Forgot your password?
typodupeerror

Point and Click Cracking 105

Posted by Zonk
from the these-kids-have-it-too-easy-nowadays dept.
An anonymous reader writes "Washingtonpost.com is running a story about a number of botnets and keylogger operations being controlled by Web-sites with point-and-click type front-end software interfaces. The sites mentioned in the story look like fairly slick PHP pages designed to sort through password data from keylog victims and update infected computers with new code or instructions. From the story: 'The hacking software also features automated tools that allow the fraudsters to make minute adjustments or sweeping changes to their networks of hacked PCs. With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers.'"
This discussion has been archived. No new comments can be posted.

Point and Click Cracking

Comments Filter:
  • php? (Score:3, Funny)

    by Anonymous Coward on Friday March 17, 2006 @09:47AM (#14941102)
    wouldn't happen with .net!
    • offcourse not (Score:3, Interesting)

      Remember you write the code to exploit .Net in PHP.

      Why if you used .net for the exploit then EVERYONE could just steal your keylog files!

      This is basically a non-story. Someone at the washintingpost seems suprised that people do not print out their key logs and search them by hand. The only "new" element is that the tools are migrating to web based apps. Then again isn't that suppopsed to be the next big thing? Why should criminals ignore IT development? I am willing to bet the next one will be using AJAX.

    • Re:php? (Score:1, Interesting)

      by pushf popf (741049)
      It wouldn't happen if users logged in with SecureID tokens (or similar), and never used Credit Card numbers from physical credit cards on web sites.

      Want my credit card number? Here is is!

      4264655876823752

      It was only good on Amazon.com, only good for a single purchase and expired after the transaction went through. I don't care if anybody steals it because it's useless as (insert crude useless analogy here).

    • Indeed, with .NET, no cracking is required. Just Google for a security hole and you're pretty much in. :)
    • by metamatic (202216)
      "PHP: The language of choice for script kiddies."
  • by solarbob (959948) on Friday March 17, 2006 @09:48AM (#14941106) Homepage
    Most of the reasons PC's get hacked now days is that end users are still clicking on the links in phising emails and then holes in the browser being exploited. Surely it wouldn't take much for the main browser makers to put in a user idiocy filter to just say aren't you being a bit silly? Of course user education would be best but there will always be a certian newbie segment who are on the internet for the first time and will keep doing this. That software though does look pretty comprehensive
    • by G)-(ostly (960826) on Friday March 17, 2006 @09:53AM (#14941135) Journal
      Actually, a lot of the time a browser hole isn't required at all. Users are actually still downloading applications that are just applications that function in a malicious way, with full rights actively given by the user to use the system resources for ill.

      After all, once an OS is running something bound to a port, how is it supposed to know whether or not you're an idiot who just installed a keylogger or trojan, or a competent user running some sort of legitimate server software? It can only warn you so much before there's just nothing else that can patch the hole, except maybe some tape over your head.

      At this point, browsers warn people, operating systems warn people, firewalls warn people and virus scanners worm people, and they still just have to run that trojan software for whatever pointless whizz-bang effect it adds to their mouse cursor or emails.
      • Its probably about just wanting to get some free porn or whatever else is offered
      • by _xeno_ (155264) on Friday March 17, 2006 @10:13AM (#14941257) Homepage Journal
        At this point, browsers warn people, operating systems warn people, firewalls warn people and virus scanners worm people, and they still just have to run that trojan software for whatever pointless whizz-bang effect it adds to their mouse cursor or emails.

        Was "virus scanners worm people" a reference to the recent McAfee problem [sans.org] or just a typo? :)

        Er, anyway, my actual point was that people are now so used to be warned about installing just about everything that they just click "yes" without thinking. When you go to Windows Update or Microsoft Update for the first time, Microsoft has a nice little picture explaining how to say "yes" to the warning dialogs that come up when it tries to install the update ActiveX control.

        People are just so used to be annoyed by their computer that they mindlessly click through all the warnings anyway. The warnings don't really help, people don't bother understanding what they mean, and websites frequently include instructions on how to bypass them without explaining what the warning means [xenoveritas.org]. (I'll fix that someday. No, really...)

        The only real solution is user education. Failing that, the clue-stick (also known as a "clue-by-four") is a fun, but ultimately useless, alternative.

        • by G)-(ostly (960826) on Friday March 17, 2006 @10:32AM (#14941369) Journal
          It's not going to work. People don't know how to use warnings in the physical world properly. Look at warnings provided on the road. How many people ignore Yield signs and try to merge right into oncoming vehicles? How many people just blow right through a blinking yellow without thinking? How many people just blow out of parking lots or driveways? How many people actually look to see if a train is coming before they cross tracks with a warning light and bar?

