Aurora, or why Germany and France are banning IE

Posted by k | Posted in Uncategorized | Posted on 18-01-2010

As you’ve probably heard, Google recently announced it had suffered an attack on its GMail servers from China.

An Internet Explorer zero-day exploit was to blame, and now Germany and France are advising their citizens not to use IE.

The exploit used is called Aurora and is now on the loose all over the Internet.

Here’s a video on how it was done:

And here’s the source code: http://seclists.org/fulldisclosure/2010/Jan/285

A domain to link bait: real world example

Posted by k | Posted in Uncategorized | Posted on 15-01-2010

As I don’t have time to do this today, maybe some of my readers can try it.

  • Register this: HumanLamb.com (it’s free as I am typing this)
  • Scrape and rewrite this: http://www.dailytelegraph.com.au/news/sheep-gives-birth-to-human-faced-lamb/story-e6freuy9-1225819071357
  • Send to Digg.
  • Buy 50/75 Diggs.
  • Wait
  • Change content / 301
  • Profit.

twitter

Posted by k | Posted in Uncategorized | Posted on 26-11-2009

Just a quick post to announce I am on twitter now: http://twitter.com/BlackHatDomain

Setting cron from PHP

Posted by k | Posted in Uncategorized | Posted on 20-11-2009

When you do a web search for cron and PHP, you always find how to run PHP from cron, but there’s no info whatsoever on how to set cron from PHP.

Doing BH means dealing with a lot of automated tasks. Automation in PHP means cron: crons that run scripts that do web spidering, process data, scrape content, auto post, you name it.

Doing REAL BH requires more complex scripting: scripts that dynamically change the cron, that is to say, change the cron table according to external conditions found by the script itself.

It’s not rocket science, and you only need to know two things:

  • 1. To format a classical Unix timestamp for cron, use this: $cron_formated_date = date("i H d m *", $timestamp);
  • 2. To set a cron from PHP, write the line above plus the command to run into a text file, then call shell_exec ("crontab /home/user/mycronfile.txt");

Knowing those two tricks, you’re free to create anything.

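Adding a new line to your current cron table
// Cron line: schedule fields + command, with its output redirected to a log file
$comandstring = $cron_formated_date." /usr/local/php5/bin/php /home/user/myphpscript.php > /home/user/myphpscriptoutput.txt 2>&1";
// Read the current table (shell_exec returns NULL when crontab -l prints nothing)
$actualcron = (string) shell_exec ("crontab -l");
$newcron = $actualcron."$comandstring\n";
// Write the new table to the same absolute path that crontab loads below
$f = fopen ("/home/user/mycronjobtemp.txt","w");
fwrite($f, $newcron);
fclose($f);
shell_exec ("crontab /home/user/mycronjobtemp.txt");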

How do I delay my cron 15 minutes?
$temp_cron_date = date("Y-m-d H:i:s", $timestamp);
$new_cron_formated_date = date("i H d m * ", (strtotime("+15 min", strtotime($temp_cron_date))));

How do I list my cron table?
shell_exec ("crontab -l");

How do I clear my cron table?
shell_exec ("crontab -r");

How do I reset my cron table?
Save the crons you always run to a txt file and load that file to the cron table to reset it.

How do I create random crons?
I leave that to you.

Why are random crons very important?

  • 1. Because Google is smarter than ever and will detect your auto content feeding pattern. (Unless you make clever use of WP and postpone your posts on a random basis)
  • 2. Feeds where you’re getting the content from detect your pattern and ban your IP. It has happened to me reading RSS feeds from major newspapers.

Domains + Botnets + Parking = $$$

Posted by k | Posted in Uncategorized | Posted on 21-10-2009

If you subscribe to this blog, you know I don’t post frequently. And I like it that way. Some say you have to post regularly or else you’ll lose your subscribers. I don’t agree.

I have unsubscribed from blogs before, not because they don’t post but because they post too much. They post every day because they have to and not because they have something to say. To them I say: Our time is precious, stop regurgitating the same thing over and over. And there are a lot of those out there in the SEO area.

Unveiling real unique good black hat info is always a dilemma. You’ll keep your readers happy but you sentence to death the method exposed. It will only last on the direct proportion on the number of readers you have, and how pro-active they are. That’s also why black hat blogs don’t get a lot of link love from their readers: the fewer people who know about it, the better.

Congrats, you’re one of the few who reads this blog, as today I am going to unveil a technique you have never ever read anywhere on the Internet before. It has been used by black hatters for some time now with great success.

Its success comes from three main factors:

  • - you can implement it in 10 minutes and with almost no tech skills
  • - you can earn a lot of money, passively!
  • - no one can accuse you of black hat schemes

As you know, since spam started bringing people to jail, professional spammers have turned their attention to other methods of spamming: posting on blog comments and forums.

XRumer is often designated as the top tool to do it. But it is not. It pales compared to using botnets of zombies. There are even IRC channels fully dedicated to botnet renting.

I am not endorsing these practices in any way. I am just pointing out they exist and we are going to profit from them.

Here’s what you need to do:

  • 1. Install some forum software, the older the better: phpbb, punbb, smf. Any of those will do. Make life as easy as possible for bots by disabling CAPTCHA and other similar functionality. Really old forum scripts don’t even have them.
  • 2. Let the world know about your forum, but don’t use spam techniques. Just register on some directories. Optionally you can simply do nothing and wait. The previous step was just to speed up the process. Soon you’ll find your forum full of spam posts. Don’t worry, it’s part of the plan. Let the spam bots feel at home.
  • 3. When you think there’s enough activity, park the domain. That’s all. You can easily earn $50* or more daily from each of your domains. This value will decrease as bots lose interest in your forum. When that happens, it’s time to put the forum up again…

You see, most of these bots are using zombie computers to spam: so, it’s not easy for the parking companies to identify it as spam, since there’s not a proxy, a TOR node, or a gateway IP to put against their db of spam hosts. The smaller the parking company, the less protected it is against this. So, parking companies take note.

If they ever contact you, what should you say? Easy, that you had a forum once (take some time to configure it so that it will look real), lost interest but kept it online. Recently you discovered it was being taken over by spam bots and decided to remove it and park the domain.

Sure, there must be a lot of fraudulent clicks but you’re absolutely covered and cannot be blamed.

Last, but not least, and this is the best part: even your parking company can profit from you, and the ad provider has nothing to pin on them, as they were just parking your domain.

Yes, it’s the ad feed provider’s responsibility to detect and invalidate the fraudulent clicks. So, in the end, you are cheating the big sharks, so sleep tight at night. I can assure you those values are already being assimilated on their balance sheets.

* Approx. value for 10000 spam posts, 50% conversion ratio (yes, it’s that high as bots click everywhere) and 0.01 clicks (expect this to be real low).

eBay (inadvertently) reveals secret code to detect cookie stuffers

Posted by k | Posted in Uncategorized | Posted on 21-05-2009

Patrick, from Blogstorm, posted about the recent filings in the eBay Inc. v. Digital Point Solutions, Inc. et al case, whereby the plaintiff eBay Inc. alleged Defendants engaged in cookie stuffing to defraud Plaintiff. So far 80 documents have been filed in the case, but the most interesting is number 68, which is the Second Amended Complaint against all defendants, filed by eBay Inc. (Eberhart, David) (Filed on 3/26/2009) (Entered: March 26, 2009).

Some quotes from this Second Amended Complaint which mentions Digital Point Coop Network are very interesting:

eBay placed a special “gif” image on the eBay.com home page. This special gif was served to any browser receiving an eBay cookie. eBay had observed that Defendants’ cookie stuffing schemes caused the user’s browser to be secretly redirected to eBay’s home page for only a short period of time—sufficient time for the cookie to be stuffed and little or no more.

The cumulative results of the investigation demonstrated that over 99% of the traffic directed by DPS and KFC during the time period of the investigation did not receive the gif image, and was therefore fraudulent cookie stuffing traffic.

This is very interesting for all you cookie stuffers out there: eBay has, in the past or still, used some code on its own page to detect fraudulent cookie stuffing.

What they reveal is the very common one pixel tracker method, but their tactics might have evolved since 2007.
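The check the complaint describes can be expressed as a log correlation: count affiliate-attributed landings whose client never requested the home-page beacon shortly afterwards. This is an added example, not eBay's code or anything from the filing; the log layout, beacon path, 30-second window and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample log: (client_id, unix_time, path, affiliate_id or None).
# Field layout, IDs and paths are assumptions made for this illustration.
SAMPLE_LOG = [
    ("c1", 1000, "/", "aff-A"),
    ("c1", 1001, "/img/beacon.gif", None),
    ("c2", 1005, "/", "aff-B"),
    ("c3", 1010, "/", "aff-B"),
    ("c4", 1020, "/", "aff-B"),
    ("c4", 1100, "/img/beacon.gif", None),  # too late: outside the window
    ("c5", 1030, "/", "aff-A"),
    ("c5", 1032, "/img/beacon.gif", None),
]

BEACON_PATH = "/img/beacon.gif"   # hypothetical name for the tracking gif
WINDOW_SECONDS = 30               # assumed time allowed for the page to render


def beacon_miss_rates(log, window=WINDOW_SECONDS):
    """Return {affiliate: (landings, landings_without_beacon, miss_rate)}."""
    beacon_times = defaultdict(list)
    for client, ts, path, _aff in log:
        if path == BEACON_PATH:
            beacon_times[client].append(ts)

    stats = defaultdict(lambda: [0, 0])
    for client, ts, _path, aff in log:
        if aff is None:
            continue  # not an affiliate-attributed landing
        stats[aff][0] += 1
        # A real page view fetches the beacon shortly after the landing.
        if not any(0 <= b - ts <= window for b in beacon_times[client]):
            stats[aff][1] += 1
    return {a: (n, m, m / n) for a, (n, m) in stats.items()}


def flag_affiliates(log, threshold=0.9, min_landings=3):
    """Affiliates with enough traffic whose landings almost never load the beacon."""
    rates = beacon_miss_rates(log)
    return sorted(a for a, (n, _m, r) in rates.items()
                  if n >= min_landings and r >= threshold)
```

The per-affiliate miss rate is the figure the complaint reports as "over 99%"; the minimum-landings floor keeps a single blocked image from flagging a small affiliate.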

So, forget about those fake image and similar stealth one time hit cookie stuffing scripts. On eBay you have to iframe load the whole page and preferably, do some random navigation.

How to create a Black Hat Seo Botnet

Posted by k | Posted in Uncategorized | Posted on 08-05-2009

Every REAL Black Hat Seo who lives up to its name has his own botnet, in order to easily link spam or social vote (among other actions). This post will teach you, in detail, how to build one of your own!

What these bots do is they receive orders and act accordingly. Either, visit a simple url, fill a form or click on a button.

So, what do you need to code? You need to code a bot that:
- Self extracts itself when running another program and quietly installs
- Runs hidden every time the PC starts
- Periodically checks a given URL for new orders
- Executes orders

There is however some ethic involved! What it DOES NOT do:

- No personal information whatsoever is collected from the zombie PC. It means behaving better than most spyware and even G itself, which calls home on Chrome with all your sexual fetishes.
- Absolutely no harm is done to the zombie. Even the resources’ usage is kept low. (memory and cpu)
- It will self-destruct in x days.

First select your language: Visual Basic, Delphi or C. Forget .net or C#. Anyway this post will be about what to call and where, so it’s good for all languages.

It is no longer possible (since XP) to hide (the easy way) an application from the service tab, so be ingenious on naming it. You can and should however hide it from task list applications. Doing this is easy on VB using Me.Hid. On C use SW_HIDE. When I say ingenious I mean naming it after something an average user will believe is part of Windows.

First thing the bot does is to check if this is a first time run. If it is, then it must install. You do this by checking the registry key. If it’s already there, it’s not a first time run. Use wscript.shell to read and write to the registry. It’s the most reliable and safe way to do it these days.

You will create a key on \Software\Microsoft\Windows\CurrentVersion\Run so that it runs every time the PC starts. Don’t use HKEY_LOCAL_MACHINE, because you will need admin rights to write there, use HKEY_CURRENT_USER instead.

An important thing to notice is that you can’t use the string “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” on your app. It will get detected by most recent antivirus. There’s however a cool way to trick them: use some very simple encrypt algorithm and decode the string only at run time. A simple replacement on “o” for “0” will do the trick.

Back on track, if the key is not there, it’s a first time run and you must install. When installing you need to extract the program. You must also let the parasite program run. (They both are the same on this example)

Where will you write the app to? Forget about writing to c:\Program Files\ or even c:\. All you will get on Vista is virtual paths. Use CSIDL_APPDATA to get a nice real path like: C:\Users\admin\AppData\Local.

(Instead of checking the registry key, you can also check if your program is already dropped. If it’s there, it’s not a first time run)

As it’s a first time run, let’s install. Install has three steps. Write the key to the registry as explained above, copy the program itself to the path you found, and rename it (don’t forget windows runs anything, it does not need to be an .exe) flag it to system and hidden, and finally do something to entertain the victim. You can shell call anything, from ie with a page to painter with an image.

That’s it, we’re set to go. Next time the user restarts it will load our bot.
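Seen from the defender's side, the install steps above leave artifacts that are easy to check together: an HKCU Run value, a target inside the user's AppData, a non-.exe extension and hidden+system file attributes. The following added example (not from the original post) triages constructed "reg query" output for that combination; the sample entries, the attribute map and the two-signal threshold are assumptions.

```python
import ntpath
import re

# Constructed sample in the layout printed by
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# plus a constructed map of file attributes (H = hidden, S = system).
SAMPLE_REG_OUTPUT = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    winupdsvc    REG_SZ    C:\Users\admin\AppData\Local\winupdsvc.dat
    Notes    REG_SZ    "C:\Users\admin\AppData\Local\Notes\notes.exe"
'''
SAMPLE_ATTRS = {r"c:\users\admin\appdata\local\winupdsvc.dat": {"H", "S"}}

VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
TARGET_RE = re.compile(r'^"([^"]+)"|^(\S+)')  # quoted path, else first token


def parse_run_values(text):
    """Yield (value_name, target_path) for each value line of the output."""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        t = TARGET_RE.match(m.group(3).strip())
        if t:
            yield m.group(1), t.group(1) or t.group(2)


def triage(text, attrs):
    """Return {value_name: [reasons]} for entries showing two or more signals."""
    findings = {}
    for name, target in parse_run_values(text):
        low = target.lower()
        reasons = []
        if "\\appdata\\" in low:
            reasons.append("target in user-writable AppData")
        if ntpath.splitext(low)[1] != ".exe":
            reasons.append("autorun target is not an .exe")
        if {"H", "S"} <= attrs.get(low, set()):
            reasons.append("file is hidden+system")
        if len(reasons) >= 2:  # assumed threshold: one signal alone is common
            findings[name] = reasons
    return findings
```

Legitimate per-user software also starts from AppData, which is why a single signal is not reported on its own.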

Now how do we make contact? Well, forget about Mail and FTP. You would be noticed in no time. You should always hit a web page: either to collect orders or send reports.

Best way to do this is using Microsoft.XMLHTTP’s msxml2.xmlhttp object and the Dom document: MSXML2.DOMDocument. Simple, fast, asynchronous and stealth.

And how do you know user is connected? Well, again forget about checking the InternetGetConnectedState on wininet.dll. You have to do the most basic of all the things: use Microsoft.XMLHTTP object to hit Yahoo.com and see if it’s there, then you’ll know. (Don’t hit Google.com)

Now put it on a timer and check your site.php page to read instructions from time to time. These instructions can also include a self destruction order! In that case, you would delete the key and that’s it. You can also delete the app itself, but it’s more complex. No need to do that, it will just lay there forever.

In part II of this tutorial we will see how to pass orders to the bot and, most important, how to get the bot to obey. It’s fairly simple and best of all, on all sites we hit, we will be behaving just as if we were the normal user of that PC surfing and voting on pages and social networks. No need to melt our brain on complex Javascript routines with dubious results and that are dependent on XSS holes that get patched in no time these days.

Now imagine you were about to launch a new website. How about having all your botnet vote for it on Digg, Stumble it, tweet it, and link it all over? It would be great, wouldn’t it?

No, it would not. This is not the way it is done. You simply can’t raise your head too much above water or you’ll get caught in no time. We’ll see how this is done in part two, but I think you must have an idea about it by now.

Free 50Gb hosting for 1 year

Posted by k | Posted in Uncategorized | Posted on 15-04-2009

Only 1000 new first members will get a prof free hosting account.

50 GB disk space;
500 GB bandwidth;
Support team 24/7 (chat, email and telephone)!
Unlimited domain management!
Unlimited Email boxes!
SPAM filter for your email;
Auto-responder;
Web-based email client;
POP/SMTP Access;
Unlimited FTP Accounts!
50 one-click programs including Joomla, Magento and etc.

Multiple server locations:
Bear (Great Britain)
Fox (Lithuania, Vilnius)
Wolf (Germany)
Ox (The Netherlands)

http://vip.host1plus.com/on-air/

Still more freebies

Posted by k | Posted in Uncategorized | Posted on 09-02-2009

€1 .com domains here: http://www.united-domains.de (IDNs also)

Free WP blog ON your domain here: https://panel.dreamhostapps.com/signup

No more excuses for not making money online. Hurry up, limited time and/or slots available.

Note: No affiliate bullshit links, just plain text clean links.

Some freebies

Posted by k | Posted in Uncategorized | Posted on 29-01-2009

You have two days to register .es (Spanish TLD) domains at $1 each (pay with dollars) on Gandi.net, no strings attached. Don’t forget it’s also valid for idn.es domains.

You can get a free domain on Register using this link. Not sure about the strings attached on this one.

And now comes the Black Hat part: how about a nice free .edu wp blog just for you to have fun?