Hack of Attack-for-Hire Service vDOS Snares New Mexico Man
Security Bot last edited by
A New Mexico man is facing federal hacking charges for allegedly using the now defunct attack-for-hire servicevDOS to launch damaging digital assaults aimed at knocking his former employer:undefined:’:undefined:s Web site offline. Prosecutors were able to bring the case in part because vDOS got massively hacked last year, and its customer database of payments and targets leaked to this author and to the FBI.
Prosecutors in Minnesota have chargedJohn Kelsey Gammell, 46, with using vDOS and other online attack services to hurl a year:undefined:’:undefined:s worth of attack traffic at the Web sites associated withWashburn Computer Group, a Minnesota-based company where Gammell used to work.
vDOS as it existed on Sept. 8, 2016.
vDOS existed for nearly four years, and was known as one of the most powerful and effective pay-to-play tools for launching distributed denial-of-service (DDoS) attacks. The vDOS owners used a variety of methods to power their service, including at least one massive botnet consisting of tens of thousands of hacked Internet of Things (IoT) devices, such as compromised Internet routers and security cameras. vDOS also was used in numerous DDoS attacks against this site.
Investigators allege that although Gammell used various methods to hide his identity, email addresses traced back to him were found in the hacked user and target databases from vDOS.
More importantly, prosecutors say, someone began taunting Washburn via Yahoo and Gmail messages while the attacks were underway, asking how everything was going at the company and whether the IT department needed any help.
:undefined:“:undefined:Also attached to this second email was an image of a mouse laughing,:undefined:”:undefined: the Justice Departmentindictment (PDF) alleges. :undefined:“:undefined:Grand jury subpoenas for subscriber information were subsequently served on Google:undefined:…:undefined:and Yahoo. Analysis of the results showed information connecting both accounts to an individual named John Gammell. Both email addresses were created using the cell phone number 612-205-8609.:undefined:”:undefined:
The complaint notes that the government subpoenaed AT&T for subscriber information and traced that back to Gammell as well, but phone number also is currently listed as the recovery number for a Facebook account tied to John K. Gammell.
That Facebook account features numerous references to the hacker collective known as Anonymous. This is notable because according to the government Gammell used two different accounts at vDOS: One named :undefined:“:undefined:AnonCunnilingus:undefined:”:undefined: and another called :undefined:“:undefined:anonrooster.:undefined:”:undefined: The email addresses this user supplied when signing up at vDOS (firstname.lastname@example.org and email@example.com) include other addresses quite clearly tied to multiple accounts for John K. Gammell.
John K. Gammell:undefined:’:undefined:s Facebook account.
Below is a snippet from a customer service ticket that the AnonCunnilingus account filed in Aug. 2015
:undefined:“:undefined:Dear Colleagues, this is Mr. Cunnilingus. You underestimate your capabilities. Contrary to your statement of :undefined:“:undefined:Notice!:undefined:”:undefined: It appears from our review that you are trying to stress test a DDoS protected host, vDOS stresser is not capable of taking DDoS protected hosts down which means you will not be able to drop this hosting using vDOS stresser:undefined:…:undefined:As they do not have my consent to use my internet, after their site being down for two days, they changed their IP and used rackspace DDoS mitigation and must now be removed from cyberspace. Verified by downbyeveryone. We will do much business. Thank you for your outstanding product We Are Anonymous USA.:undefined:”:undefined:
Gammell has pleaded not guilty to the charges. He has not responded to requests for comment. The indictment states that Gammell allegedly attacked at least a half-dozen other companies over a year-long period between mid-2015 and July 2016, including several banks and two other companies at which he either previously worked or with whom he:undefined:’:undefined:d interviewed for a job.
In late July 2016, an anonymous security researcher reached out to KrebsOnSecurityto share a copy of the vDOS databases. The databases showed that vDOS made more than $600,000 in just two of the four years it was in operation, helping to launch more than 150,000 DDoS attacks.
