How I Cracked a Keylogger and Ended Up in Someone's Inbox

468 points, by Spydar007, almost 9 years ago

17 comments

lossolo, almost 9 years ago
A website that we were running was under DDoS a couple of years ago. What we did is we took the IPs of the servers that made the DDoS. Then we scanned the ports, found a vulnerability in the application that was running on it, then got into the server using this vulnerability. We checked open connections and found one used for a command and control server (an IRC server), then we listened to the IRC channel. The DDoSers were talking about private things on that channel... Then we entered their channel and disabled all their bots using their own software, which we got the source of from a link pasted on their channel. Then we confronted them; the period of silence after they had read what we wrote was priceless. They never DDoSed us again.
gesman, almost 9 years ago
Thanks to domaintools.com, I also found that the guy (seemaexports3@gmail.com) used to own the domain bdmtsteel.com

I also find similarities between the above domain and these: transitoin-asia.com, seabunker.net

See this: http://imgur.com/tsxqwiQ

If someone wants to do more research, it would be fun to dig deeper.
popey456963, almost 9 years ago
Is the header sticky for anyone else? It seems to take up ~30% of my screen (Windows 7, Chrome Stable) [0].

[0] http://puu.sh/pNYUH/d42d8395fc.jpg
vmp, almost 9 years ago
I've done this a few times for fun: simply search YouTube for a "game code generator" or something like that, take your pick, download their magic "tool" from the link in the video description and get disassembling with ILSpy [1]. A ton of these "account stealers" are written in VB.NET and seem to be generated from a template. Remember to stay safe and use a sandbox or virtual machine when dealing with malicious code.

[1] http://ilspy.net/
libeclipse, almost 9 years ago
Aha, I love those little messages at the end telling users to update their software to the latest version. It's a cry into the void.
piqufoh, almost 9 years ago
That's a great little story; it's interesting to read how these sorts of scams are carried out, but I also found the code analysis and decompilation tale fun!
unknown2374, almost 9 years ago
I just hope that someday the general public realizes what a poor job Microsoft has done regarding security on Windows operating systems and embraces other (and more promising) alternatives.
matt_wulfeck, almost 9 years ago
> It also attempts to steal password manager credentials and Windows keys.

Ugh, I hate reading this. I keep everything in my password manager. If I lose that, I'm hosed. I wish more sites supported 2FA.
jacquesm, almost 9 years ago
Scary that a vulnerability that old is still worth exploiting.
nchelluri, almost 9 years ago
A few questions I'm wondering about, if anyone can help:

- How do those PW stealers work? Are they similar to the Steam one, where it'd delete existing creds and then sniff newly entered ones?

- Can this thing detect certain apps like FileZilla and then say "user entered <FTP site creds>" and send individual fields, and is that what is meant by supporting, say, FTP and FileZilla?

- What does PHP support mean? Maybe it looks for common stuff like php.ini and various other conf files like FPM, and tries to find DB/cache connection creds?

There's one other thing I'm wondering about, which is the light/easily crackable encryption of the keylogger's internals. I vaguely remember reading about Google's encryption on the new reCAPTCHA, and people talking about all this stuff like complicated encryption routines baked into the client-side JS that I really didn't understand except at a hand-wavy level, and I wonder if that's the kind of thing some, say, intelligence/espionage outfit could use.

Very interesting/engaging (fun) article, all in all, for me. And I appreciated the understatement of the (well-deserved) plug at the end.
gruez, almost 9 years ago
I'm surprised the .NET executable wasn't obfuscated (as they usually are).
Koahku, almost 9 years ago
Using Volafile to host the keylogger executable seems like a pretty bad choice, considering that this website will delete your files after only 2 days. Or maybe this shouldn't surprise me so much, considering the "skills" of the attacker.
heisenburgzero, almost 9 years ago
Where did ).exe come from? I thought you needed to use VBScript of some sort to download a file from the command line.
Zhycrin, almost 9 years ago
10/10, brilliant. If only I was smart enough to do this...
Zhycrin, almost 9 years ago
Actually, this is interesting.
darekdk, almost 9 years ago
Fantastic write-up! Good work.
ascotan, almost 9 years ago
Nice write-up.