Saturday, March 1, 2008

Nathan ("n")

Briefly mentioned by Ducks in his "snippets":

  • Note to self: The nick "n" is probably also known as elitet0kr, EvilAnarchistGuy, nathanownzu, t0k3d, EliteRAHA. Remember the guy from a couple of years back: Nathan?

I don't know what he means by the last sentence, I should have a chat with him about that. But the info about his other nicks is correct with one exception: I doubt that he is "EvilAnarchistGuy". I will also add another of his nicks which is very interesting: t0k3d. More about that one later.

Anyway, on bulkerforum.biz he was offering proxies for sale.
A post from Tue Feb 05, 2008, not so long ago:
Hello,

I am selling high quality IP restricted proxies that are HP scanned and have anti-honeypot code working at the bot-level to get rid of those tricky HPs. As of now there are 1.5-2.5k working, unlisted (spamcop, spamhaus) proxies online at any given time. The list is reset every 1.5 to 2 hours, depending on what the customer wants. The proxy supports socks4 and socks5, no HTTP as of yet, sorry.

The cost is $150/week for every IP authorized on the proxies. This includes scanning/proxy checker servers as well. Many people ask me why they have to pay for the scanning/proxy checker server. It is simply because every IP takes up space in the IP authorization bracket, and that is what I base the price on.

If you are interested, my Skype is savethedogs. PM me for AIM and MSN.


Legal proxies? Hardly.
He had another posting back in September 2007 with some nice screenshots.
There are also some other screenshots floating around which can be tied to his highly illegal activity. And a domain name, legi0n.net (now expired), is highly interesting. That domain was involved in some criminal activity a few years back (nicked from http://www.f-secure.com/v-descs/ircbot_es.shtml):

The backdoor's file is a PE executable file about 8 kilobytes long, packed with MEW file compressor and patched with PE_Patch.

When the backdoor's file is activated on a computer, it copies its file to Windows System folder as MOUSEBM.EXE and then starts the copied file as a service named 'Mouse Button Monitor', described as follows:

Enables a computer to maintain synchronization with a PS/2 pointing device.
Stopping or disabling this service will result in system instability.

If the backdoor fails to start its service, it tries to inject its code into Explorer.exe process. When active, the backdoor connects to one of the following servers on port 18067:

esxt.is-a-fag.net
esxt.legi0n.net

Then the backdoor joins an IRC channel called '#p2' using the hardcoded password and creates a bot there. A remote hacker can control the backdoor via the bot that it creates in the '#p2' channel. A hacker can do any of the following:
  • scan for vulnerable computers and spread to them using PnP exploit
  • download and run files on an infected computer
  • find files on local hard disks
  • perform DDoS (Distributed Denial of Service) attack
  • perform SYN and UDP flood
The backdoor has the ability to spread to remote computers using the PnP exploit on port 445. Please see the following page for detailed information on the vulnerability:

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Detection

Detection for this malware was published on August 15th, 2005 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2005-08-15_05
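
The F-Secure description above is essentially a list of indicators: the dropped file MOUSEBM.EXE in the Windows System folder, the fake 'Mouse Button Monitor' service, the two C2 hosts on TCP port 18067, and the MS05-039 spread over port 445. As an added example (this is not part of the original post nor F-Secure's write-up), here is a small Python IOC matcher that turns those indicators into detection logic over constructed sample data. The log line formats, the IP addresses, the service listing and the "three or more 445 targets means scanning" threshold are all assumptions made for the example.

```python
"""IOC matcher for the IRC backdoor described in the F-Secure write-up.

Added example, not code from the original page. Indicators come from the
quoted description; log formats, IPs and thresholds are assumed.
"""
import re
from collections import defaultdict

# Indicators from the F-Secure description.
C2_HOSTS = {"esxt.is-a-fag.net", "esxt.legi0n.net"}
C2_PORT = 18067
DROPPED_FILE = "mousebm.exe"
SERVICE_NAME = "mouse button monitor"
SMB_PORT = 445
SCAN_THRESHOLD = 3  # assumed: distinct tcp/445 targets before we call it scanning

# Assumed log formats: "<date> <time> query <client> <name> A"
# and "<date> <time> <action> TCP <src>:<sport> -> <dst>:<dport>".
DNS_RE = re.compile(r"^\S+ \S+ query (?P<src>\S+) (?P<name>\S+) A$")
CONN_RE = re.compile(r"^\S+ \S+ \S+ TCP (?P<src>\S+):\d+ -> (?P<dst>\S+):(?P<dport>\d+)$")

# Constructed sample data, not real captures. 10.0.0.5 is the infected host.
DNS_LOG = """\
2005-08-15 10:01:38 query 10.0.0.6 www.example.com A
2005-08-15 10:01:39 query 10.0.0.5 esxt.legi0n.net A
"""
CONN_LOG = """\
2005-08-15 10:01:12 ALLOW TCP 10.0.0.6:1034 -> 203.0.113.7:80
2005-08-15 10:01:40 ALLOW TCP 10.0.0.5:1035 -> 198.51.100.9:18067
2005-08-15 10:02:03 ALLOW TCP 10.0.0.6:1036 -> 203.0.113.8:443
2005-08-15 10:02:55 ALLOW TCP 10.0.0.5:1040 -> 10.0.0.10:445
2005-08-15 10:02:55 ALLOW TCP 10.0.0.5:1041 -> 10.0.0.11:445
2005-08-15 10:02:56 ALLOW TCP 10.0.0.5:1042 -> 10.0.0.12:445
2005-08-15 10:03:10 ALLOW TCP 10.0.0.6:1043 -> 10.0.0.20:445
"""
SERVICES = [  # (host, display name, image path) as an inventory tool might export
    ("10.0.0.5", "Mouse Button Monitor", r"C:\WINDOWS\system32\MOUSEBM.EXE"),
    ("10.0.0.6", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]


def scan_dns_log(text):
    """Return {client: set(names)} for clients that resolved a known C2 host."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            name = m.group("name").lower().rstrip(".")
            if name in C2_HOSTS:
                hits[m.group("src")].add(name)
    return dict(hits)


def scan_conn_log(text):
    """Return (c2_connectors, smb_scanners) keyed by source address."""
    c2 = defaultdict(set)
    smb_targets = defaultdict(set)
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dport"))
        if dport == C2_PORT:
            c2[src].add(dst)
        elif dport == SMB_PORT:
            smb_targets[src].add(dst)
    scanners = {s: t for s, t in smb_targets.items() if len(t) >= SCAN_THRESHOLD}
    return dict(c2), scanners


def scan_services(entries):
    """Return {host: [(name, path, reasons)]} for services matching the IOCs."""
    hits = defaultdict(list)
    for host, name, path in entries:
        reasons = []
        if name.strip().lower() == SERVICE_NAME:
            reasons.append("service name")
        if path.replace("/", "\\").lower().rsplit("\\", 1)[-1] == DROPPED_FILE:
            reasons.append("image path")
        if reasons:
            hits[host].append((name, path, reasons))
    return dict(hits)


def correlate(dns_hits, c2_hits, scanners, svc_hits):
    """Merge the per-source evidence into {host: [reason, ...]}."""
    verdict = defaultdict(list)
    for h, names in dns_hits.items():
        verdict[h].append("resolved C2 host(s): " + ", ".join(sorted(names)))
    for h, dsts in c2_hits.items():
        verdict[h].append(f"connected to tcp/{C2_PORT}: " + ", ".join(sorted(dsts)))
    for h, tgts in scanners.items():
        verdict[h].append(f"contacted {len(tgts)} hosts on tcp/{SMB_PORT} (MS05-039 spread pattern)")
    for h, svcs in svc_hits.items():
        for name, path, reasons in svcs:
            verdict[h].append(f"service '{name}' at {path} matched " + ", ".join(reasons))
    return dict(verdict)


def run_example():
    """Run all matchers over the constructed sample data."""
    c2, scanners = scan_conn_log(CONN_LOG)
    return correlate(scan_dns_log(DNS_LOG), c2, scanners, scan_services(SERVICES))


if __name__ == "__main__":
    for host, reasons in run_example().items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Only 10.0.0.5 is flagged, on all four signals; 10.0.0.6 touches a single 445 target and stays below the assumed scanning threshold. In practice the network indicators (the two hostnames and port 18067) age badly once the domains expire, so the host-side ones (the service name and MOUSEBM.EXE) are the ones worth keeping in a sweep.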


You asked for screenshots?
Here are a couple, note his nicks and his website. I split this one in two:



More screenshots will be added if needed.

Someone should kick his Butt.