HACKER: How You Will Be Hacked in 2025

CONFESSION OF A HACKER.

Contents:

  • Main types of computer viruses and malware
  • Botnet
  • Miners and earnings on viruses
  • Stealers
  • Antivirus bypass
  • Clipper
  • Prices for viruses
  • What is a Build?
  • Ratniki (RATs)
  • HVNC
  • Keyloggers
  • What are keyloggers used for?
  • Ransomware and encryption viruses (extortion viruses)
  • Ransom amount for computer blackmail
  • REvil and Avaddon, their affiliate programs
  • Percentages and profit turnover
  • How Hackers Become Virus Spreaders
  • Hackers' capabilities
  • "Brute-forcing dedicated servers"
  • Money turnover from the spread of viruses
  • "Code of Honor" of Russian Hackers

Enjoy reading!

The main types of computer viruses and malware

Pavlovich:
Friends, hello! Glad to see you. You often wrote in the comments, invite someone related to viruses, botnets and all this other technical stuff that, with certain manipulations, can easily be converted into money. Therefore, today the whole issue is dedicated to viruses and their further monetization. And how else to protect yourself from this? Here is a kind guest who will tell you about all this. Let's then talk about the main types of viruses in general now.

Hacker:
There are 9 types of malware that are used everywhere. These are loaders, botnets, clippers, stealers, miners, various ransomware, HVNC and, probably, Ratniki (RATs) with keyloggers.

Botnet
Pavlovich:
Now let's talk specifically about each type, because I don't know all of these words. Let's talk about botnet loaders.

Hacker:
There are loaders and botnets, in fact, they are the same thing, because botnets are usually based on a resident loader. Resident means that from the word "resident" it is a permanent resident on the computer. It is registered in the startup, and with each start of the system it is in it. And non-resident are just loaders that have completed their task and left.

Pavlovich:
Well, that is, in simple words, a loader is a thing for loading malicious code so that your computer or phone becomes controllable and turns into a bot, in essence.

Hacker:
Well, if we load some botnet or Ratnik with HVNC from a loader, then yes. But with the help of a loader you can also load any other malicious software. Stealers and miners, in fact, do not become bots from this computer.

Pavlovich:
In short, all infection, in fact, occurs through this loader, which downloads all sorts of malicious crap onto your computer.

Hacker:
Well, in a good way, yes, but some people can distribute only a stealer, and then, well, there is nothing to use the loader for.

Miners and earnings on viruses
Pavlovich:
In short, I'm already completely confused, let's then step by step, a miner, I just go to some sites, it happens, and I realize that I went to a regular site, there, bookmakers, for example, And my computer starts to take off, and I understand that something is wrong there.

Hacker:
There are all sorts of JavaScript miners. The last one was, in my opinion, Coinhive, the most popular at the time. The number of JavaScript miners has decreased, but they still exist. There is also an executable miner file, where you do not necessarily have to go to some site that will monetize the computer; your computer itself will constantly mine cryptocurrency.
As a rule, now on the market among miners it is a modified XMRig miner. It is white software, which is designed to mine monero.

Pavlovich:
And it is simply modified, that is, white software for mining a certain coin, crypto, monero, it is modified so that hackers can somehow secretly mine with it.

Hacker:
Yes, it is made, in fact, it is not even modified, a loader is made for it, which downloads it to the computer and runs it with certain parameters. This is the address to which it is mined, this is a pool, well, actually, where all the miners unite, because you will not be able to mine alone on a regular miner's computer, otherwise you will mine there for decades to get something.

Pavlovich:
Well, I tried mining on these, on Google's virtual servers, I rented them there, but of course everything is very slow there, some cents, maybe tens of cents a day, but that's very little, I got less than a dollar a day there.

Hacker:
Well, the problem here, I think, is not that the miner is bad in general. Mining with one, say, 10 machines doesn't make that much money. But the miner brings in quite a good income, if you have, well, more than 500, probably, machines that mine 24/7. On average, with some i5-6400 processor and higher, you will get around 5 cents a day.
If you have 100 of them, then that's already 5 dollars. If a thousand, then 50 dollars, and you will grow, therefore, as an additional monetization of your installations, the miner is quite a good tool, because it, in fact, does not require any skills or special knowledge, you just need to get acquainted with what a miner is, spend
30 minutes on it, do everything according to some Internet guides, of which there are enough, and, in fact, add it to your pack of viruses.

