10
Aug 12

‘Booter Shells’ Turn Web Sites into Weapons

Hacked Web sites aren’t just used for hosting malware anymore. Increasingly, they are being retrofitted with tools that let miscreants harness the compromised site’s raw server power for attacks aimed at knocking other sites offline.

It has long been standard practice for Web site hackers to leave behind a Web-based “shell,” a tiny “backdoor” program that lets them add, delete and run files on compromised server. But in a growing number of Web site break-ins, the trespassers also are leaving behind simple tools called “booter shells,” which allow the miscreants to launch future denial-of-service attacks without the need for vast networks of infected zombie computers.

absoboot.com’s configuration page

According to Prolexic, an anti-DDoS company I’ve been working with for the past few weeks to ward off attacks on my site, with booter shells DDoS attacks can be launched more readily and can cause more damage, with far fewer machines. “Web servers typically have 1,000+ times the capacity of a workstation, providing hackers with a much higher yield of malicious traffic with the addition of each infected web server,” the company said in a recent advisory.

The proliferation of booter shells has inevitably led to online services that let paying customers leverage these booter shell-backdoored sites. One such service is absoboot.com, also reachable at twbooter.com. Anyone can sign up, fund the account with Paypal or one of several other virtual currencies, and start attacking. The minimum purchase via PayPal is $15, which buys you about 5 hours worth of keeping a site down or at least under attack.

If you’d prefer to knock an individual internet user offline as opposed to a Web site, absoBoot includes a handy free tool that lets users discover someone’s IP address. Just select an image of your choice (or use the pre-selected image) and send the target a customized link that is specific to your absoBoot account. The link to the picture is mapped to a domain crafted to look like it takes you to imageshack.us; closer inspection of the link shows that it fact ends in “img501.ws,” and records the recipients IP address if he or she views the image.

When I reviewed this service, the “booter statistics” box said it had more than 450 registered users who had used the site to launch some 5,816 DDoS attacks. I wanted to find out more about the brains behind this offering, so I sent a message to the site’s owner by clicking the “contact” form on the homepage. I identified myself as a reporter, but received a short “not interested” reply. The response came via the email address rrawbb@gmail.com, which had the alias Robert Danielson assigned to it.

Orgy’s profile on hackforums. Note the bigkesh.com reference.

Things got a bit more interesting when I Googled absoboot.com, and found that it was being promoted at hackforums.net by a 23-year-old user named “Orgy,” who claimed to be owner of the DDoS service, and the person responsible for a software design firm called BigKesh.

It’s not clear what kind of software BigKesh is involved in devising, but the historic WHOIS records from DomainTools tell me that the rrawbb@gmail.com account is the registrant of record for Bigkesh.com and another domain — bigke.sh. The Web site registration records for the latter domain indicate that it was registered a year ago by a Robert Danielson, of 30 Tumbleweed Ct., Sumter, South Carolina.

Further Google-fu led me to this article in the Johnson City Press from June 2011, which said that a (then 22-year-old) man named Robert George Danielson at that Tumbleweed Ct. address had been arrested and charged with a string of auto and home burglaries, including the break-in at a local police chief’s home in which firearms were stolen. Danielson reportedly entered an Alford plea in that case (a plea of guilty containing a protestation of innocence); the current status of that case is unclear. On June 29, 2012, the 23-year-old Danielson was arrested again, this time near Myrtle Beach and for driving on a suspended license.

Tags: , , , , , , , , , , ,

102 comments

  1. Nothing new about DoS shells / booters..
    Kids will be kids, and it’s mainly that group which HackForums consist of.

    Many of the kids also register at free webhosting services which accept PHP to try and host their booters there.

    We see alot of these failed attempts.

  2. I agree with the first comment. I actually just signed up an account there myself and it’s hillarious because I’m a long-time fan of Krebs on Security.

    I plan to use my account for good though, not evil. I’m about to DDOS some spammers, like I do with all the Hack Forums booters. They call me the “Dexter of Spam” πŸ™‚

    It’s funny because spam is another negative externality of youth hacker sites, but I can use their own tools to neutralize it.

    • Denial of service attacks are the Internet equivalent of bombing a neighborhood when you don’t like one of the inhabitants.

      Almost all of the people hurt are innocent and unrelated to your dispute.

    • Wow you are a great internet white knight, I bet the ladies dig it.

  3. And let’s hope this is enough information for the relevant authorities to prosecute and deprive this criminal of his freedom in prison away from computers.