          It's a matter of risk/reward that's inherent in human nature. If 99 times out of a hundred you approach a crossing with a light and bar there's no train coming when there's no lights, you're going to get used to that. Of course, that one time you come along and the lights are broken, you're going to die, but that's the risk/reward. You're taking the 1% chance that you'll get killed by an unannounced train and comparing it to the fact that you'll have to do the extra work of slowing down, looking and speeding back up for nothing 99% of the time.

          People just don't take serious warnings seriously unless there's a very good chance that they could be harmed by not following them. It doesn't matter how serious the consequences if they occur too infrequently to stay fresh in one's mind.
        • When you go to Windows Update or Microsoft Update for the first time, Microsoft has a nice little picture explaining how to say "yes" to the warning dialogs that come up when it tries to install the update ActiveX control.

          To be fair, they also explain how to check if the control is signed, who it's signed by, to consider whether or not you trust the publisher of the control, etc. It's a little more than just "If you get a prompt, just click yes!".
      • Actually, a lot of the time a browser hole isn't required at all. Users are actually still downloading applications that are just applications that function in a malicious way, with full rights actively given by the user to use the system resources for ill.

        Yup. I really want to write a virus named "This is a virus - don't click on me.exe" and see how many people run it. Then compare those numbers to its variants, "This is a virus LOL.exe" and "This is a virus.mpg.doc.jpg.pif.scr.exe"

        At this point, browsers
      • There are so much warns out there that they become useless. The user don't read them anymore. The only alternative that works is making it hard to run the trojan, make the user DO several things in order to run it.

        Require the user to change permissions is something that works. Linking the file with the browser someway, and requiring the user to unlink it to use out of a sandbox is something that may work. Displaying a confirmation window when the user see several of them each hour is something that doen't

      • and virus scanners worm people ...you don't work for McAfee by any chance?
    • Yeah those stupid users and the holes in their browser...clearly it's the users fault!!!
    • Case in point:

      Frost blames himself for the theft of his personal information. He said the Web site that launched when he clicked on the link in the fraudulent e-mail belonged to a legitimate online camera store, and that the woman he spoke with at that store even told him that her site had been hacked and that it had probably downloaded "some kind of virus to his computer."

      Frost also admits he ignored her warning and put off installing the latest patch, something he said he plans to rectify after re-

    • by CarpetShark (865376) on Friday March 17, 2006 @10:47AM (#14941482)
      No, the real problem is systems like Windows, which promote the idea that end-users can administrate computers. It simply doesn't work, any more than it works for every driver to be their own car mechanic.
      • by Anonymous Coward
        Absolutely right! PC administration should be so difficult that the user shouldn't even bother in the first place. Oh, the operating system should be free, it just should be such a cryptic pain-in-the-arse to install/use/maintain that nobody but an über-geek would bother. Then and only then will computing/the internet be "safe".

        of course the $100-laptop folks and the "broadband-to-the-masses" folks and the "information freedom" folks can just go take a dump somewhere because all those initiatives wi
        • Absolutely right! PC administration should be so difficult that the user shouldn't even bother in the first place.


          Your post doesn't follow from what I said. It's not my fault if you only see one solution to a problem; the problem still exists, and admitting that is the first step towards other solutions.
      • It is getting there. I've been toying with the idea of simply refusing traffic at a site if the agent is IE or requesting system Windows. Just show 'em a message "This site does not support your browser/system for security reasons, go here to download Firefox/Linux"...

        Think about it. Where do ALL of the security problems come from? Thus, a big shortcut to security would simply be to eliminate all Windows traffic. They've been talking about splitting up the Internet - let Microsoft start it's own Internet,

        • Well, you're going overboard (intentionally, I presume) but you're no so far from the issue at hand. That is, administrators are tasked with securing systems so that users can't hurt themselves through their inexperience. In a corporate environment, it's the job of admins to prevent users from downloading viruses etc. Likewise, those who sell PCs to users should set them up properly with browsers that aren't fundamentally flawed, and with anti-virus software etc., so they're not completely defenseless th
      • No, the real problem is systems like Windows, which promote the idea that end-users can administrate computers. It simply doesn't work, any more than it works for every driver to be their own car mechanic.

        Or the idea that anybody can be a driver, let alone a mechanic too. But, as with Windows, if everybody else is doing it, then it has to be done. It's part of society now. If the test is too difficult, tone it down, because you can't alienate consumers from society.

