The FetzHost Scandal - Hackers Hacking Hackers
FetzHost – A Service Tailored to Hackers
In September of 2016, a new service tailored for cyber criminals appeared on the internet by the name of FetzHost[.]net. FetzHost[.]net, owned and operated by one Noah Zittrouer A/K/A Fetz, was a website allowing cyber criminals to upload their malware and viruses, and obtain a direct link to the malicious files. Direct links are perfect for cyber criminals who wish to spread their malware to as many computers as possible, as a direct link allows them to easily load their malware into exploit kits, share it with other cyber criminals, and basically install it onto targeted computers in the fastest way possible.
Noah Zittrouer started advertising this service on a hacking community called HackForums[.]net on September 21, 2016 to individuals using RATs, or Remote Administration Tools. Remote Administration Tools are an especially malicious form of virus, allowing the controller of the RAT to invade the privacy of their victims to an incredible degree. This invasion of privacy ranges from spying on the victim through their web camera, to obtaining a list of all of the victim’s saved passwords with a single click, all the way to the hacker being able to control the mouse and keyboard of the victim’s computer. RATs also give the hacker the ability to install additional malicious files quickly and easily without the infected users knowing. Essentially, Noah Zittrouer was advertising his services to a very malicious group of people.
In his advertisements, Noah Zittrouer boasted that the files uploaded to his service were not scanned by Anti-Viruses and that he would never distribute the files to Anti-Virus vendors for examination. He also claimed that any time Anti-Viruses flagged his server for distributing malicious files, he would quickly change the IP of the server to avoid those flags. This shows the effort Noah Zittrouer was going through to ensure his client base, cyber criminals, had the most efficient platform possible to infect mass amounts of computers.
Noah Zittrouer – The Boy Behind “Fetz”
Noah Zittrouer left quite a trail of bread crumbs behind for us to be able to put a face to the online alias “Fetz.” Before we follow the bread crumbs, let's quickly look at Noah Zittrouer's online actions over the last 2 years.
Before Noah Zittrouer began hacking, distributing malware, and assisting other cyber criminals in distributing their own malware, his online actions were quite reasonable. Noah Zittrouer simply seemed like your average online gamer who was interested in technology. He made many online posts regarding video games, music, and technology. He asked for assistance with his girlfriend, discussed family issues and his own health. He began researching web hosting and actually became quite involved in some specific hosting communities. Overall, he seemed like a decent kid using the internet the way it was intended to be used. However, there was a dark side that eventually developed with his posting patterns. Numerous discussions started by Noah Zittrouer regarding personal drug use started popping up and became more and more frequent. It appeared that he started experimenting very heavily with LSD, DXM, Marijuana and Prescription Drugs. Around this same time, his posts regarding malware started to increase as well.
Noah Zittrouer’s interest in malware was typical of someone his age. He saw a thrill in being able to do what others could not, to access information meant to be hidden, to be able to spy on people, all from the safety of his own home. However, where most people in his position draw the line, Noah Zittrouer did not. He dove deeper and deeper down the rabbit hole and into numerous underground hacking communities. It went from an interest to a job. Noah Zittrouer began purchasing and using expensive and sophisticated pieces of malware, such as Beta Bot and Hunter Exploit Kit. Beta Bot, which is sold in underground marketplaces for $800, is an extremely sophisticated piece of malware created to embed itself in a victim’s computer and never lose control. Hunter Exploit Kit is a malware delivery system that delivers malware onto a victim’s computer without them having to click or download anything. When used in conjunction, you have a very dangerous and professional malware operation on your hands. Additionally, Noah Zittrouer made a business of selling infected computers to other would-be hackers. Using Beta Bot and Hunter Exploit Kit, Noah Zittrouer was able to infect tens of thousands of computers, which he would then proceed to sell to other hackers to do as they wished with them.
All of that being said, it is clear that while Noah Zittrouer is a young individual, he is also quite smart. And when dealing with malware, he could also be incredibly dangerous. Using the information we discussed above, we have been able to map Noah Zittrouer’s actions over the last 2 years and ultimately follow quite a broad trail of bread crumbs that links his online persona with his actual identity.
I’m going to quickly recap how we were able to put a face to the name:
- On one of the underground hacking communities Noah Zittrouer frequented, he posted an email publicly asking a member to contact him.
- Using that email, we were able to locate an older account on the website freevps.us by the name of fetzjr. On freevps.us, the account fetzjr was advertising the website upost4vps.com.
- Doing a historical whois lookup on the domain upost4vps.com, we were able to determine that the domain was registered in 2012 using the name Fetzer Zittrouer from Savannah, Georgia. The registrant email was [email protected]
- Using the names Fetzer Zittrouer and Noah Fetzer, we began doing Google searches with variations of the two names. We eventually came across an online obituary for a Richard Zittrouer (Noah’s grandfather) from 2015, which listed the family members of the Zittrouer family. Through this we were able to determine Noah Zittrouer did indeed exist, and he lived with his parents Richard and Kelly in Georgia.
- With that information, Facebook accounts, additional email accounts, and other personal accounts were located and accounted for. Looking for a comment from Noah Zittrouer himself, I decided to text a number that appeared to belong to him. Sure enough, Noah replied and spoke with me briefly. Through our brief talk, Noah Zittrouer confirmed his identity, confirmed his online alias is Fetz, and admitted to using malware, Beta Bot specifically, online. He also admitted to being the owner and operator of fetzhost[.]net.
Fetzhost – Going Rogue
In November of 2016, an urgent message was posted on a hacking community that something strange was going on with fetzhost[.]net. A user by the name of “aidenhera” posted stating that when uploading malware to Fetzhost, the download link you received in return was for a different file. Normally, when uploading a file to Fetzhost, upon a successful upload, you were then given a direct link to your file on the server. By using this direct link, you can quickly and easily link others to the download for this file. This can be useful when sharing files with friends, and is necessary when spreading malware to new victims. However, in the case of Fetzhost, something was wrong. The direct link being given to the cyber criminals making use of Noah Zittrouer’s services was not linking to their files, but instead was linking to Noah Zittrouer’s own malware. Noah Zittrouer attempted to hide this by configuring his server to rename his malware to the same name as the malware being uploaded by cyber criminals, but there were plenty of identifying factors that raised red flags right away. Very quickly, people in the hacking community started uploading safe and innocuous files to Fetzhost, only to get a very malicious file in return, using the same name as the original file.
As a final test, a user by the name of “ThatUnnamedWhiteDude” uploaded the application PuTTY to Fetzhost. PuTTY is a well-known and safe application used by webmasters to manage their servers.
The file uploaded to Fetzhost:
* File size: 518kb
* SHA256: 9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91
* When scanned by numerous anti-viruses, 55 of 56 marked the file as safe (1 false positive).
The file returned by Fetzhost:
* File Size: 138kb
* SHA256: a189910ef5892ea53bb744637027ee449fba487d4bcdf7148b2d779585c18ee2
* When scanned by numerous anti-viruses, only 4 marked the file as safe; a whopping 52 anti-viruses flagged the file as malicious.
The detections across the board were variations of: Win32.Trojan.Neurevt.d, Win32:Neurevt-J [Cryp], Trojan.Win32.Neurevt.a (v), Trojan.Neurevt.AN4, etc…
As you can see, Neurevt is common throughout the detections. Neurevt is the name Anti-Virus vendors have assigned to the malware Beta Bot, the $800, highly destructive, piece of malware that we mentioned earlier in this article.
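The observation above, that one family name recurs across differently formatted vendor labels, can be checked mechanically rather than by eye. The following is an added example, not part of the original article; the GENERIC token list, the length cutoff and the 50% threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Tokens that name a platform, type or packer rather than a family.
# This short list is an assumption for the example, not a vendor standard.
GENERIC = {"win32", "win64", "trojan", "cryp", "generic", "variant",
           "malware", "agent", "heur", "backdoor", "dropper"}

# Vendor family name -> common name, as stated in the article.
ALIASES = {"neurevt": "Beta Bot"}


def family_tokens(label):
    """Return the candidate family tokens found in one vendor label."""
    found = set()
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        # Short tokens are variant suffixes (d, j, a, an4); digits are IDs.
        if len(tok) < 4 or tok.isdigit() or tok in GENERIC:
            continue
        found.add(tok)
    return found


def family_consensus(labels, min_share=0.5):
    """Pick the token shared by at least min_share of the labels.

    Returns (family, share); family is None when no token is common
    enough, so a handful of unrelated labels does not yield a name.
    """
    if not labels:
        return None, 0.0
    votes = Counter()
    for label in labels:
        votes.update(family_tokens(label))  # one vote per label per token
    if not votes:
        return None, 0.0
    token, count = votes.most_common(1)[0]
    share = count / len(labels)
    if share < min_share:
        return None, share
    return ALIASES.get(token, token), share


# The four labels quoted in the article, plus one constructed generic label.
ARTICLE_LABELS = ["Win32.Trojan.Neurevt.d", "Win32:Neurevt-J [Cryp]",
                  "Trojan.Win32.Neurevt.a (v)", "Trojan.Neurevt.AN4"]
CONSTRUCTED_GENERIC = "Trojan.Generic.KD.12345"

if __name__ == "__main__":
    print(family_consensus(ARTICLE_LABELS + [CONSTRUCTED_GENERIC]))
```

A label that carries no family token, like the constructed generic one, lowers the share without changing the verdict, which is why the threshold is applied to the fraction of labels rather than to a raw count.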
This wasn’t a one-time event either. Every single file uploaded to Fetzhost was returned with a link to a new file, always detected as Beta Bot A/K/A Neurevt. The hacking community started digging deeper into this and started analyzing the files being masqueraded as their own. Within a few hours, they had traced the rogue file back to a web-based control panel, known as a C&C or a botnet control panel, which is used for managing infected computers. These control panels act as command and control centers for hackers. From here they can collect their stolen data and deliver commands to the infected computers, among numerous other tasks. This panel is what delivered the final blow to Noah Zittrouer.
Up until now, Noah Zittrouer had been stating the server was having issues and that he would fix it. He told people not to worry. However, after analyzing the malicious files being distributed by Noah Zittrouer’s website to his clients, a shocking discovery was made. The malicious files were linking back directly to csgonature[.]com/fetz/order.php. Noah Zittrouer was using his own alias in his botnet’s control panel, immediately incriminating himself and putting himself in the crosshairs of the entire hacking community. Noah Zittrouer was using his website to steal infected computers from his client base. Time and time again, this was even being used to infect the other cyber criminals who were unfortunate enough to run files downloaded from Fetzhost on their own computers. Noah Zittrouer was literally a hacker, hacking other hackers, as well as stealing vast quantities of infected computers from other hackers. Suddenly it became clear to everyone where Noah Zittrouer was obtaining the infected computers he was selling to other criminals. He was simply siphoning them from people using his services.
Leaked screenshots from Noah's Skype show that he knew FetzHost was essentially backdooring client files. This also means all of his excuses that he didn't know why the files were being switched out were simply lies. He knowingly and deliberately subbed client files out for his own.
Additional leaked screenshots from Noah's Skype account show additional malicious acts taking place.
It appears that after buying Beta Bot and XerxesHTTP, he was lying to the developer(s) of the bot to get rebuilds that he could later sell. The following screenshots show Noah attempting to sell malware to users for profit.
- Pictures documenting all above events have been taken and will be added to article when published.
- Back-ups of all relevant web pages have been made to avoid any attempts of a cover up.
- Family will be contacted shortly for comment and to notify them of their son’s actions so they can prevent further damage from taking place and monitor Noah.
- Noah became hostile when we mentioned that we would not speak with him further without parental consent. Prepare for him to try to intervene when we contact his household. We have what we believe to be personal numbers for Kelly and Richard as well as a work number for Richard.
- We have not contacted law enforcement due to Noah’s age. Hopefully parental intervention is enough. However, if we detect that Noah continues his actions, the FBI will be notified and raw data and evidence will be forwarded to them.
- Noah mentioned being arrested somewhere between Nov 11, 2016 and Nov 12, 2016 for unrelated reasons. Is this true? Can we find out more about this?
- Update: It appears that Noah was indeed arrested for drug possession (LSD) after purchasing it on the deep web.