[ryanlol]

Majority of our bandwidth does not come from these so called "reflection attacks". But is in fact "real" bandwidth.

We are using actual 0days to compromise the (about 100k-150k) servers we have.

I'm actually rather excited for the eventual technical analysis of our net by someone with actual technical competence. It might end up causing quite a bit of noise.

[meowface]

Oh, that's pretty interesting, and a refreshing change from what you normally see in this space.

I seem to recall you guys (I think it was you guys, may be mixing up with another group; I also know you were supposedly kicked out of HTP at some point, which adds to my confusion) using one of the Rails YAML handling 0-days to acquire bots a while ago. I think someone was logging the IRC channel where they were being joined to.

Would it be fair to say the other bots are mostly a result of other web app vulns, or are you guys actually finding 0-days in native applications as well?

Do you actually have a full vulnerability research team, or is it just like 1-2 guys finding vulns? HTP's stuff like Coldfusion and MoinMoin was definitely pretty impressive.

[ryanlol]

There was a few rails YAML bots on an IRC for maybe an hour before another bot was loaded on them. (But that was like over an year ago)

A large chunk of the boxes we control do not have any sort of web apps running on them.

[meowface]

Pretty impressive then.

I understand you may not want to reveal much for opsec purposes, but just one question: the Lizard Squad guys seem like very run of the mill script kiddies. Why would you help them, if you are? Kind of seems like a skill and motive mismatch. Forgive my ignorance if the situation is more complicated than that; I'm just going off of what Krebs wrote.

[ryanlol]

Ones public actions do not necessarily equal ones skills. The motives behind LS are more complex than some journos believe, something that should be obvious by the darkode connection alone.

Krebs seems to be pretty lost, especially considering that he thinks we've been attacking his site for past 40 days or so. That's just not true (and anyway, if Prolexic couldn't keep PSN up why would they be able to keep his site up?), only thing linking us to attacks against him was a joke in the topic of our fake recruitment channel telling people to take his site down for an hour or so.

Anyway, as for my motives (besides money, of course)? You don't get access to this many boxes without stumbling on at least something interesting.

[meowface]

The darkode thing was certainly interesting. It just doesn't seem to match up with what you see coming out of the @LizardMafia twitter. Though perhaps that's intentional deception.

I'm guessing part of the plan is to continue gaining infamy and notoriety to sell services, starting with the stresser. I also wouldn't be too surprised if perhaps the stresser is a sting op or honeytrap on your part, with the money as just an added bonus.

[ryanlol]

One thing you should understand, we currently have basically two types of clients. First is of course the kids who go to lizardstresser.su and buy the $20 plan so they can attack people they play video games with.

Now, on the other hand we have our corporate clients. These corporate clients usually contact us via email or over forums and either make us a fixed offer or request a quote for a given target and time-frame. Now, these types of clients are usually willing to pay tens, if not hundreds of thousands of dollars to disrupt their competition for a couple of days.

The second type of customer is obviously our main source of income, and what better way to find those clients than worldwide media publicity?

It'd be funny if this ended up being a sting op, wouldn't it?

[Donzo]

Care to share any information about these 0 days: affected systems, programs, or other hints?

[ryanlol]

Lots of it is the sort of equipment you wouldn't notice. Not exactly embedded stuff though.