      • [...] systems like Windows, which promote the idea that end-users can administrate computers.

        Right on target! Windows (falsely) promotes the idea that end-users (aka. the Joe Sixpaxen of the world) can admin computers.

        There are two ways around this: one is to alleviate most needs for administration--i.e. "Just Work"--and the other is to create a high enough barrier to entry that only reasonably competent people will run the system in the first place. Let's call them the "OS X way" and the "GNU/Linux way"
        • Yep, mostly agreed. One thing I would point out is that it's actually very simple to set someone up a Linux desktop account, show them their email and browser, and just let them use it. In other words, I can trust that the OS will not become infested with things and suffer from permission creep and all sorts of other fundamental security issues that eventually turn a working desktop into a credit-card monitoring liability. At most, you might have to come back, erase their .gnome or .kde folders, and rest
          • The short version: I agree!

            The longer version:

            It's actually very simple to set someone up a Linux desktop account, show them their email and browser, and just let them use it.

            I haven't tried that, but I'm willing to take your word for it--it's not like it's difficult to use, it's just different. And if the users have a sysadmin, that ought to make it workable for them. So... yeah, perhaps that is what I should do to my mom...

            RMS says that he choose Unix because he knew that hardware would be much differe
        • you can change the MTU in windoze but you have to use regedit to do it
    • Most of the reasons PC's get hacked now days is that end users are still clicking on the links in phising emails and then holes in the browser being exploited.

      Gee, that's great except it is not even close to being true. Most infections by number and most DDoS bandwidth is the result of automated worms that perform automatic remote exploits and require no human intervention.

      Surely it wouldn't take much for the main browser makers to put in a user idiocy filter to just say aren't you being a bit silly?

    • I think the biggest problem in doing that is what is sometimes called interaction fatigue. If the browser reminds them of these things over and over for *legit* content, the user gets used to just clicking OK to download anyway. So, when something malicious really does come down the pipe, they have been conditioned to just click that OK button. It's nothing more than the *browser calling trojan*, nobody believes it until it's too late.
  • by Enigma_Man (756516) on Friday March 17, 2006 @09:53AM (#14941136) Homepage

    I often migrate things to web-interfaces that were previously shell scripts. It's more convenient, 'cause I can do the things I need to do from any browser without having to ssh in (which isn't always a possibility, rare, but it does occur). Also, it's easier to show to other people without giving away a shell account. Also also, it's easier to show to people who aren't "in the know" because it looks like something.

    -Jesse
  • Stupid Innuendo (Score:5, Insightful)

    by Bios_Hakr (68586) <xptical@@@gmail...com> on Friday March 17, 2006 @10:02AM (#14941191) Homepage
    Here's what I hate about news. It's all about alluding to something powerful and blinding the users with innuendo.

    Stop mincing your words and just say it. Stop telling people about "some website" where "evil hackers" can "point and click" to crack your passwords. Just fucking say Rainbow Crack.

    It really fucking gets my goat when someone claims to have secret knowledge. What harm could have come from just saying Metasploit or Rainbow Crack? The evil doers already know. Give JoeUser actual knowledge and let him decide for himself.

    Stop pretending that you know something and the public can't be trusted with it.
    • And now an extra 15,000 script-kiddie-wanna-be's also know. Thanks.
      • I doubt most SKs read the Washington Post. Those who do are probably smart enough to Google for the tools.
      • And now an extra 15,000 script-kiddie-wanna-be's also know. Thanks.

        Script kiddie wannabe's. So bad that they can't even write a short script. Joe User says, "I'm gonna get revenge on this guy I don't like"
    • I know things the public isn't interested in (and many wouldn't understand) does that count?
      • Re:Stupid Innuendo (Score:4, Informative)

        by Bios_Hakr (68586) <xptical@@@gmail...com> on Friday March 17, 2006 @11:05AM (#14941612) Homepage
        The point is that no one should be allowed to tease the public with knowledge contained in secret tomes only the few can access. If you are going to talk to someone on a subject, then talk to them as an equal. Don't tell them that the boogyman is around the corner. If they ask, show them the actual threat. Let them decide. Don't just try and instill fear.

        Would you be satisfied if a neighbor was sent to prison without a public trial? If you ask, the police could just say, "If you only knew what we know, you'd want him in prison too."

