# FBI spreading backdoor software via 4chan kid material



## drmike (Sep 22, 2013)

New blog I eyeball from time to time and have mentioned on here before --- Zoned.pw...

Latest blog entry is about the FBI passing an infected backdoor executable payload to Windows users who are interested in the topic material on 4chan.org/b (random)... Nature of the material in their post = nude teen girl.

The payload calls home to a server in the same subnet as the recent Tor compromise operated by the FBI.

The feds are getting a bit carried away infecting and backdooring folks. Yet another example of why to dump Windows as an operating system.

full story over here --> http://zoned.pw/?p=260


----------



## Magiobiwan (Sep 22, 2013)

Psst. zoned.pw is (I'm pretty sure) run by Mr. Curtisg. You know, the idiot who claimed he was going to hack/DDoS all teh hosts. Some people need to not be on the Internet...
 
Edit: OH. Look at his PREVIOUS post. http://zoned.pw/?p=258 @Francisco Is this true? Or is he just blowing smoke (like always)?


----------



## drmike (Sep 22, 2013)

I've heard the rumor about the operator of the site.  Doesn't change the nature of the material.   Thanks for pointing it out though.


----------



## RiotSecurity (Sep 22, 2013)

Magiobiwan said:


> Psst. zoned.pw is (I'm pretty sure) run by Mr. Curtisg. You know, the idiot who claimed he was going to hack/DDoS all teh hosts. Some people need to not be on the Internet...
> 
> 
> Edit: OH. Look at his PREVIOUS post. http://zoned.pw/?p=258 @Francisco Is this true? Or is he just blowing smoke (like always)?


Well, seeing how I am Curtisg (as many have noticed), I can confirm I am *not* behind the zoned.pw blog, nor am I affiliated with it in any way.


----------



## Magiobiwan (Sep 22, 2013)

Oh. Hi then. If it's not you, then who is it? He needs his Internet taken away. Forever.


----------



## RiotSecurity (Sep 22, 2013)

Magiobiwan said:


> Oh. Hi then. If it's not you, then who is it? He needs his Internet taken away. Forever.


Why don't you ask him yourself?


http://zoned.pw/?page_id=228


----------



## Aldryic C'boas (Sep 22, 2013)

BuyVM representative (myself) recently and publicly stated an opinion of curtisg (who was recently begging to get filtering and to pay via bitcoin) and his wannabe-blackhatting.  Shortly after, "his friend Zoned" claims to knock us offline.

Butthurt much?


----------



## Aldryic C'boas (Sep 22, 2013)

buffalooed said:


> I've heard the rumor about the operator of the site.  Doesn't change the nature of the material.   Thanks for pointing it out though.


You may want to take into consideration the dearth of proof, references, or anything other than "believe this because I say so".  I'd advise looking into anything 'posted' before believing what's written.  Willing to bet that you'll either find that curtisg simply ripped/rewrote someone else's article, or is making false claims with very dubious "proof" in a poor attempt to appear knowledgeable.


----------



## drmike (Sep 22, 2013)

I like BuyVM BTW.

Honest question here, since we've delved off topic: why do blackhats, hackers, et al. want DDoS protection services?   It's the fixed nature of IPs that is, in part, a rampant security issue.   I've seen similar requests on WHT and scratch my head about such.  Care to shed some light on this?


----------



## Aldryic C'boas (Sep 22, 2013)

buffalooed said:


> I like BuyVM BTW.
> 
> Honest question here, since we've delved off topic: why do blackhats, hackers, et al. want DDoS protection services?   It's the fixed nature of IPs that is, in part, a rampant security issue.   I've seen similar requests on WHT and scratch my head about such.  Care to shed some light on this?


The ones that do are either amateurs, or just need to keep their C&C masters online amidst the rampant booter pissing contests.  Actual blackhats that know what they're doing and not just relying on some script or other people to do the work for them - you'll never know their name, let alone catch them 'settling down' with a provider.


----------



## Deleted (Sep 22, 2013)

buffalooed said:


> The payload calls home to a server in the same subnet as the recent Tor compromise operated by the FBI.


The phone-home blocks on Tor were not the FBI; they were a /16 owned by the NSA.


----------



## drmike (Sep 22, 2013)

Monkburger said:


> The phone-home blocks on Tor were not the FBI; they were a /16 owned by the NSA.


That's ahhh, even, well shall I say scarier.

Why would the NSA be involved in pedo luring?  I'd normally make a joke about them having problems finding willing agents or something, but the topic is disturbing, as are their actions.


----------



## RiotSecurity (Sep 22, 2013)

Aldryic C said:


> BuyVM representative (myself) recently and publicly states opinion of curtisg (who was recently begging to get filtering and pay via bitcoin) and his wannabe-blackhatting.  Shortly after, "his friend Zoned" claims to knock us offline.
> 
> Butthurt much?


Claims? I watched him hit it offline, so how is that for your "claim." He even hyperspinned it as proof.

Who's butthurt? I'm not personally.


----------



## RiotSecurity (Sep 22, 2013)

buffalooed said:


> That's ahhh, even, well shall I say scarier.
> 
> Why would the NSA be involved in pedo luring?  I'd normally make a joke about them having problems finding willing agents or something, but the topic is disturbing, as are their actions.


Who knows? However I don't understand why they're doing it.


----------



## drmike (Sep 22, 2013)

Wired has a write-up on the Tor compromise; it fingers Verizon as the network where the call-home was located, and the FBI is mentioned a lot:

http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/


----------



## drmike (Sep 22, 2013)

Whole thing rings oddly like the federal contractor DynCorp and their involvement in child kidnapping and in this article, child prostitution, including homosexual conduct:

http://www.huffingtonpost.com/2010/12/08/wikileaks-reveals-that-mi_n_793816.html

and Dyncorp trafficking women and children:


----------



## Aldryic C'boas (Sep 22, 2013)

RiotSecurity said:


> Claims? I watched him hit it offline, so how is that for your "claim." He even hyperspinned it as proof.
> 
> Who's butthurt? I'm not personally.


You could tell me the sky is blue kid, and I would still look out the window to confirm.  You're a known liar and a proven amateur.  Aye, there was a bit of booter activity - but if renting some booter is the best you can do, then colour me unimpressed.


----------



## RiotSecurity (Sep 22, 2013)

Aldryic C said:


> You could tell me the sky is blue kid, and I would still look out the window to confirm.  You're a known liar and a proven amateur.  Aye, there was a bit of booter activity - but if renting some booter is the best you can do, then colour me unimpressed.


Yes, because your everyday booter can generate an HTTP GET flood of over 10M r/s.

Your logic makes my brain hurt.


----------



## RiotSecurity (Sep 22, 2013)

buffalooed said:


> Whole thing rings oddly like the federal contractor DynCorp and their involvement in child kidnapping and in this article, child prostitution, including homosexual conduct:
> 
> http://www.huffingtonpost.com/2010/12/08/wikileaks-reveals-that-mi_n_793816.html
> 
> and Dyncorp trafficking women and children:


Interesting find there.


----------



## Aldryic C'boas (Sep 22, 2013)

Funny how much you "claim to know" about this "huge flood".  But you're not Zoned.. just maybe sitting next to "him", stroking his hair 

Your lies make m... sorry, lost interest.  You're no longer amusing nor worth my time.

<3


----------



## RiotSecurity (Sep 22, 2013)

Aldryic C said:


> Funny how much you "claim to know" about this "huge flood".  But you're not Zoned.. just maybe sitting next to "him", stroking his hair
> 
> Your lies make m... sorry, lost interest.  You're no longer amusing nor worth my time.
> 
> <3


Actually, I chat with him over xmpp, [email protected]

We're pretty good friends.

Anyways, time to stop helping you derail the thread.

Re: worth my time, you're making me laugh thinking booters can do 10M r/s+.


----------



## MannDude (Sep 22, 2013)

Just a friendly reminder to keep things civil and keep things on topic.


----------



## drmike (Sep 22, 2013)

The Tor entrapment payloads... Hmmm NSA implicated, but huge IP range with other stuff.. 

Someone said SAIC elsewhere... Science Applications International Corporation... The 9th largest Defense Department outsource recipient.  SAIC was behind Trailblazer. 



> Trailblazer was a United States National Security Agency (NSA) program intended to develop a capability to analyze data carried on communications networks like the Internet. It was intended to track entities using communication methods such as cell phones and e-mail.[1][2] It ran over budget, failed to accomplish critical goals, and was cancelled.


 Trailblazer was later linked to the NSA electronic surveillance program and the NSA warrantless surveillance controversy. http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all


----------



## Deleted (Sep 22, 2013)

People still use the HTTP keepalive DoS tools? That's so.. 2006-ish.

I have some penetration testing things I wrote about 6 years ago; one of them is a neat SNMP reflector that can generate about 10gB/s of traffic due to spoofed UDP+SNMP OID requests..



buffalooed said:


> I like BuyVM BTW.
> 
> Honest question here, since we've delved off topic: why do blackhats, hackers, et al. want DDoS protection services?   It's the fixed nature of IPs that is, in part, a rampant security issue.   I've seen similar requests on WHT and scratch my head about such.  Care to shed some light on this?


DDoS protection services are a total waste of time (and money). The reason why is that they get targeted by white/greys for exploiting/publishing people's information (SSNs and the like).

I would never provide DDoS protection to anyone, EVER. It's a total waste of money and can attract unwanted attention on your network (outages, BGP flaps, et al).  I would also never sign up for a dedicated server or a VPS on a network that offers DDoS protection services.

Besides, most of the DoS protection services aren't very good: they only send a BGP community string to the upstreams to stop it there, and the other ones are physical devices that do some weird QoS rate limiting and whatnot.


----------
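Editor's added example of the "BGP community string to the upstreams" mechanism the post above describes, remotely triggered blackholing (RTBH). This is not code from the poster or from any provider in this thread. The AS numbers, neighbor address and attacked host are documentation values (RFC 5737 / RFC 5398) chosen for illustration, and the configuration assumes the upstream honours the RFC 7999 BLACKHOLE community 65535:666 and accepts /32 announcements tagged with it; many carriers use their own community value instead, so check their routing policy before relying on this. FRR bgpd syntax:

```text
! Customer-edge router, FRR bgpd. Assumed values: our AS 64500, upstream AS 64496 at 192.0.2.1,
! our prefix 203.0.113.0/24, attacked host 203.0.113.10 (all illustrative).
!
! bgpd only announces prefixes present in the RIB (default "bgp network import-check"),
! so anchor both the aggregate and the victim /32 with local blackhole routes.
ip route 203.0.113.0/24 blackhole
ip route 203.0.113.10/32 blackhole
!
! Only host routes may carry the blackhole tag; a covering prefix must never leak with it,
! or the upstream would discard traffic for the whole /24.
ip prefix-list RTBH-HOSTS seq 10 permit 0.0.0.0/0 ge 32
!
route-map RTBH-OUT permit 10
 match ip address prefix-list RTBH-HOSTS
 set community 65535:666 additive
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 address-family ipv4 unicast
  network 203.0.113.0/24
  network 203.0.113.10/32 route-map RTBH-OUT
  neighbor 192.0.2.1 send-community
 exit-address-family
```

What this does, and the caveat the post above is pointing at: the upstream drops every packet destined for 203.0.113.10 at its own edge, so the flood never reaches the customer link and the rest of 203.0.113.0/24 stays reachable. The attacked host itself goes completely dark, which means the attacker's goal is achieved for that one address; this is "stop it there" protection of the network, not mitigation for the target. Confirm the announcement with `show bgp ipv4 unicast neighbors 192.0.2.1 advertised-routes` and `show bgp ipv4 unicast 203.0.113.10/32` (the community should be listed), and withdraw it by removing the `ip route 203.0.113.10/32 blackhole` line once the attack subsides.


----------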



## drmike (Sep 22, 2013)

I know the feds are sickos and the military industrial complex is full of life ruining folks, but this?

*"5,200 Pentagon Employees Bought Child Pornography and the world media is silent."*

They didn't view or get caught with child porn, they BOUGHT IT?!?!?!

http://www.youtube.com/watch?v=Hk9M-L99PX0

Maybe Tor is just the internal office share for these sickos?


----------



## kaniini (Sep 22, 2013)

buffalooed said:


> I like BuyVM BTW.
> 
> Honest question here, since we've delved off topic: why do blackhats, hackers, et al. want DDoS protection services?   It's the fixed nature of IPs that is, in part, a rampant security issue.   I've seen similar requests on WHT and scratch my head about such.  Care to shed some light on this?


They use the DDoS-protected tunnel services to obfuscate where the actual hosting servers are for their activities.


----------



## Francisco (Sep 22, 2013)

Said skid GET flooded some of our domains but it was dealt with easily enough. We run lig pretty ... light... on resources so it was easy to max PHP out.

If they were hitting anything with 20gig I wouldn't know.

Alas, I'm fairly sure Curtis has something mentally wrong with him. One day he's asking us for help fending off a 40gig flood. In the same conversation he begs that we offer payment by bitcoin since he wants to burn up some of the BTC he has.

Now he's claiming to be smacking at us because he doesn't like whatever it is he doesn't like about me?

I've tried to be nice to him and even helped him for a while during the time he *was* a customer of ours. He kept begging people to keep flooding him and blew a ton of my time adding manual rules.

Francisco


----------



## nunim (Sep 22, 2013)

In case there was any shadow of a doubt that curtisg is zoned.pw, see: 

https://freevps.us/thread-10448.html

A thread of him linking to zoned.pw one day after the domain was registered.

From the posts on there it looks like it is written by a moron who has no idea what INFOSEC means, curtis surely fits that description.


----------



## jarland (Sep 23, 2013)

Topic had potential. Then CurtisG and HIS zoned.pw site that he runs with his buddy who operates Ixam Hosting.


----------



## Deleted (Sep 23, 2013)

Sounds like a bunch of kids with PHP bots that do socket() commands as legitimate users.


----------



## RiotSecurity (Sep 23, 2013)

jarland said:


> Topic had potential. Then CurtisG and HIS zoned.pw site that he runs with his buddy who operates Ixam Hosting.


You're wrong again, but maybe you can talk shit when you fix your uptime?

http://www.hyperspin.com/quicktest.php?action=result&qtid=1014629&r=2528


----------



## RiotSecurity (Sep 23, 2013)

Francisco said:


> Said skid GET flooded some of our domains but it was dealt with easily enough. We run lig pretty ... light... on resources so it was easy to max PHP out.
> 
> 
> If they were hitting anything with 20gig I wouldn't know.
> ...


The fact you all think I'm the owner of zoned.pw is quite amusing.

I already said I don't run it, it's very clear I don't. If you want to speak to the owner, you can get on XMPP and contact him, otherwise stop derailing the thread Francisco.

I never hit you, Zoned did. Stop being a butthurt skiddie.


----------



## texteditor (Sep 23, 2013)

RiotSecurity said:


> stop derailing the thread Francisco.

Thread started off the rails, citing that schizophrenic 'security' blog



> a butthurt skiddie.


the irony


----------



## MannDude (Sep 23, 2013)

This is why we can't have nice things. Thread derailed. Not going anywhere positive. Was going to hide all the not-on-topic posts but then realized there would be no thread left. :lock:


----------