    Hopefully for a long period of time.

  4. The only ‘good’ thing about DOS from a web server is that it originates from a single IP and can therefore be blocked easily. Of course, with many compromised web sites, it begins to look like a DDOS.

  5. so cant that absoboot site be shut down by someone? isn’t this illegal

    • Probably, and yes selling services that DDoS Web sites is illegal here in the United States.

      • DNS and HTTP service for both absoboot.com and twbooter.com are provided by cloudflare.com. Whether this fact remains in a few days will be a test of cloudflare’s position on abuse.

        Anyone can send an email to abuse@cloudflare.com explaining why you think the customer of these domains should be booted. Take 2 minutes for your Friday good deed.

        Great article, Brian!

        • When I let cloudflare know they were serving Blackshades RAT they took it down the next day.

          • Nice. Well I contacted cloudflare and received this in response:

            “Note — CloudFlare is NOT a web host for this or any other website. We don’t provide web hosting services for any site except for cloudflare.com.”

            Either their abuse department literally doesn’t know what their business does, or was lying.

            $ dig ns +short @8.8.8.8 twbooter.com
            vera.ns.cloudflare.com.
            josh.ns.cloudflare.com.

            $ dig ns +short @8.8.8.8 absoboot.com
            eva.ns.cloudflare.com.
            fred.ns.cloudflare.com.

            $ dig a +short @8.8.8.8 twbooter.com
            108.162.195.48
            108.162.195.148

            $ dig a +short @8.8.8.8 absoboot.com
            108.162.194.198
            108.162.199.99

            These are all CloudFlare IP addresses on AS13335, owned and operated by CloudFlare.

            I hope they’re not going the “anything for a buck” route. Let’s check again in 3 hours.

            • Cloudflare does a lot of money with victims of DDoS.
              Its not good for business to take down your strongest supporters πŸ˜‰

            • How about you stop annoying the ISP’s if the website is offending you. It’s not the ISP’s responsibility to care about the content of their customers. It’s like you contact a car manufacturer seeking justice because someone crashed in your car.

              • Oh sure. So hypothetically speaking anyone should be allowed to host child pornography then.

                A widely held view (or even legal predendent possibly?) is that ISPs should not be *held responsible* for what they’re customers do – so hypothetically they cannot be held responsible for hosting child pornography if one of their customers is doing so.

                Not that ISPs are absolved from all responsibility for mitigating unwanted behavior.

      • Brian under what law do you think selling DDOS services is illegal?

        That’s a purely ignorant statement. DDOS tools are used regularly in academia and business for stress testing. There’s nothing illegal about it.

        Check your facts next time.

  6. Fredrick Parkinson

    You should do a review on EliteStresser.com
    From what I’ve seen, it’s much more advanced than absoboot.

  7. “Anyone can sign up, fund the account with Paypal or one of several other virtual currencies, and start attacking.” @Brian: what is the current state of blacklist technology?

    • Blacklisting from what angle? You quoted the PayPal part of the story, so I’m not quite sure what you mean.

      • My intent is to seek advice on methods that an honest business can use to protect its good name. I wished to narrow the topic to avoidance of miscreants when doing business. The blacklist would be used at some point to either prevent an account from being created or to cancel the account before the honest business is unknowingly associated with the “dark side of the Force.”

      • He owns a shitty e-payment provider nobody knows or cares about, he now wants to know how to blacklist evil doers because he is so srs bsns but in reality he just wants to get attention on the internet.

  8. Facebook Stockholder

    Watch out the big ddoser might attempt to ddos your site now for making a report about him. Do you think the feds will take any interest into him now?

  9. Since you’ve signed up and accepted the terms of service, I assume you’ve read them. I noticed you didn’t make a note of that. Shame that pathetic investigative journalists such as yourself only look at how it can be used for evil, rather than good. Additionally, most of your article is wrong about many, many things.

    I did find it funny that elite stresser came here to try to advertise, though, lol. He’s pretty desperate.

    Anyway, thanks for the free advertisement, nonetheless!

    • Well, clearly among the things I got wrong was the attribution.

      dsl-74.pool13.2.sumt.ftc-i.net

      • haha, oh man

      • Well, this is Tha Sneak from HackForums.net.

        Not everyone on HackForums is a blackhat or a idiotic kid, like myself. I actually assist others across the internet under various unknown aliases specifically with malware and technical issues related to the Windows operating systems.

