booter.xyz and Proginter
After the VDOS booter shut down in early September 2016, other similar services also stopped working. That was the first obvious evidence that several other services might be using the same VDOS backends, the “engine” powering the attacks.
A quick review of the operative status of other “Stress Testing Services” during the 10-11th of September showed that the following booters stopped working:
booter.xyz
inboot-s.com
cstress.net
youboot.net
stresser.poodlecorp.org
delta-stresser.yxz
denialstresser.pw
The “XYZ” booter
We were already aware that the domains booter.xyz, booter2.xyz and inboot-s.com were closely connected to the Hackforums’ users Rainbow and Poni Walker.
These services were frequently endorsed by Apple J4ck, owner of VDOS. So why was Apple J4ck (Yarden Bidani) endorsing other stress testers?
Data released by DDOS investigations, the person that leaked data from VDOS servers, confirms that booter.xyz was in fact using VDOS as the backend engine.
In the leak, API requests from booter.xyz were recorded from IP address 220.127.116.11, which resolves as 18.104.22.168.germany.proginter.com and proginter-proxy.com.
22.214.171.124 - - [22/Sep/2015:14:04:26 +0200] "GET /?host=109.X.X.97&port=80&time=10&method=ntp&serverid=0&1337 HTTP/1.1" 200 - "-" "xyz"
Notice the string xyz in all the log entries. Booter.xyz ordered 180.000 attacks using the VDOS API from September 2015 to May 2016.
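The attribution step described above (grouping API orders by the User-Agent string the reseller's panel sends) can be reproduced over any access log in this format. The following is an added example, not code from the leak or from the investigators; the sample entries, the "other-panel" agent and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the shape of the entry quoted above.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Constructed sample entries (documentation-range addresses, made-up agents
# apart from "xyz"); they are not taken from the leak.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Sep/2015:14:04:26 +0200] "GET /?host=198.51.100.7&port=80&time=10&method=ntp&serverid=0&1337 HTTP/1.1" 200 - "-" "xyz"
192.0.2.10 - - [22/Sep/2015:14:09:02 +0200] "GET /?host=198.51.100.9&port=53&time=60&method=dns&serverid=1&1337 HTTP/1.1" 200 - "-" "xyz"
203.0.113.5 - - [22/Sep/2015:14:10:11 +0200] "GET /?host=198.51.100.7&port=80&time=30&method=ntp&serverid=0 HTTP/1.1" 200 - "-" "other-panel"
203.0.113.5 - - [22/Sep/2015:14:11:40 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def parse_api_request(line):
    """Return a dict for an attack-order request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    # Only requests carrying host, time and method parameters count as orders.
    if not query.keys() >= {"host", "time", "method"}:
        return None
    secs = query["time"][0]
    return {"src": m["src"], "agent": m["agent"],
            "method": query["method"][0], "seconds": int(secs) if secs.isdigit() else 0}

def summarize_by_agent(log_text):
    """Group orders by User-Agent: order count, source IPs, methods, total seconds."""
    summary = defaultdict(lambda: {"orders": 0, "sources": set(),
                                   "methods": Counter(), "seconds": 0})
    for line in log_text.splitlines():
        req = parse_api_request(line)
        if req is None:
            continue
        entry = summary[req["agent"]]
        entry["orders"] += 1
        entry["sources"].add(req["src"])
        entry["methods"][req["method"]] += 1
        entry["seconds"] += req["seconds"]
    return dict(summary)

if __name__ == "__main__":
    for agent, s in summarize_by_agent(SAMPLE_LOG).items():
        print(agent, s["orders"], sorted(s["sources"]), dict(s["methods"]), s["seconds"])
```

A User-Agent is client-supplied, so the grouping is only a lead until it is corroborated by the source addresses collected alongside it.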
It is not the first time that Poni Walker has been interested in purchasing booter APIs from other suppliers.
Remote access to a booter service allows re-sellers to build their own booter presence without the need to operate the backend infrastructure.
Who is PROG INTER?
Proginter.com is the hosting provider run and promoted by “Poni Walker”, aka Naftali. Naftali does web development projects and, like many other actors in the stress testing scene, provides both attack and defense services.
Archived documents from the site booter-xyz.blogspot.com, run by “Proginter Eden”, include a set of technical descriptions of how DNS amplification works.
Naftali “Eden Hen” also works in public relations and as a promoter of local musicians, helping them increase their “Internet visibility”.
What is going on with all those Ponis?
The actors in this case seem to be part of an informal group known as the “Poni Squad”. Members of the group have used the names Rainbow, Spai3n (now GoldSpiderr).
Who are some of the members of “My Little Pony”? Rainbow, Applejack…
Poni Walker, Proginter and social media
In his FB social media profile Poni Walker presents himself as a “מני קיצוני” right-wing extremist.
Internet resources allocated to PROGINTER in RIPE can be found here
Update 15th October 2016
New information received points to the same actor supporting the stress testing service instress.club and using the ID 1Kodak.