
BSides CT 2023 - illwill: FINDING MOBMAN

BSides CT · 2023 · 38:00 · 2.4K views · Published 2023-10
Category: War Stories
Style: Talk
About this talk
SubSeven, a groundbreaking Remote Administration Tool (RAT) from the late '90s, shaped cybersecurity by allowing hackers to remotely control computers. This talk explores its history, its functionality, the hunt for its creator "mobman," and finally the acquisition and release of Sub7's source code, shedding light on backdoor Trojans, OSINT/DFIR analysis, and versatile cybersecurity insights.
Transcript [en]

And, uh, yeah. Hi, your kids; hi, your wife. We've got our own official cyber felon here. I'd like to introduce our next speaker, illwill, talking on Finding Mobman. Thank

you. Yes, so I'll start off with a little slide here of who I am: security consultant, red teamer, penetration tester, also, as Ran said, cyber felon. I've been kind of in this industry off and on for the past 20-plus years, professionally in the past decade or so. But basically this whole talk is about how I got started in infosec and what kind of guided me along the way. So we're going to be talking about the origins and evolution of Sub7. Sub7 was basically a Trojan that came out; the first one initially came out in '99. He was working on it in '98 and released it around February of '99. It was

basically a backdoor Trojan, a RAT, which was a remote access tool. It wasn't the first of its kind, but it was one of the originals that kind of got people into cyber security. One of the podcasts I was listening to called it, like, one of the programs that launched a thousand infosec careers. Basically the basis of this tool, a lot of the knowledge that people gained of how computers work, pushed them towards security. Sub7 got its name from another Trojan that was out at the time called NetBus. Basically the author had switched NetBus around, reversed it, and came up with "SubTen", and then added a seven instead of a ten,

and that's basically how he named it at the time. Originally the first couple of versions were for Windows 95/98; probably up until the last few releases it didn't work on NT-based computers. Windows 2000 was one of the first that people were actually using, then over to XP when XP rolled out, so he eventually moved up and got that working on NT machines. A lot of it was like a hardcoded issue: he had the RAS passwords, basically when you used to use dialup, all that stuff would be stored on the computer, and he had it hardcoded in there to pull those RAS passwords up. If it didn't find

them, it would crash. So essentially the program itself started off as just a simple GUI with a bunch of buttons on it that you could do all types of stuff with, connecting to the server. Basically there's a few different components to it. You start off with a server, which is something that you would send to the victim; you would have the client; and you would have the EditServer. The EditServer would edit the server to your liking: basically any notifications that you got, any information about the victim, and all the stuff that you wanted to do. So you would edit the server, send it to them, and once they clicked on it, it would

basically give you a notification that, hey, you can get on this computer. This was back in dialup. Not a lot of people had firewalls, not a lot of people had antivirus, not a lot of people knew what the hell to do on their computers, so it was very simple to trick a lot of people. A lot of people got into social engineering, you know, getting this on a person's computer. They would send them a file, call it like mypictures.exe or mypictures.com, any type of file type that was executable at the time. And then he basically started pulling in different stuff from different backdoors, starting up

the GUI, getting the GUI better, having more features, adding more stuff on there. And eventually it rolled out to its final version before he stopped coding it, which was 2.2, which a lot of people didn't... It actually worked a lot better than the original versions, but people were too confused on how most of the stuff worked, because it was using a lot of plugins; it had a lot of new features. So eventually he just got frustrated and went back, went from 2.2 back to 2.15. He basically fixed a lot of stuff that was broken on there and got that stuff working. I think one of the final releases they did at DEF CON; they were handing out floppies to

people at DEF CON and basically spreading it that way, along with, like, the certain websites that they were on. So as you see here, the icons for the different components: EditServer, Server, Sub7. If you didn't know what the hell you were doing, a lot of people would click on the server. The server was preconfigured for a few different things, so if you downloaded from a shady site, somebody might have it preconfigured for all their notifications, and you would become their victim when you clicked on it. A lot of people wrecked a lot of computers that way, because nobody was paying attention to how stuff worked, and

they're just basically like, okay, I can hack with this, let me just click on everything. Again, with the client, the EditServer, all that stuff: the GUI basically is everything that you configured on there, and then you had all the different features on the menus itself. You would have first the Connection menu. You'd have the IP scanner; basically you'd scan network ranges for just one port open, so usually by default 27374 was the port that was open. You wouldn't want to do this on a lot of ranges or huge ranges, because at the time with ISPs there weren't a lot of people on there, there wasn't a lot of noise, there wasn't a lot of

traffic, so a lot of times your ISP would kick you off, or you would get warnings that you'd be kicked off, if you were just scanning outright. The second functionality is Get PC Info: basically it just pulls up info on the computer, so if you had anything stored in either your emails or the computer system itself, if you named it what your username was. The Get Home Info was basically your address book for emails. And then you would have the server options: basically when you're connected to the server you can change any of the settings on there, so you can change the port that it's working on, you can remove the backdoor

itself, you can update the server itself. Basically it would just upload the newer one; say, like, you had the 2.51, you would just upload that, it would execute that, and then you'd be working in the newest version. And then you would have the IP Notify, which was basically, I think, probably one of the first of its kind: IRC, actually command-and-control stuff over IRC, which, as you know, like Cobalt Strike and all these different C2s that are out now, they basically use that type of functionality where multiple people can jump on and attack stuff at the same time; it's not just one

person. ICQ was an old messenger back in the day that you would just get notifications on. They had an API that you could basically just do a web GET to, and it would just shoot you a message. You would just enter the UIN and whatever message you wanted to put on there, so basically, say, like, "victim's online at this IP address, this port", etc. Then you would have email notifications, basically the same thing, just in the body of your email you would have that information. Keyboard: basically keyloggers, sending keys, retrieving those keylogs itself. Basically it would work in the background, so even if you were disconnected you could go and grab those

logs themselves, look for any passwords, filter any passwords out, and you could wipe the logs, all that stuff. The chat basically popped up a small chat dialog box; you could talk to your victim like you were, like, customer service or something like that. So in the event that you were doing social engineering, basically you would do that stuff: you pop some stuff up and you get them to do certain things that you needed them to do. So if you said, like, hey, you need to log into this website and fix this, blah blah blah, you could kind of control them that way. And then you had the Matrix, which was basically, if you were, you know,

someone new at a computer, your whole screen turns black pretty much and you can't do anything but watch this person type to you, and you can answer too. So basically your whole screen would just fill up with this black screen; the Matrix would pop up. They couldn't do anything until you closed that out, pretty much, or they shut off their computer. Message Manager pops up different message boxes, so, like, errors, stuff like that; you could change the icons to X's, exclamation points, etc., and change the text on the title and body of the message box. Then you have the spies: you could spy on the

different messengers, ICQ, AIM, MSN. And then ICQ takeover: basically you could take over that user session as them and create more victims. You could send them links and get them clicking on stuff, and basically, you know, it goes by the friends list pretty much; they all know who you are and they just trust you with that a little bit more. You would get the FTP server, which basically would open up an FTP server on the victim's PC. You would be able to grab any type of files from that PC that you had access to. Again, Windows 98/95, there wasn't much access

control list stuff like that for the user, so basically you had run of everything pretty much. If you wanted to upload stuff into certain spots, startup folders, to execute other stuff, and just basically read all their data. Again, with the RAS passwords, that was the cached passwords, dialup passwords, all that stuff would be pulled from there and just displayed on the screen. A lot of times ICQ, AIM, those were in the registry; they were encrypted a certain way, you would just have to decrypt them. I think AIM at the time, I don't know if it was the original version or a version down the line, was

basically, they used Blowfish encryption, so they take your password, encrypt it, and then throw it in the registry, and basically what the program did was just decrypt it from the registry with a static key and then show it to you in plain text. App Redirect: basically you could execute any programs on the computer itself, or execute anything as a program. Basically it was just using the Windows ShellExecute functionality, and then it would just show the output. So if you were to execute command.exe, or command.com I think it was at the time, you basically would look like you had a shell on that computer, and you could do whatever you wanted on there. And

then Port Redirect is, you know, if they had other stuff that they had access to, you would be able to redirect it to that IP, that port, and stuff like that, redirect that data. It didn't work too well, obviously, on a LAN, because there was no way for Sub7 at the time to connect in; it was basically a direct connection. If somebody was on DSL and they were behind a LAN, there was no way for you to connect in there. You could get all the notifications because it's outbound, but coming in does nothing. Then you got the File Manager, again something for you to browse the drives, folders and everything, look for any type of juicy information that

you may have. Window Manager gave the ability to see all the open windows; it would give you all the names of the windows that are open, so if you've got Notepad open, you've got Internet Explorer open, it would have all that, and give you the ability to either hide it, disable it, show it. Process Manager: at the time there was, like, a crap Task Manager in Windows 98; it didn't have a lot of functionality. It was basically the API just showed you, like, the exe name, no paths or anything; you didn't know what was really running on there, you just got a list of all the exes. So if you knew what to kill without breaking the

computer, you could kill those processes that had AV on there. A lot of times AV didn't really have the protection that it used to have, so you were able to just kill anything at will pretty much. Text-to-speech would be another thing that would scare people off: whatever you typed and sent to this person, it would be translated by TruVoice, which was a plugin that you would upload that translated text to speech. It was kind of the original to that. So basically you would just type out, like, "I Know What You Did Last Summer" or something like that, and it would just play through your speakers

and scare the [ __ ] out of you. You got the Clipboard Manager: anything that you copy-pasted stays in that clipboard, and you could just take all that data on there. A lot of times people were copying passwords; it may be still in the clipboard, so a lot of good information on there. And again, going back to the IRC bot, the original type of C2, where again you and your friends could join in the fun; it's not just you sitting at this. Your guys, you know, your friends on IRC, or whoever you're talking with, once that's connected in, you have control of that bot pretty much. You can send all

the commands just through text on IRC; it reads all the data and kicks back whatever information, or whatever it's doing. This is the File Manager here. Basically, again, it just shows the drives; you can download, you can edit files, you can basically do whatever you could do in front of the computer. You can even set the wallpaper, so if you want to put some, like, weird picture on the background of their desktop, kind of like ransomware does now. It's like, you know, stuff like that is pretty much based on all the crap that was around 20, 25 years ago; it's just they have some newer features,

they might have, you know, better coding, stuff like that, where there's more ways to kind of hide stuff, you can execute shellcode. There's all types of stuff that originally started from these Trojans; it's kind of the basis of it. And it's kind of like, you know, the great artists don't paint stuff, they steal. It's the same thing with the industry pretty much, even from the C2s, the antiviruses: they all have the same shitty features, they all have the same bells and whistles. It's just a matter of how

they're going to be perceived and how they can make money off a lot of stuff. Fun Manager was basically all the stuff that you could do just to screw around with a victim. I mean, again, a lot of people, they were doing it for shits and giggles; it wasn't really like an evil thing for most people. A lot of it was just them screwing around, like, how can I prank my friend? You know, you could turn on the webcam and see what they're doing, if at the time they did have the old shitty, like, 100-pixel webcams. You could pop

that stuff up and kind of live stream it. It's almost a live stream; it's just multiple pictures being taken, at such a small range that even on dialup it was pretty quick. So there wasn't a lot of compression at the time; a lot of times they were using bitmap files, but because the stuff was so small it went pretty quick. I think the desktop background stuff, or viewing the desktop, that did translate to JPEG just because it was such a huge file to do. I think it did do it on the server side, where it

reduced the file before sending it; that way you had less bandwidth that you were using. Flip the screen: basically you flip it up and down, vertical and horizontal, and just screw with people. Printing stuff: again, you could just print; if they had a printer attached to the machine, you just print whatever the hell you want on there. The browser is basically you could send people to a specific URL. A lot of times there was other stuff that was out back in the day, so if you needed to get some more access or stuff on the computer, getting people to open up, like, click-for-pay type sites, where every time somebody went to that site you

would get like a penny or something like that. So a lot of times people used it for that, where they could get people to click on stuff. A lot of times there were browser exploits in old Firefox, Internet Explorer; just by viewing the page, half the time you could get owned by a zero-day. You know, you have access to the computer, but this would help elevate access on some type of stuff, depending on machines. And then with the resolution, changing the monitor and the colors for the Windows taskbar; you could change the Windows button itself to whatever icon you wanted, you could change the colors to it. Screen saver: basically

you could start a screen saver with any chosen text, so if you don't want them to see you moving the mouse around, or have them see you doing anything on the screen, you could start that up. Or you could just screw with somebody, basically lock them out and do whatever you want. Restarting Windows: you could just reboot it, all that stuff. And then you've got the sound: you could record sound if they had a microphone hooked up to the computer. A lot of times desktops either did or didn't, but at the time you could record stuff that was going on in there, pull that data down and see what's going on

in that environment. Date and time wasn't much; it's just, like, you could set the date and time just to do timestamps on stuff, where, you know, it looks like this file was created five years ago, and they're like, oh, it's always been here, whatever. And then the extra stuff was just, I guess the most famous one of this is the CD-ROM open and close, everybody's favorite cup holder. You would own somebody and you would pop open their CD-ROM to scare the [ __ ] out of them. You know, someday, for stabbing somebody over TCP/

IP, if that RFC ever comes to fruition, this would kind of be the start of it. And then start hiding certain things from the user, screwing with their caps if they're typing; you're just [ __ ] with them by turning Caps Lock on, Scroll Lock, and all that stuff. So let's see, so this is the EditServer. I'm going to have just a pop quiz; I want to see if anybody knows what this sound is. Doesn't play. Let me see if I could get it to play. Anybody know what that is? Who said it? Who said it over here? Okay, you said it. Where's Kevin? Here, give him a prize. So ICQ was again one of

the notifications that you would get on there. If you had a lot of victims for Sub7, and you dialed up to get online, when you got online, because of your bandwidth, because of your shitty computer with, like, 64 megs of RAM running Windows 98 SE, you would get something like that, and you would have like a million notifications that would just lock up your computer for, like, the first five minutes that you signed on. But it was a great notification because it was instantaneous: any time that they signed online or started up their computer, basically that notification would come straight to you, and you could just get right in, get on their computer,

and just do whatever you wanted to do. So again, the EditServer, this is the pregame for your server, or your backdoor. You've got the startup method: basically Run, all these different ones that antivirus and all these people know about, Run, RunServices, the win.ini file. The win.ini file was the less known method, which was basically... or, actually, sorry, the system.ini file, which basically had a line in there that said explorer.exe; you put a space after it and just put your server name, like server.exe or my.exe, and that would basically execute any time that that person booted up their

computer, that server was running. Then the not known method, which was one of the first of its kind, that screwed a lot of people up, because antiviruses, once they started picking up Sub7, would delete that server.exe. So when you went to go boot up your computer, it's looking for that server.exe in the registry and it's not finding it, so anything that tries to open on the computer, like Notepad, Internet Explorer, Explorer itself, everything's broken on the computer, and effectively it kind of bricked the computer from your AV. It wasn't so much the server's fault; it was just that the AVs were really crappy at the time, where they were relying on

static locations, strings, everything in the file, but they didn't think of the different methodologies that were used to clean up after the fact. So stuff like this did affect people. You've got, again, the email, the IRC, ICQ; you've got the password to protect your server. At one point there was a server that was introduced, I'll get into that later, but basically the server was introduced with a master password, so mobman, who created the program, actually put a number in there that allowed him to get onto any of the Sub7 servers of that version. There was another one in there, I think it was just a blank

password, which was a bug in there, that if you got the password prompt to log into the server you just hit Enter, don't type anything else, just hit Enter, and it just kicks you right into being connected. Then you've got your different installation methods. You can change the port if you want; a lot of times firewalls or ISPs were looking for that port, so if they found that you were infected or something like that, they may block some stuff on there. So it was always good to change that, or kind of blend in, you know, port 443, stuff like that. Then you have the different IRC bot names, all that stuff, and you can

also change the icon on there. A lot of people, what they would do is just change, or take the icon for a bitmap or JPEG and use that as their icon, and again just change the file name to something like, it would always be like mypix.com, stuff like that. And when they downloaded that, they just looked, they saw, oh, it's a familiar, like, JPEG icon on there, let me just click this, and got owned pretty much. This actually shows how far back I've been playing around with this. Back in, like, 2002, that not known method, I created a VBS script that

actually went through and cleaned all the stuff up, because I did have friends that I played tricks on, and if I [ __ ] up their computer, it enabled me to go in and fix any of the stuff, like, say, the AV erased something on there. Basically I could use this to get all those different reg Run methods, those win.ini methods, and the unknown methods off there and just revert it back to the way it was. And Sub7 got so popular that people were binding the server with another executable; they were binding it with, like, Winamp, and it was so popular

that people were making Sub7 Winamp skins to bind with it and send it out. So there's a lot of trickery going on. Again, it's going back to the social engineering; it's the same stuff as phishing emails, where you're just trying to get somebody to click on stuff or download it. A lot of websites, a lot of different IRC channels where people were just trading and saying, oh, you know, I've got the cracked copy of something, I've got this, I got that, just trying to get everybody to click on it. So basically that's a broad overview of Sub7 itself, all its features. This is a Chat

GPT of why Sub7 was relevant, pretty much. They kind of geared it toward RATs being eyes: it was used for this, it was used for that. Yes it was, but a lot of it was like 10-year-old, 12-year-old kids playing pranks on their friends, playing pranks on their teachers, trying to change grades. It wasn't anything super crazy, but it was used a lot, in a lot of attacks back, like, 20 years ago, when this was the only C2 that you could have, and the only way that you could get on a computer and control stuff, other than, you know, by breaking into stuff that's a service or a web

server that had some sort of flaw. So again, the comparison between now and then: everybody's on Cobalt Strike, Nighthawk, Havoc, Sliver, all those different C2s that are out now. The only difference on a lot of them: some are open source, some are not, some are paid corporate stuff. It's just basically you say, hey, this is my company now, I'm going to sell this to you, and we're gonna have some shady business agreements to say, like, hey, I'm gonna back you with this. But there are some cracked copies out there that are floating around, people that are not paying for it, not doing it legitimately, not getting

the access. There are people that are taking the Java from Cobalt Strike, that they're cracking the way that it looks at the registration key. So there's not so much of a comparison; it's almost like the same comparison to a gun: you can give somebody a gun, they can use it to stop the bad guy, or they could be the bad guy. So that's the same thing with Trojans, backdoors, remote access, everything like that; it's just who's sitting behind it. So, you know, legitimately you can use Cobalt Strike, you can send that out, you can send phishing emails and gain

access to there, but in the same turn there are these bad actors that are out there currently that are doing the same exact thing, the same functionalities. A lot of times these red teams, they're learning heavily from the IR side of the house, where they're looking at what all these bad actors are doing, and they're copying and mimicking the same stuff. There was a time, like when I was at Mandiant, we had gear that was based off of, I think it was UNC-something-92 or something like that, where we actually got flagged as being like one of these bad actors, from, I think it was, like, China or Korea or something like that,

that we were on a network, and one of these EDRs basically picked us up and wrote a whole thing saying this is why it's Korea, but it was actually us. So, you know, using these same tactics, using all the stuff from the MITRE framework, basically getting all the different stuff from day to day where you're using it for good; these people are using it the same way for bad. And they're working hand in hand, not so much working hand in hand, but the same functionality, the same features, the same methods of doing everything. So as Roman said, I was a cyber felon back in the day. This is,

I'm going to say, about 2010-ish. I had gotten a visit by the FBI. I didn't know what the hell they wanted. They basically came, asked me a [ __ ] ton of questions; one of them consisted of the Sub7 Trojan. Now, being 2010, Sub7 wasn't around for years and years, for the original version. They got it in their head, it's heavily redacted, but they got it in their head that one of their people that they picked up basically said that I was one of the co-authors responsible for Sub7. Now again, this is seven years later after the last version, and basically they came and paid me a visit

and knocked on my door and said, hey, we're looking at this. And at the time I had gotten in trouble a couple years prior for something unrelated; I was currently, like, on probation for that, so I wasn't in a good light anyhow. But because I was kind of under the thumb of the government at the time, they figured it'd be easier just to come pay me a visit. Now, all this stuff here, like this FOIA that I got, this probably took me about three years to get back from the government, on basically why the hell they showed up. I didn't know anything of why

they were there, why they were asking questions, and basically none of their stuff made sense until this came out. They had asked me about botnets; they were heavily asking me about botnet stuff. At the time Microsoft and the New Haven local office were working hand in hand to actually disable, they were hacking back pretty much, computers that were infected with bots and the botnet stuff. So basically Microsoft went to the FBI, worked with the FBI, and said, hey, we know all these bots are on these computers, we need to get them the hell off and we need to do something about it. So that kind of got me into my second

mode of Sub7. Like, first it was using it; now it was like, okay, what's the FBI looking at me for this? And all of a sudden there's a guy that appears about two years later, comes in a Rolling Stone magazine and basically introduces himself as mobman. So I'm like, oh, that's awesome, that's the original mobman. And basically he said he's living in Florida now; he originally coded Sub7 to steal passwords from Ultima Online, which, you know, typically a lot of people were doing. They were using that for their advantage to steal gold, all this other stuff from the online games, and basically sell it and make more money

and kind of get an edge on the game pretty much. So he went by the handle of Tampa Greg, which, you know, I started looking stuff up, I found him on Skype, and ended up sending him a message. I said, hey, you know, I used to be on your IRC, blah blah blah, I used this, XYZ. And he's like, oh, that's cool. He's like, I'm working on a new Sub7. I'm like, oh, that's cool, like, send me a copy, like I'm not gonna click the [ __ ]. But at the time he sent me this exe, and I threw it into

a VM and basically ran it. It popped up a very shitty GUI of a black square with the typical Matrix green buttons on there, and he even messaged me and said it even opens your CD-ROM, blah blah blah. So I was like, oh yeah, that's cool. I'm like, you know, you're writing in Visual Basic; I'm like, what happened to Delphi? Like, why aren't you coding in the same thing? He's like, oh, you know, it's easier, this and that. I'm like, yeah, but then you have to send all the DLLs, the OCX files, unless you're really coding down and dirty with

VB. You know, you have all these different dependencies for the file, like you can't just send a straight exe; sometimes it's looking for the Winsock OCX. There's all types of different reasons not to use that, and that's one of the reasons that the original mobman had done it. So that was all fine and well, and then flash forward, like, five years: the Darknet Diaries, if you guys have heard them online, a lot of great stories. Jack Rhysider has a bunch of great backgrounds on people, of how they got from where they are to where they're going. One of them happened to be mobman, and I said,

okay, let me listen to this. Started listening to it, I hit up all my friends that I used to talk to back in the day, I'm like, yo, check it out, he's on here, blah blah blah, he's finally talking. And we all came off with the same viewpoint at the end, like, that's not [ __ ] mobman, like he doesn't know anything about it. Any time that Jack had brought up Sub7 he had diverted the conversation and basically said, like, oh yeah, you know, just nonchalantly, yeah, it's just something I wrote, and then he would go on to a different subject. He would go on to Ultima Online, he would go on to, you know,

saying that you know he hacked AT&T because his phone bill was too high and so that's why he got arrested and that's why he you know he wasn't coding the stuff anymore you know he gave a very generalized like hey I'm a user type vibe to everybody like he had used it yes but he didn't give any details or insight into you know why he created it other than the ultimate online or you know where he's gone where he's been pretty much he basically just had a very vague view of life you know up to that point pretty much from the past 20 you know 15 years so I actually met Jack at at Defcon at a tel freak party talked to

him about the whole the whole podcast pretty much and I said you know essentially this guy is not the real guy I have some evidence that shows that he's not I also have talks that I had with him where he's basically saying like hey this where the master password comes into play uh you know this master password uh you know can you explain why you came up with this long digit here and he's just like uh you know two plus two is four carry over the five I was born on a you on a Monday so that's why I did this and you know 144 was the start of my icq number and then like

1980 was my my year of birth and then out of 15 so he he came he came up with a really way of explaining it um I also started started to grill him on kind of the people that were in the scene at the time and he was just like oh you know I'm so shot I don't remember any of that stuff so I you know he's pretty goofy so I I kind of cut it off like you know I knew he was kind of kind of strange so I was just like okay I'll just let it slide and go from there then he was on another podcast that's no longer I think they shut it down like probably a year

or two ago it was called the many hats Club out of the UK basically they had a two-hour podcast with him and it was basically the same thing it was just him talking about OT online for the reason for it he would always offset the the questions anything that anytime sub seven came up he would just basically brush it off and start talking about something else and and go to a different subject it was very if you didn't know you know you kind of figured it out but it kind of a lot of stuff didn't add up so I basically went into looking at when he said he was starting it he was born actually at the same the sameeh year as

the real mob man so so they kind of coincided with this stuff I started looking into him I saw a lot of like arrest records around that time nothing for AT&T but just stupid [ __ ] that he was getting into around the same time that sub seven was like kind of petering out new stuff wasn't being created and uh so it was kind of kind of good kind of bad and also his icq number you know nothing matched up there was just the first two digits not even the three digits started looking up the real mob man I started hitting up all the old people back in the day just seeing like if they knew anything I finally got a

hit on somebody saying like oh yeah he's got this Twitter account with this name used that and then when you do OSN research basically you go into to see like where the hell they're at what usernames we using on different sites everything um so basically I found him on Kick first which I actually had his real picture I didn't know if it was him but I did edit it out because I I don't want to kind of like blow blow up his spot but basically found him backtracking finding where he was located where he was from uh where he used the other other names he actually had two different license plates that had something related to the stuff that

he was doing that actually I found online so I actually found his Jeep when I contacted him I sent him a whole bunch of these pictures and said hey your real name is is the the password for this ZIP file you know let me know let me know if you can open it basically we had a lot of back and forth talking about all the stuff that was going on in the day how I found the Jeep all this other stuff and basically started moving over from emails Discord and kind of getting a lot of information about him how he grew up in Romania he was actually in Canada when sub seven was created he was

actually in Canada he wasn't in Romania anymore Greg had said that like he never left the United States he doesn't even have a passport so that doesn't coincide and then there was all the different clues that he left in the different programs in the abouts of the different versions of sub seven or the posts on his website where it says like you know I moved to Montreal you know or I was at XYZ in Windsor Ontario he was where he was going to school so all this stuff basically it it fell into place so when I I got to talk to him he actually started sending me evidence that he was the the real mob man one being the

sweatshirt that he was selling on the site at the time which anybody could have bought really but he still had this [ __ ] 20 years later I don't know anybody that has like an old sub seven shirt and then he found an old notebook that actually had his name and address from 1999 where he was actually going through and writing all the different form code all the different stuff all the checklists all the different versions of sub seven that he was working on you know adding the port scanners all the stuff adding all the stuff to the back of it everything that was in this this notebook he just scanned in s to Mees

it's like it's like who would have this if if they weren't actually doing it yeah there might be a oneoff but you know he even had the design of sub7 when he was coming up with this stuff he did all the artwork so that sub Seven logo was actually something that he drew and the and the original seven for the original version was also something that he had come up with uh he wanted to be an artist originally and then just got into coding from there you know then it's just basically talking about the forms coming up with the different ports to connect to you know other designs that he was kind of interested all the

different other features that he had on there intermingled with a like you know stuff from like a mechanic that he was you know had to call up you know have that guy's phone number on there and stuff like that all the commands that he wanted to add all the features that people were requesting um so I'll just I'm gonna Buzz through these real quick so I got like a few minutes there's a lot of fun facts about when you start to dig into it a lot of times his his his versions were were Cod name one of them was mu basically it stand for mostly use internet entertainment which is actually a slang for oral sex in Romania if you

if you just said set it out right the other one was Legends sub seven Legends which came out which was actually a strip club that he used to go to in in Ontario uh which he told me like that's how he was coming up with the names just random uh random stuff and this is this is the master password this is actually his icq number which you can see in every version of sub seven is is hardcoded into there his license plate from Romania when he was back where he moved and then his birthday itself he was basically was born the 15th of October in 1980 so that's how he came up with that string for that master

password it wasn't some random addition and math and all that other stuff um and the other thing was a a back door that was put into into sub seven which was a batch file that would erase everything on your computer if you if it found these certain icq numbers in the program it would create this batch file that would go systematically through recursively through your drive and erase everything uh it was against a rival coder named syphus that was uh that basically uh it was it was him originally that they found all these other ones I actually found in in the source code at one point which I'll get into in a minute so basically he added

everybody from syphilis is like IRC Trojan crew and added them in there so actually all these numbers not just the one that's listed on like Wikipedia and everything else there's actually 11 different or 11 different icq numbers two being the syphilis two numbers and then his uh his crew then basically just talks about on on there where you know people found out that that the hard drive killer was on there the guy who who uh had coded hard drive killer originally had posted about it being in sub seven so he was just basically answering on on the site of just basically talking about the website of of how everything was the IQ numbers I screwed up the uh the images here and

in the orders basically like he went through syphilis program here on the GIF and basically got everybody's IQ number and all their information from there and then basically added that to the code you know he would just give a [ __ ] you it's basically back in the day a lot of uh Trojan coders and all this other stuff they they would have these online IRC fights like who was the better and this and that culmination of this thing is like he also sent me a couple different versions of sub seven I'm releasing those on uh on gitlab the first version being 2.1.3 uh which was the version right before the hard drive killer it was basically two 2.1.4 which

is the bonus version that one got released just to screw with that syphus guy uh so this is up on my on my gitlab if you want to scan the first QR code to the left that's actually the deli code uh it's it's not super complete when he sent it to me there was a lot of missing components I work with somebody and and basically got all those compiled to to basically get into working code so the gift file here is also on the if you want to look at at your own Leisure it basically shows me compiling the the source and getting a seven open you'll see in the in the bottom folders the

server and the and the client being created opening it up connecting to the server and showing that you can actually you know connect and get on there the second one is something I wrote the other night with the help of of chat GPT was a python script that basically took the binary decompressed upx on it from that compressed exe or go in the resource files and I would find the encrypted hard drive killer in a resource of the executable once it was extracted from there he used I think it was a six-digit password to our exor uh key to dxor the file pretty much and make it to the plain text file so if you

actually go and get the 2.1.3 binary run my python script in the same directory it would actually extract that and extract the hard drive killer using the key actually was yeah it was a six it was actually seven digits but the last digit the way he coded it was [ __ ] up so that last digit if you if you notice in the bottom corner is a nine I can put like an X there and it'll still still decode it and then just wrapping up the the whole thing bringing back my my Nemo thing it's just this is the whole culmination of like my career of of you know back in you know 99 when this came

out was basically when I was getting my first computer uh basically getting into learning about it getting friends online where I where I teach stuff and I would learn stuff and and basically all the setbacks like getting arrested and then coming back and cleaning up my record and you know getting jobs at these different various companies and then just the journey you know the whole the whole infos SEC life pretty much up until this point is basically what moral of the story for Nemo is according to Jet GPT so I just wanted to wrap up with this thank everybody from M man R 101 uh dark SC and the old sub seven IRC crew that kind of helped me to to get up to

this point and should be good to go thank you everybody
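The XOR-decode step the speaker describes near the end of the talk, as an added example: this is not the speaker's Python script (which he says is on his GitLab) and not Sub7 code. It is a self-contained sketch of the general technique: scan a byte blob for a payload that was XOR-encrypted with a short numeric key, recover both the offset and the key from the known plaintext header of a batch file (`@echo off`), then decode. It goes beyond the talk in that the key does not need to be known up front. The payload, key and surrounding junk are all constructed here; the real batch file and the real key are not reproduced, and the UPX unpacking and PE resource extraction that precede this step in the speaker's script are left out.

```python
"""Added example: locating and decoding a repeating-key XOR'd payload embedded in a blob.

Illustrative code written for this page, not the speaker's script from the talk and not
Sub7 code. Payload, key and container are constructed; the real hard drive killer batch
file and the real key are deliberately not reproduced.
"""
from itertools import cycle

# Constructed stand-in for the embedded batch file. Harmless: it only echoes a line.
PAYLOAD = b"@echo off\r\necho constructed stand-in, not the real payload\r\n"

# Constructed 7-character numeric key (an assumption modelled on the talk's
# description of a short digit-string key; not the real value).
KEY = b"2971034"

# Known plaintext: a batch file written by a dropper can be expected to start this way.
MARKER = b"@echo off"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_container() -> bytes:
    """Constructed stand-in for a resource section: junk, encrypted payload, more junk."""
    junk_before = bytes(range(0x80, 0xA0))           # 32 bytes, all with the high bit set
    junk_after = b"\x00" * 16 + b"PADDING" * 3
    return junk_before + xor_bytes(PAYLOAD, KEY) + junk_after


def locate_and_recover(container: bytes, marker: bytes = MARKER, key_lens=(7, 6)):
    """Scan for an offset where (container XOR marker) yields a consistent all-digit key.

    Returns (offset, key) for the first hit, or None. Requires len(marker) >= key_len
    so that every key position is covered by the known plaintext.
    """
    for key_len in key_lens:
        if len(marker) < key_len:
            continue
        for off in range(len(container) - len(marker) + 1):
            key = [None] * key_len
            consistent = True
            for i, p in enumerate(marker):
                k = container[off + i] ^ p
                slot = i % key_len
                # The candidate key byte must be an ASCII digit and must agree with
                # any earlier derivation for the same key position.
                if not 0x30 <= k <= 0x39 or (key[slot] is not None and key[slot] != k):
                    consistent = False
                    break
                key[slot] = k
            if consistent:
                return off, bytes(key)
    return None


def decode_from(container: bytes, offset: int, key: bytes) -> bytes:
    """Decode from the located offset to the end of the blob (trailing junk decodes to noise)."""
    return xor_bytes(container[offset:], key)


if __name__ == "__main__":
    blob = build_container()
    hit = locate_and_recover(blob)
    if hit is None:
        raise SystemExit("no XOR'd batch payload found")
    off, key = hit
    print(f"payload at offset {off}, key {key.decode()}")
    print(decode_from(blob, off, key)[: len(PAYLOAD)].decode())
```

The digit constraint is what makes the scan cheap: each candidate offset is rejected at the first byte that does not XOR to `0x30..0x39`, so junk with the high bit set or zero padding is discarded immediately, and only a genuine encrypted header survives long enough to have all key positions derived and cross-checked. Against a real sample the marker and key alphabet would be adjusted to whatever the unpacked resource actually contains.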