Since then, two alleged co-owners of vDOS :undefined:—:undefined: two 19-year-old Israeli men :undefined:—:undefined:have been arrested and charged with operating an attack-for-hire service. Aside from Gammell:undefined:’:undefined:s case, I am not aware of any other public cases involving the prosecution of people who allegedly used vDOS to conduct attacks.
But that will hopefully change soon, as there are countless clues about the identities of other high-volume vDOS users and their targets. Identifying the perpetrators in those cases should not be difficult because at some point vDOS stopped allowing users to log in to the service using a VPN, meaning many users likely logged into vDOS using an Internet address that can be traced back to them either via a home Internet or wireless account.
According to a review of the vDOS database, both accounts allegedly tied to Gammell were banned by vDOS administrators :undefined:—:undefined: either because he shared his vDOS username and password with another person, or because he logged on to the accounts with a VPN. Here:undefined:’:undefined:s a copy of a notice vDOS sent to AnonCunnilingus on July 28, 2015:
:undefined:“:undefined:Dear AnonCunnilingus , We have recently reviewed your account activity, and determined that you are in violation of vDos:undefined:’:undefined:s Terms of Service, It appears from our review that you have shared your account (or accessed vDos stresser from several locations and platforms) which is against our Terms of Services. Please refer to the following logs and terms:\n- AnonCunnilingus logged in using the following IPs: 188.8.131.52 (US), 184.108.40.206 (XX) date: 06-08-2015 18:05\n\n- 8)You are not allowed to access vDos stresser using a VPN/VPS/Proxy/RDP/Server Tunnelling and such.\n- 3) You may not share your account, if you will, your account will be closed without a warning or a refund!:undefined:”:undefined:
What:undefined:’:undefined:s most likely limiting prosecutors from pursuing more vDOS users is a lack of DDoS victims coming forward. Inan advisory issued last month, the FBI urged DDoS victims to report the attacks.
The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident. Field office contacts can be identified atwww.fbi.gov/contact-us/field. IC3 complaints should be filed atwww.ic3.govwith the following details (if applicable):
- Traffic protocol used by the DDoS (DNS, NTP, SYN flood, etc)
- Attempt to preserve netflow and/or packet capture of the attack
- Any extortion/threats pertaining to the DDoS attack
- Save any such correspondence in its original, unforwarded format
- Victim information
- Overall losses associated with the DDoS attack
- If a ransom associated with the attack was paid, provide transaction details, the subject:undefined:’:undefined:s email address, and/or crypto currency wallet address
- Victim impact statement (e.g., impacted services/operations)
- IP addresses used in the DDoS attack
- Traffic protocol used by the DDoS (DNS, NTP, SYN flood, etc)
Make ISO from DVD
In this case I had an OS install disk which was required to be on a virtual node with no optical drive, so I needed to transfer an image to the server to create a VM
Find out which device the DVD is:lsblk
Output:NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 465.8G 0 disk ├─sda1 8:1 0 1G 0 part /boot └─sda2 8:2 0 464.8G 0 part ├─centos-root 253:0 0 50G 0 lvm / ├─centos-swap 253:1 0 11.8G 0 lvm [SWAP] └─centos-home 253:2 0 403G 0 lvm /home sdb 8:16 1 14.5G 0 disk /mnt sr0 11:0 1 4.1G 0 rom /run/media/rick/CCSA_X64FRE_EN-US_DV5
Therefore /dev/sr0 is the location , or disk to be made into an ISO
I prefer simplicity, and sometimes deal with the fallout after the fact, however Ive repeated this countless times with success.dd if=/dev/sr0 of=win10.iso
Where if=Input file and of=output file
I chill out and do something else while the image is being copied/created, and the final output:8555456+0 records in 8555456+0 records out 4380393472 bytes (4.4 GB) copied, 331.937 s, 13.2 MB/s
Recreate postrgresql database template encode to ASCIIUPDATE pg_database SET datistemplate = FALSE WHERE datname = 'template1';
Now we can drop it:DROP DATABASE template1;
Create database from template0, with a new default encoding:CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = 'UNICODE'; UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template1'; \c template1 VACUUM FREEZE;