…in which, our intrepid security geek finds out that there is a $400 bounty on his head.

Posts like this don’t have much technical content, but they’re fun, and the last one has been a wildly popular part of the site.  While you’re laughing your butt off, I hope you take away the real message here: do some background research on who you’re dealing with in the computer security scene.  If you got here by googling up information on this particular skiddie, then you’re already one step ahead of the game.  Just because someone has a legit-looking website and blog doesn’t mean they’re on the up-and-up :)

Since my first post about Yousif’s activities, I’ve had the pleasure of many late-night phone calls from him, being DOS’d for about a half hour, and having his friend threaten to hack my coffee maker.  I was promised a beat-down at Black Hat, although I unfortunately could not make it.  I am, however, sort of disappointed that I don’t warrant being stabbed, like Yousif has threatened to do to Lee Hinman over at the excellent writequit.org blog.  He is, however, willing to pay someone else to do the dirty work.

In the meantime, he hasn’t let up in his activities.  He has been hanging out on an Internet marketing forum, although his taste for script-kiddie hacking has not subsided.  He still has a penchant for attacking sites outside of well-defined pen-tests, still loves to threaten people who correct him, and runs his own small botnet.

Apparently looking to supplement his vapt-sec.com income with some cost-per-action fraud, he’s been hunting around for cohorts to develop software to fill out forms and offers on CPA advertisers, and to come in through his referral links from multiple IP addresses to fill out forms.  I took this as an opportunity to form my own “black hat” alter-ego, and have a good heart-to-heart chat with Yousif.  After a couple of boring evening chat sessions building up my “black hat” cred with him, he began to open up.

The following are some choice excerpts and quotes.  I’ve censored both his language and mine.  I do swear in-person, occasionally on IRC, and rarely on the blog, however I did ratchet it up about 12 notches with “elite yousif”, to build rapport.

Since he gets others to write his software for him, he occasionally gets his languages confused:

11:03:05 PM elite yousif: So
11:03:12 PM elite yousif: You know anyone who has botnets
11:03:39 PM bhb: i have a couple friends who might.  have a need?
11:03:50 PM elite yousif: Yeah
11:04:37 PM elite yousif: It’s quite helpful in CPA
11:05:16 PM bhb: yeah i was thinking of writing some code to work through a botnet, filling stuff and using the random ID generator
11:05:27 PM elite yousif: No need, lol.
11:05:35 PM elite yousif: I’m making something like that as we speak.
11:05:39 PM bhb: nice
11:05:50 PM bhb: what language do you code in
11:06:01 PM elite yousif: What language did I code this in?
11:06:11 PM bhb: yah
11:06:41 PM elite yousif: Net
11:06:54 PM bhb: c#
11:06:55 PM bhb: ?
11:07:21 PM elite yousif: nope
11:07:22 PM elite yousif: .NET <
11:07:29 PM elite yousif: Microsoft, ya know?
11:08:01 PM bhb: .net’s a platform, theres lots of languages you can code targeting .net
11:08:06 PM bhb: vb.net maybe?
11:08:13 PM elite yousif: Yeah, that’s right.
11:08:21 PM elite yousif: Vb.NET <

Don’t mess with this guy.  Especially in school:

11:56:56 PM elite yousif: No one ***** w/ me..
11:56:59 PM elite yousif: No one @ all.
11:57:02 PM elite yousif: Not even in school
11:57:03 PM elite yousif: They know
11:57:05 PM elite yousif: I can change their grade
11:57:09 PM elite yousif: expell them
11:57:10 PM elite yousif: frame them
11:57:11 PM elite yousif: etc
11:57:17 PM elite yousif: I can drop your docs too
11:57:21 PM elite yousif: know what shoe size you wear
11:57:23 PM bhb: heh nice
11:57:25 PM elite yousif: know your fam history
11:57:27 PM elite yousif: CC
11:57:29 PM elite yousif: S#
11:57:30 PM elite yousif: where u live
11:57:30 PM elite yousif: etc
11:57:59 PM bhb: knock some kiddies on their ***** online lol
11:58:18 PM elite yousif: lol
11:58:59 PM bhb: ***** haters lol
11:59:09 PM elite yousif: I know AOL internals too
11:59:11 PM elite yousif: ppl who work there
11:59:13 PM elite yousif: with high privs.
11:59:14 PM elite yousif: can easily
11:59:16 PM elite yousif: hi jack
11:59:19 PM elite yousif: any AOL/AIM account
11:59:22 PM elite yousif: and get info behind it
11:59:23 PM elite yousif: =D
11:59:31 PM elite yousif: i social engineer as well
12:00:08 AM bhb: hah that’s useful