        That's what the WP is doing here. They tell people to be afraid without showing the full truth. The internet is a bad place, but don't try and scare people with secret knowledge.
        • Re:Stupid Innuendo (Score:3, Insightful)

          by Hoi Polloi (522990)
          "Would you be satisfied if a neighbor was sent to prison without a public trial? If you ask, the police could just say, "If you only knew what we know, you'd want him in prison too.""

          Yah, he's in Guantanamo Bay now.
    • Well some of us have learnt something but definitly an intresting thing to read about
    • by Anonymous Coward
      Just learn to recognise the tone to know what you're dealing with, it's basic psychology.
      They're called paranoiacs and are the antithesis of "open' people. They hoard, trade and restrict information and generally infest journalism, intelligence and large dinosaur corporations where the strict information heirachies are comfortable. They espouse the idea that ordinary people can't handle knowing this and that, that it's for 'security' and that it's for 'your own good'. All of this is a smokescreen to hide th
    • Re:Stupid Innuendo (Score:3, Insightful)

      by apt142 (574425)
      I agree. As a web applications developer, I'm interested in making a web app as secure as possible. To do that, I must be aware of what's out there.

      Fortunately, I've had the advantage knowing about these apps before now. But, I'm not the sort of person that goes looking for scripts to take out websites. I could make some good guesses on where to look for these things. But, I'm never going to have the time to be as aware of that area of knowledge as I could and should be. Especially if I have to rel
      • Re:Stupid Innuendo (Score:3, Interesting)

        by Inda (580031)
        I found out about Rainbow Crack after our website was cracked. I found out about SQL injections after our website was hacked. I found out that 'passwords are obsolete' after mine was posted on a forum [after we got hacked].

        We started off over 7 years ago running a gaming site. I did the graphics, my mate used Front Page to get a few pages together. We pirated a verison of vBulletin... None of us knew much apart from a Hello World HTML.

        3,000 members later and a dozen or so clued-up kiddies thought they'd tak
  • by $RANDOMLUSER (804576) on Friday March 17, 2006 @10:04AM (#14941205)
    We've had decent network admin tools for the enterprise for a long time now. It's about time we had the same thing for botnets. ;-)
  • by digitaldc (879047) * on Friday March 17, 2006 @10:05AM (#14941208)
    Frost's data, along with information stolen from thousands of other victims, made its way to a Web site hosted by a Russian Internet service provider. The site is currently the home base of a network of sites designed to break into computers through a security hole in Microsoft's Internet Explorer Web browser.

    So why aren't the police kicking down the doors and confiscating equipment from this ISP? Are they 'protected' or 'special?'
    After reading stories like this Dutch hacker arrest, [godutch.com]I am not sure why.
    Aside from that, Microsoft needs to do something like pushing out mandatory security patches for all users of Windows and/or IE.
    I am not sure why they don't do this either. I guess Microsoft thinks that all these lazy suckers deserve to be hacked.
    • Aside from that, Microsoft needs to do something like pushing out mandatory security patches for all users of Windows and/or IE. I am not sure why they don't do this either. I guess Microsoft thinks that all these lazy suckers deserve to be hacked.

      Profit. Microsoft doesn't push them out for profit sake. If you have a legal copy of a recent version of windows you can set the computer to auto update. Which is essentially what you are saying. Those with out a legal copy are left out in the cold. It's m
    • I can think of a quick and significant reason I would not want mandatory patches for users of Windows or IE.

      Ask any decently managed medium or large sized business if they would like mandatory patches forced upon them. Patches are tested extensively prior to rolling them out on the network. If a patch breaks a critical system it can cost the company millions in uptime, legal expenses and replacement costs.

      I'm not really sure why you are so up in arms about this whole thing. You seem legitimately pi
      • If a patch breaks a critical system it can cost the company millions in uptime, legal expenses and replacement costs.

        Now the question is, do the costs you mentioned outweigh the security risks/costs of not patching their software?
        And if it does indeed 'break a critical system' then maybe it is different issue that may not related to the browser at all. Or, if so, they could always use Firefox. [mozilla.com]

        I am not up in arms or pissed off, just trying to point out what happens in some countries vs. others.
        I
  • by MoralHazard (447833) on Friday March 17, 2006 @10:11AM (#14941240)
    I'm sure someone has made this point already, but technological advances have a way of finding their maximum profitable use, regardless of how the original inventors intended their innovations to be used. I think these botnets are a similar phenomenon.

    Case in point: Thomas Edison originally conceived of the phonograph as a tool for dictation, teaching children from recorded lessons, and a few other specific apps. You know what he never, ever thought of? Recorded music. And yet, that is the killer app that made his invention a common household object and birthed one of the most successful commercial fields of the 20th century--the whole music industry as we know it wouldn't exist without the phonograph.

