
Leaderboard

Popular Content

Showing content with the highest reputation on 01/25/13 in all areas

  1. First of all, the program name "coailii" has nothing to do with Tex's post; nothing else simply came to mind. It's not a troll! It is a "process manager" that I use to get rid of Desktop Locks on RDPs, written in .NET 2.0. Video/Demo: How I handle new RDPs before I connect to them: 1) I make sure that in mstsc.exe under "Local Resources" > "More" I have the KODAK (H:) partition checked. 2) I make sure that in mstsc.exe under "Programs" I have the option "Start the following program on connection:" checked, that the first box contains "\\tsclient\H\coailii.exe" and the second box "\\tsclient\H\". H is my partition; for you it may be J/K/L/D/E etc. I don't recommend using system partitions such as C:\ or D:\, because running "coailii.exe" will take longer; I use a 2GB memory card. The original project I started for this is called "RST Anti Desktop Locker", but I haven't finished it yet because I only have 5 Desktop Locker-type programs. The program runs on its own immediately after start and does kill/registry remove, show desktop, show taskbar, etc. by itself. If you have desktop locker versions, please leave a download link in the comments so I can finish and publish the program. Thanks. Download: https://www.dropbox.com/s/zukbjfur0nv2q7n/coailii.exe
    1 point
  2. Nate Anderson at Ars Technica has a good story about how investigators tracked down “Virus,” the nickname allegedly used by a Romanian man accused by the U.S. Justice Department of running the Web hosting operations for a group that created and marketed the Gozi banking Trojan. Turns out, I’ve been sitting on some fascinating details about this hosting provider for many months without fully realizing what I had. On Wednesday, federal prosecutors unveiled criminal charges against three men who allegedly created and distributed Gozi. Among them was Mihai Ionut Paunescu, a 28-year-old Romanian national accused of providing the gang “bulletproof hosting” services. Bulletproof hosting is an Underweb term for a hosting provider that will host virtually any content, from phishing and carding sites to botnet command centers and browser exploit kits. After I read the Ars story, I took a closer look at the Paunescu complaint (PDF), and several details immediately caught my eye. For one thing, the feds say Paunescu was an administrator of powerhost.ro (virus@powerhost.ro). In December 2011, a source shared with KrebsOnSecurity several massive database dumps from that server, which had apparently been hacked. Included in that archive was a screenshot of the administration panel for the powerhost.ro server. It visually depicts many of the details described in the government’s indictment and complaint against Paunescu, such as how the BP provider was home to more than 130 servers, and that it charged exorbitant prices — sometimes more than 1,000 euros per month for a single server. The above screenshot (which is a snippet taken from this full-screen version) shows that this server was used for projects that were “50%SBL,” meaning that about half of the properties on it were listed on the Spamhaus Block List (SBL), which flags Web sites that participate in malicious activity online, particularly sending or benefiting from spam and hosting malware. 
Some of the names chosen for the servers are fairly telling, such as “darkdeeds1,” “darkdeeds2,” “phreak-bots” and “phis1.” The data dump from powerhost.ro included multiple “drop” sites, where ZeuS and SpyEye botnets would deposit passwords, bank account information and other data stolen from tens of thousands of victim PCs. Paunescu is of course innocent until proven guilty. But from reading the government’s indictment of him, it’s clear that if he is the bad guy the government alleges, he was not super careful in hiding his activities. Within a few seconds of searching online for details about Internet addresses tied to powerhost.ro’s operations, I found this record, which includes his full name and lists him as the owner. Also, a simple Google search on powerhost.ro indicates that Paunescu is the rightful owner of the address space assigned to powerhost.ro. In the screenshot above, we can see several servers on powerhost.ro that were rented to miscreants who ran the TowPow pharmacy and replica affiliate program. TowPow advertised itself as a bulletproof hosting provider that was “Made by Spammers, for Spammers,” and would accept any type of traffic. “TowPow is not like any other affiliate system. Tow Pow offers not only quality landing pages, but they also offer FREE bullet proof domains and hosting for your spamming needs,” read one advertisement for the affiliate program posted to an underground forum in March 2010. “You will not have to worry about any complaints or having the heat come back to you, Tow Pow will handle it all.” Stefan Savage, a professor at University of California, San Diego’s Department of Computer Science and Engineering, said TowPow affiliates were a huge source of junk email, much of which was delivered through the now-defunct Grum botnet. “They basically owned the U.S. spam-advertised replica market, and they seem to dominate the herbal market as well,” Savage said.