A social engineering mastermind, to be sure.

Here, he’s a little sore that his affiliate program dropped him after figuring out his referrals weren’t legitimate:

12:03:12 AM elite yousif: you haven’t made any money in CPA yet?
12:03:43 AM bhb: haven’t even started.  just been reading up on it on the side, besides coding and work
12:04:30 AM elite yousif: ah
12:04:40 AM bhb: you made much?
12:04:42 AM elite yousif: I got my account terminated
12:04:45 AM elite yousif: 2 days ago
12:04:48 AM elite yousif: from a network
12:04:52 AM elite yousif: ***** bro, i swear
12:04:52 AM bhb: haters
12:04:53 AM elite yousif: I lost
12:04:56 AM elite yousif: 2000+ dollars
12:04:59 AM elite yousif: I better get my ***** back
12:05:00 AM elite yousif: OR
12:05:08 AM elite yousif: I’m gonna make my affiliate managers life a living HELL
12:05:14 AM elite yousif: I have access to her AIM account
12:05:15 AM elite yousif: verizon
12:05:17 AM elite yousif: photobucket
12:05:19 AM elite yousif: paypal
12:05:20 AM elite yousif: blogger
12:05:23 AM elite yousif: and some other *****
12:05:25 AM elite yousif: and facebook
12:05:29 AM elite yousif: she doesn’t know it yet
12:05:31 AM elite yousif: but I phished that *****

Bragging about taking down RSnake’s site (note: there’s an excellent chance this never really happened):

3:00:44 AM elite yousif: you know rsnake?
3:00:46 AM elite yousif: robert hansen
3:00:48 AM elite yousif: famous as *****..
3:00:49 AM bhb: yeah
3:00:51 AM elite yousif: k
3:00:51 AM elite yousif: well
3:00:53 AM elite yousif: his site
3:00:54 AM elite yousif: let me find it
3:01:03 AM bhb: ha.ckers.org or something
3:01:22 AM elite yousif: nah
3:01:23 AM elite yousif: his company
3:01:29 AM bhb: oh i dunno
3:02:26 AM bhb: sectheory?
3:02:58 AM elite yousif: yeah
3:02:59 AM elite yousif: rofol
3:03:02 AM elite yousif: i ddosed that
3:03:03 AM elite yousif: with my friend
3:03:04 AM elite yousif: in like
3:03:05 AM elite yousif: what
3:03:06 AM elite yousif: maybe
3:03:09 AM elite yousif: 3 mins
3:03:10 AM elite yousif: it was down
3:03:14 AM elite yousif: some security expert eh?

If there were any doubts about how he’s taking part in CPA fraud:

4:44:10 PM bhb: how are you supposed to make any money at it if you arent botting it anyways lol
4:44:25 PM elite yousif: what do you mean?
4:44:48 PM bhb: like automating it through a bunch of proxies/bots
4:45:02 PM bhb: how can you find that many people wanting to do it legit to keep making money
4:45:14 PM elite yousif: lol
4:45:17 PM elite yousif: u infect more victims
4:45:22 PM elite yousif: you market your trojan or w.e.
4:45:27 PM elite yousif: and more ppl open it
4:45:37 PM bhb: heh yeah so a loose definition of “legit” lol :D
4:45:48 PM elite yousif: yep
4:45:48 PM elite yousif: lol
4:45:59 PM elite yousif: you know what company is cool though?
4:46:03 PM bhb: you have nice custom trojans for it?
4:46:03 PM elite yousif: ******
4:46:10 PM elite yousif: i talked to the owner
4:46:10 PM bhb: cool you work with them too?
4:46:12 PM elite yousif: really cool guy
4:46:14 PM elite yousif: says
4:46:18 PM elite yousif: i can do black hat if i want
4:46:21 PM elite yousif: and he wont term. my account

