The rise and fall of xVisceral
When he was free, Michael Hogue was a gamer like most of the kids his age.
In 2008, he was 17 years old playing Halo 3 in a drive to rise to top rank 50 in each mode of play. He tried and tried again but couldn’t quite reach that peak rank in one mode.
“I couldn’t seem to get it in Squad Battle,” wrote Hogue. “I was stuck at a 45.”
One day, in another game mode (Team Slayer), Michael was booted from his game by a player named HgB RoBeRt. Hogue immediately messaged Robert and asked him how he did it.
“Strange enough, the guy actually went on Teamviewer [remote control software] and gave me XR Hostbooter 1.4, Biozombie, portforwarded for me and gave me 50 bots. For no reason. He probably made me one of his bots, but that wasn’t the point, I could boot on Xbox Live. I started doing it regularly.”
Host booting is a form of DDoS (Distributed Denial of Service) attack. The user infects computers, which become zombies (or bots) at the user’s disposal. With enough bots, the user can knock a specific IP address offline by flooding it with more packets than its connection or hardware can handle.
“The person’s modem or router becomes overwhelmed with information and slows down, possibly stops working depending on the size of your attack,” wrote user Brent328 in a newbie’s tutorial. “Host booters are usually used for cheating in video games, but many have a TCP or SYN flood options for attacking websites.”
HgB Robert had just introduced Michael to the basics of hacking and then handed him 50 weapons to work with. Hogue was hooked.
Michael played Halo into 2009 under names like xVisceral, IX VisceraL, xvisvis, Severed Saviorr and zParasite.
When the hacks Robert provided didn’t work on the newly released Windows 7, Michael decided he’d code his own tools.
First, Hogue set out to teach others how to boot, creating a website and YouTube videos for the purpose. Soon, people were ripping his videos and reposting them with infected links.
“I figured I would join in on the fun,” said Michael, known more widely by then as xVisceral. “I binded a poison ivy RAT to the XR Client. I managed to get them the same file size, with the same icon and same assembly information, so people believed it was legit. Many people learned how to boot, but whenever they got bots, I would update the DNS to mine, take their No-IP if possible, and delete all of their tools with Poison Ivy. I’m not proud of that, but, well, it happened.”
You’re going to need to know a few terms and acronyms to follow this story. Most importantly:
With an already sizable fan base that he was infecting with RATs, xVisceral was looking to get better at coding malware. He found two hacker forums that would be invaluable to his growth: uNkn0wn.eu and Hack_Hound. On uNk and HH, Michael found a knowledgeable and experienced community willing to teach him what he wanted to know about coding and to sell him the malware he wanted to buy.
xVisceral cited a few specific people who played a big role in his growth as a hacker: Users Stel and iD on uNkn0wn and Drizzle, Squeers, Pringles and Carbon on Hack_Hound showed Michael the ropes in those early days.
On uNkn0wn, xVisceral purchased a crypter called D-Crypt. A crypter is software that hides viruses, RATs, keyloggers and other malware from anti-virus products: it encrypts the payload and wraps it in a small loader, the stub, which decrypts and runs the payload when the victim opens the file. He’d pay $100 for one stub, a small but vital piece of any infection. Because anti-virus signatures matched the stub rather than the encrypted payload inside it, a fresh stub would remain fully undetectable (FUD) by anti-virus programs for over a month.
“With no proactive defense, it was amazing,” wrote Michael. “I would put up the same Adobe Photoshop CS4 torrent every day, and get over 1,000 infections per week.”
One of the hackers who sold the crypter and stubs to Michael was named Marjinz. It was through these purchases that Michael would befriend Marjinz. Eventually, Marjinz would become one of the most important people in Michael’s life bar none.
In late 2009, Michael began developing his own hacks. He spent six months learning to program in Visual Basic 6 for his first release.
xVisceral 1.0, a potent DDoS attack tool, was released in February 2010 at a cost of $15. Michael, a budding marketer even then, produced a long and attractive feature list for customers:
This is a screenshot of version 1.0d:
In late 2009, xVisceral was moving to a new community. uNkn0wn, his primary hangout, had been hacked itself and was taken down. He found and became part of a growing community on HackForums.net. This is where he first marketed his software.
In the world of hacking, HackForums is an interesting community. Because it’s huge (with 388,626 members) and extremely active, it’s unquestionably a valuable learning resource. HF attracts a wide range of people but is particularly famous for the masses of young newbies populating the forums, teenage hackers (or script kiddies of any age) often derided as pompous, obnoxious and ignorant by other communities and more experienced hackers of all persuasions. Even and especially HackForums regulars openly insult much of the community on the site.
Over the course of his two and a half year membership, xVisceral would make 9,255 posts on HackForums. Although he was occasionally active in other communities (here he is on BlackHatWorld), HF became his home.
In 2009, 18 year old Michael Hogue enrolled in the University of Arizona. He would take at least a few computer science courses in the years he attended.
Shortly after the release of xvisceral 1.0, Michael produced xvisceral Mini (seen to the right).
Sales had been slow. xvisceral 1.0 sold about ten copies, netting Michael roughly $150 for months of work. xvisceral Mini was released for free. Although that didn’t help Michael’s bank account, he did gain a wider following. Whenever bugs or feature requests were sent out, Michael responded quickly, helping him to first earn a reputation for great customer support that would last for the rest of his hacking career.
In January 2010, Michael registered xvisceral.com to help organize his sales and activities. He used his real name and address (in Tucson, Arizona) to do so.
Up to this point, xVisceral’s programs provided tools for basic DDoS attacks. They were good but perhaps not great. He’d made only a small impact on the hacking scene and put an even smaller amount of change in his pocket.
Things were about to get a lot more interesting for xVisceral. Within a week of releasing xvisceral 1.0, Michael made the most important purchase of his life.
Over on the Hack_Hound forum, someone was selling the source code to a RAT coded in Visual Basic 6. That was an environment Michael knew, but a fully functional RAT was a tool beyond his modest skill set. He wanted to learn how it worked, how to build on it and how to make money from it.
“He wanted the source for $400, Western Union only, and I must send first and wait until he had picked it up,” wrote Michael. That’s a tall order and one that most people would turn down for fear of being scammed. “The user’s name was Marjinz. I remembered a guy who was nice to me and sold me a very well coded crypter about a year in the past, so I trusted him. The sale went through, and I had spent $400 of my $500 that I had in the bank. If this project was a bust, then I would have gone broke.”
Michael soon released xvisceral 2.0 at a cost of $30. The name was the same but the tool was leaps and bounds more advanced. Instead of just DDoSing, this was a RAT that could take over another person’s computer completely and use it at will. DDoS was only one of the weapons in its arsenal.
This is a screenshot of xvisceral 2.1:
Michael described the reception to version 2.0:
This RAT actually sold pretty well. Well enough that I made back my initial $400 deposit in only a few weeks. However, after a while, customers were asking for features that I simply could not code. I wasn’t experienced enough. And instead of trying to copy paste my way out of this one, I contacted marjinz. I said, hey, want to make some money? I’ve built up a customer base, and with your work, we can make some money. He didn’t even hesitate. Or negotiate. He simply said, “Sure, let’s go 50/50. But we must change the name.”
The name of the program was changed to Blackshades NET, a title taken from an old forum Marjinz once ran.
With Marjinz and xVisceral working together on Blackshades NET 2.3, the price spiked to $100 and then, after sales slowed, quickly dropped to $50.
The release thread for Blackshades NET 2.6.1 explained how the company was paid by customers in 2010:
Payment is Simple: I accept these payment methods
- Liberty Reserve
- Western Union
The price is a light, one time fee which includes all updates of the program
For Question/Sales information contact:
- MSN – firstname.lastname@example.org
- E-Mail – email@example.com
xVisceral would eventually add Paypal and Plimus to the list of accepted payment methods. Both of those methods would prove inconsistent but not overly problematic for Blackshades over the years.
“I worked on features that I could handle,” said xVisceral, “things such as tool-tip notifications, flag icons, website visitor, etc. Marjinz worked on adding a webcam feature, as well as recoding the entire connection method of Blackshades. It allowed commands to be sent with a better packet header, which allowed things to be much easier and for all commands to be sent with one function.”
We started to gain a lot of momentum. People were buying the product and telling their friends. Every single day we would get many customers. And we loved it. It was summer [of 2010], and I remember this summer very vividly. I worked very, very hard with Marjinz that summer to make sure that we put the best product out there. Many things, like Torrent Seeding, Alerts, and whatever else was suggested at us was thrown in there. Marjinz had a lot of time, and I had a lot of time. We really put our everything into it.
xVisceral remained the public face of Blackshades. He solicited comments and suggestions from the community. “We are looking for more options to make it a better product for you. This thread doesn’t even have to be specifically about Blackshades NET. I am just interested: What do you look for in a RAT/Bot? What have you never seen in a bot that would be useful?”
New releases of Blackshades came out every couple of days. Customers were enthusiastic about Blackshades. For their part, xVisceral and Marjinz were happy about the money coming in.
In 2009, HackForums was put up for sale. One potential buyer going by the username m4v3r1ck offered to pay “a reasonable price for the site,” said HF owner Omniscient. The final sale didn’t go through because m4v3r1ck wanted to turn HF into a “black hat” carding forum on which credit card thieves could do business and talk shop. Omniscient turned down the deal because, he said, it would have been bad for the community.
Instead of an outright sale, a partnership emerged. Omniscient and m4v3r1ck (who paid Omniscient “good money in cash”) met in person to cement the partnership. In an effort to keep HackForums somewhat clean, Omniscient would direct illegal black hat activity to the new site. In June 2010, the new site, http://www.carderprofit.cc, came online. CarderProfit was, of course, a criminal carder’s forum. Top members on HackForums (known as ub3r and l33t level members) automatically received a VIP membership on CarderProfit. xVisceral was a top (ub3r) HF member and immediately became active on the new forum.
Michael registered on CarderProfit using his well-known xVisceral nickname and firstname.lastname@example.org as his account’s verified email address, thus irrevocably linking himself to the account.
On June 30, xVisceral contacted m4v3r1ck, the site’s administrator. Michael wanted to become an “approved vendor” on the site so he could sell the Blackshades RAT to other carders. Making contact on MSN Messenger (using the name “email@example.com”), Michael asked m4v3r1ck to review his RAT. This was the first time Michael made a serious attempt to advertise and sell Blackshades away from HackForums.net and his own Blackshades domains.
Later that day, Michael gave m4v3r1ck a copy of Blackshades to download for free. In order to show m4v3r1ck just how good the program was, Michael provided him with instructions on how to connect to computers that Michael had infected with the RAT. m4v3r1ck saw nine computers infected in Germany, the United States, Denmark, Poland, and Canada. To complete the test, m4v3r1ck successfully initiated keylogging on all the victims.
When the administrator asked if he had to manually turn on keylogging, Michael explained just how he was easily able to get credit cards using Blackshades:
it auto does, and you can download from all at once, or scan for keywords, or digits and if it detects a Credit Card is being entered it can send screenshots to FTP and you can scan for digits that are 16 in a row :P
Blackshades was an extremely capable product. Michael was proud of it and confident in his ability to sell more. He readily explained the ins and outs of the program to the administrator.
m4v3r1ck : How many [infected computers do] you Currently have?
xVisceral : too much time spent with sales to ever attempt to get any :P maybe 50-100 through
m4v3r1ck : ah ok. do other people have a lot?
xVisceral : yeah there are people with thousands.
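The “scan for digits that are 16 in a row” trick xVisceral describes above is the same primitive a defender uses when hunting for card numbers in captured keystrokes, exfiltrated files or logs, and it has the same weakness: session IDs, phone numbers and timestamps also produce 16-digit runs. The following is an added example, not Blackshades code and not anything posted by xVisceral; it runs a naive 16-digit scan over a constructed log and then filters the hits with the Luhn checksum that every issued card number satisfies. The sample log text, the brand prefixes and the function names are assumptions for illustration (the two valid numbers are the standard Visa and Mastercard test numbers).

```python
import re
from typing import List, Optional

# Constructed sample of what a keystroke log might contain (hypothetical data;
# the two Luhn-valid numbers are the standard Visa/Mastercard test numbers).
SAMPLE_LOG = """\
user typed: 4111111111111111 exp 12/26 cvv 123
session id 1234567812345678 (not a card)
order total 5105105105105100
phone 0123456789012345
5105 1051 0510 5100 spaced
"""

# A run of exactly 16 digits, optionally separated by spaces or dashes, that is
# not part of a longer digit string.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum, as used by all major card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_scan(text: str) -> List[str]:
    """The '16 digits in a row' check: every candidate, separators stripped."""
    return [re.sub(r"[ -]", "", m) for m in DIGIT_RUN.findall(text)]


def luhn_scan(text: str) -> List[str]:
    """Same scan, keeping only candidates that pass the Luhn checksum."""
    return [d for d in naive_scan(text) if luhn_ok(d)]


def guess_brand(digits: str) -> Optional[str]:
    """Issuer-prefix check for the two 16-digit brands in the sample (assumed: only these two)."""
    if digits.startswith("4"):
        return "visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    return None


if __name__ == "__main__":
    print("naive hits:", naive_scan(SAMPLE_LOG))
    print("luhn hits: ", [(d, guess_brand(d)) for d in luhn_scan(SAMPLE_LOG)])
```

On the constructed log the naive scan returns five candidates and the Luhn filter keeps three, all of them real test card numbers. Luhn is a checksum, not proof: about one random 16-digit string in ten passes it, so a scanner still wants the issuer-prefix check and some context around the hit. A card typed with backspaces, or split across two windows, also defeats a line-level regex, which is one reason the RAT additionally sent screenshots.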
One rumor on HackForums held that Michael had been stealing credit card information since before Blackshades existed.
xVisceral kept frequenting CarderProfit for two years.
Soon after the first version of Blackshades, a hacker named Hellb0y began cracking Blackshades and releasing the program and source code for free within 24 hours of each release.
“This meant that a lot of free BS NET versions were out there,” wrote Michael. “People used them and liked them. We eventually paid Hellb0y a lot of money, and he came onto our side, and even disabled some of his cracks. The users who could no longer RAT, or wanted an update, came to us to buy. It really marked the take off of Blackshades NET. Sales dramatically increased.”
This is one of the signature moments of xVisceral’s career: he was faced with a major problem that could be solved only with money. He happily and smartly spent the cash and got a great return on his investment.
xVisceral was a mediocre programmer. However, with Marjinz on his team, he didn’t need to be the best. Aside from spending cash smartly, xVisceral had two other signature characteristics that endeared him to the HackForums community: he was an ace marketer and he provided great customer service. With those, he contributed a great deal to building a fantastic product.
“Well what can i say, this rat is great, and xvisceral keep updating it,” wrote customer Bloox. “We had a small bug, we posted in support forum, and it was fixed in less than 24 hours. Very stable, and great features. i will always vouch for this great software and for the coder.”
“I vouch for this, it’s a very effective, multi-function piece of kit,” wrote another customer named Blair. “I use a modded version myself and it is truly amazing. It has more functions than all other RATs and it’s VB6 (no dependencies). All the functions work great. But… is it designed for evil?”
Sales increased and Blackshades expanded into new products. Blackshades Recovery and Stealer (for recovering and stealing passwords), Booter, Scanner (an anti-virus tool), Bot and VPN (Virtual Private Network, used to obfuscate the location of the user) were all successes adding value to the Blackshades software and brand. Blackshades NET, the original RAT, remained the product at the center of the Blackshades universe. Today, Blackshades offers a dozen different products.
The design of the products improved in the 3.x versions, making them easier to use and lending them an increased air of professionalism. The design was purposefully reminiscent of highly regarded and highly expensive Adobe products as well as other successful Windows software suites.
“At this point, I had over 1,000 contacts on MSN, and would receive over 100 PMs per day,” wrote Michael. “It was ridiculous, and I was about to tear my hair out. I tried making a forum for the users to get support on, but all my free time had to be spent monitoring the servers, answering PMs or helping people out over MSN. The forum failed because I wasn’t active enough — the members were actually too active that I took it down not to waste their time. After a little bit, I did need some help.”
In October 2010, Blackshades allowed users to control bots from an “iPhone, iPod touch, linux, mac, or anything with internet and cookies.” xVisceral called it “hands down, our most unique feature.”
Blackshades made its 600th sale on October 15, 2010. At $50 per license, that meant Blackshades had earned its two co-founders at least $30,000 in half a year.
By January 2011, the situation had escalated further. Michael hired a user named Orgy to build bshades.com. “On the website, users would be able to get their downloads, update their account, compile their binaries — many things. But most of all, submit support tickets, where appointed staff could help them out.” The site went live in April 2011.
By this point, Blackshades was extremely popular. It was considered by many to be the best RAT on the market.
Blackshades calls its program “professional computer surveillance.” The promotional video calls the software “the perfect tool you’ve been looking for.”
Amazing features & easy to use
You’ll gain complete control over any computer with Blackshades.
Spy on cheating boyfriend/girlfriend. Why not kids?
You don’t have to be an expert to get started. It’s designed for beginners and experts.
The more recent marketing material lists many of the possible legal uses of the tool:
Blackshades never openly acknowledges that its software is used to co-opt credit card numbers and commit other crimes. It is, by their calculations, the fault of the user, not the product.
Soon after launching, the Blackshades website attracted hundreds of users seeking support every day. Michael became overwhelmed when receiving several hundred messages per day. He attempted to hire support help with salaries starting at $26,000 and potentially rising to $52,000 per year. However, he couldn’t find the right fit.
“I tried hiring support many times, but to be honest, they all couldn’t cut it. Nobody could provide support as well as I could. I’m not trying to be mean, but I knew Blackshades in and out. I knew every issue everyone ever spoke of. It just didn’t make sense to let others do my work for me. However, I had to. I had a new job, that was a real job, and time wasn’t really on my side. I let it continue on for another month, with the support clearly providing bad support. I didn’t really know what to do about it. I tried training the support, but they just simply couldn’t provide the same level of service. I didn’t know what to do. I was tired of the same thing every day for the past two years. I needed out.”
In March 2011, as part of the one year birthday celebration, the price of Blackshades was permanently reduced to $40.
In July 2011, xVisceral resigned from Blackshades. He was burned out, he said, and had lost interest in the product and the entire hacking scene. Marjinz tried to persuade him to stay. Marjinz “to a point, begged me to stay,” said Michael. “He knew it would be hard to replace me because for the past two years, I had been the one supporting Blackshades and building up the customer base.” Michael couldn’t be convinced. He soon left.
Blackshades continued to take on paying customers (hitting over 4,000 customers by March 2012 according to the company plus an uncountable number of users who pirated the program). However, they took a hit elsewhere.
“Since I left, the level of respect for Blackshades is nowhere near as high as it was when I was first here.” wrote xVisceral.
Several of xVisceral’s replacements were widely criticized as disappointments for their poor attitude, rudeness, ineptitude and lack of commitment.
In March 2012, Michael returned. The reasons were simple: he was looking for a new place to live and wanted extra money. He was bored and wanted a new project.
“I emailed marjinz, and he was interested in talking again, but made it very clear that there was no reason for him to bring me back if he was going to make less money,” wrote xVisceral. “We talked on Skype, and I learned a lot about what had happened over the seven months that I was gone. Even so, I was still interested, and on March 23, I was officially back with Blackshades, but on a much lesser role.”
With the decreased workload and a bigger team working at Blackshades, Michael made less than a fifth of his previous pay. Even so, the “lesser role” he was taking on soon began to resemble his old one in major ways. Although he had blamed his burnout on the overwhelming number of Blackshades-related messages that reached his old MSN Messenger account, he created a new Messenger account within days of his 2012 return. Michael ran a promotional contest and began attempts to reform and expand the Blackshades community.
By May 2012, he had made over $40,000 from his work on Blackshades alone.
By June 2012, Blackshades had long been one of the most popular RATs available to the public (along with the less capable DarkComet RAT). Of course, it wasn’t just the public that was using Blackshades. In the wake of the Arab Spring, Blackshades had found its way into the Syrian civil war. The RAT was being used as a weapon by the Assad government against opposition forces.
The latest attack covertly installs a new remote access tool, Blackshades Remote Controller, whose capabilities include keystroke logging and remote screenshots. [The new campaign] has been discovered via a message sent from a compromised Skype account to an individual working with the Syrian opposition. Roughly translated, the message reads: “There is a person who hates you, and keeps talking about you. I took a screenshot of the conversation. Please beware of this person, as he knows you personally. This is a screenshot of the conversation.”
When the user clicked the link, a .zip file was downloaded to the computer. Unzipped, a .pif file (an extension Windows treats as an executable, and one Explorer never displays) claims to be an “important new video.” In fact, the file contains a keylogger along with several other dropped programs. The user is effectively infected with Blackshades, losing control and privacy to the invader. EFF has a basic guide to the attack and Citizen Lab goes deeper on the technical side.
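The lure described above, an archive whose member presents itself as a video but carries an executable extension, is easy to triage mechanically before anyone double-clicks it. The following is an added example, not taken from the EFF or Citizen Lab analyses; it builds a constructed zip in memory with a member named like the Syrian lure and flags members by executable extension, by a decoy double extension, and by the MZ header that marks a Windows PE file regardless of what the name claims. The member names, the fake PE bytes and the extension lists are assumptions for illustration.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs directly on double-click (assumed list for the example;
# .pif is the one used in the Syrian lure).
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "lnk", "js",
                   "jse", "vbs", "vbe", "wsf", "hta", "msi"}
# Extensions an attacker likes to place in front of the real one as a decoy.
DECOY_EXTS = {"mp4", "avi", "wmv", "mov", "jpg", "png", "pdf", "doc", "docx"}


def member_findings(name: str, head: bytes) -> List[str]:
    """Return the reasons a single archive member looks like an executable lure."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXTS:
        findings.append(f"decoy extension .{parts[-2]} before .{ext}")
    if head[:2] == b"MZ":  # DOS/PE header: a Windows executable whatever the name says
        findings.append("PE header (MZ) in content")
        if ext not in EXECUTABLE_EXTS:
            findings.append("content/extension mismatch")
    return findings


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """Inspect every member of a zip held in memory; map flagged names to findings."""
    report: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)   # only the first bytes are needed for the header check
            found = member_findings(info.filename, head)
            if found:
                report[info.filename] = found
    return report


def build_sample_zip() -> bytes:
    """Constructed archive imitating the lure: a fake PE named like a video, plus controls."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical payload: just an MZ header and padding, not a real program.
        zf.writestr("important new video.mp4.pif", b"MZ" + b"\x00" * 64)
        zf.writestr("notes.txt", b"nothing executable here")
        zf.writestr("setup.bin", b"MZ" + b"\x00" * 16)   # PE behind an innocuous extension
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

Explorer hides the .pif and .lnk extensions regardless of the “hide extensions for known file types” setting, so the member above displays to the victim as “important new video.mp4”; a check like this one runs where the name is still visible, at a mail gateway or on the endpoint before the archive is opened. A production triage step would parse the PE headers beyond the two-byte magic and handle other container formats besides zip.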
By June of 2012, Blackshades had long been a worldwide phenomenon used as a weapon by criminals and, now, in at least one civil war. Blackshades dismissed the new Syria reports and has barely acknowledged the criminal reports about its software.
What’s that old saying? Highly profitable and potent RAT malware doesn’t kill people — people kill people!
On June 26, exactly one week after the Syria reports, there was a knock on Michael Hogue’s door in Tucson, Arizona. He was arrested and charged with conspiracy to commit computer hacking (carrying a penalty of 10 years in prison) and distribution of malware (also 10 years in prison).
The hammer had fallen on xVisceral. m4v3r1ck was an FBI agent. CarderProfit.cc was an elaborate FBI sting, part of Operation Card Shop, a two-year operation spanning 13 countries on three continents and resulting in 24 arrests. The FBI called it “the largest coordinated international law enforcement action in history directed at ‘carding’ crimes.” Over 400,000 cards were “protected” as a result of the action, according to the FBI.
The details are in the warrant for Michael’s arrest:
Since individuals engaged in these unlawful activities on one of many other carding websites on the Internet, the FBI established CarderProfit in an effort to identify these cybercriminals, investigate their crimes, and prevent harm to innocent victims. CarderProfit was configured to allow the FBI to monitor and to record the discussion threads posted to the site, as well as private messages sent through the site between registered users. CarderProfit also allowed the FBI to record the Internet protocol (IP) addresses of users’ computers when they accessed the site.
HackForums members were immediately conspiratorial and on edge. Some of their most prominent members, including xVisceral, had been active on CarderProfit. Omniscient, HackForums’ founder and owner, had partnered with the site and directed members of all kinds towards it. Members wondered whether Omniscient was complicit. Did he help set up the sting?
Omniscient responded:
Seems some shit hit the fan today and a popular carding forum was actually an FBI undercover website. As such a couple prominent members here who were active there have been arrested.
I was notified this morning by members. I had no idea of this shit storm before today.
“My gut aches at the news,” he wrote. “It’s very unfortunate that I somehow got involved. That being said HackForums is not a BH [black hat] site and I don’t pity people who take chances the way those who were arrested have. I’ve never wanted that type of activity here and now you know why. It’s very dangerous. HF is an open forum where posts are not hidden and anyone can join. You’re a real dumb ass to admit to anything here.”
When m4v3r1ck was going to buy HF he said he was going to delete the site and start over with a BH Carding site. I told him that was a terrible idea but he gave the excuse he wanted a more exclusive site. Eventually his idea to start a new site with my help was formed. Makes me wonder if there wasn’t some legal reason like entrapment to delete the existing site.
Omniscient defended himself, saying he hadn’t spoken to m4v3r1ck in over 18 months and hadn’t mentioned or advertised CarderProfit in two years.
ZDNet reported on the rest of Operation Carder Profit:
Yet another cybercrime-friendly community was targeted in the operation, although the press release is not discussing the matter. The community in question, Fraud.su, currently returns an index page placed there by U.S. law enforcement agencies.
The operation appears to be widespread, as the web site of the UGNazi group (UGNAZI.com) is also defaced by U.S. law enforcement agencies.
xVisceral’s arrest made worldwide news largely because of his association with the famous Blackshades. Despite the sense of justice or outright schadenfreude expressed at Michael’s situation, there was little cause for celebration from “white hats” about a future demise of Blackshades. After all, Michael was merely the demoted co-creator, a marketer instead of the chief coder. By this point, he was replaceable — in fact, he’d already been replaced. The team had grown into a worldwide company with thousands of customers.
Even if Blackshades itself were shut down (it wasn’t and won’t be), early source code exists in the wild courtesy of Hellb0y’s 2010 cracks. That’s enough for other talented hackers to build their own customized RATs, and several have done exactly that. In the same way that the DarkComet RAT and the Poison Ivy RAT kept infecting machines well after their official support ended, Blackshades is guaranteed a bright future with many users no matter what.
Marjinz has refused to shut down. Blackshades continues to this day.