Internet is media that was designed by UNIX engineer gentlemen with the good hope and heart to make people easier to communicate to each other around the globe. So some people think they can lie by online in internet, by faking some personalities, pretend to be good but actually doing bad activities in behind. These people maybe think "who knows?"
In malware fighting, to counter cyber crime, is important to cook our intelligence well, and we in #MalwareMustDie are good in nailing these liar / imposter cases. This is a one disclosure of the case.
For this investigation purpose we are pretending to accept the subject for the close intelligence activities, which the project is done now. Herewith we are Announcing and Clarify that the subject is NOT having anything related to #MalwareMustDie.
Trojan7sec
Breaking it down
This is probably the most obvious lie to anyone with any security background at all. This claim has many holes, I will go through each.
Botnet Estimates vs Actual
Botmaster usually have a fairly accurate way to determine the number of bots, usually via unique id's that are assigned to each computer on infection. Because security experts very rarely gain access to the botnet command and control panel, the estimated number of bots is mostly calculated by monitoring the C&C servers and logging the unique ips over the course of a month. If you understand IPv4, you'll know that there are far less IPV4 addresses than there are compters, in an effort to combat this, ISPs use a method called "IP Pooling", this simply means instead of assigning each client with a permanent IP Address, the ISP will maintain a collection of IPs that will be assigned on the fly (when a client logs on to the internet, they will be given an IP at random). Because so many ISPs use IP pooling, over the course of a month far more IPs would be logged than there are infected computers, resulting in the total number of estimated infections being far more than the actual.
Large Botnets That Fit The Description
Bearing in mind that botnet estimates are usually way over, the biggest botnet ever is thought to be conficker with an estimated 10 - 15 million infections. Conficker did not produce much spam compared to some of the much smaller botnets, it was also not involved in banking fraud, keylogging or form-grabbing, so conficker is off the table. Now we are not going to bore you by going through every single botnet and showing you how it doesn't fit that claim, so we'll cut to the chase. No recorded botnet over 1 million bots fits all those characteristics.
Stating The Obvious
There is zero chance that a botnet of that size would go unnoticed, never-mind one of the people involved then giving up and going to twitter to talk about it, the fact he owns a gym and what country he lives in (people have gone to jail for far smaller mistakes). We'd also like to state that no one with a botnet of that size would bother with DDoS, the money made from launching denial of service attacks wouldn't even amount to 0.1% of the potential botnet revenue, it would also draw unnecessary attention.
At a first glance this is probably believable to even people with a security background, although we cannot fully disprove this, we can state why it is highly unlikely.
Malware Marketplace
Nearly all of the the high level malware marketplaces are Russian-speaking only, Trojan7Sec is living in England, he does not speak any Russian, which limits him to English speaking forums (We could count the number of banking trojans sold on English forums on 1 finger). Of course he could have someone who is Russian-speaking sell the product for him, but it's very unlikely.
Quality of Code
We'd estimate the average price of a professional bot with said features at about $2k - $5k, 10k would be a push and likely come from a very advanced programmer. Here is some code Trojan7sec posted on his blog a month after he wrote the above post: Link, Mirror. This code is very beginner and low quality, it is not the code you'd expect from someone who can code HTML inject at all, never-mind an expensive piece of malware.
Firstly you'll notice there is no error checking whatsoever, if any of the GetModuleHandle or GetProcAddress calls were to fail, the code would crash the browser on injection.
Secondly you'll notice this "while(Process32Next(handle, &ProcessInfo))", there is no call to Process32First which is generally what anyone with any programming background would do.
Lastly he doesn't close the thread handle, or the snapshot handle. It's hardly the end of the world, but it's something any competent programmer would know to do.
There's also the non standard and over the top use of the #define directive as well as the unnecessary use of strcpy on data that could have been initialized during compile. This is not the code you'd see from a professional malware coder selling code for $10k - $20k, this is the code you'd see from a member of hackforums selling a $100 bot.
This is probably the only true statement, It's clear Trojan7Sec is a pathological liar, however "believable" may be a slight overstatement (saying that, some of his stories did make it to big news sites).
Again, more of the same. This time the number is rounded up to an even more unlikely 20 million, We also learn that his botnets uses tor, msn and peer to peer to communicate. If you remember recent news, a botnet of around 400k computers started using tor and was the talk of the internet. Not only would a botnet of the size being talked about here be noticed, but would likely grind the entire tor network to a halt. It is agreed upon by a lot of researcher that peer to peer botnets are the most complex to develop, not the sort of thing you'd expect someone who only knows C++ at an entry level. It is also important to add, that using IM services like MSN to control bots is ridiculous and the concept is limited to very small botnets and malware usually written by script-kiddies.
/r/netsec
UPDATE: The REDDIT posts was restored back and accessible now:
This is @Trojan7Sec #DELETED posts in http://t.co/dnT886RSuz w/user: throw4way1945 & promoting his botnet: http://t.co/axc3PSUkwD Cc:@NCA_UK
— MalwareMustDie, NPO (@MalwareMustDie) October 29, 2013
Inspiration
Debunking The Comments
Just in case anyone doubts this is Trojan7sec's reddit post |
Further, the subject in this post explained, the person arrested in Israel and asked to help defend against cybercrime was Hamza Bendelladj, a botmaster and seller for spyspreader known online as BX1. Hamza was not the Zeus coder and had nothing to do with Zeus (other than using it). Anyone who had access to any private forums would know this fact, only script-kiddie oriented forums such as hackforums were spreading rumors that said otherwise. Furthermore, the real story of BX1 is actually as per described in below:
@unixfreaxjp BX1 was arrested in Thailand and then extradited to the US earlier this year. http://t.co/QuKafaLyqQ
— Thomas Chopitea (@tomchop_) October 13, 2013
@MalwareMustDie @tomchop_ @unixfreaxjp @Trojan7Sec "Zues" is just how Trojan7sec spells Zeus.
— TM (@TouchMyMalware) October 13, 2013
Deleted Tweets of Trojan7Sec
These are some now deleted tweet of Trojan7sec talking about the bot he spent 4 and a half years coding. Here is a list of features, you'll notice some features such as polymorphic encryption and bootkit, such features he is certainly not capable of coding and are likely taken from the carberp leak.0-Days
How and Why
"Thou Shalt Not Lie.. When the truth reveals, it will hurt you!"
Additional:
@MalwareMustDie http://t.co/jKsXR2kHMI @Trojan7Sec Hack Forums Account :)
— Gorchevsky (@gorchevsky) October 16, 2013
For those who doubt facts we posted about @Trojan7Sec: http://t.co/FVZ2LH9EYx < UK, indeed #MalwareMustDie #NoMoreLie pic.twitter.com/XfaySQ92E0
— MalwareMustDie, NPO (@MalwareMustDie) October 17, 2013
Since @Trojan7Sec start LIES again, Here's bit of his ID for Case: http://t.co/FVZ2LH9EYx Cc: @NCA_UK @GlasgowPolice pic.twitter.com/GfU2eWY5QQ
— MalwareMustDie, NPO (@MalwareMustDie) October 29, 2013
@MalwareMustDie ------> @Trojan7Sec is an arrogant a$$hole that needs to learn some life's lessons. Im glad u r exposing his BS. @NCA_UK
— AdvTek (@advteksolutions) October 29, 2013
It looks like he is back on action in 2014, sensation? :-)
#MalwareMustDie.