Then, I managed to get him on the subject of yours truly :) :

5:02:12 PM elite yousif: LOL
5:02:19 PM elite yousif: http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0545.html
5:02:21 PM elite yousif: that link u sent me
5:02:25 PM elite yousif: i know the guy who wrote that
5:02:27 PM elite yousif: wesley mcgrew
5:02:30 PM elite yousif: that dude is such a *****
5:02:36 PM bhb: he talks like one
5:03:01 PM elite yousif: he started talking ***** about my business and me because he claims that i hack around sites without permission and that i gave him access to my computer, WTF..
5:03:25 PM elite yousif: so i told him to go to black hat in vegas, and he said hes not going this year — i told him if i saw him id tackle him

I’m not really sure if the following about the director of Black Hat contacting him is true (I never contacted the Black Hat folks about it, since it’s not really a credible threat).  He probably just made it up after he found out how much Black Hat costs:

5:05:11 PM elite yousif: u know what he did
5:05:11 PM elite yousif: he spoke with teh director of black hat
5:05:11 PM elite yousif: and he told him that i would beat his ***** if i saw him
5:05:11 PM elite yousif: so he got scared
5:05:11 PM elite yousif: so the director listened to him
5:05:20 PM elite yousif: and said i cant attend black hat this yea
5:05:20 PM elite yousif: year*
5:05:38 PM bhb: lol that’s hilarious did the director email you or something
5:05:44 PM elite yousif: no he IM’d me
5:05:51 PM bhb: ahah
5:05:52 PM elite yousif: then i followed his profile and he actually WAS the director of black hat
5:05:54 PM elite yousif: oh well
5:05:59 PM elite yousif: he knew i wasn’t kidding

This did happen, although he and his friends would usually get bored and give up after a few calls:

5:06:00 PM elite yousif: i called him
5:06:03 PM elite yousif: 1000 times
5:06:07 PM elite yousif: i cussed him out badly
5:06:12 PM elite yousif: and i demanded to talk to his wife
5:06:14 PM elite yousif: so i can cuss her outtoo
5:06:17 PM elite yousif: her out too*
5:06:18 PM elite yousif: but he wouldn’t elt
5:06:20 PM elite yousif: let*

Remember kids, don’t DDOS on a school night:

5:14:51 PM elite yousif: ask him if i DDoSed his *****
5:15:03 PM elite yousif: he’ll either lie and say ‘it’s server issues @ night” or he’ll admit like a ***** i owned him
5:15:25 PM bhb: hah what an idiot.  how long did you ddos him for
5:15:36 PM elite yousif: for about 2-3 hrs
5:15:42 PM elite yousif: i was bored and it was late
5:15:45 PM elite yousif: i had school next morninig
5:15:47 PM elite yousif: so i let him go
5:15:48 PM elite yousif: lol

There’s a $400 bounty on my head.  My wife, a friend, and I considered faking some photos and video to claim it, but I guess we’re just too nice:

5:33:36 PM elite yousif: can you go to missipi?
5:33:39 PM elite yousif: ill pay you like
5:33:42 PM elite yousif: 400
5:33:44 PM elite yousif: to beat his ***** for me
5:33:46 PM elite yousif: no joke
5:34:03 PM bhb: lol maybe if im hard up for some money one day
5:34:14 PM bhb: you should definitely go though, that ***** would be classic
5:34:28 PM elite yousif: do u know anyone would do it?
5:34:34 PM bhb: show all the whitehats that you dont ***** with the blackhats cause they take it into RL
5:34:36 PM elite yousif: i seriously will pay $400 for it
5:35:06 PM bhb: i dont know anyone up for that but it shouldnt be too hard to find
5:35:20 PM bhb: lol craigslist, i bet theres tons of local rednecks there that would do it
5:35:27 PM elite yousif: lol
5:35:35 PM elite yousif: id rather talk to someone i already know
5:36:03 PM bhb: hah just tell them the money transfers when you see a jpg of his bloody nose lol
5:36:33 PM elite yousif: rofl
5:36:35 PM elite yousif: good idea
5:37:28 PM bhb: http://northmiss.craigslist.org/
5:38:10 PM bhb: i dunno what category lol
5:38:15 PM elite yousif: lol
5:38:17 PM elite yousif: murder
5:38:20 PM bhb: loool
5:39:57 PM bhb: services – labor & moving, that probably has the most steroid pumped rednecks
5:40:15 PM elite yousif: lol
5:40:21 PM elite yousif: bro i would never do it off tehre
5:40:27 PM elite yousif: ***** u know feds just hang out there
5:40:30 PM elite yousif: waiting for somone to ***** up

I’ll leave you with the last words he had to say to my dummy AIM account:

7:28:14 PM elite yousif: yo
7:28:30 PM elite yousif: is there a way to make your cd burner recognize dvd-r’s?

Brilliant.

 

Update: In the interest of fairness, I have decided to approve pretty much any comment that Yousif wants to post to this blog entry, and I’ll even quote them up top here. He can use the opportunity to express regret, remorse, state that he wants to change his ways, or he can just call me a redneck fruit. Here’s what he has to say currently:

This is total bullshit and has been modified for the intent of a joke, all of this data is falsified.

I’ll add to this, if he comes up with anything else.


It always amazes me how often and blatantly people will incriminate themselves. Even today, when most (or at least most dangerous) attackers are motivated by profit, there are still “script kiddies” that simply do it to make themselves seem cool among their peers. To meet this end, they have to brag, show off, and command respect in a way that runs completely counter to the usual desire to not get caught or exposed. Sooner or later, they show off to the wrong person.

This is the case with Yousif Yalda, a 17 year-old from Skokie, who has been in contact with me over the past several months. If the subset of security professionals on my Twitter feed are any indication, I’m one of many people in this field that he has been in touch with recently. Throughout this time period he has tried hire me for his web security and penetration testing business, VAPT Security and discussed, at length, his desire to make it big in the security industry. He also has quite a temper, which would flare up when I dismissed requests to work for him, refused to post comments to his blog, and criticized some of his work. This is when he would make allusions to his “black hat” past, terrorizing AOL with Visual Basic programs written by his friends (no, I’m not kidding).

I’m all for someone throwing their hat in the ring, and I also think it’s fine for someone to put their “black hat” past behind them, perhaps even using those experiences for the forces of good. I do, however, expect people like Yousif to conduct themselves professionally and not damage the image of penetration testers as a whole. Running assessments and attacks on sites without their permission, showing off confidential documents stolen from organizations, and attempting to infect others’ PCs with trojans are not ethical activities for penetration testers to run outside of an agreed-to test.

Going back to how people incriminate themselves, I wouldn’t have found out the extent of Yousif’s activities if he hadn’t invited me to along to see, and if he didn’t have such a desire to brag and demonstrate his (mostly imagined) skills. Previously, he had mentioned running scripts and tools against other sites, and admitted that he had not asked permission beforehand, but I had never seen any of it first-hand. Then one day I saw his away message set to this:

I just figured he had gotten owned. Copying and pasting the link showed it going to his IP address on 5800, which is typically a web interface to a VNC server. I didn’t get a response on the AOL name when I asked if he was having problems, but then he showed up on gtalk:

It was an invitation, not only to the people on his “buddy list”, but also to anyone who could check his away message (basically anyone on AIM). I clicked, and was dropped into a VNC session (without mouse or keyboard control) watching Yousif Yalda “drive”. Over the next few hours that night, Yousif was in a veritable script-kiddie zone. In an effort to impress another friend on his AIM buddy list, he went through several “hacks”, past and present, of varying success. All this with the knowledge that who-knows-who-else was watching.