Stealers (Stealer)
Pavlovich:
Well, the miner is clear with it, yes, it lures cryptocurrency in short, secretly from the owner of the site, computer, and so on. And stealers, earlier in my time it was simply called an ordinary Trojan, yes, well, essentially a program for remote control. There were, I don’t remember, well, like remote desktop, remote desktop, and now for some reason all this is called stealers from the English word steal.
More details about this, what they are and the most common.

Hacker:
There aren't really that many stealers on the market, there are probably about 5 of them, by the way, they are divided into two types, these are malware as a service stealers and just stealers, the difference is that with regular stealers you need to install them on your hosting, buy a domain, set up a database, and malware as a service stealers provide you with a ready-made product practically on a turnkey basis.
You are given an exe file that is already linked to the developers' servers, and all you have to do is start distributing this file, and the logs containing passwords, cookies, autofill or any other telegram sessions, discord sessions will come to this admin panel, from which you will be given the logs for the password.

Pavlovich:
Well, as I understand it, they basically use this rental of these stealers, in essence.

Hacker:
Well, it's hard to say what percentage of people use these or those stealers, the problem is rather that using such a turnkey product, you don't know where your logs are, because it's all on the product developer's servers.

Pavlovich:
That is, it may turn out that you took this stealer, rented a malicious program that will steal from infected users, their logs, all their passwords, cookies from the browser and everything else, then you can cast ads from his Facebook advertising account, and he will receive a bill, steal his mail, account in social networks, this is all okay, but if you do it with a rented stealer, then all this stuff, including crypto wallets and other things, it can also go to the owner.

Hacker:
This stealer. Yes, of course, they have access to these logs, they can do anything with you with them. You can either take their word for it, or buy regular products that you put on your own hosting, and you know where all your stuff is.

Pavlovich:
And with renting a stealer like this, if you rent it, here is the easiest way, which, as I understand it, is used by novice hackers, let's say, how much does it cost per month?

Hacker:
Wait, maybe malware as a service is not exactly rent, it is like rent, but not in the way you said, there are also just stealers that you rent, or rather you have a monthly payment, they are still installed not on the developer's servers, but on yours, but you have to pay every month so that your build is spilled, so to speak.

Bypassing antiviruses
Pavlovich:
But then another complication arises, that these malicious programs, it doesn't matter whether I rent it or I have my own, they are written there for my needs, their antiviruses will regularly detect them.

Hacker:
For this, either the developer cleans it from runtime detection. Runtime is when the product, the stealer, well, any software works. It works, and antiviruses hang a detection on some actions and can delete it. There is also a scantime detection, which we can influence. This is when the file just gets to the computer. To do this, you need to encrypt the files or protect them with different protectors.
You pack it with a protector such as Enigma or VMProtect and add different resources to it so that it differs from the previous version, so that antiviruses look and see, yeah, something has changed here, this and that is different, so they will not immediately hang a detect on it. And we cannot get rid of the runtime detect, because this detect is on the functions that the stealer performs.
That is, some specific malicious actions, right? Yes. For example, you can, or rather not you, the stealer can successfully collect your logins and passwords, but when it takes a screenshot of the screen or some stealers have a function "take a picture from a webcam", the antivirus can be triggered by this and cancel everything. And define it as a malicious program. Yes. And the stealer will not work in most cases.

Clippers (Clipper)
Pavlovich:
And clippers, what are clippers on your list?

Hacker:
Clippers, they are sometimes called either a crypto-shuffler or a crypto-hijacker. But these are very isolated cases. Clipper is basically a program that becomes a resident on the computer when launched. Its task is to wait for the moment when the computer owner, that is, the victim, copies some crypto wallet and when he inserts it, it will be replaced with yours. There are
not many of them on the market, and there are practically no good ones. Most of those that are sold, they replace the wallet, say, bitcoin, with some single one that you specify or the coder specifies.