    We saw the same thing with the Internet, when a bunch or DARPA eggheads (no offense, I love you guys) built an academic network that turned into what may prove to be the newest and most effective mass media tool in the history of the human race. I seriously doubt that anyone involved in the original research, or even anyone engineering TCP/IP networks in the 70s and 80s, imagined what would happen after 1990.

    In the same fashion, botnets manage to apply the same basic technologies pioneered by Seti@home, distributed folding, and all of the other "beneficial" distributed computing projects that have wrung work out of the combination of 1) the popularity of the Internet, and 2) the unharnessed cycles, disk, and network I/O bandwidth of all those overpowered word processors around the world. And it's arguable that the economic productivity (at least to a few criminal types) of the botnets is overwhelmingly more than the cash made by all the originators of the concepts (yeah, I know, they're nonprofits, sheesh).

    It's kind of a shame that the killer app of distributed ad-hoc networks is so generally harmful, but that's the way the cookie crumbles. Get a firewall, install you patches, and hope to God that nobody targets you with a DoS attack.

    • You are right on the mark.

      If you look at it, these botnet idiots aren't really using the best technology. E.g. how does 20K bots connecting on an IRC channel make any sense? It doesn't -- there are better methods.

      But, they've got a way to make money, with crappy tools, and that's what they are doing. So a few of the guys get big, and then they start making decent custom software -- well, that makes them evil genius villains.

      Actually, it wouldn't surprise me if DARPA (or the CIA) wants to talk with these guy
      • by Hoi Polloi (522990)
        I wonder why someone doesn't use these tools against the crooks. You say that isn't 100% legal? Many of the things our government (or major companies) does today aren't 100% legal either. Take one of these botnet tools and use it to knock out their websites, spy on their irc channels, flood them with bogus data, disable the spammers, use it to spread worms that fix holes and knock out malicious code on the botnet pcs. Fight fire with fire. Obviously law enforcement isn't going to come after you since t
    • I seriously doubt that anyone involved in the original research, or even anyone engineering TCP/IP networks in the 70s and 80s, imagined what would happen after 1990.

      Certainly they imagined nothing of the sort. If they had, they would have paid a lot more attention to security issues, rather than assuming that users are in any way trustworthy...

    • by sgtrock (191182) on Friday March 17, 2006 @11:18AM (#14941701)
      We saw the same thing with the Internet, when a bunch or DARPA eggheads (no offense, I love you guys) built an academic network that turned into what may prove to be the newest and most effective mass media tool in the history of the human race. I seriously doubt that anyone involved in the original research, or even anyone engineering TCP/IP networks in the 70s and 80s, imagined what would happen after 1990.


      I've got to question that assumption at least a little bit. Many (most?) of the scientists working on computer science related projects have always been fans of science fiction. Are you trying to tell me that they wouldn't have been aware of stories by Asimov, Heinlein, Clarke, Sturgeon, and others who all envisioned ubiquitous communications networks? Many of those authors wrote stories where ubiquitous computer systems of varying degrees of complexity were a factor. And some of those stories included all kinds of fascinating elements revolving around hacking past security measures. Certainly Gibson developed the themes far more completely later, but the elements were already there in the '50s at the latest.

      I will concede that the original design(s) were never intended to grow into the global network that we have today. They were merely prototypes. The second one based upon IPv4 was so outstandingly successful that it took off before anyone really understood what was going on.

      Suggesting that the original developers never thought about security issues also does them a disservice. They were researching communications for the DoD, for Pete's sake! The original design goal was to come up with a communications systems that would be capable of surviving a nuclear war. While that particular scenario has never been tested (thank Ghu!), faulting them for not thinking through every implication of every design choice doesn't do them justice. They still designed and built a system that just runs (partial network meltdowns are always due to economic reasons, not design). This was a truly remarkable achievement. It's especially true since we see systems in place that are essentially immune to the bulk of the common attack vectors in use today. It's not the original designers' fault that so many implementations are so badly broken. It's especially not the designers' fault that the single most dominant OS in use today is also the most porous.
    • It's kind of a shame that the killer app of distributed ad-hoc networks is so generally harmful, but that's the way the cookie crumbles. Get a firewall, install you patches, and hope to God that nobody targets you with a DoS attack.
      Botnets are bad, but not everything.
      The killer app for distributed ad-hoc networks is still IMHO peer to peer sharing.
    • In the same fashion, botnets manage to apply the same basic technologies pioneered by Seti@home, distributed folding, and all of the other "beneficial" distributed computing projects

      I'll assume you mean distributed.net and later by SETI@home ;) But even those are built on technology pioneered in the late 1960's early 1970's, not the 1990's. Heck even when I did distributed.net the technology was already almost 30 years old, go read about DCS.

