> Over the past year, we've worked together to build and improve this project. It has been an incredible journey, and I'm immensely grateful for all the contributions, feedback, and support from each one of you.
It has been an incredible journey doing crime together with y’all. Huggles and fuzzies! ^_^
I simply don't understand that vibe. I guess I’m just old, because back in my day, the crime geeks openly did was warez, and that seems substantially less evil to me. This software is explicitly intended to victimize individual users. I simply don’t get how someone can get so “incredible journey” about that sort of stuff; you actively worked to make the world worse.
That guy is literally providing technical support in GH issues. No way. People complain about logging into stolen accounts and the developer is happy to help. There's a pinned page on how to disinfect your system, accompanied by a vibe of "should've been more careful, idiot!"
Seeing this happy-OSS-community praise from someone providing a turn-key malware solution for even the most technologically incompetent jerks is just harrowing.
Being careful is not enough; you also have to be competent. You can be careful all you want. I had to explain to an HNer earlier, for example, how .js files on Windows are actually native executable scripts. Is a lay person supposed to know that, for example?
Depends. Some containers like vhd and iso don't get the warning, and neither do archive formats not supported by Windows like rar or 7z. And that warning is very ineffective.
> A lay person should not be operating a computer.
This isn't the 60s. Computers are made and marketed for regular lay persons/the general public.
hmmm so when you do projects with people, and someone you haven't heard from in a while shows up and wants to show you what they are working on, your first thought should be to grill them in the third degree and ask them the color of their underwear to make sure it's them...
Oh, but their disclaimer says they don't do crime: \s
"Disclaimer: This program is provided for educational and research purposes only. The creator of this program does not condone or support any illegal or malicious activity"
I guess it is a gang-like mindset: exploiting others and preying on the weak. And I am not that old, but I actually also do remember other and more dark hack activity from the past than just warez.
What are you talking about? There were entire “demoscene” advertisements in pirated games back in the day touting the awesomeness of Razor 1911 or whatever.
Interesting how malware is essentially allowed on GitHub, seeing as the top result here has ~500 stars and has features advertised to steal much more than Discord accounts. I have a recollection of downloading a program from GitHub (which has 1.4k stars right now) whose installer had an opt-out malware bundled -- I reported the repo three times, and they didn't take any action. Chocolatey team did step in and remove it on their platform, but I wonder why GitHub didn't take any action
I would differentiate 'malware implementations' from 'malware'. A hacking tool presented with its harmful features at face value, with adequate warnings, is not quite the same as an attempt at tricking people into downloading or bundling something dangerous. I believe Github makes the same distinction in allowing hacking tools. They also allow byte-reversed or zip-encrypted copies of well-known malware for the purpose of study. There's no way to keep out the bad guys while still allowing security researchers.
Lots of these issues don't mention hacking their own devices but rather someone else's (and some are from obvious script kiddies). I don't think the claim of being an educational purpose tool really holds merit in this case.
I would understand the first definition if not for the fact that these pieces of software under the topic really don't have any legitimate usage, in my opinion. Unless you're explicitly making the argument that the code is the important part (and should be kept on GitHub for the purpose of disseminating the programming methods used to create it, despite their purpose), I just think that GH is being used as a 'download link', if not an aggregator, for projects like these. And they're used for the express purpose of infecting other machines, presumably of people who are none the wiser.
Sure, but I would be willing to make the argument that the net benefit you'd get from the maybe one or two people willing to genuinely examine the project's internals is hugely outnumbered by the measurably thousands who want to ruin someone's life.
I don't work in the sector, but my imagination always figured that those one-or-two people would not-infrequently happen to be those (possibly actual r7) devs that write metasploit modules to arm all-colored hats.
You don't need to steal crypto wallets and credit card info in a pentest because it's a crime. Unless you argue some companies store crypto wallets and credit card info that belong to the company on computers and that is why all these people are writing stealers? Lol
Is it a crime to steal a crypto wallet? Razzlekhan and hubby were convicted of money laundering, with the latter also being charged with hacking BitFinex.
I'm not sure the legal system is ready for charging for crypto "theft". What if the unimaginable happens and there's a private key collision that results in two owners ... If they both use the account without noticing the other but one eventually closes the account, is that still theft?
It's pretty clear when an account or computer is hacked and yet neither razz or hubby were charged with theft ... Hubby essentially got convicted of tax evasion like a '30s gangster.
You'd be surprised. The law isn't rigid like computer code. The intent and mindset of the defendant is all that gets prosecuted. If you can convince the jury the perp intended to gain money by accessing that information, it could be a spreadsheet for all they care. It is both theft and a violation of the CFAA.
But breaking the law can never be part of the rules of engagement when the company doesn't have the authority to give you permission to do something (take an employee's financial property).
Presuming there exists something like a provider/customer relationship for users of Discord, it's now Discord's job to step up and fix it; unfortunately years of Microsoft getting away with horrible security has cemented in our collective heads that "malware" is some abstract thing that, you know, just happens.
Ehhh, I would hesitate before blindly believing the claims you see on these repos. It's easy to say stuff like that in a README.md, and maybe at one point it was true, but these are literally thieves, so... take it with a grain of salt.
Especially considering the fact that there are discussions in the issues in these repos from the codeowners who "don't condone illegal activity" actively providing guidance on how to use the stolen data to login to victim's accounts on various services.
I mean, I think my main point here, and to the other commenters who are saying "I'm happy that they don't take things like this down", is that the dynamic shifts a little bit when the point of the project, the explicit reason for its creation, is malicious, and the entire point of it existing on the platform is for other people to use it maliciously.
The code will continue to exist regardless of whether you see it on GitHub. Script kiddies can just as easily share the source code or binary in a zip file on a forum somewhere, or even on Discord. All you'd accomplish by removing it from GitHub is adding a censorship layer where some GitHub employee or algorithm now needs to determine what's "allowed" on the site. Are you sure you want that?
Even before considering the deleterious effects of censorship, it would simply be more work for everyone and unlikely to benefit anyone. Not to mention you'd lose valuable telemetry that could be used in investigations after the fact (e.g. if someone is accused of stealing photos from an ex on discord, and GitHub can positively identify them as having downloaded a malicious tool to steal Discord tokens, then investigators could subpoena GitHub for those download records).
If there is a problem here, then hiding the code that exploits the problem does not eliminate it. It's Discord's responsibility to mitigate the scale of risk associated with a stolen token. A program that grabs a token on your machine probably shouldn't be able to use it to exfiltrate all the data from your Discord account. And similarly, it probably shouldn't be so easy for any program running on the machine (as a non-root user) to retrieve such a token in the first place.
Does having it on GitHub not inherently promote it as a sort of aggregator for stuff like it? Instead of having to search for a forum somewhere, they simply have to look at this cool GH topic, and there they now have ~40 options at their disposal.
Abusive child porn is easy to find; we should have that on a fun, easy, entry-level site like GitHub... It's called a slippery slope: if no moral line is drawn, where do we end up?
Abusive child porn is a well defined content type that is objectively classifiable. For better or worse, so is copyrighted content (according to the rules of the DMCA claim process).
"Harmful software" is a much blurrier line. Is a GitHub URL being used as a dropper in an active malware campaign? That will probably get a repository removed. Is the source code for malware published on GitHub? That's not harming anyone in its current form, just like the source code of Popcorn Time isn't pirating movies.
Do you want to ban any content with a readme claiming it can be used maliciously? What if I want to publish a basic keylogger implementation for an open source cybersecurity class? Where's the line between educational content and cyberweapons? And even if it's a weapon, how do you know I don't have permission to install the keylogger on a system, like one belonging to a company paying me to pentest them?
Every time I hear someone use the “slippery slope” argument, what they’re actually doing is making a strawman argument.
I can assure you, script kiddy code on GitHub isn’t going to lead to people uploading kiddy porn on GitHub as well. The two are not in any way related, let alone one being a slippery slope for another.
> The code will continue to exist regardless of whether you see it on GitHub
You can extrapolate this to literally anything - "we should allow hosting CSAM on GitHub, since it's on the Internet anyways and we can't do anything about that"
> If there is a problem here, then hiding the code that exploits the problem does not eliminate it.
There's no problem here. This code only exploits the naivety of whoever was social engineered into running it. A session token gives access to the account, by design - it's the way the internet works. The only way to steal a token is by having full access to the machine, and at that point there's no possible mitigation. Even if you completely eliminate persistent sessions, which is a major UX regression, malware can still hook into a running process and steal the active session.
> And similarly, it probably shouldn't be so easy for any program running on the machine (as a non-root user) to retrieve such a token in the first place
What are you even saying? How does Discord/Chrome then read their own session data/cookies? Should we run them as root?
On my machine "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies" doesn't have any special permissions, I'm able to open it up with Notepad spawned straight from my shell.
Maybe I'm misunderstanding NTFS permissions and this is expected, I don't do a lot of Windows, but worst case for the malware is that it has to show a UAC prompt, and if you made someone click "free-discord-nitro.exe" they'll probably click through that too.
Permissions are fake, especially Windows ones. If someone is running code on your machine, they can access any data on it.
On a Mac, if a program (not the user in a file selection dialog) attempted to read a file in ~/Library/Application Support/Google Chrome/, then it would trigger an alert like "[App] from Unknown Developer wants to access files in the ~/Library folder. Allow them?" You'd also need to have manually opened system preferences to have allowed the unsigned app to run in the first place.
And yes, a user could click through that. The primary responsibility is always on the user, within the bounds of what the OS allows them to do (as an extreme, a mobile app certainly cannot access data from another app's keychain or configuration directory - but this requires a highly restrictive OS). But the point is that an application should still make an effort to use best practices provided by the operating system for protecting sensitive data. And in the case of Discord, at least on Mac, it should probably be storing tokens in the Keychain, not the filesystem (maybe it does, idk). Yes, malware can hook the process but not without compromising various OS sandboxing mechanisms, which usually requires the assistance of the user clicking past scary warnings (and even going outside the flow of alerts to explicitly disable protections).
It’s a grey area between what is malicious and what isn’t. A lot of people aren’t going to agree.
ytdl is a great example of that. For Google, it’s “stealing” people from their platform by allowing individuals to download content in a way that doesn’t increase engagement and ad views. I don’t personally agree that ytdl is malicious but I do understand how some could make that claim.
Then what about tools that are legitimately intended for research purposes but could still be abused?
The problem with freedoms is they have to work both ways: if you aren’t prepared to allow abuse of that freedom then you certainly aren’t going to allow legitimate but unpopular uses either.
From a glance, none of these exploit vulnerabilities in Discord/Telegram; they're just garbage you have to convince someone to run. There's nothing to be learned from their source code, no legitimate action the companies can really take to improve their software and stop this, and no way to use the software for anything other than trying to ruin someone's life.
If you want to go ahead and make the free speech argument, feel free, but I don't buy it.
"This repository is for ethical purposes and to use the scripts to learn and improve in python :)"
People who use this or program it for others to use in the wild are human garbage and should be socially isolated, it's as simple as that. It's their moral choice and when they choose malice, they will have to be morally judged. To the least.
Yes. It allows you to impersonate someone, cause issues for other players under their name, sell them on to others to want to do bad things like that etc.
In Roblox's case there are items that sell for thousands of dollars. In Minecraft's case there's a very large marketplace for the accounts themselves - the game has a lot of cheaters that get banned from servers regularly and cycle through accounts to keep playing.
Not even close. It takes down a whole computer. My son downloaded a file he thought was a friend he hadn't heard from for awhile to look at the project he was working on. Had to wipe the computer. Fortunately his brother had the skills to save his files and check that they were clean. They also used his card to charge steam account stuff. Had to warn all his friends he had been infected and nuke his discord including his own server. Had to get a new bank card.
> I'm doing bad shit, but please don't get angry at me. I'm not the problem here, you are
"For educational purposes" is the new "It's just a joke, man."
I get the argument that non-disclosure isn't working ("isn't perfect" would be a better phrasing) and that once the source code is out there, you can't contain its spread. But I'm not making a political argument here on how to prevent this from happening, but a moral argument (pretty obvious in my post). Basically, if you spread this "for educational purposes" *wink*wink* you are part of the problem, and most of your justifications are worthless and disingenuous. And if you're really a free speech advocate, you allow me my moral judgement.
You are right. That is not to say that discord has a ton of security issues. For example, thousands of people, myself included, have been screaming from the top of our lungs for years that sending files over discord creates public links that anyone can access, and yet that issue was never addressed.
Fun fact: Discord has a 5-year-old feature request to add support for a 24-hour clock (the global standard). Apparently it doesn't show up on their dashboard because it's "answered" even though the answer is "switch to English UK if you want that"
For some context, a 'stealer' usually looks for saved credentials on your computer, browsers, disk, etc, and sends them to the hacker. Like others said, an exe that you have to run to be affected.
The most common way is for users to just download and execute it from a website or in an archive over email. No vulnerability exploitation needed, the guys that actually use vulns install a rat in addition to stealers and sell access to the computer/network.
Is that really the case? The Chromium documentation states the opposite.
> Why aren't physically-local attacks in Chrome's threat model?
> We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your device, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user.
At least passwords and cookies are encrypted with DPAPI on Windows. Stealers get around it by simply decrypting the vault on the victim's machine and sending the unencrypted credentials back to the attacker.
Really? I use the `pycookiecheat` python package to read out the cookies from Chrome while it's running no problem. Great for automating certain private APIs that need the correct cookie to keep functioning.
Why do people go after Discord accounts so hard? They're not commonly used for OAuth into third party sites, they don't house money, and Discord makes it hard to get all the data out of an account anyway (GDPR request only returns your half of conversation, etc...). I don't understand.
Additionally, it's the only platform I've been hacked on. Someone compromised a friend's account and said they had made a game they wanted me to try (I'm an indie game dev, so it seemed legit).
Same reason mail servers are a massive target, it's for sending out spam. People are more likely to click suspicious links if they're coming from a friend.
A lot of discord users are script kiddies or non technical users for whom Teamspeak 3, Ventrilo, Mumble, IRC, or Jabber were “too hard” to setup making them easy targets.
I’ve been a discord user since July 2015 and it was nice until people began to use it as an everything app and the hordes of children joined. I really really despise the discord userbase because they’re the new generation of the eternal September that ruins the internet.
Yeah "discord stealer" basically means that it is a stealer that uses discord webhooks to deliver data from the victims. "stealer" is a type of malware that typically grabs cookies and saved login data from installed browsers along with extension data such as crypto wallets.
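An added example, not from the thread, showing how a defender might detect the delivery pattern the comment above describes: outbound POSTs to Discord webhook URLs from processes that have no business sending them. The log format, host names, process names and webhook URL are constructed for the example, and the allowlist of expected webhook clients is an assumption to tune per environment.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Discord webhook URLs have the public shape
# https://discord.com/api/webhooks/<id>/<token>; "discordapp.com" is the
# older host. Matching the path is what matters, not a list of hosts.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/[\w-]+",
    re.IGNORECASE,
)

# Constructed proxy-log format (assumption): "<ts> <host> <process> <method> <url>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)

# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws-07 chrome.exe GET https://discord.com/api/v9/users/@me
2024-05-01T10:00:02Z ws-07 free-discord-nitro.exe POST https://discord.com/api/webhooks/123456789012345678/abcDEF_ghi-jkl
2024-05-01T10:00:03Z ws-07 free-discord-nitro.exe POST https://discordapp.com/api/webhooks/123456789012345678/abcDEF_ghi-jkl
2024-05-01T10:00:04Z ws-12 ci-runner.exe POST https://discord.com/api/webhooks/987654321098765432/zzz-token
2024-05-01T10:00:05Z ws-07 Discord.exe POST https://discord.com/api/v9/channels/1/messages
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_webhook_exfil(lines: Iterable[str], allowed: Iterable[str] = ()) -> List[dict]:
    """Return one finding per POST to a Discord webhook from a non-allowlisted process."""
    allowed_lc = {p.lower() for p in allowed}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        m = WEBHOOK_RE.search(rec["url"])
        if m is None or rec["proc"].lower() in allowed_lc:
            continue
        findings.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "proc": rec["proc"],
            "webhook_id": m.group(1),  # the id is safe to log; the token is not
        })
    return findings


def summarize(findings: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count findings per (host, process) so repeated beacons from one binary stand out."""
    return dict(Counter((f["host"], f["proc"]) for f in findings))


if __name__ == "__main__":
    hits = find_webhook_exfil(SAMPLE_LOG.splitlines(), allowed={"ci-runner.exe"})
    for (host, proc), n in summarize(hits).items():
        print(f"{host}: {proc} posted to Discord webhooks {n} time(s)")
```

The same query is easy to express against real proxy or EDR telemetry; the allowlist should be driven by process signature and path, not just image name, since stealers can pick any filename.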
True... Though I've seen projects selling Discord hacking as a SaaS. And I never understood who was paying for that service and why. I also don't know enough IRC to know if hacking it was monetizable in that way
A buddy of mine got hit by one of these recently. He got a message from a friend asking him to try a demo of a new video game. His friend is a video game developer, so this didn't seem suspicious. The "video game" had a landing page and everything. Turns out that his friend's account had already been hacked and the "video game" was a stealer like this. TL;DR: he lost his account, and that same hacker tried to get me with the same scheme.
Discord support has been completely unhelpful, because he didn't have 2FA enabled before and the hacker added it.
"oops I got hacked when I hacked and/or tried to hack you" is a pretty old trick... I would be cautious about this friend.
At least it was just discord. I'd treat this as a valuable lesson on the virtue of 2FA especially if they have a habit of running untrusted executables (especially with admin permissions...)
I don't think you should feel safe just because you have 2FA enabled. Local malware can wait until the next time you have to provide your second factor, and then use it to disable 2FA, etc.
My main takeaway from looking at some of the repositories is that they are deathly afraid of being run in a VM, because they think that means someone is trying to reverse engineer them. (Which I suppose makes sense; test untrusted software in a VM, if it doesn't do anything evil, then run it outside of the VM.)
At the end of the day, running local exes is about trust. Having 2FA enabled reduces the attack surface you have exposed, even if it doesn't eliminate it as you point out.
I think they just mean that recovering the account post-compromise was not possible because they didn't have 2fa already setup to authorize them as the true owner of the account, not that 2fa would've prevented the issue
Some of the projects target only discord, but others are like you said. They steal browser logins/payment info/cookies, crypto wallets, password manager DBs and a whole lot more. They then sell this info to whoever wants to pay for it on criminal chats and forums.
These are open source but the popular ones are paid malware (as cheap as a few dollars though) you get on those same forums/chats that have more features, evasiveness and nice control panels. But arguably, discord is a nice enough control panel lol.