Among the files leaked from powerhost.ro was the entire affiliate database for TowPow. It’s not clear who ran TowPow, or if “Virus” was somehow involved in the day to day operations beyond providing hosting for it, but the TowPow SQL database (saved as “blue4rep90_felon.sql”) includes a “tickets” section where users could submit help requests, place orders for hosting, or pass special instructions for wiring funds. For example, in the following message, an affiliate pings the program administrators and asks for new hosting to be set up to handle ZeuS botnets. To wit: (72, 61, '', 'Hi!\r\nI need BP link for Zeus site!\r\nThanks', '', 'Web', '80.232.219.254', '2011-07-18 16:59:42', NULL) This user, “Daniel Mihai,” shows up throughout the database: (58, 49, '', 'wire info:\r\niban: RO23INGB0000999901772881\r\naccount holder: Dan Mihai Daniel\r\nswift code:INGROBU\r\nbank name; ING Office Targoviste Independentei\r\nbank address:Bd.Independentei nr.3A, bl.T1, targoviste/dambovita\r\n\r\nplease tax me the 80$ wire fee', '', 'Web', '82.137.10.254', '2011-05-13 00:37:58', NULL), Some of the top TowPow affiliates earned thousands of dollars a week advertising the program’s herbal and replica sites via spam: UCSD’s Savage said the TowPow database indicates that many of its affiliates were referred from ZedCash, another affiliate marketing program strongly associated with replica and herbal pharmacy spam. In fact, the top referrer used the nickname “TowPow” and password “ZedCash.” According to Spam Trackers, ZedCash is run by a hacker who uses the nickname “Ucraineanu.” Interestingly, this nickname shows up as “Ucraina2” in the powerhost.ro screenshot above next to one of the servers that TowPow rented for USD $400 per month. Savage notes that the TowPow database shows which members ran the program, and that at the top of the list is a member who used the email address “ukrainaeu@yahoo.com”.
INSERT INTO `requestaffiliate` (`raid`, `raemail`, `referrer`, `radate`, `rastatus`) VALUES (159, 'ukraineanu@yahoo.com', '279', '2010-05-25', 1), (160, 'cergatus@yahoo.com', '1050', '2011-01-15', 1), (161, 'techoweb@gmail.com', '1050', '2011-01-15', 0), (162, 'techoweb@googlemail.com', '1050', '2011-01-15', 0), (163, 'filelv2011@yahoo.com', '1092', '2011-05-30', 1), (164, 'rodobone@yahoo.com', '1111', '2011-10-30', 1); Source: Inside the Gozi Bulletproof Hosting Facility — Krebs on Security
    1 point
  3. Being an online criminal isn't always easy. For one thing, there's all that tedious administrative overhead of deploying command and control servers, finding proxies to mask them, and shifting IP addresses to stay off of private security blacklists. Today's savvy cyber criminal, therefore, often outsources the work to so-called "bulletproof" hosting operations, which rent servers to criminals and take care of all the dirty details needed to keep them online. That was the approach taken by the Russian creator of malware known as Gozi—malicious password-stealing software which the US government today called "one of the most financially destructive computer viruses in history"—to store his stolen data. But as the malware man found out, bulletproof hosts can be taken down with enough effort. Even when they're based in Romania. Gozi was coded back in 2005 and deployed in 2007. Back then, it largely targeted Europeans. When installed on a computer, the virus waited until the user visited an online banking site and then grabbed account names and passwords—anything that might be needed for a criminal to transfer money out of the user's account. This information was then sent silently to the Gozi command and control servers, from which it was harvested on a regular basis. By 2010, the malware innovated in two important ways. First, it had gained the capability to do sophisticated Web injection. When an infected computer was pointed at a banking website, the virus wouldn't simply steal account login information; it could be configured to inject additional data requests right into the bank's webpage. This made it almost impossible to tell the requests were not being made by the bank itself. In this way, the malware could be tweaked to ask for Social Security numbers, driver's license information, a mother's maiden name, PIN codes—anything a client wanted. The second innovation? Gozi expanded to the US and started targeting specific US banks. 
