They talk about Justin Bieber.
For example: "you are such a bad ass, I hate to see the namby-pamby" – On 2/5/11, Aaron Barr <firstname.lastname@example.org>
Cloud computing. And the discovery of a password sniffer…
Stu, HBGary found this on multiple machines at BH, I don't remember exactly how many. The sample is attached. BTW, the attacker who was in BH was Chinese and coming from Chinese addresses - we saw him on the webservers and also he was using direct VPN connections - but I don't have the logs or anything to prove that to you - it was just what I picked up in conversation while our guys were down there. The author of this sniffer is LZX, a Chinese hacker who, BTW, is also the author of ZXSHELL.

Here is a snippet of my email to Rich --->

Rich, Logger.DLL is a gold mine. Your boy is Chinese. The tool he is using was developed for those Chinese haxors. The key is the call to "LsaApLogonUserEx2". This is part of the login cracking scheme, and the file "logger.dll" is actually a copy of "pluginWinPswLogger.dll" - do a search on that. You can load the DLL using:

regsvr32 /n /i:c:\xxx.log c:\logger.dll

Attached is the original release. Password is infected. It was written by LZX and released in August of last year. The dll will log credentials to a text file. Use EnCase to search for files that contain patterns like this:

[03/17/2010 15:16:13] LogonType: 2, MessageType: 2 Domain: HBGARY-QA-01 User: qa Password: 123qwe

That will be the creds that were captured with that tool. The guy is probably stashing those somewhere, probably deleting the file once he grabs it, etc. Still working on shit...

-Greg

--- another followup email --->

The author, LZX, hosts the password sniffer at t00ls.net. If you want to get technical for the customer, the tool places a function hook on LsaApLogonUserEx2 in the DLL msv1_0.dll. That is how the tool steals logon credentials. The hook will work for all of the following logon types:
- remote over the network IPC$, explains the ePO domain credential
- runas command
- port 3389 remote desktop connections
- local logon at the workstation
nasty little bugger...
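The e-mail tells the responder to search disks for files matching the logger's record format. Below is a content-based scanner for that format, added here as an example; it is not HBGary's code, not LZX's, and not part of the leaked tool. It assumes the logger writes one record per line in exactly the shape of the single sample line quoted above, as plain 8-bit text, and it labels the LogonType field with the standard Windows SECURITY_LOGON_TYPE names (the e-mail's IPC$, runas, RDP and local cases are types 3, 9/2, 10 and 2). The two records beyond the quoted one are constructed for the demo, as is the file mapping passed to the scanner.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Record format reconstructed from the one sample line quoted in the e-mail:
# [03/17/2010 15:16:13] LogonType: 2, MessageType: 2 Domain: HBGARY-QA-01 User: qa Password: 123qwe
# Treating this as the general format is an assumption; only that line is on the page.
LOGGER_LINE = re.compile(
    rb"\[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]\s+"
    rb"LogonType:\s*(?P<logon_type>\d+),\s*MessageType:\s*(?P<msg_type>\d+)\s+"
    rb"Domain:\s*(?P<domain>\S+)\s+User:\s*(?P<user>\S+)\s+"
    rb"Password:\s*(?P<password>[^\r\n]*?)\s*$",   # non-greedy so passwords may contain spaces
    re.MULTILINE,
)

# Windows SECURITY_LOGON_TYPE values (Windows SDK). The e-mail's four cases map to:
# IPC$/SMB -> 3, runas -> 2 (or 9 with /netonly), RDP on 3389 -> 10, console logon -> 2.
LOGON_TYPE_NAMES = {
    2: "Interactive (console or runas)",
    3: "Network (IPC$/SMB)",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP/3389)",
    11: "CachedInteractive",
}


@dataclass(frozen=True)
class CapturedCredential:
    timestamp: str
    logon_type: int
    message_type: int
    domain: str
    user: str
    password: str

    @property
    def logon_type_name(self) -> str:
        return LOGON_TYPE_NAMES.get(self.logon_type, f"Unknown({self.logon_type})")

    def redacted(self) -> str:
        """Report form: first character of the password only, so case notes never carry the secret."""
        shown = self.password[:1] + "*" * (len(self.password) - 1) if self.password else ""
        return f"{self.timestamp} {self.domain}\\{self.user} [{self.logon_type_name}] password={shown}"


def parse_logger_output(data: bytes) -> List[CapturedCredential]:
    """Extract every logger record from raw file contents (bytes, so any carved blob can be fed in)."""
    return [
        CapturedCredential(
            timestamp=m["ts"].decode("ascii"),
            logon_type=int(m["logon_type"]),
            message_type=int(m["msg_type"]),
            domain=m["domain"].decode("latin-1"),
            user=m["user"].decode("latin-1"),
            password=m["password"].decode("latin-1"),
        )
        for m in LOGGER_LINE.finditer(data)
    ]


def scan_contents(files: Dict[str, bytes]) -> Dict[str, List[CapturedCredential]]:
    """Match on content, not name: the attacker chooses the output path (c:\\xxx.log above is arbitrary)."""
    hits = {}
    for name, data in files.items():
        records = parse_logger_output(data)
        if records:
            hits[name] = records
    return hits


def scan_tree(root: Path, max_size: int = 64 * 1024 * 1024) -> Dict[str, List[CapturedCredential]]:
    """Walk a mounted image or directory and report every readable file that holds logger records."""
    files = {}
    for path in root.rglob("*"):
        try:
            if path.is_file() and path.stat().st_size <= max_size:
                files[str(path)] = path.read_bytes()
        except OSError:
            continue
    return scan_contents(files)


# Constructed sample: the quoted line plus two made-up records (a network logon, which is what the
# e-mail means by the ePO domain credential, and an RDP logon with a space in the password).
SAMPLE_LOGGER_FILE = (
    b"[03/17/2010 15:16:13] LogonType: 2, MessageType: 2 Domain: HBGARY-QA-01 User: qa Password: 123qwe\r\n"
    b"[03/17/2010 15:20:41] LogonType: 3, MessageType: 2 Domain: CORP User: epo_svc Password: Ep0!Svc#2010\r\n"
    b"[03/17/2010 16:02:07] LogonType: 10, MessageType: 2 Domain: CORP User: admin Password: Winter 2010\r\n"
    b"unrelated text that must not match\r\n"
)


def demo() -> Dict[str, List[CapturedCredential]]:
    # Constructed in-memory "disk": one logger drop with an innocuous name, one clean file.
    hits = scan_contents({"C:/Windows/Temp/~df3a1.tmp": SAMPLE_LOGGER_FILE, "C:/readme.txt": b"nothing here"})
    for name, records in hits.items():
        print(name)
        for r in records:
            print("  " + r.redacted())
    return hits


if __name__ == "__main__":
    demo()
```

Because the e-mail expects the attacker to delete the drop file after collecting it, run the same parser over carved unallocated space and pagefile extracts, not only live files. The hook itself (a patched LsaApLogonUserEx2 in msv1_0.dll inside lsass) is a separate check that this file scanner does not perform.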
Cheers when an article makes the mainstream press. Like…
HBGary Intelligence Report
January 19, 2011
ZDNET: When Bots Chat With Social Network Participants
Everything except the important things. They are comparable to the Iraqi intel service: a bunch of people scanning the internet and collecting cash from the clueless. I did like the Topiary screen cap that sent them into threat defense mode to the FBI.