        When he said he didn’t want to talk to you, you disrespected him by potentially (I’m not positive if that’s his real information) publicly posting his information and spreading lies. There are programs that can be made for good and for bad. It is up to the person who is using it for what they use it for not the person who created it. I’m not defending booters and such, I’m just saying..

        What you did is post his information publicly by doing so you opened him up for a variety of potentially harmful attacks people could possibly use some of the information in your blog, if true, to harrass him and SWAT him. I’m pretty sure if he requests that his information be taken down, that you MUST do it or he can file a lawsuit against you, which you probably wouldn’t want.

        Anyways, I’m just chiming my two pennies in. Whatever kind of attention you’re trying to gain out of this I hope it was worth it.

        -Sneak

        • I don’t always take unasked-for legal advice over the Internet, but when I do, it’s from a guy who calls himself Tha Sneak.

        • So other than your name making you sound like an idiot you’re also claiming that it’s OK (“not illegal” in other words) to hack websites and place a DDoS tool on them because the DDoS tools “can be used for good”. I realise criminals are often pretty dumb but that takes the cake …

          Can I install a botnet node on your computer then? I promise even though I’ll hire it out to anyone who pays it’s OK because it might be used for “good”.

          Also Brian has not posted any private information, it was publically available. It can be used for good or bad you might say.

          • You’re clearly very unfamiliar with this branch of security. Even OWASP provides tools capable of (D)DOSing for educational purposes.

            • Another script kiddie who simply cannot fathom that placing a program onto someone else computer is illegal and that the possibility that the program might be used for non-illegal purposes does not change this.

              /facepalm

              • That’d work if absoBoot was placing any software on any servers unknowingly or without the owner’s consent, but that’s simply not the case. These booters don’t use “DOS shells” anymore. It’s done with spoofing now. Much easier to manage. You seem to be just another script kiddy that can’t seem to realize that.

  10. Kreb,all the ToS on the HF booters cleary state it’s for stress testing your own network there for the owners can get away because they are running a legit service.

    You sir are a ********************************.

    • that must be why the site offers a service to sneakily find out someone else’s IP. to help them stress test their own networks. i got it, yeah

    • Kreb's-A-Tard Is-A-Tard

      Yes because a ToS means shit when you knowingly allow all your customers to attack websites they don’t own.

      I smell a stream of retarded HF kids seeping from the rocks.

      • its quite funny how many people think that it’s legal and okay to sell services that the vendor *knows* is being used for illegal purposes.

        it’s called creating an instrument of crime. if you sell something like malware or an attack service with knowledge that it is being used to help commit a crime (DDoS), you can be held responsible.

        the american justice department has come out and said it could charge a malware writer or service offerer with aiding and abetting, or conspiracy to commit a crime. they said the prosecutors would still have to prove the seller intended for the code or service to be used in criminal dealings. i imagine that offering a service that lets you figure out someone else’s IP sort of indicates that the person running this service is encouraging its use against others, if not also assisting.

  11. Great work, Orgy wants to attack your site i did one better πŸ˜‰
    http://absoboot.com Looks like tango is down?

  12. He modified asoboot index to show this source code for it to appear as if its down:

    Website is currently unreachable

    document.cookie = ‘cf_use_ob=0; path=/’;

    Website currently unavailable
    The website you are trying to access is currently unavailable. Please try again at a later time.If you are the site owner, here is a help resource to help resolve the issue.

  13. Have fun getting swatted by everyone on hackforums Brian πŸ™‚

  14. GigaStress coming soon. Thanks guys.

    @Kreb, you’re pretty pathetic posting personal information when you don’t consent to others posting stuff about you. Stop self-proclaiming yourself to be some anti-hacker internet warrior when in reality you’re not achieving anything but satisfying your own lack of happiness by trying to make others feel small.

    • huh? seems like Krebs just posted what is in whois information for the booter site, which is hardly private. maybe if someone is going to run a site like that, they should take more care to hide or obfuscate their whois information.

      • I have to agree with that. Most of these clowns are doing all this crap from their own home.

        Like they said in “Hackers”: “That’s universally stupid, man.”

        By the way, when I click on the “Like” button, I get a cross-site scripting warning from NoScript… Need to fix that, Brian…or NoScript…

  15. I’m wondering how someone would go about knocking an individual user offline, as suggested in the article. Maybe I missed something (always possible), but it sounds like all this service can do in that regard is to provide you with the user’s IP address, and there’s lots of other ways to get that.

