Friday, 10 December 2010

[Tutorial] Beating offline phishers!

First of all, I'd like to say this is part 1 of a series of tutorials on how to track down malware or phishers. This was published last year, but due to great interest it has been re-uploaded on this blog.

This tutorial will basically show you one of the simplest ways to spot an offline phisher and to compromise his account or get him removed.
It all started when I saw this...
I figured that this, of course, was a simple phisher we had to download.
He would just need our World of Warcraft password, and the program would hack for us, inject gold, etc. This smelled phishy, no? :D
So I decided, let's download this uber hack. I downloaded it and decided to take a look.

Note: I certainly didn't run this kind of program on just my computer. I actually used a virtual box and a sandbox to keep it from harming my actual files. Never run possible malware on your computer!

OK, it spat out no malware or anything, so it wouldn't be a keylogger: just a simple FTP function in the program, or a mail system.
That's when I wanted to start up a disassembler like W32Dasm or Hiew, or maybe a hex editor (bless HexEditor for Ubuntu). But I saw this was most probably a program written in .NET, so I started up our beloved String Stealer made by JapaBrz, which can be found in our tools section.
I was a bit lucky; indeed it was written in .NET.
So I started to look a bit at how this was built.
I saw the main form, which was named "Hacks". And what function did I find here?
Bingo: no FTP system, just a simple SMTP function.
And you would think it would be impossible to stop him now, since SMTP can be sent with any mail account, no password required.
But what did he do? He used 2 mail addresses: one of his own to send from, and one to receive the accounts. And the password for his to-account was right under his email, 13131312..
The phisher didn't know that once I compromised his from-email address, the chain was broken and he wouldn't get any accounts anymore. So at some point I had 120 WoW accounts, but being a White Hat I deleted them, sorry for you guys ;-).
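
As an added example (not from the original post, the phisher's program or String Stealer), here is a small Python triage script in the spirit of the string-stealing step above: it pulls ASCII and UTF-16LE strings (the encoding .NET uses for string literals in its #US heap) out of a binary and flags e-mail addresses, SMTP hostnames and the single-token string that directly follows an address, since that is where this sample kept its password. The regexes, function names and the byte sample are my own constructions.

```python
import re
# Triage patterns for the indicators in the write-up: e-mail addresses and SMTP hosts.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SMTP_HOST_RE = re.compile(r"(?i)\bsmtp\.[a-z0-9.-]+\.[a-z]{2,}")

def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable runs in file order: ASCII for native code and metadata names,
    UTF-16LE for the .NET #US heap where C# string literals live, so an
    e-mail/password pair comes out as neighbouring entries."""
    pattern = re.compile(
        rb"(?P<ascii>[\x20-\x7e]{%d,})|(?P<wide>(?:[\x20-\x7e]\x00){%d,})"
        % (min_len, min_len)
    )
    out = []
    for m in pattern.finditer(data):
        if m.group("ascii") is not None:
            out.append(m.group("ascii").decode("ascii"))
        else:
            out.append(m.group("wide").decode("utf-16-le"))
    return out

def triage(data: bytes, min_len: int = 5) -> dict:
    """Group the strings into what an analyst wants to see first."""
    strings = extract_strings(data, min_len)
    report = {"emails": [], "smtp_hosts": [], "credential_candidates": []}
    for i, s in enumerate(strings):
        if SMTP_HOST_RE.search(s):
            report["smtp_hosts"].append(s)
        if EMAIL_RE.search(s):
            report["emails"].append(s)
            # The tutorial's sample kept the password as the literal right after
            # the address; flag such a neighbour when it is a single token
            # rather than a sentence or another address.
            if i + 1 < len(strings):
                nxt = strings[i + 1]
                if " " not in nxt and not EMAIL_RE.search(nxt):
                    report["credential_candidates"].append((s, nxt))
    return report

def utf16(*literals: str) -> bytes:
    """Constructed stand-in for a #US heap: UTF-16LE literals split by a NUL pair."""
    return b"\x00\x00".join(s.encode("utf-16-le") for s in literals)

# Constructed sample, not a real binary: an ASCII DOS-stub message followed by
# the kind of literals the tutorial found behind the "Hacks" form.
SAMPLE = b"MZ\x90\x00This program cannot be run in DOS mode.\x00\x00" + utf16(
    "Hacks", "smtp.mailprovider.invalid", "sender@mailprovider.invalid",
    "PLACEHOLDER-password", "dropbox@mailprovider.invalid", "New WoW account",
)
```

Run `triage(open(path, "rb").read())` on a suspect file to get the same three lists for it; the candidate pairs are hints for review, not proof.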
After that, I warned Google about the phisher's main address, and they banned him. This is what they sent me..
So, all in all, very easy to accomplish, and it helps the community; I'm sure a lot of people appreciate such acts ;-).
Tools:
String Stealer
optional Windows disassembler
Sandboxie

UPDATE:

Added a good program - Acekidd01 gave me the tip, thx ;-) - which is named Red Gate's Reflector.
It's an entirely free .net decompiler (not disassembler, an entire decompiler!).
It can show you the code of the classes and methods, and how everything relates. It also has a lot of add-ons that can be downloaded.

Links

homepage: Red-Gate's Homepage
Add-ins: Codeplex - reflector add-ins