Pavlovich:
The developer of this clipper?

Hacker:
Yes, you kind of give him the wallet that it will be changed to, and he makes a build for you. But bitcoin addresses have three versions, distinguished by what characters they begin with. There are legacy ones starting with 1, there are wallets starting with 3, and there are new wallets that begin with bc1.
And if you gave the coder a wallet that starts with 1, and the person copies a wallet starting with bc1, then it is obvious that the owner of the computer will most likely immediately notice the substitution and go check the computer for viruses.

Pavlovich:
Well, to be honest, I probably wouldn’t notice.

Hacker:
That is, there it is a set of letters, a number… — No, when you, for example, even if the first three is inserted by you as the first symbol, it immediately catches your eye. There are good products where you can put, if you bought a builder or can transfer to a coder, a large number of wallets at once.
Such products, as I said, are few, but they are much better than these ordinary ones that I mentioned, because they work according to some mask, for example, in a wallet the number 1 can be replaced if it is in your list of transferred wallets.

Pavlovich:
Well, I understand.

Hacker:
One will change to a small letter l, a five to an s, and it will not catch your eye so much. And the chance that the victim will transfer money to you increases.

Prices for viruses
Pavlovich:
Are these clippers expensive?

Hacker:
No, the average price for clippers is probably around $100, they start at $50 and end at $500, but I haven't seen any that cost more than $500. In short, from $50 to $500.

Pavlovich:
What about stealers?

Hacker:
Stealers? Right now, let's say, there are 5 main stealers on the market. These are Vidar and Raccoon, which are malware-as-a-service. Raccoon costs $200 a month, Vidar $300. Of the regular ones, there are Taurus, Ficker and... I probably won't name more.
Because they are constantly either scamming or closing down. There was Predator not long ago. Yes-yes-yes-yes. Taurus. Allegedly, the coder handed over his project to another person, and he improved it. Now Taurus costs $100. That's it. Predator closed down. There was also Krot, Koski, they too...

What is a "build"?
Pavlovich:
Well, in short, there are enough on the market, right? Let it even cost 5 pieces. It costs from 100 to 300 dollars. And you have already mentioned the word Build several times, just what is it for our viewers and the young ones who do not understand?

Hacker:
Build is a copy of the virus that the coder gives you, with which you will work. That is, some kind of customized, configured for you, undetectable by these antiviruses, right? Well, he gives you a clean file, a clean build, which you will have to encrypt, and this is your file, which is tapped into the place you need. If a stealer, then to the admin panel, if a clipper, then it just works, if a miner, then also just works.
Well, the builder is the creator, creates the build, this is what he uses.

Ratniki
Pavlovich:
And you also said Ratniki, that is, in my time there were no such words, in general, what does Ratnik come from?

Hacker:
It comes from Remote Administrative Tool. I don’t even know what they are used for, because it is rather for... Well, it’s like Teamviewer now, that is, probably. Yes, it’s like you can’t use it for any serious actions. You just have full access to the computer. You can open KMD, run some of your own scripts.

Pavlovich:
KMD, he means the command line.

Hacker:
You can transfer something to yourself through file managers-files, but I don’t see how they can use it for work, for some kind of profit.

Pavlovich:
But in general they exist, they are made for something, right?

Hacker:
I don’t know, they are usually sold on some lolzteam or hacking forum, but you won’t get much profit from it.

Pavlovich:
In short, essentially the same Teamviewer, which will allow you to climb.

Hacker:
Yes, it's better to install it on your computer, the admin there, and log in from the phone, do something, control.

HVNC
Pavlovich:
And you also mentioned HVNC.

Hacker:
Well, HVNC is essentially the same as Ratnik, only you have the ability to have a parallel session with the victim, and you will work with their hardware, and they will not know anything about it.

Pavlovich:
So, essentially, if a person has an open HVNC port, let's say, yes, on their computer?