      All the really cool stuff was done in the 1970's, then cool again
  • Unpaid work (Score:2, Interesting)

    Aren't script-kiddies basically just unpaid volunteer workers for the (presumably blackhat) writers of these click-and-point hacking tools?

    Why go to the trouble of writing an easily-countered virus when you can just make cracking tools more convenient for the hordes of script-kiddies with nothing better to do, thus having a much more damaging effect?
  • ...and other Government agencies for a little homeland security project.
  • by failure-man (870605) <failureman AT gmail DOT com> on Friday March 17, 2006 @10:19AM (#14941283)
    One thing I've always wondered about script kiddies: who writes their tools for them, and why? What does the actual black hat get out of the deal? It's not like script kiddies pay for things.

    Is it for fame? Signal-to-noise manipulation? Are the little fuckers getting "0wn3d" by backdoors in their "1337 h4x0r t00lz"?

    Or is it something else entirely?
    • >> Is it for fame? Signal-to-noise manipulation? Are the little fuckers getting "0wn3d" by backdoors in their "1337 h4x0r t00lz"?

      They do it for the groupies. =P
    • I'm not a hacker but I'll take a shot at this one. Some have things to prove or an axe to grind. They're out to prove they are smarter or more clever than the system admins of www.genericcorpwebsite.com or that their "1337 5k1||5 7074||y 0wn 3v3ry0n3 3|53" or some crap like that. Somehow releasing these programs soothes their ego/temper/whatever.

      Some are malicious, they like inflicting damage so they create these things to turn script kiddies into their little army of conscript hackors.

      Other do it just for

    • One thing I've always wondered about script kiddies: who writes their tools for them, and why? What does the actual black hat get out of the deal? It's not like script kiddies pay for things.

      Don't know, but these parts are more of a write-once and reuse code-type. I've seen tools like this, it's like a frigging plug-in system. "Insert exploit here" "Insert shellcode here". Which doesn't mean you'll actually write code - you'll just add some modules of what it's going to do. I imagine the botnet code is simi
    • I've had a theory about this for some time...No doubt other have the same thoughts...

      At the top of the tree, you've got Anti-Virus and Security companies.
      They're where the initial energy for the system comes from...

      Through proxies, they hire programmers in Eastern Europe and Asia to write all the Trojans, Virii, Backdoors and what have you, which the companies at the top of the tree will protect us from for a price.

      If the programmers create a mechanism to make a little profit for themselves, so be it...
    • if someone told me that there was a secret receiver on the back of your head that you had no knowledge of, and i had no idea who you were, and you had no idea who i was, and i could activate it just by pushing a button, and it would cause you to twitch and spasm and yell out words tourette's style, and i know it's not good for you, what would i do?

      a part of me wants to push the button, just to laugh at your suffering

      over time, i could probably could come to enjoy it, sadistic pleasure from your pain

      even it required a lot more effort on my part to initiate the reaction

      and if it came to define my identity, this dependence on this drug (as this behavior obviously has for some) i might even fetishistically involve myself in the tools i needed initiate your suffering. i might have the magic button encrusted with diamonds. if it really represented the source of so much of my pleasure

      and before you sneer at me, recognize that this aspect of human behavior and this potential for asocial manipulation exists in all of us

      just look at your average kindergarten class if you think this kind of cruelty and enjoyment of others suffering, impersonal or not, is not something unfortunately intrinsic to human nature

      its a dark side, and its defeat comes in recognizing it, not ignoring it
  • Gulf Oil hacked ... (Score:2, Interesting)

    by Anonymous Coward

    "break into computers through a security hole in Microsoft's Internet Explorer Web browser"

    The flaw is in the underlying Operating System.
    A bug in a browser shouldn't lead to such massive breech.

    "Graham Spinney, director of information technology at Gulf Oil, confirmed that sometime on March 10, hackers broke into the company's Web site and planted code that redirected visitors to another site.

    The false site informed visitors that they needed to install a security update to continue logging in to the

  • by dtsazza (956120) on Friday March 17, 2006 @10:35AM (#14941389)
    FTFA:
    "This type of plug-and-play, click-and-hack software simply represents the commercialization of criminal activity, and in many respects lowers the technical knowledge barrier of entry to this type of crime."

