The Digital Underground: Interview with RinCe

by Chris Boyd, Wayne Porter

Acting on a tip-off,  FaceTime Security Labs researchers, a division of leading IM Security firm FaceTime Communications, uncovered two "botnet" networks that collectively represented up to 150,000 compromised computers, one of which was being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.

In addition, after systematic research of the various groups involved, we uncovered a number of websites where up to forty or more files were being shared around this community, and reworked for individual Botnets. Commercially available remote admin tools (similar to the ones employed here) were used to gain complete access of the end-user's PC - files could be uploaded, downloaded, or whatever the Botmaster felt like doing with the machine.

However, what the Botnet master really felt like doing, was downloading the payment database application to the PC, then scanning for misconfigured shopping carts using the end-user as the fall guy.

In Part 1, we looked briefly at the history of the attack and what the potential dangers were. This time round, we're talking to the individual who made the initial tip-off and assisted with gathering valuable intelligence, some of which has since been forwarded to the relevant Federal Authorities. If you're sitting comfortably, take a detour into the Digital Underground - keep your arms inside the booth at all times...

(Note - Paperghost is the online alias of FaceTime Security Research Manager Chris Boyd, RinCe is the individual who came forward with key intelligence and the chat was conducted via Instant Messaging).

Paperghost:  Hi RinCe. We might as well go right to the beginning – have you always been into computers, or is it a recent thing?

RinCe : Basically, I’ve been brought up with computers all my life since I was 6, playing Warcraft II with my uncle on a LAN. I got into 'hacking' through leaving college - it was something to pass the time. I also hosted a few "hacker" websites for a short while and that got me interested in the scene. I grew out of it rather quickly as I had a taste of what it’s like to be on the receiving end of a hacker.

Paperghost: Really? What happened, did someone hack you?

RinCe: In a word, yeah. I know it sounds pathetic, but I lost my entire email account to a Trojan and lost 3 job interviews because I never got the Email back in time. It made me realise something so small can affect somebody's life like that in a major way.

Paperghost: …and that put you off the "scene", so to speak? I can imagine you'd be pretty wound up by that. We come across lots of people who got burned by either being a pusher or a victim, and it can have some pretty extreme effects.

RinCe: Yep, absolutely. So after that, I stopped the child’s play and that’s what leads to me reporting a group of hackers.

Paperghost: And just so people know, how did this come about initially?

RinCe: I was on Digg.com and was reading an article of yours, and saw the “Report a Sucker” button - I clicked and we got talking! At first, I was just reporting a Botnet that I knew about and the usual Adware stuff…

Paperghost: Adware? Any examples of the Adware they used to push? Or still push now, for that matter? We've seen plenty of examples of Adware being used in conjunction with Botnets in the past...I imagine the same rings true here?

RinCe: Active X kits, pay per install etc...I wouldn’t know what company though. Having been around the scene in the past is a great way to find out new information.

Paperghost: And that past on the fringe certainly helped here…tell me how you came across the information that these guys were involved in pushing some of these files.

 RinCe: Well, someone I’d known from way back sent me a random message on IM, asking me if I would swap a Paypal account for 10 credit card numbers. Obviously I didn’t have anything to give him, but I did wonder how he had so many credit card numbers. So I ask, and he simply blurts out that they’re using a script to steal online databases of CC numbers. Next thing, he’s sent me the script. They trusted me as I didn’t make a big “public” deal of dropping out of the scene at the time I got hacked.

 Paperghost: …and do you think the specific people you were contacted by are aware that this particular exploit is being run by groups besides themselves?

 RinCe: Yes as the exploit was posted on [censored]. That’s how I really “got into the scene” – I’d be given new IM spreader sources / Packers to check out.

Paperghost: Ok - just to clarify, when you say IM spreaders, you presumably mean scripts that need compiling and attempt to infect people automatically via things such as IM, yes?

RinCe: Yes - I still get messages on my msn from a certain hacker saying 'Testing new IM spreader'.

Paperghost: Lovely. So, at this point – you’ve given us a whole bunch of information, right? And, interesting as it is, we still (at this point) need some proof. So tell me, how did we go about getting some hard evidence that this was going on?

RinCe: Well, I got the hackers to trust me with promises of free IRC servers and paypal accounts - I got them to “loan” some of their bots to a Honeypot which you saw fill up with drones. The server was monitored and we got their IPs. One guy even showed me where he lived using Google Maps, without me even asking for it. We were playing around with it looking for directions to an interview, next minute, he’s saying “Check this out, there’s my car on the driveway!”

 Paperghost: That’s pretty stupid, considering the risks involved. Do you think people in hacker groups are easily exploitable? Seems like you only need to hit the scene for a while, then offer them something and they're falling over themselves to land themselves in trouble with incriminating evidence.

RinCe: I’d say it helps if you’ve hit the scene for a while - it would take a lot of time to build trust between fellow hackers. But most hackers are greedy - show them a plate of something they want and they’ll give you the info. I used to hang in Bot trading channels – kids buying and selling exploits / bots. If you had the latest unpatched exploit, you were basically rich.

Paperghost: Now we see a lot of Bot trading forums - most of the time, these "public" forums contain source code that’s corrupted, and bots that are backdoored. However, lots of them are run by fairly well known names in the hacker scene. Are these boards just fronts for the guys who run the "private" forums to get a good view of the landscape and make the little guys think they’re big fish?

RinCe: Dead on the money – for example, the [name censored] was basically a front for newbies to get approved. If you were trusted or smart, you got access to the private forums, full of non-corrupt source codes. If I remember correctly they had a database of 200 working bots ..all versions of RXBot and Phatbot. Basically, it was a whole new forum with files and Beta testing.

Paperghost: The beta testing is interesting I saw an example of this just last week. Are there lots of public betas, or are most private Betas for the real “hardcore” bots?

RinCe: Definitely not alot of public betas – it’s mainly people who know the coders, like the beta for Erazers NTpacker (which packs an .EXE so it remains undetected from scanners and the like). They used 2 release 2 versions – public and private. People with upgraded accounts could use the private one.

Paperghost: And presumably they had to pay to upgrade?

 RinCe: No - basically if you show respect, hook them up with apps…quote me on this. The hacking world is 1 big market place, trading stuff for stuff like the black market. If you get your hands on something amazing, like a new IE exploit, you’re a God in the hacker world - you could ask for anything, or any price.

Paperghost: with that in mind, it’s pretty interesting that you dropped out of the scene. The sky’s the limit for anyone who really wants to make a go of it. Knowing what you know, are you ever tempted by thoughts of "what if", or are you happy with what you're doing now? What do you see yourself doing in six months time, say?

RinCe: Well I wouldn’t go back into the 'scene' as it’s ruthless. I’m happy working for a company that develops safe e-commerce based websites – kind of ironic. I’ve moved on with my life recently now, have my own flat and a good job. So in 6 months time I can see myself sitting in this very chair, in this very studio doing a job I love. Though I must admit I did enjoy helping to bust some hackers!

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.

Related Articles

• Instant Messaging E-Commerce Exploits- Judgement Day
• Spyware Warriors and the Digital UnderGround: Part 1 Podcast
• Spyware- Potential for Terrorism?

Read other articles (back to full list)