Hacker:
No, rather, when you dump an HVNC build, you have a server that is located somewhere on your server, and there is a client. You distribute the client, which itself will open the ports and knock on your server. You can go in and, using the victim's browser, go to PayPal or a bank account and perform any actions.
Because if you simply stole files with a stealer, cookies, passwords, then when you log in to this account you will, well, be flagged for fraud, wherever you are. PayPal or Bank of America will flag you as fraud.
And with HVNC you log in directly from the victim's IP, all sorts of browser fingerprints are saved from his browser, all sorts of plugins, and the chance that this or that payment will give you is maximum.

Pavlovich:
Well, in general, if I understood everything correctly, HVNC, yes, it is such a thing, also just a malicious program, which, if you throw it on the victim's computer, it will open VNC ports for him, let's say, and through these ports you will connect there, and you will be able to just use his computer, and he will not see anything, right? He will not do anything. That is, it will not be like on TeamViewer, where the mouse moves, that is, you see it.
Yes. And by the way, we used to bully like that as children, well, in our youth there constantly, that is, through Radmin they infected there, they threw Radmin, and man, well, it was cool as a child to watch, he there pulls the mouse in one direction, and you in the other.

Hacker:
No, for such purposes, of course, you can use Ratnik and turn off the mouse, turn off the keyboard. You see a person playing some game, you take his mouse, turn it off. Well, it's funny, yes, but there is no serious profit.

Keyloggers (Keylogger)
Pavlovich:
And keyloggers, from the name itself I already understand that it simply records all keystrokes, but all these other software that you just listed, all other types, do the same.

Hacker:
Well, they don't log every keystroke the holder makes on the keyboard. And the logger, I wouldn't say at all that it is some kind of mass software, because there is no point in loading it en masse. You won't track each user, what he presses where. Stealers have a function that, if they find a link in the passwords that you need, say, from a crypto exchange or PayPal, then there is a loader function, and you can download another keylogger to that computer.
And in this case you will be able to monitor what the user presses. In general, it is usable for crypto, there are all sorts of cold wallets like Bitcoincore, on which a password is set, the wallet is encrypted, and this password is not stolen by stealers.
And you can wait for the moment when a person opens it, Bitcoin Core, the keylogger will send you a message, well, not a message, but, roughly speaking, in the log you will have text that Bitcoin Core is open, and after some time the person entered some password when sending funds. That's it, you learned the password, and you can go to this wallet.dat, which the stealer stole for you, and do something.

What are keyloggers used for?
Pavlovich:
In general, the keylogger is not used en masse then, but it is an auxiliary tool for the same stealer to steal the most hidden passwords, so to speak.

Hacker:
Yes. Well, it can also be suitable for some pinpoint attacks. If you need to penetrate, say, some company's network via RDP, and you don’t have admin rights, you couldn’t escalate them with exploits, you can install a keylogger on this computer and wait until, say, the system administrator comes and enters the password from the account admin panel or from the antivirus to disable it.
Pinpoint work with a keylogger is a good thing.

Pavlovich:
Translating into simple language that you understand, you can, in short, install a keylogger on a computer, yes, to find out the password from Instagram, and there download secret love correspondence with a lover, yes. But if seriously, then simply when the network gets infected from the outside, and you can’t get from it to increase your rights to go through the entire bank network, for example, then on the
administrator’s computer, for example, a logger is installed, well, you don’t have enough rights to go further into the network, just install loggers, you steal his admin password.

Hacker:
Well, yes, you wait until he runs it himself, and then you will see it and be able to use it.

Ransomware and encryption viruses (extortion viruses)
Pavlovich:
Ransomware, encryption viruses, I already had Nikitin in the issue, there from Group-IB. Ransomware is encryption programs that encrypt the contents of your computer, your, for example, organization of companies, and demand, in general, a ransom in bitcoins most often.