I took screenshots, and I’ve sat on them for a week or so now. I’ve decided that, since he doesn’t show any remorse or regret for the things he’s done, that at the very least his “targets” have a right to know who’s been pointing crappy scripts and tools against them. Potential clients should know how little he respects ethical procedures and confidentiality. Others involved in security that he’s been talking to (a seemingly large number) need to know who they’re dealing with. At the very least, know when you’re talking to him that there’s likely to be someone else watching on a VNC session.

On to the fun part: a look into the mind and actions of a script kiddie. We’ll start with an attempt to infect a friend with a trojan. Here he is making a copy of the server executable:

…and uploading it to the same hosting that he uses for his business:

I’ll spare you the logs of Yousif trying to convince his friend to download and run the trojan, which he disguised as the setup file for a Steam account. He managed to convince the victim after some time, and even got him to disable AV and firewalls, although unfortunately for Yousif, it appears that his victim was probably NAT’d behind a home router:

Despite its lack of success, it impressed Yousif’s friend he was showing off to enough to ask about the “CIA” name. A habitual liar, Yousif claimed he made it “2-4 years ago”. I have since found out that many things he will claim about his associations with others and things he has done have been greatly exaggerated (including claims that a well-known web security professional hacked sites alongside him).

Next Yousif showed his friend, and anyone else watching, a directory in which he keeps documents that he has apparently stolen from a real estate/mortgage company. There are many letters from banks about the status and balance of people’s accounts, taxes, and other personal information. I can’t even really show screenshots here, even of the directory listing here, as I would have to censor them so heavily it wouldn’t be worth looking at.

Here’s a couple of emails he sent to himself from hacked accounts as trophies:

Those are pretty old, but then he decides to show off some of his scripts and tools on one of the old victims (the latter of the two victims above).

He really likes a perl script that he has for doing RFI scanning, and Acunetix, which you might remember from my last post as the tool he pointed at this website. Thankfully, in this case, he doesn’t find much. Notice in the screenshot of Acunetix above that he accidentally pastes the URL to the current site he’s scanning right after the URL of the last site he scanned with the tool, revealing yet another target besides myself and the sites he scanned during his open VNC session.

For the last example of Yousif Yalda’s activities, we have him taking aim at a real estate investment firm that he has apparently been playing with for some time, judging from the dozens of entries in his browser history. As you can see, he doesn’t quite understand what he needed to substitute into the script before running it:

The funny part of this is that when he does go to try the RFI out, he realizes that he needs to remote-include a php shell, so he goes and does a web search for r57. Instead of finding the source code hosted on another site, or setting one up himself, he manages to find another site that is already running r57 as a result of RFI or similar, and tries (without realizing what he’s looking at) to include the rendered page from there instead of the php source. It’s a wonder that this guy has anything to show off to his friends at all, and one would hope he wouldn’t stumble around so much on a real penetration test.

So what do we take away from this? Despite claims that attackers now are motivated by profit, we still see script kiddies (mostly in their teens) that are launching attacks in order to gain the admiration and respect of their peers. To this very moment it blows my mind that he invited me and others to watch this, and at first I wanted to ask, “If this is what Yousif does when he has invited people to watch him, who knows what he gets up to when he’s on his own”, but then I realized that he thrives on the attention and admiration. Although it’s not the kind of attention that he wants, I hope that others in the security community (or even potential clients) that have been or will be in contact with him see this and realize who they are dealing with. His targets are also being notified so they can review their logs. While I thought about that for a while, I came to the conclusion that I normally notify other potential victims that I become aware of in any other kind of incident investigation, and these deserve no worse.

I have enough material on this to cover another dozen blog posts, and I might post a more lighthearted “deleted scenes” later on. If you have any interesting Yousif Yalda stories (which, if he’s tracked you down to talk to you, you do), feel free to post them as comments or email them in.

I’ll be back on a regular posting schedule with some book reviews, news commentary, and technical posts soon!

© 2012 McGrew Security Suffusion theme by Sayontan Sinha