A while ago, I found a readme.txt sitting right on top of my D**-NET Honeypot, and this was the beginning of a whole turn of events that is, let's say, funny at the very least. I opened the readme.txt in a text editor and this is what I saw:
Don't you have anything else besides porn on your PC?
For the past 2 months all the fuck shit you have given me is nothing but porn!
600GB of fucking porn you shit head.
You did not even download The Avengers 2012 1080p BRrip X264 2 2GB YIFY even though you searched for it! All you did was download another fuck show!
Fuck! Are you a seller in the night market or what?
And you had even given me the fuck shit trojan you got from the porn site!
I am so fucking pissed that I want to fucking delete all your downloaded porn for you now!
Eat shit and die you pig!
Some parts of the swearing I did not appreciate, and obviously I deleted them here. Well, angry? Actually not... I had him / her monitored for the past 2 months and I guess since he / she had left me a note, I should be a polite guest and write him / her one. But he / she was actually so frustrated that he / she actually deleted my files and removed the RAT from the honeypot.
Well, luckily Whisperer 4 was on the Honeynet and it got his / her email when he / she updated the RAT config via email SMTP. That's why you should NEVER use unencrypted SMTP. :P So naturally, I sent him / her an email, POLITELY.
Thanks for staying on my PC for the past 2 months.
Firstly, I must thank you for being a nice hacker by uploading your RAT msi with both your client and server inside. It was a well written piece of code, but I am pretty sure you did not write that anyway.
Secondly, I thank you for actually screening through those files on D: and confirming that they were ALL porn. I did not really have a look through all of them myself.
In order to evade me, you must have packed your files several times when you performed a remote upgrade, but that was why my AV had flagged you on the second week you were in on XX XX 2012. I even had to put in an exception rule in my AV for your RAT, but I guess you did not find out.
Your random changing of ports was good, perhaps a function built into your RAT, but it gave me lots of trouble to put in firewall rules so that your RAT could connect properly outside.
Your other tools weren't impressive, but I guess it's your fault for not testing them against a W2K8 server.
I guess you should at least have thanked me for the 600GB of porn which you so patiently downloaded. I thought you would have realized by the first 50GB or so...
Lastly, I would like you to know I actually downloaded The Avengers 2012 1080p BRrip X264 2 2GB YIFY, but it's on the M: drive. Why did you not look there, but kept staying on my C: and D:? Was it for the porn?
Thank you for participating in the malware collection exercise on my honeynet.
How many of you laughed? I don't know. I sure as hell laughed my head off.