    But how do you DDOS an individual user? Basically you’d be DDOSing their ISP and most of the big ones (Comcast, Verizon, et al) can more than adequately fend off an attack on their network. DDOSing a website works by overwhelming a single webserver, but most individuals are on the ‘net via a network. While I’m not 100% sure of this, I think that a flood of traffic to a single IP address on a network would be managed by the network, with the load distributed and possibly slowed down, or outright detected as an attack and dealt with as such.

    But I’m just guessing. Anybody know what would happen on a well-managed network if a flood of traffic was directed to a single client IP address on it?

    • 1) Your router will burst out in flames, because a 20 bucks router is not build for that amount of packages per second
      2) Your internet capacity will be reached, as if you used your whole bandwith to download stuff

      The ISP is not responsible for ddos mitigation, you can’t expect protection for that discount price.

      • Ok, I see your point, for individual users who cheap out. However:

        1) My 1000 bucks router is unlikely to burst into flames from the incoming traffic

        2) My ISP doesn’t employ bandwidth caps

        So, what you seem to be saying is that individual users with super cheap routers on a network that enforces immediate bandwidth caps might be in trouble. But even Comcast only assesses bandwidth usage on a month by month basis. At the end of that month they might terminate your account, but in the meantime, how would you get knocked off the ‘net?

        • You must not understand how DDoS works.

          Your home internet connection speed is probably 50mbps download / 10mbps upload at most if you’re usingComcast. Comcast does not allow you to exceed this amount of bandwidth per second, regardless of an overall limit throughout the month. This means that if someone DDoSes your IP address and the attack exceeds 50mbps, or whatever your network download speed is, your network connection will be over capacity and you won’t be able to do anything via the internet.

          • Ok, I was just using Comcast as an example of an ISP with bandwidth caps, and I’m not sure you understand what ISPs mean when they advertise certain upload and download speeds. Maybe you do, but when I was a Comcast customer over a year ago I often exceeded their advertised limits and nothing catastrophic happened because my total bandwidth over a month’s time was always well under their cap. Nor did they make clear that anything catastrophic would happen if their “limits” were exceeded in the short term, and I paid careful attention to any such announcements of that type that they made. Maybe they’ve initiated such a policy in the last year, but if so they would be standouts in the field of ISPs. And there’s good reason for that. It would be a lot more expensive to continuously monitor live bandwidth use on every IP address in the network and to take action to shut down overloaded nodes based on bandwidth usage than it would be to simply eat the traffic and take up the problem with individual offenders after the fact. Comcast said as much when they first introduced bandwidth caps, that even monitoring individual users’ bandwidth on a month by month basis posed some difficulties, and it took them quite awhile to implement that system, with many fits and restarts.

            So maybe what you say is true, but it would be a very recent development and not many ISPs are as aggressive in network management as Comcast is, so far as I know.

  16. Escalate!

    Since CloudFlare is harboring these criminals, the next step is to report abuse to its upstream providers, such as nlayer.

    Send an abuse report to abuse [at[ nlayer.net explaining that one of their customers is aiding and abetting DDoS by providing CloudFlare with transit service. That’s the truth.

    nlayer.net is a supporter of NANOG and certainly doesn’t want to be on the wrong side of this.

    • nlayer has most curtainly nothing better to do than to investigate claims of circlejerking self proclaimed internet cops.

      • Take note everyone: the DDoS people don’t want their providers to know they’re committing crimes. So report them.

        abuse [@[ nlayer.net

  17. It’s a stress server. People use it how they want to. Your attempts of embarrassing him with personal information kind of backfired, good luck with your pointless unofficial maggot website.

  18. Richard Steven Hack

    You gotta laugh at these guys telling us this guy is making a “stress server” out of the goodness of his heart given his RECENT criminal record.

    Mind you, I believe criminals can change and become productive citizens. But I think it’s a safe guess that doesn’t apply here.

  19. Richard Steven Hack

    BTW, it’s not clear to me how a “server” has “1,000 times” the power of a “workstation”… In what respect is that true? Because if so, Dell and HP are seriously underpricing their servers compared to their workstations… πŸ™‚

  20. Captain Obvious

    You are a fucking idiot. You don’t even know what cloudflare is do you? It covers up your IP so your website cannot be taken down by DDos Attacks. No one is hosting their site on Cloudflare you fucking jiggaboo. Don’t begin to blame cloudflare for doing wrong.