Hacker:
What about this? Well, either Monero or bitcoins. By the way, I do not agree with the person who talked about ransomware. It seems to have been said there that only 25 percent of passwords are decrypted. The rest is either a scam, or people themselves cannot decrypt what they infected. In our segment of the market, so to speak, Russian-speaking, CIS, there are no products that cannot be decrypted.
There are the popular REvil, Avaddon, a couple more. There have never been cases when... Blockades. Blockades. Well, it's impossible. These people have a huge reputation. There are deposits from 10 to 100 bitcoins on forums. These lockers have never had a single case when there was some bad encryption that they couldn't decrypt.
The most famous of the ransomware is probably REvil, because they blocked, well, the operators blocked, more precisely, REvil itself is the creator, they blocked banks, Jack Daniels, there was some news about Trump and 43 million dollars, they could rip him off.

Pavlovich:
So REvil is simply, it turns out, the name of this extortion virus, let's say.

Hacker:
This is an affiliate program that provides its build of the cryptolocker. The difference between REvil, Avaddon and some other NetWalker is particularly small. They have different encryption methods. For some, it can go in several streams at once. Someone communicates with people themselves, well, operators.
Your task is to infect, and it will communicate for you. There is essentially no difference between these products. They encrypt everything, antiviruses have not yet come up with ways to decrypt them, well, and it is more likely simply impossible to do. Because all sorts of shadow copies are deleted, everything is blocked, and all files cease to be useful to you until you pay.

Pavlovich:
In essence, it turns out that if you are infected with this virus ransomware, all your files are encrypted, you can either pay, and they will give you the decryption key, or tell you to fuck off, if you have it on your computer in some third-party hard drive, here in my backpack, all the backups are obtained.

Hacker:
Yes, if you have a backup on an external hard drive that was not encrypted, or somewhere else, then you can easily recover from it.

Pavlovich:
But if I had it on my computer, somewhere in my work, then the people who block my network, my computer, they will, of course, find all this and erase it in advance, so that I will pay 100%.

Hacker:
Yes, usually you either pay or waste time, if you do not have backups, trying to restore something, remember. By the way, ransomware is now in such a fashion, if you refuse to pay, they can either leak your information, important encrypted files from companies, they are posted in the public domain or sold to someone, and also, if you decide to think for a long time about what to do, the ransom amount will double or triple in N number of days.

Ransom amount for computer blackmail
Pavlovich:
And what are the ransom amounts on average, or do they depend on the companies?

Hacker:
No, basically the minimum is either 200 or 300 dollars, you can't specify less, and then, of course, it depends on the company, depending on what you encrypted, their ability to pay, you set the price yourself.

REvil and Avaddon, their affiliate programs
Pavlovich:
And these, you said, REvil, Avaddon and others, these are just ready-made, virus writers have created these ready-made encryption viruses, and you rent them from them, and your task comes down to what? Just to distribute them as much as possible?

Hacker:
Different affiliate programs have different approaches to the set of their clients who will distribute. Let's say, schoolchildren who will load lockers on some, well, cheap traffic, so to speak, to India, well, let's say, to an ordinary person. They don't need them, it causes more problems, takes more time. Usually they take people who have access to corporate networks, who know how to get good quality material.
Perhaps they take some spammers who can spam emails, well, such more or less quality traffic. Well, you say, they take it. Yes, you have to come to the selection, you can buy some cryptolocker that someone wrote, but it will usually be worse than those provided to you through the affiliate program.

Percentages and profit turnover
Pavlovich:
And the distribution of percentages, so I found an affiliate program somewhere with this malicious cryptolocker, I took it, passed their selection, took it, distribute it, I don’t know, through a YouTube channel for example, or with some spam, or just write on a social network, look, you were caught jerking off, and that’s it, I infected a whole bunch of people, and they paid me, some of them
paid the ransom, in what proportions is it divided between me and the owner of this ransomware virus?

Hacker:
Usually the percentage starts from 30-20 in their favor, you get 70-80, and it goes down to about 10% that they keep for themselves, if you have, like with REvil, 100 thousand dollars a week. Turnover, well, profit. In general, you can get to 10%.
The fact that they take more is rather an out-of-the-ordinary case, and you shouldn't use such an affiliate program.

How hackers become virus distributors
Pavlovich:
And how they advertise, it's just a little surprising, how they advertise themselves, that is, either those who are interested in them somehow google them, find them, or they, that is, as I understand it, the affiliate program, it simply created a good product, this digital virus, yes, but it cannot live without those who will distribute it, how do you find each other?

