logging start...


[0x0] The background:

All information written here is linked to blackhat connections/rings, for surveillance purposes.
It has a dual purpose: (1) as evidence that you can confirm for yourself beforehand and (2) intelligence.
Note for LEA: DO NOT HIRE THIS INDIVIDUAL, your information will be spread among lizard squads.
The guy is a scammer, a liar and full of dirty tricks; he is still secretly malcoding & setting up bad botnets.

Warning:
1. The information shared below is NOT to be exposed publicly
2. Information gathering and sharing is done under MMD legal disclaimer for intelligence usage.
3. The contents, the URL, the password and the links related to this information are subject to change without prior notification.
4. No real-life identification is exposed in this information; it is exclusive to web signature details.
5. MalwareMustDie is NOT conducting any illegal activity in the data collection effort for this case; the context is a public surveillance basis.
6. The information overall contains third-party links. Please confirm the source first before following/browsing links outside of this document, and please use precaution.
                                                                                                                                www.malwaremustdie.org


[0x1] Target name
Coder.ID: "SINDEN"


[0x2] Verdict
Coder.Verdict: Malcoder of ELF DDoS malware aimed at servers/routers/Internet of Things.
                       PMA exploit in PHP & Perl to spread the IRC DDoS botnet
                       Provoking blackhats to spread botnets via how-tos, code sharing, build sharing
                       Receiving paid jobs for setting up offensive botnets (DDoS/Backdoor)
Malware.Name:  GAYFGT/TORLUS/LIZKEBAB (bad guys name version)
                      Bashdoor/Bashlite/LizardDDoSer
Malware.Ref3:  PMA (see [0x4] PoC)

[0x3] Coder Identification
Coder.Handle:  sinden aka sudoc aka heckrb0y aka obtect aka $DN aka SDN aka FuckSDN aka Taped aka Angle aka Axis, etc
Coder.Twitter:  https://twitter.com/intent/user?user_id=3220595931 
Coder.Site:      sinden.info (obsolete)
Coder.Email1: admin@sinden.info (obsolete)
Coder.Email2:  sinden@riseup.net (temporarily made)
Coder.Email3:  Weapons@outlook.com
Coder.Email4:  Molest@outlook.com
Coder.Email5:  Satanist@hotmail.com
Coder.Skype:   SDN, Tapped, Payroll, Rendering, Deployed, Intended
Coder.Snapchat:Angle
Coder.Kik:        Axis
Coder.Forum:   uid=2704622
Coder.Github:   https://github.com/obtect/ https://gist.github.com/obtect/
Coder.Keybase: http://www.keybase.io/sinden
Coder.TZ:         CEST, GMT +2, AKDT and PDT
Coder.BTC1:    1sindeNAirhFUD3JaVmTFjoUrSfuQapBb (legit) https://blockchain.info/address/1sindeNAirhFUD3JaVmTFjoUrSfuQapBb
Coder.BTC2:    147ShzZ19GDJS9ZZX64wjm3W745CJ37zHw (dark) https://blockchain.info/address/147ShzZ19GDJS9ZZX64wjm3W745CJ37zHw
Coder.BTC3:    12GnKurFJUyS68gtxw4EXfJ6gRpov7nq8j (dark) https://blockchain.info/address/12GnKurFJUyS68gtxw4EXfJ6gRpov7nq8j
Coder.PGP:       https://pastebin.com/c2d9BLrW
Coder.Pastebin: https://pastebin.com/u/SDN
Coder.Geo:       DE (claimed), UK (infra), NL (Infra), US (infra)

[0x4] PoC
Malware.Ref1:  http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html#gayfgt analysis
Malware.Ref2:  http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987 analysis
Malware.Ref3:  https://pastebin.com/V54vxbGN | https://pastebin.com/3CbPw3nB  GayFgt code
Malware.Ref4:  https://pastebin.com/3NE0nKxD  The PHP PMA malware botnet (with backdoor perl IRC botnet)
MalCode.Ref4: https://pastebin.com/u/SDN  < see well..
MalTut.Ref5:     https://pastebin.com/nmDFLaeu  Tutorial of Lizard Squad Botnet GayFgt
MalSvc.Ref6:   GoogleSafeURL Botnet setup (abandoned)


[0x5] Main Server
Earliest server information spotted:
2014-10-21 01:49:06 Zulu
Country: United Kingdom E6
Area: Gloucester
server213-171-219-239.livedns.org.uk
AS8560 Hoster: Fast Hosts LTD

Last server with an information update:
2015-05-29 12:12:48 Zulu
Country : United States
City : Chicago State: IL
ip-160-153-16-19.ip.secureserver.net
AS-26496-GO-DADDY-CO Hoster: GoDaddy.com LLC

#Historical IPs used (server; private ones will not be disclosed now):
2015-05-30`2015-08-03 | 160.153.16.19 | ip-160-153-16-19.ip.secureserver.net. |26496 | 160.153.16.0/22 | AS-26496-GO-DADDY-CO | US | godaddy.com | GoDaddy.com LLC
2014-12`              | 176.74.176.184 |  |13768 | 176.74.176.0/22 | PEER1 | US | internettraffic.com | Schilling Aviation
2014-10-21`2014-12-11 | 213.171.219.239 | server213-171-219-239.livedns.org.uk. |8560 | 213.171.192.0/19 | ONEANDONE | DE | fasthosts.com | Fast Hosts LTD, United Kingdom E6 Gloucester

[0x6] Evidence in Screenshots:



https://blockchain.info/tx/5c14f59b140f5a5903f2dec5d67d778b5d95ca7588805fbf04e965797788b2c4


(c)Intelligence collective & security community share from MalwareMustDie, NPO.