    Yes. Asides from the "but is it Open Source?" jokes, I'd imagine it's not difficult for anyone with the motivation to get hold of this software - and no matter what it costs, a 'customer' could easily make that amount back and more.

    It just makes me think - how far do things have to go before people realise that computers are not inherently safe? I'm being careful not to imply that computers *can't* be safe, because of course they can and I'd imagine the vast majority of /. readers' are - but that it's not some whizzy technological environment where everything is great and snazzier is better.

    I'm talking about end-user attitudes; for a long time, public perceptions of computers and the internet has lagged behind the realities. They've shown themselves unwilling to learn out of sheer curiousity or interest in using these new tools. They've shown themselves unwilling to learn when viruses and spyware corrupt files and destabilise operating systems. Now I wonder if they'll start to pay attention to the realities of networked devices when it hits a lot of people in the wallet.

    I also wonder whether the commoditization of cracking tools will eventually shoot crackers in the foot, by making them so ubiquitous that people actually get a clue and stop falling for phishing emails. But then I remember that while crackers have the greater desire to learn and exploit, they'll always be able to stay one step ahead, and come up with some new exploit...

    And no, Trusted Computing is not the answer.

  • System Admins (Score:5, Insightful)

    by Herkum01 (592704) on Friday March 17, 2006 @10:38AM (#14941403)

    I don't get it. How can these Hackers get this tools that do all these great things, and as a system admin I cannot get a application bundle and installed without having to try and move the Rock of Gibraltar.

    Considering as a system Admin, I would have more time and a higher budget, you would think some corporation would make some better tools to handle the more common tasks like managing and updating applications on workstations. Instead I get to read how a hacker can control thousands of machines through a configuration more complicated than Enron's accounting procedures all with a click of the button.

    Life just ain't fair.

    • What this is, is a testament to the sheer size of the problem. There has to be some serious money behind this for it to be this advanced. I saw a mention of several billion in the article.

      It sometimes makes me angry that such a clearly insecure system is being abused to take money from honest people. But everyone I know is totally aware of the risks, I've given them all 'the talk' about Linux, and they choose the blue pill every single time. Desensitisation is a strange thing.

      • An unsafe user cannot be made safe by the system without serious frustration.

        No amount of software remediation will fix a a defective human peripheral (a clue-by-four, on the other hand . . .)
    • Re:System Admins (Score:5, Insightful)

      by Kjella (173770) on Friday March 17, 2006 @10:57AM (#14941567) Homepage
      I don't get it. How can these Hackers get this tools that do all these great things, and as a system admin I cannot get a application bundle and installed without having to try and move the Rock of Gibraltar.

      Well, I imagine the hackers don't give a flying fuck if it fails on 10% of the machines or how much it breaks, since it's all about numbers and it hardly matters which ones that works. If on the other hands it is the fscking machine you're trying to upgrade and instead it hoses the box, I think you might be slightly more annoyed.
    • I cannot agree more, however you have to remember that when you are out to get 100,000 infected machines what does it matter if you totally destroy 10,000 of them, you are still making a profit.

      The hackers don't really have to worry about reliability. Oh and I feel your pain on upgrades I am working on a rollout of office 2003, what a pain. If only you could hand out a cd and say "Here install this" and not have 98% of the users give you a blank look.
    • Considering as a system Admin, I would have more time and a higher budget

      *chuckles* No... you don't have either. And that's why.
  • With the click of a mouse or a drag on a pull-down menu, users can add or delete files on infected computers.

    Sounds like someone is confusing Windows' file sharing system with a security breach... oh wait...

  • i mean, if most of the people running botnets are young and doing it for the 'kool factor', doesn't this take away from that a bit? There are plenty of tools out there that are probably very easy to use, but once it really starts to get out that scanning ports and cracking systems is something any jerk can do with a GUI, maybe some of the 'show offs' might start declining the challenge...
    • i mean, if most of the people running botnets are young and doing it for the 'kool factor', doesn't this take away from that a bit?

      This is more botnet management software than exploit software. I think the main motivation is money these days. You can rent time on a botnet to perform attacks using a Web UI like this. The people managing the botnet can make a lot of money doing this, especially if they live somewhere like parts of eastern europe. Get one greedy American businessman to give you five grand f

  • I don't believe that can happ...[hey who deleted my file?]
  • I don't think I noticed any mention of that in their recruitment ads. Hmm, nope. [workopolis.com]
  • by UnidentifiedCoward (606296) on Friday March 17, 2006 @11:59AM (#14942020)
    The >Washington Post [washingtonpost.com] is so kind as to hide the identity of website from which they took the screenshots from which they referenced in the article [washingtonpost.com] can be easily located with a simple google search...

