, not fears.

There is an alternative encryption cipher called "Blowfish". Blowfish was
designed by Bruce Schneier to be patent-free and restriction-free for anyone
to use. Some might consider this fact suspicious in itself. The fact is that
Blowfish was not chosen out of a contest, but it has been extensively
peer-reviewed, and its successor Twofish was a finalist in the AES contest.
(Blowfish has a 64-bit block size, which limits how much data should be
encrypted under one key; Twofish and AES use 128-bit blocks.) Old TrueCrypt
versions offered Blowfish; TrueCrypt 5.0 dropped it, together with CAST5 and
Triple DES, for new volumes, and current versions offer AES, Serpent and
Twofish, which can also be chained so that the data is encrypted with two or
three of them at the same time. Again, make your own decisions regarding the
security of Blowfish based on facts and, if this is really important to you,
look into some more facts on the matter.

A completely different type of encryption is PGP. One common application of
PGP is encrypting e-mail messages. PGP does not have just one key that both
locks and opens the data; it uses a pair of keys. The public key is used to
encrypt the data and the private key is used to open it. A person can send the
public key to someone else, who can then use it to encrypt a message and send
it back, and the first person reads the message with the private key, which
never leaves their machine. (Internally PGP encrypts the message with a random
one-time key for a cipher such as AES and uses the public key only to wrap that
one-time key, but the user does not see this.) One thing to beware of is that
sending encrypted e-mail messages may in itself be a give-away and may draw
unnecessary attention: PGP encrypts only the body, while the sender, recipient,
subject line and timestamps stay in the clear on every mail server along the
way. E-mail is simply not good for sending secret information. It is a good
idea to use something other than e-mail for sending encrypted information, and
there are many other methods. One method that is better than e-mail is
encrypted chat. One way to do encrypted chat is to run your own chat server and
to connect to it via VPN. PGP is a noteworthy mention, but there are caveats
when using it. Many articles on-line recommend using PGP to send private e-mail
messages and PGP has been used for a long time, but using e-mail for sending
secret messages is not recommended at all.

Passphrase strength is important for making encryption effective. The software
above derives the actual encryption key from the passphrase the user types, so
a weak passphrase makes a strong cipher pointless. It is recommended to use
passphrases that are at least 16 characters long and that mix lower-case
letters, capital letters and numbers. Encryption passphrases should generally
be stronger than login passwords, though strong passwords are good too, if they
can be remembered. One way to make a strong passphrase that is easy to
remember is to use a phrase and to add a number to it. The number does not have
to be at the end. It is also a good idea to use capital letters, for example by
typing one of the words in the phrase in capital letters. It may also be a good
idea to misspell some of the words in the phrase, if this can be remembered. Of
course, caution has to be used to not choose an obvious or easy to guess phrase
when using this method: attackers try lists of well-known quotations, song
titles and sayings, with the usual number and capitalisation tweaks, before
they try anything at random, so length alone does not save a famous phrase.
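To put the guidelines above into numbers, the following script is an added
example, not from the book. It checks a passphrase against the rules just
listed, estimates the work an attacker faces under two models (blind brute
force over the character set, versus guessing word sequences from a dictionary
plus the usual number and capitalisation tweaks), and converts that into time
under the 7-Zip key derivation, which repeats SHA-256 2^19 times per guess. The
short list of well-known phrases, the 20,000-word vocabulary, the 1,024 tweaks
per phrase and the hash rate of 2 billion SHA-256 per second are assumptions
made for the example, and the key derivation function is my reading of the 7z
format (UTF-16LE password and an 8-byte counter fed into one running SHA-256),
not something the book states; check it against a real archive before relying
on it.

```python
"""Passphrase check and attacker-cost estimate for the guidelines in the text.

Added example, not from the book. The phrase list, vocabulary size, tweak count
and hash rate below are assumptions chosen for illustration.
"""
import hashlib
import math
import re

# Constructed stand-in for the quotation/saying lists attackers try first.
COMMON_PHRASES = ["to be or not to be", "may the force be with you", "i love you"]
_COMMON_KEYS = {re.sub(r"[^a-z]", "", p) for p in COMMON_PHRASES}

VOCABULARY = 20000         # assumed size of an attacker's word list
VARIANTS = 2 ** 10         # assumed number/capital/misspelling tweaks per phrase
SHA256_PER_SECOND = 2e9    # assumed attacker hash rate (GPU rig)
SEVENZIP_CYCLES = 2 ** 19  # SHA-256 invocations per guess under 7-Zip's default KDF


def check_guidelines(pw):
    """Map each guideline from the text to whether the passphrase meets it."""
    return {
        "at least 16 characters": len(pw) >= 16,
        "contains lower-case letters": bool(re.search(r"[a-z]", pw)),
        "contains capital letters": bool(re.search(r"[A-Z]", pw)),
        "contains numbers": bool(re.search(r"[0-9]", pw)),
        # Compare letters only, so adding a number or capitals to a famous
        # quotation does not make it pass.
        "not a well-known phrase": re.sub(r"[^a-z]", "", pw.lower()) not in _COMMON_KEYS,
    }


def character_pool(pw):
    """Size of the alphabet a blind brute-force attacker must cover."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return pool


def guess_bits(pw, vocabulary=VOCABULARY, variants=VARIANTS):
    """Work in bits under two attacker models.

    brute_force_bits: every string over the character pool, up to this length.
    phrase_attack_bits: word sequences from a dictionary plus tweak variants;
    only computed when the passphrase is made of whole words and numbers.
    """
    brute = len(pw) * math.log2(max(character_pool(pw), 1))
    tokens = pw.split()
    phrase = None
    if len(tokens) > 1 and all(t.isalpha() or t.isdigit() for t in tokens):
        n_words = sum(t.isalpha() for t in tokens)
        phrase = n_words * math.log2(vocabulary) + math.log2(variants)
    return {"brute_force_bits": brute, "phrase_attack_bits": phrase}


def years_to_crack(bits, hashes_per_second=SHA256_PER_SECOND, kdf_cycles=SEVENZIP_CYCLES):
    """Expected years to search half of a 2**bits space, one KDF run per guess."""
    guesses_per_second = hashes_per_second / kdf_cycles
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def sevenzip_key(password, cycles_power=19, salt=b""):
    """AES-256 key from a passphrase as the 7z format derives it (my reading of
    the format: one SHA-256 over salt + UTF-16LE password + 8-byte little-endian
    counter, repeated 2**cycles_power times; 7-Zip's default cycles_power is 19).
    The loop is the whole point: every guess costs the attacker 2**19 hashes."""
    pw = password.encode("utf-16-le")
    h = hashlib.sha256()
    for counter in range(1 << cycles_power):
        h.update(salt + pw + counter.to_bytes(8, "little"))
    return h.digest()


if __name__ == "__main__":
    for pw in ("To Be Or Not To Be 2010", "my Cat climbs 3 fences daily"):
        print(repr(pw), check_guidelines(pw))
        for model, b in guess_bits(pw).items():
            if b is not None:
                print(f"  {model}: {b:.0f} bits, about {years_to_crack(b):.3g} years")
```

The two models disagree on purpose. "my Cat climbs 3 fences daily" is 184 bits
to a brute-force attacker but only about 81 bits to one who guesses five
dictionary words plus tweaks, and 81 bits is what its strength really is. The
phrase model assumes the words were chosen independently, which is why a famous
quotation still needs the explicit list in check_guidelines: it is one entry in
an attacker's list, not six independent words, however long it is.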

In practice, anyone who is serious about breaking encryption has two likely
options: guessing the passphrase and interrogation. In some countries, not
giving up the passphrase during interrogation may result in additional criminal
charges (in the UK this is Part III of the Regulation of Investigatory Powers
Act 2000). These considerations are just as important as the technical ones.
Strong passphrases can make passphrase guessing ineffective. One of the best
technological ways to negotiate interrogation is a TrueCrypt hidden volume:
there is no way to prove from the volume itself that a hidden volume exists
without knowing its passphrase, because its space is indistinguishable from
the random data that fills unused space. The caveat is that the rest of the
system must not betray it. Operating system and application traces, such as
recent document lists, thumbnail caches or search indexes that mention files
only present in the hidden volume, are the usual way hidden volumes are
discovered, and TrueCrypt's own documentation lists these risks.

Encryption can be a useful tool for information security.

IMAGING

Imaging is a very helpful technology from the perspective of security. Imaging
means making a file that allows making an exact copy of the information on a
hard drive. This file is called an image. Imaging is useful for making copies of
an installed and configured Operating System when you have it set up just the
way you want it. The security application of imaging is being able to restore
the OS to a clean and trusted state in the event of a compromise. A compromise
is when there is reasonable belief that security has been breached. Suspicion
of penetration may be sufficient to justify re-imaging the operating system;
re-imaging is cheap compared to the cost of being wrong about a clean-up.

An additional benefit of imaging is that imaging can be used to deploy a
configured OS on multiple computers quickly. For Windows Operating Systems,
the hardware usually has to be very similar or identical for this to work.
Imaging also works as a backup, though it is often better to copy files instead
of imaging when backing up data. That said, imaging is a great way to back up
installed programs, especially if there are licenses and serial numbers
involved. If an image is made of an optimized OS, restoring to this image may
also improve performance, if the OS has subsequently become sluggish.

The real benefit of imaging in terms of security is that it provides a high
degree of assurance that the system is clean. An anti-virus may or may not
remove hackware completely, but restoring an image definitely removes hackware
that lives on the disk, which is nearly all of it. For this to work, the image
must not include any hackware, so it is a good idea to install and configure
the operating system offline and image it before connecting to the Internet.
Two caveats: the image holds the patch level of the day it was made, so a
restored system must be patched before it is exposed again, and restoring the
OS does not undo the event that let the hackware in, so copying back a data
backup that contains the original dropper, or reusing the passwords that were
on the infected machine, reinfects it. Assurance is a term that means a degree
of certainty. When a technological measure provides assurance of security, it
means this measure provides a logical reason to believe that security is
improved.

VPN

VPN stands for "Virtual Private Networking". A VPN is an encrypted tunnel
between a workstation and a VPN server. To the client, the VPN works like an
Internet connection. To other computers on the Internet, all the network
activity that goes through the VPN appears to come from the VPN server, and
the workstation's own ISP sees only encrypted traffic to the VPN server. The
encryption covers only the tunnel: the VPN server decrypts everything and sees
the traffic exactly as the ISP otherwise would. If the VPN server does not keep
access logs, it is difficult to identify where the connection came from. When
using a paid VPN service, the list of customers can narrow down the
possibilities. In practice, that list of customers is not easy to come by.
Besides paying for a VPN service, it is possible to run your own VPN.

Buying a VPN service is pretty easy and straightforward. It is important that
the VPN server does not keep access logs. Whether or not this is actually the
case largely depends on the trustworthiness of the VPN service provider; there
is no way to verify a "no logs" claim from the outside. It may be more secure
to set up your own VPN. Paying for a VPN might reduce privacy somewhat. To
improve the privacy of paying for a VPN, anonymous on-line currencies, such as
Liberty Reserve or WebMoney, can be used (Liberty Reserve was shut down by U.S.
authorities in 2013, which illustrates the risk of relying on any such
service). It may be possible to use pre-paid money cards, which are available
in some convenience stores and super-markets. Pre-paid money cards have no
associated name information and may be purchased with cash.

Running your own VPN is not difficult. One option is to purchase a Linux shell
account and to install VPN software on it. A Linux shell account is often
included in a web-hosting package. Another option is to install VPN software on
a remote Windows computer. These are advanced techniques, so figuring out the
exact instructions is up to an interested person with access to a web search
engine. The exact steps are different for different platforms, so spelling them
out goes beyond the scope of this book. The advantage of running your own VPN
is that you can then know for sure that the VPN software itself does not keep
access logs; the hosting provider's own connection logs and billing records
still exist. It may be possible for someone to trace this VPN server back by
looking at who has a VPN server installed on their shell account, because there
may not be many people who are doing this. For this to be possible, cooperation
of the shell service provider is required, which a legal request can obtain, so
it is a good idea to remove the VPN server when it is no longer being used.