Hacker:
Yes, there are news items, there are just some news on the forum. REvil recently made a 100 bitcoin deposit on DamageLab. Is this some kind of Western hacker forum? No, this is a Russian-language forum, it is actually quite old. Now it is called XSS.is, or XSS, if it is a regular domain. 100 bitcoins, well that's a good deposit, that's a million dollars.

Pavlovich:
What did they deposit it for?

Hacker:
Just to show that they have a good product, they are serious, they want to work only with people who know how to work.

Pavlovich:
And there are many like you, for example, who take these ransomware viruses from them and distribute them.

Hacker:
It is difficult to get into good affiliates, because there is a very strict selection and the number of places is limited. The more people, if you have an open recruitment, let's say, take everyone, you hand your product to Kaspersky and some other AV specialists, so usually there are sets of 5-10-20 teams that use it. And when some team works poorly or stops working, the affiliate kicks them and opens recruitment again.
There will always be those willing to work with some famous affiliate.

Hackers' capabilities
Pavlovich:
Well, and who wants to work, then we smoothly move on to another block of questions. Who are these people who want to work and what capabilities.

"Brute-forcing dedicated servers"
Hacker:
Do you have? They work with ransomware, rather, people who have been in the virus business for a long time; they can brute-force dedicated servers to suddenly get into some network. Someone works with Cobalt Strike, Burp and some other penetration tools.

Pavlovich:
Brute-force dedicated servers is simply scanning the Internet for vulnerable servers, preferably corporate ones, right?

Hacker:
Well, as a rule, you just scan, take a range of IP addresses, add them to the brute force software, there are two of them, z668 and NLBrute, you add the range of IP addresses, the range of ports that you scan, 3389, 33389 and so on, load a database of passwords and logins there, and start...

Pavlovich:
You simply load a database of passwords and logins into the brute force, yes, just so that it goes by your dictionary and picks up combinations, so that it can quickly... If it encounters an easy password on some server that it starts to crack, it encounters an easy password, picks up according to your dictionary, it will very quickly give you a whole bunch of servers.

Hacker:
Yes, and when you get access to any one machine, you can fire it up, suddenly it turns out to be some kind of network, and then you start working on the network, and you can infect a good bunch of servers.

Money turnover from spreading viruses
Pavlovich:
Well, how much do they earn if they deposited a million dollars, let's say, on one of the forums, how much do they earn per month, according to your calculations?

Hacker:
The affiliate program itself, I think, is millions of dollars per week. Millions per week. Even per day.

"Code of honor" of Russian hackers
Pavlovich:
And it turns out that it is you, who took these ransomware viruses from them and spread them around the world. Is there a code there, like the carders used to have, the journalist keeps asking, like not to touch RU computers, or something like that.

Hacker:
Yes, of course. All the software in general, all the malware that is sold on our market, as a rule, does not work on CIS computers. It is detected either by the keyboard layout that you have, if there is RU, then that's it, it does not work, or by the current IP.

Pavlovich:
Well, one of my friends was recently infected, there, an accounting company, there...

Hacker:
But these are most likely some not very good or our people who work, who ordered custom software, because buying one that will work on the CIS is quite difficult in our, at least, Russian-speaking segment. Well, that is, there is some kind of code after all, right? Yes, yes. They don't even block hospitals, educational institutions, even if they are Western.
There was a recent case when they attacked, I don't remember what, but in the end they infected a hospital with ransom, and supposedly because of this a patient died. After she died, Interpol wrote to this partner using the contacts they left, like you made a mistake, because their message said that they were blocking some other resource, but for some reason they hit the hospital.
Interpol wrote that you made a mistake, and the partner gave the decryption key, because it is not good to block this in a hospital.

Pavlovich:
So hackers finally came to the understanding that despite the money, they should not block everyone?

Hacker:
Yes, usually the work is carried out against some companies that can pay, to whom this blow will not be as, well, strong as... Well, it's conscience, some kind of moral values. Blocking a hospital in Russia is unhealthy.