The collected information was then sold to other criminals, who quickly transferred money out of the targeted bank accounts. On August 13, 2010, for instance, $8,710 went missing from a Bronx resident's account. The amounts could go much higher; in February 2012, another New York resident lost $200,000. And it got even worse. An FBI investigation, revealed today, found two Gozi-infected computers had led to combined losses of $6 million for their two owners. Total losses appear to have reached "tens of millions" of dollars. So, starting in 2010, the FBI launched an investigation. It didn't take long to find Gozi's creator, a 25-year-old Moscow resident named Nikita Kuzmin. By November 2010, Kuzmin had been arrested during a trip to the US; by May 2011 he pleaded guilty and agreed to forfeit his Gozi earnings, which might reach up to $50 million. Deniss Čalovskis, the 27-year-old Latvian man who allegedly coded the Web injects and customized them for various banks, was picked up by Latvian police in November 2012. But it was the bulletproof host behind Gozi who turned out to be the most interesting catch—and who took longest to reel in.
Injection in action: the original banking website. The altered site, now demanding much more information.
“Answer me, damn it, I'm Virus”
FBI agents collected an incredible trove of data on the Gozi conspirators. According to court documents, this data cache included wiretaps, seized servers, an interview with a Gozi distributor, and even a host of chat logs lifted from a server used by the criminals behind Gozi. Despite all that, in the end what brought down the bulletproof host was as simple as a cell phone number. With the number in hand, the FBI worked with the Romanian Police Directorate for Combating Organized Crime (DCCO), since the number was based in Bucharest.
The DCCO obtained court permission to tap the phone, then agents listened to calls, watched text messages, and intercepted Web addresses and passwords entered on the handset for three months in the spring of 2012. On April 1, 2012, the phone's user sent a text message saying (according to an FBI translation), "Answer me, damn it, I'm Virus." The next day, a male voice called the phone and addressed its users as "Virus." But who was Virus? Someone who wasn't too careful with his cell phone, for one thing. The phone was registered to a company called "KLM Internet & Gaming SRL," which was itself registered to a Bucharest man named Mihai Ionut Paunescu. The corporate registration was later changed, and investigators weren't positive who was actually using the phone until they listened in on a call in which the phone's user identified himself to the Romanian Commercial Bank as "Mihai Ionut Paunescu" and provided the correct national ID number corresponding to Paunescu. (The caller was seeking information on the proper procedure to withdraw US$20,000.) Watching the smartphone's Web browsing history confirmed this phone belonged to the bulletproof host authorities sought. Paunescu regularly visited a site called adminpanel.ro. Romanian police watched as Paunescu entered the username and password to the site. Next they obtained court permission to search it. They did the search—and provided the information to the FBI. The site was essentially a set of status tables covering 130 physical computer servers which Paunescu apparently leased from legitimate hosting operations before reselling to less legitimate cyber criminals of all stripes. Subtlety was not the order of the day here. Adminpanel.ro's data tables contained notes on what each virtual machine on each server was being used for, and these included things (in English) like "spy/malware," "semi-legal non sbl," "facebook spam 0%sbl," "illegal," and "100%SBLmalware." 
("SBL" is an apparent reference to the well-known Spamhaus Block List targeting spammers.) Keeping these 130 servers up and running for his clients apparently netted Paunescu a good deal of money. He kept meticulous records of how much he paid to lease every server and how much he received for leasing it back out. A typical entry shows that he spent "114EU" (euros) on a server that he resold for "330EU"—not a bad markup. As for "Virus," it turned out that Paunescu used this as his online nickname. Last month, Romanian police arrested him, bringing the Gozi story to a close.
Wayward youth
The US government revealed the three arrests today. It unsealed indictments against Kuzmin, Čalovskis, and Paunescu which make clear just how young all three men were when the alleged criminal behavior began. Kuzmin got started with Gozi back in 2005, when he was just 18. Čalovskis was allegedly involved since he was 20. Paunescu is only 28 now and has allegedly been in the bulletproof hosting business for years. Kuzmin pleaded guilty and will be sentenced in the US, where he faces a maximum 95 years in prison. Extradition proceedings are underway for the other two, who could each face a max of 60 years in a US cell. Source: How the feds put a bullet in a “bulletproof” Web host | Ars Technica
    1 point