Oriģināli publicēju savā blogā, bet tā kā dažiem solīju te pārpublicēt, tad te nu ir.
Jau iepriekš atvainojos par angļu valodas kļūdām. Varat droši komentāros uzdot savus jautājumus, bet neapbižojaties, ja es jums visu nepasniedzu uz paplātes, bet gan ielinkoju kādu pamācību.
Lately a lot of people on a Latvian gaming community have started to sell Steam wallet money, most of which hasn't been earned in legit ways. I was bored and looking for an adventure, so I decided to dig into a particular user activities, after someone else reported him.
The first thing I did was look if he has registered in the Gaming community before, nope, not even once. Castiel, the guy who reported him at the beginning pointed me to a video he most likely uploaded under an alias.
So I decided that I will pursue this case only if I can link this video to the offender.
Well, well, well, what do we have here. He showed his skype username publicly on the gaming community website... And I was able to link it to the alias Google+ profile of the offender, by just googling. This guy isn't smart, but hey this is just the beginning.
Okay, let's start analysing the malware, starting with the simplest - bintest.
Nothing interesting here, looks like the file is encrypted.
Well, then I should run it. Though before doing it, I should take a few precautions.
- Ran it in a Virtual machine, so my main operating system files can not be messed with.
- Installed OpenVPN client on the Virtual machine and connected to it my own VPN, routing all connections through it.
- Launched tcpdump on the same machine as OpenVPN server so I can sniff all traffic coming from Virtual machine.
Okay, everything is set, now I just have to launch the infected file.
Nothing interesting happens on the screen, though looks like the Virtual machine is now infected. Let's see what tcpdump is showing us.
Hmm, just after launching the infected file it tried to look up domain "diaenay.no-ip.biz", definitely not a domain which a freshly installed Virtual Machine should look up.
At first I thought, hmm, looks like just random characters, but then I realised. I've seen it before.
Lets have a moment of silence for this retarded individual whilst facepalming ourselves...
Unfortunately, I can't get hard enough evidence to report it to local authorities, because the domain name was seized by Microsoft at the beginning of July and now is resolving to a Microsoft owned IP address.
29.07.2014 Okay, time for an update
After a little bit social engineering by my friend, we were able to get a newer video out of him under another of his aliases.
And there it was, the awaited working RAT, which doesn't resolve to a seized subdomain.
Reverted my Virtual machine to the just installed state and ran the infected file, whilst sniffing on traffic.
Okay, let's see what the tcpdump output is showing us
Looks like it is trying to resolve a new domain name, definitely not a domain name which a new Windows installation should resolve.
And the domain name currently resolves to a Baltcom owned home user IP address.
After looking up the domain name the virtual machine started to contact the RAT.
Let's see if I can find out who it in the gaming community.
Yeah, as I expected. But to top it all off, he is authenticating using a Latvian Facebook equivalent - draugiem.lv. Looks like I can connect the username to his user and find out his real name.
Okay, got the id, let's just follow the link now. https://www.draugiem.lv/user/4590799
Voila, the perpetrator has been found.
Thanks for reading my first blog post ever, feel free to leave a comment.