Tuesday, April 3, 2012

UK Zeus user G-Zero Sentenced

According to today's Daily Mail, court details have now emerged regarding Edward Pearson, a 23 year old hacker from York, England known online as "G-Zero", and his activities involving the Zeus and SpyEye trojans.

Pearson was ultimately arrested after his girlfriend, Cassandra Mennim, tried to pay for hotel rooms at the Cedar Court Grand Hotel and the Lady Anne Middleton Hotel, both in York, using stolen credit cards. (Pictures of the hotels were in the Daily Mail's original story on this case on February 20 - Computer whizz faces jail for writing programme to steal personal details of 8 MILLION people, including 400 PayPal accounts.

G-Zero Gets Doxed (June 2011)


Although these details are not shared in court, the Hacker world has known who Pearson was for some time ... on June 3, 2011, on the hacker forum "OpenSC.ws" - a site where Trojan authors and botnet herders meet and greet and buy and sell from one another, a user named "cr333k" posted these details. His post read:

"I dedicate this post to ED aka G-Zero because he is the reason I obtained this material" (referring to the leaked version of SpyEye v.1.2.8.0 and v.1.2.99.39).

"So in his honor, I will chase him off the internet."

Cr333k then proceeds to document G-Zero's use of Spyeye, claiming that G-Zero was in charge of the Spyeye servers at 89.149.202.104 [Leaseweb in Germany] and 91.211.11.192 [a serverbox.de account hosted in the UK], and claiming that his main IP address was 178.86.2.40 [a Ukrainian IP], but that he also used the IPs 94.12.53.50 [a SkyNet broadband account in the UK] and 77.103.230.142 [a VirginMedia/Telewest residential cable modem in the UK].

He provides userids and passwords to several of his sites, including the details of his "webnames.ru" account in the name of "GZero" and his hosting.ua account in the name of "rogue2" (with the same password.)

He claimed at that time that his name was Edward Pearson, and that he was in control of the email accounts gzero@9.cn, eddypearson@gmail.com, solipsis@w.cn, cellar@9.cn.

He gave his address as: Edward Pearson, 11 Regatta Court, Oyster Row, Cambridge, Cambridgeshire, cb58ns, UK, and shared his userid and password for his Liberty Reserve online money account

Cr333k claims to have stolen $5500 from Pearson's account...no idea if that is true.

(Eddy also had his superstrong password hash dumped by the guys at Zero For Owned. When they dumped Eddy's details out of the RootCult website after SQL-injection of their database, Eddy's GroundZero password was shown to have an MD5 hash of c8837b23ff8aaa8a2dde915473ce0991. Bad news. That would mean his password was "123321". Not a good password choice for a bad ass hacker. Of course that dump was from 2006, so Eddy would have been ... 17??)

Loose Lips


Probably not a good idea to tie your bad-ass hacker name to your real name in such things as your SoundCloud account (Userid: GZero Name: Edward Pearson, Cambridge, Britain (UK) soundcloud.com/eddypearson

He did the same thing back in 2009 when he was trying to share his online video ripping system on the forum DigitalSpy. His ripper service was distributed from "ripple.net" which he registered with his true personal details, but advertised in the DigitalSpy forum with his hacker handle "GZero".

Domain name: RIZZLE.NET

Administrative Contact:
Pearson, Edward eddypearson@gmail.com
93 Brampton Road
Cambridge, Cambridgeshire CB1 3HJ
GB
+44.7912558447

GZero's post on July 13, 2010 to "HackForums.net" was also pretty interesting:

Alright guys,
Basically I've not been part of the "scene" for many years, long before botnets, around the "how do i hack hotmail?" era. I got very bored of the bunch of rude little pricks that seemed to engulf the place.

Who remembers Zebulun hey? :p

Anyway, I a freelance programmer (C,C++,PHP,Python+many more) and pentester, the legit kind!

I was playing with one of the public copies of the the Zeus botnet, and I have simply fallen in love!

Basically, I'm have all the skills to really do some cool stuff here, coding is my day job, and have until now been working with a private group to make a bit of cash on the side, just not with bots.

Basically, I can do Programming, Custom Hacking, Bulletproof hosting, Setups of anything, FUDding things, Some very sneaky stuff to do with botnet takeovers, CC stuff, Been stealing the latest drive by sploits (NOT the packs), reversing em and then hopefully I'll make a real nice exploit pack if I have the time.

Basically I only just got onto botnets, and I LOVE WHAT I SEE. That said, I have been working with malware, hacking, financial stuff and the darker side of things for many years, just with a group I trust, not involved in the "scene"

Long story short, I want to to talk to people, learn more about the way things are done, and ideally work with somebody, or do some work for them in exchange for a decent copy of Zeus.

Basically, I'm trying to get on this and I have everything else pretty much setup, but I'm just not happy with using a public Zeus. REALLY want to get everything JUUUST right before really get stuck in ;)

MSN me guys, even if you don't have what I want, a interesting discussion is always nice and I'm always nice and helpful. I do have some vaguely private softs to share, but really this is my problem, for this to be GOOD, I need a good bot, and I LOVE Zeus...

MSN:
gzero@9.cn
solipsis@w.cn




8 Million Identities?


According to the police, on one of Pearson's computers they recovered 8,110,474 names with birthdates and postcodes for adults living in the United Kingdom. He also had details of 2,701 credit or debit cards stolen between January 1, 2010 and August 30, 2011.

At one point Pearson used a program he had written in Python to test potential PayPal accounts, and successfully confirmed more than 200,000 PayPal account details.

David Hughes, the prosecutor in the case, says that Pearson also hacked into systems belonging to Nokia and AOL, which caused Nokia to disable certain of its systems for two weeks while it reviewed the intrusion.

(The Nokia intrusion is believed to be the August 2011 SQL Injection of the "developers.nokia.com" website)

Intellectual Challenge?


Although the crown paints Pearson as a criminal mastermind, his defense attorney, Andrew Bodnar, claims that he was not interested in large-scale theft, but considered this merely an intellectual challenge. To support his point, he claims that the total documented theft, despite possession of thousands of cards, was only £2,351 or about $3700 US Dollars, mostly in the form of fastfood orders, pizza, and to pay his cell phone bills.

This is quite a difference between the original charge, that Pearson "plotted a £350,000 fraud" ($560,000 USD).

Mennim's lawyer called her a "vulnerable young woman who found comfort in Pearson following a difficult previous relationship." He describes her as a straight A student who is ashamed of her actions and will pay back the money she owes the hotel.

Pearson was sentenced to two years and two months, and Mennim to 12 months of supervised release. Although Pearson did not SELL the details he had gathered, it was demonstrated that he shared them with other hackers online, and the judge took this into consideration in the sentencing, as she said "Your computers and software were a devastating tool kit. I accept you didn't sell this information, but you shared it with other computer programmers, and you had no way of knowing how THEY might use this information."

The ultimate charges, to which the pair plead guilty:

Pearson - "Making an article for used in fraud and two counts of possession of an article for use in fraud."

Mennim - "Two counts of obtaining services dishonestly."

According to the original charges, the couple were also dealing the drug MDVP, also called "super cocaine". Apparently those charges were dropped. They seem consistent with his lifestyle - for instance, see this post on Cannabis.com from October 2007 where Eddy announces he has just moved to Cambridge and is looking for "connections" via his MSN chat account, eddypearson@gmail.com. This is consistent with some of his HackForums.net posts where he describes himself as "High and Pissed Off".

No comments:

Post a Comment