  21. The things are old, lame, and mainly used by “leet script kiddies” to knock eachother off Xbox Live in-game. Mainly marketed to the gamer community as a method of either cheating or getting revenge against a rival.

    These things do seem to work against a home line – having been flooded several times, they knock you off for like 30 seconds. mostly an annoying disruption.

    Also, most of those “booter” control panels have some rather amusing vulnerabilities, ranging from SQL injection in the login, to shell upload (as a logged in user), to insecure account management (activate your account without paying) to hardcoded backdoors or backdoor accounts.

    Seriously, these things are lame. However, they are quite a dangerous tool in the wrong hands…

    Most of the “shells” are created by exploiting WEBDAV or RFI vulns, and in some cases, by skiddies scanning for RDP then manually installing XAMPP/WAMP on the compromised box and installing their shell. Lame.

    • This comment would have been true 2 years ago. Maybe you should get with the times as DDoS tools and their capabilities have advanced greatly.

  22. You do realise, Mr Kreb, bad things are going to happen to you?

    This post was a mistake, you were a mistake, quite frankly, I suggest you delete this.

    -M3ltD0wn

  23. Keep up the good work Brian. I don’t think anyone else is doing this kind of reporting…. and, the various characters you attract to your comments section are excellent illustrations for your stories too …

  24. I don’t think most booters use shells anymore. Most use spoofing.

  25. It’s interesting how you find it great how you can post information online about people, and think you get away with it! Have a taste of your own medicine!

    http://pastebin.com/BetWN09d

    • Truly you are a skilled researcher. Well, at least you got the IM accounts right.

      As many here have already noted, I didn’t publish anything outside of what was published in a public WHOIS listing. The fact that response has been so vehemently directed at trying to release my personal information suggests that the data in the WHOIS is accurate.

  26. Yo,

    Look what I found, typing in random domains as you do!
    http://briankrebsdox.com/

    Nice of you to post all of your personal information for all to see!

    Also, mind accepting my Skype friend request? Wanna chat!

    -M3ltD0wn @ HF.

    • Aww, how sweet! You bought a domain for me? I am touched. πŸ™‚

      • It is pretty impressive how they managed to get something so public as your age wrong. Watch out, they’re after you!!!

      • This story was interesting to me, but not the part about the booter. May I ask why you focused on that so much, Brian?

        I’m not trying to be so critical, but those weren’t big news back in the 1980’s and they ubiquitous now. Not to mention, I’d bet this isn’t the first time you’ve owned a DDOS technology yourself is it? I point that out just because anyone with a passing interest in computing has.

        We even used them at school at Texas Tech in Networking class.

        The reason I found this story interesting is because of the part where he robbed the Chief of Police!!! Let’s talk about THAT! It sounds like it’s straight off of Batman.

      • Well, I only paid a fraction of the money I made from your advertisement here, so it was the least I could do to thank you for all the money you’re making me. Hey, would you mind making some more posts about me?

  27. Let’s just hope these kids never stop making their booters because if they do then thousands of people working in InfoSec are going to be out of a job. Selling DDOS protection has been big business for the past 10-20 years.

    • “Let’s hope these home burglaries continue — otherwise all the cops and insurance salesmen will be out of a job!”

      Script kiddies are the job creators, and security people who put them in prison? They took are jarbs! Turk ur durrrrrrrrrrrr

  28. There seems to be a lot of aggressive censorship by Krebs and comment spamming by the kids. What’s this about?

    Are the comment thumbs up / thumbs down just here to count how many proxies the kids have or how well Krebs can censor comments to his liking?

    Is this news or just one Hack Forums member (Brian) being flame bait for the younger members?

    • If Brian is “censoring comments” which is a pretty idiotic statement to start with since you can click once to view them so what? It’s a privately owned website, he can remove what he wants if he sees fit to do so.

      • He is indeed censoring comments by preventing certain people from posting here (sending all comments from those users to a moderation queue). Censorship is wrong, especially in journalism. Preventing spam is one thing, but keeping people from telling their side of a story that he so wrongly reports on is just wrong.

  29. I’ve been watching this for a few days now, over at HF there are multiple threads of children raging about this article and posting “krebs dox”, which appears to contain only information he published himself.

    It’s actually shameful, being a security researcher must be so boring when 99.9% of “hackers” are mentally challenged children who cry about their beloved booter leader taking a hit.

    I love reading this blog, but watching these spoiled children makes me lose hope in the human race.