    The software -- viewed by a reporter on one of the sites, which washingtonpost.com is not naming because it remains active -- displays detailed graphs showing the distribution of victims by country. At time of this publication, the site harboring Frost's information was receiving a stream of illicit data from a network of roughly 3,000 infected PCs mostly located in Spain, Germany and Britain.


    Oh and here is a feature breakdown from a Russian bulletin board:

    In English...
    - Invisibility in system
    - Implementstion of software FireWalls leak
    - Implementation of Polymorthic algorithm
    - Implementation of AV Software vulnerability: AV Bases Update Breaker
    - Socks5 Proxy Server
    - FTP Server
    - KeyLogger
    - Clipboard Logger
    - Implementation of WebMoney Keeper leak: WebMoney Grabber
    - Implementation of E-gold security system leak
    - Protected Storage Grabber
    - Far FTP, TotalCommander FTP, The Bat Passwords Grabber
    - Sends logs/files to http server
    - Web-based Remote Control
    - Implementation of IE leak: Form Grabber
    - Implementation of UK banks security system leak: Memorable Info Grabber (at this moment released implementation of 6 most popular UK banks security system leak, no screenshots, only text) (List of vulnerable banks)
    - Implementation of DE Banks TAN Security System leak (included security test for 4 DE Banks) (List of vulnerable banks)
    - SMS warning if new TAN detected for clients of Russian BeeLine GSM Mobile Operator

    For those that care.... here [ratsystems.org] is the site.

    If you have half a clue you will figure out where to go from there.
  • From what I've read.. this isn't cracking at all, and it looks like some's gone through the urban dictionary with a vague understanding of what it's doing and picked a word at random..

    Consider this, you buy a dedicted server with a web-based 'Control Panel' on it, this makes you no more of an administrator than any other average joe who wants to run a web hosting company.

    Now.. just because you can rent a botnet, then control it via a web interface makes you no more of a cracker than anybody else out there w
  • Screenshots (Score:4, Informative)

    by MCron (737313) on Friday March 17, 2006 @12:57PM (#14942571) Homepage
    For those who are interested, I managed to get a couple more images of this interface here [doorman.info] and here [doorman.info].

    Bonus points if anybody can figure out where the shots came from and shut them down.
  • Now if someone would sell subscriptions to this botnet in the PHP interface. I'd buy a subscription and deploy out the commands needed to delete the botnet program :)
    -M
  • Conjures up an image of a zany band of fun-loving haxxorz sticking it to The Man. And they would've gotten away with it too, if it weren't for those Meddling Kids!
  • by BlueStrat (756137) on Friday March 17, 2006 @05:44PM (#14945096)
    Seriously, websites abound with cracking/booting/keylogging programs for Yahoo chat, and many other protocols, but for some reason, it seems there are more written for Yahoo chat. I'm not including IRC tools, as it seems to me to be a different class, mostly CLI tools.

      I'll sit in a Yahoo chatroom using gyach and FreeBSD, and I'll watch my pflog monitor and see dozens of scans, boot attempts, etc within a couple hours. (I love the chatroom "tough guys" that come in and threaten to "boot" me and "bluescreen" my PC..they get *really* frustrated when their little VB booter programs fall flat against a BSD box with a PF firewall and *nix chat client :D)

    There are numerous chat "crews" that trade in "cracked" accounts/screen names. I've never had my account cracked, but I follow proper practice regarding passwords, which most don't.

    I've had chatrooms I'm in fill up with an entire "crew" all trying simultaneously to "boot" me after one of their members fail. They finally tire and drift off with vague threats about cracking my account and having their "1337" friend ("..my buddy is certified by Microsoft, he'll crash your hard drive!" :D) hack my PC.

    Anyways, back on topic, there are hundreds of very slick-looking cracking and booting programs available for Yahoo/AIM/MSN, most free (as in beer).

    If there are programs just for *chat* that are this slick GUI-wise, it doesn't shock me at all that there are similarly-polished underground tools for other tasks and protocols.

    Strat
  • They could have a point and click method of helping Script Kiddies with their Control issues... Come to think of it, most message board admins need that too.
  • hacking for noobs! I wonder how many of the machines used to order this service are actually being used for bots.

TRANSACTION CANCELLED - FARECARD RETURNED

Working...