August 10, 2012

Hacked Web sites aren’t just used for hosting malware anymore. Increasingly, they are being retrofitted with tools that let miscreants harness the compromised site’s raw server power for attacks aimed at knocking other sites offline.

It has long been standard practice for Web site hackers to leave behind a Web-based “shell,” a tiny “backdoor” program that lets them add, delete and run files on the compromised server. But in a growing number of Web site break-ins, the trespassers are also leaving behind simple tools called “booter shells,” which allow the miscreants to launch future denial-of-service attacks without the need for vast networks of infected zombie computers.

absoboot.com’s configuration page

According to Prolexic, an anti-DDoS company I’ve been working with for the past few weeks to ward off attacks on my site, with booter shells, DDoS attacks can be launched more readily and can cause more damage with far fewer machines. “Web servers typically have 1,000+ times the capacity of a workstation, providing hackers with a much higher yield of malicious traffic with the addition of each infected web server,” the company said in a recent advisory.
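As an added illustration from the defender’s side (this is not code from the article or from Prolexic), the script below is a heuristic scanner a site operator could run over a web root to spot PHP files that look like booter shells: scripts that open raw sockets toward a host, port and duration taken straight from the HTTP request, often with time limits disabled or obfuscated code. The indicator list, weights and threshold are my own assumptions, and the two sample files are constructed; the suspect sample shows only the tell-tale lines, not a working flood.

```python
import re
from typing import Dict, List

# Indicators of a PHP "booter shell": raw sockets opened toward a target and
# for a duration that the HTTP request supplies. Weights are an assumption.
INDICATORS = [
    ("raw_socket",       re.compile(r"\b(fsockopen|socket_create|stream_socket_client)\s*\("), 2),
    ("udp_target",       re.compile(r"['\"]udp://"), 2),
    ("request_target",   re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"](host|ip|target|port)['\"]"), 3),
    ("request_duration", re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"](time|duration|secs)['\"]"), 3),
    ("no_time_limit",    re.compile(r"set_time_limit\s*\(\s*0\s*\)|ignore_user_abort\s*\(\s*true\s*\)"), 1),
    ("obfuscation",      re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("), 3),
]
THRESHOLD = 6  # assumed cut-off: a lone fsockopen() to a fixed host stays below it

def score_php(src: str) -> Dict[str, int]:
    """Return {indicator_name: weight} for every indicator present in src."""
    return {name: weight for name, rx, weight in INDICATORS if rx.search(src)}

def is_booter_shell(src: str) -> bool:
    """True when the summed indicator weight reaches THRESHOLD."""
    return sum(score_php(src).values()) >= THRESHOLD

def scan_files(files: Dict[str, str]) -> List[str]:
    """Return the names of files (name -> source) that trip the heuristic."""
    return [name for name, src in files.items() if is_booter_shell(src)]

# Constructed samples, not real files. SUSPECT carries only the indicator
# lines a booter shell exposes; the request-driven send loop is omitted.
SUSPECT = """<?php
set_time_limit(0); ignore_user_abort(true);
$host = $_GET['host']; $port = $_GET['port']; $secs = $_GET['time'];
$fp = fsockopen("udp://$host", $port, $errno, $errstr);
// ... send loop omitted ...
"""
BENIGN = """<?php
// ordinary mail helper: fixed destination, nothing taken from the request
$fp = fsockopen("tcp://mail.example.internal", 25, $errno, $errstr, 10);
fwrite($fp, "EHLO www.example.internal\\r\\n");
"""

if __name__ == "__main__":
    for name, src in {"booter.php": SUSPECT, "mailer.php": BENIGN}.items():
        print(name, score_php(src), "FLAG" if is_booter_shell(src) else "ok")
```

In practice a hit is a prompt to inspect the file and its upload path, not proof on its own; legitimate code can use sockets, and a real shell may hide its indicators behind further encoding.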

The proliferation of booter shells has inevitably led to online services that let paying customers leverage these booter shell-backdoored sites. One such service is absoboot.com, also reachable at twbooter.com. Anyone can sign up, fund the account with PayPal or one of several other virtual currencies, and start attacking. The minimum purchase via PayPal is $15, which buys you about 5 hours’ worth of keeping a site down or at least under attack.

If you’d prefer to knock an individual Internet user offline as opposed to a Web site, absoBoot includes a handy free tool that lets users discover someone’s IP address. Just select an image of your choice (or use the pre-selected image) and send the target a customized link that is specific to your absoBoot account. The link to the picture is mapped to a domain crafted to look like it takes you to imageshack.us; closer inspection of the link shows that it in fact ends in “img501.ws,” and records the recipient’s IP address if he or she views the image.

When I reviewed this service, the “booter statistics” box said it had more than 450 registered users who had used the site to launch some 5,816 DDoS attacks. I wanted to find out more about the brains behind this offering, so I sent a message to the site’s owner by clicking the “contact” form on the homepage. I identified myself as a reporter, but received a short “not interested” reply. The response came via the email address rrawbb@gmail.com, which had the alias Robert Danielson assigned to it.

Orgy’s profile on hackforums. Note the bigkesh.com reference.

Things got a bit more interesting when I Googled absoboot.com, and found that it was being promoted at hackforums.net by a 23-year-old user named “Orgy,” who claimed to be the owner of the DDoS service, and the person responsible for a software design firm called BigKesh.

It’s not clear what kind of software BigKesh is involved in devising, but the historic WHOIS records from DomainTools tell me that the rrawbb@gmail.com account is the registrant of record for Bigkesh.com and another domain — bigke.sh. The Web site registration records for the latter domain indicate that it was registered a year ago by a Robert Danielson, of 30 Tumbleweed Ct., Sumter, South Carolina.

Further Google-fu led me to this article in the Johnson City Press from June 2011, which said that a (then 22-year-old) man named Robert George Danielson at that Tumbleweed Ct. address had been arrested and charged with a string of auto and home burglaries, including the break-in at a local police chief’s home in which firearms were stolen. Danielson reportedly entered an Alford plea in that case (a plea of guilty containing a protestation of innocence); the current status of that case is unclear. On June 29, 2012, the 23-year-old Danielson was arrested again, this time near Myrtle Beach and for driving on a suspended license.


102 thoughts on “‘Booter Shells’ Turn Web Sites into Weapons”

  1. Fukkireta

    Krebs = retard.

    There’s millions of other booters out there. Why single this one out?

  2. A friend

    Brian, not sure if the picture of the house those idiots posted is real (no need to tell us). But if it is, you need to maintain that garden, looks like a jungle!

  3. herpderp

    For a man who prides himself on security and whatnot, you should know that there are thousands of booters out there; personal vendettas never get a man anywhere, welcome to 2k12 sir

  4. george

    Now, finally compelling evidence that (traditional)-crime does not pay (enough). This chap had to round his income by turning to cyber-crime too.

    1. Anarchy

      He wasn’t arrested, he actually made a thread about it on Hackforums saying that he used a name that wasn’t him to register the website. Basically the writer of the thread just fucked up big time while losing respect. Also @George, he didn’t commit any crimes. All he made was a booter which can be used to test your servers and other things. What his users do with it isn’t his issue.

      1. george

        @Anarchy
        The fact that he used someone else’s name to register his website might be the only truth in your post. Notwithstanding the discussion about what the booter is actually used for, the fact that he registered a site with someone else’s identity shows clearly he was aware of the legal status of running a booter and is obviously a serious violation and reason for the registrar to suspend the address. I don’t even go into detail on who is the rightful owner of the servers that actually perform the DDoS “test” attack and whether absoboot.com peruses them legally. The fact that you claim otherwise leaves no doubt in my mind that you have some connection with the absoboot.com owner/operator.

  5. pbe

    The reason why Brian chose this one booter is because other booters aren’t a threat. This booter was coded by a knowledgeable person (somewhat). This is the only owner of a booter on hackforums that has appropriate PHP knowledge & networking.

  6. amplicafication booter super polymorphic d00zer

    fsockopen("tcp://127.0.0.1", 13, $errno, $errstr); // 1337 hackforums doozer.

    Brian Krebs, I am not impressed by your performance 😀

    When I saw the pic of hackforums I was happy because I thought that maybe the admin was exposed as an informant.

  7. Peter McLeod

    Hi Brian
    I’m a bit puzzled by the “Hidden due to low comment rating. Click here to see.”
    Sometimes one will open immediately, and another just stays hidden no matter how many clicks – is there a way around this? It’s kinda frustrating.
    I’m using Firefox with Javascript enabled.

    Thanks in advance for any help

    Peter

    1. BrianKrebs Post author

      Hi Peter. Sorry about that. Give me an example of a comment you’d like to read? I have to warn you though, at least on this post most of these are hidden with good reason.

  8. Peter McLeod

    Hi Brian,
    Thanks for getting back so fast – I know you’re extremely busy.
    If many comments are hidden for good reason that’s good enough for me – it was just curiosity on my part – no big deal. And some of the ones I’ve managed to open must be very insulting to you, what are they thinking?
    e.g. Kreb’s-A-Tard
    August 10, 2012 at 12:34 pm.
    I hope these jerks don’t get you down and depressed. I think you’re amazing – you must have saved a lot of people’s sanity.
    Your faithful admirer,
    Peter in Sydney New South Wales.

Comments are closed.