Why the CrimeBoss Exploit Kit has sent greetings to this blog

Some security researchers have found a Base64-encoded message addressed to this blog. It is embedded in malicious scripts related to Java exploits, and last week it was found in the CrimeBoss exploit kit.


However, some friends had already warned me about it earlier this year. The first time this message became public was in April, when the blog ElegantCode got hacked. They analyzed the code injected into the page and found that message. You can read the detailed post here.

The original encoded message is this:

/*
msg = d_hex( d_b64( ?? ) );
NTM2MTc1NjQ2MWU3ZjU2NTczMjA2MTZmNzMyMDZkNjU3NTczMjA2MzZmNmM2NTY3NjE3MzIwNjQ2
NTIwNzQ3MjYxNjI2MTZjNjg2ZjIwNjQ2ZjIwNjI2YzZmNjcyMDYzNzI2OTZkNjU3MzYzNjk2MjY1
NzI2ZTY1NzQ2OTYzNmY3MzJlNjM2ZjZkMmUwZDBhNTM2MTYyNjU2ZTY0NmYyMDcxNzU2NTIwNmU2
MTY0NjEyMDczNjE2MjY1NmQ2ZjczMjA2NTczNzQ2MTZkNmY3MzIwNjE2Y2U5NmQyMDY0NmYyMDYy
NjU2ZDIwNjUyMDY0NmYyMDZkNjE2YzJjMjA2MTY2Njk2ZTYxNmMyMDYxMjBmYTZlNjk2MzYxMjA2
MzZmNjk3MzYxMjA2MTYyNzM2ZjZjNzU3NDYxMjBlOTIwNzE3NTY1MjA3NDc1NjQ2ZjIwZTkyMDcy
NjU2YzYxNzQ2OTc2NmYyZTBkMGE1NTZkMjA2MTYyNzI2MWU3NmYyYzIwNjQ2ZjIwNzM2NTc1MjA2
MTZkNjk2NzZmMjA1MDczNzk2MzY4NmM2ZjJlMGQwYTYyNzkyMDUwNzM3OTYzNjg2YzZmMjAyZDIw
MzEzMTJmMzEzMTJmMzEzMQ==
*/

After you convert the Base64 to hex and the hex to ASCII with any tool (such as this one), you get a message in Portuguese that in English reads like this:

“Greetings to my fellow workers of the crimesciberneticos.com blog.
Knowing that we know nothing, we’re beyond good and evil, after all the only thing absolute is that everything is relative.
A hug, your friend Psychlo.
by Psychlo”
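The two decoding steps above are easy to get subtly wrong by hand (the `/` in the `/* ... */` markers is a valid Base64 symbol, and the message is not pure ASCII). The following is an added example, not code from the original post or from the exploit kit: it reverses the `d_hex( d_b64( ?? ) )` layering shown in the script comment. The Base64 blob is the one quoted above; the function names, the regular expressions and the choice of Latin-1 for the final step (the hex contains bytes such as 0xE7 for ç and 0xE9 for é, which a strict ASCII decode would reject) are all this example's own.

```python
"""Decode the nested Base64 -> hex -> text greeting quoted in the post.

Added example; not code from the original post or from the exploit kit.
The Base64 blob is the one the post quotes; everything else is assumed.
"""
import base64
import re

# The greeting as it appears in the script comment (copied from the post).
GREETING_BLOB = """/*
msg = d_hex( d_b64( ?? ) );
NTM2MTc1NjQ2MWU3ZjU2NTczMjA2MTZmNzMyMDZkNjU3NTczMjA2MzZmNmM2NTY3NjE3MzIwNjQ2
NTIwNzQ3MjYxNjI2MTZjNjg2ZjIwNjQ2ZjIwNjI2YzZmNjcyMDYzNzI2OTZkNjU3MzYzNjk2MjY1
NzI2ZTY1NzQ2OTYzNmY3MzJlNjM2ZjZkMmUwZDBhNTM2MTYyNjU2ZTY0NmYyMDcxNzU2NTIwNmU2
MTY0NjEyMDczNjE2MjY1NmQ2ZjczMjA2NTczNzQ2MTZkNmY3MzIwNjE2Y2U5NmQyMDY0NmYyMDYy
NjU2ZDIwNjUyMDY0NmYyMDZkNjE2YzJjMjA2MTY2Njk2ZTYxNmMyMDYxMjBmYTZlNjk2MzYxMjA2
MzZmNjk3MzYxMjA2MTYyNzM2ZjZjNzU3NDYxMjBlOTIwNzE3NTY1MjA3NDc1NjQ2ZjIwZTkyMDcy
NjU2YzYxNzQ2OTc2NmYyZTBkMGE1NTZkMjA2MTYyNzI2MWU3NmYyYzIwNjQ2ZjIwNzM2NTc1MjA2
MTZkNjk2NzZmMjA1MDczNzk2MzY4NmM2ZjJlMGQwYTYyNzkyMDUwNzM3OTYzNjg2YzZmMjAyZDIw
MzEzMTJmMzEzMTJmMzEzMQ==
*/"""

# A line is payload only if it consists solely of Base64 symbols (with optional
# padding). This drops "/*", "*/" and the "msg = ..." hint without touching the
# "/" characters that legitimately occur inside Base64 text.
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# The intermediate layer must be an even-length run of hex digits.
HEX_TEXT = re.compile(r"(?:[0-9a-fA-F]{2})+")


def extract_base64(blob: str) -> str:
    """Return the concatenated Base64 payload lines of a comment blob."""
    return "".join(
        ln.strip() for ln in blob.splitlines() if BASE64_LINE.fullmatch(ln.strip())
    )


def decode_layers(b64_text: str, encoding: str = "latin-1") -> str:
    """Reverse d_hex(d_b64(x)): Base64 -> hex string -> raw bytes -> text.

    latin-1 is an assumption of this example: the post says "ASCII", but the
    accented Portuguese letters occupy byte values above 0x7F.
    """
    hex_text = base64.b64decode(b64_text, validate=True).decode("ascii")
    if not HEX_TEXT.fullmatch(hex_text):
        raise ValueError("intermediate layer is not an even-length hex string")
    return bytes.fromhex(hex_text).decode(encoding)


def decode_greeting(blob: str = GREETING_BLOB) -> str:
    """Convenience wrapper: comment blob in, Portuguese text out."""
    return decode_layers(extract_base64(blob))


def non_ascii_bytes(blob: str = GREETING_BLOB) -> list:
    """Byte values above 0x7F in the decoded hex, i.e. the accented letters
    that make a plain ASCII decode of this message fail."""
    hex_text = base64.b64decode(extract_base64(blob)).decode("ascii")
    return [b for b in bytes.fromhex(hex_text) if b > 0x7F]


if __name__ == "__main__":
    # The message uses CRLF line endings (0d0a in the hex), so split on those.
    for number, line in enumerate(decode_greeting().split("\r\n"), 1):
        print(f"{number}: {line}")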

First of all, he is NOT my friend. :)

This blog is about cybercrime investigations, malware reverse engineering, intrusion analysis and so on. Thus, I sometimes find interesting material that lets me track Brazilian cybercriminals, and last year I came across some very interesting information about them.

Something went wrong

About one year ago, a reader sent me a message telling me that he had tried to access a website, but the index page was showing confusing content. See below.


Immediately I copied the source code and started the analysis. You can see the original code at Pastebin.

I took some of those strings, searched for them on Google and got about 14,000 results with the same code. So about 14K pages were defaced, most of them in Brazil.

The criminals used some kind of automated tool to deface and inject code into those pages, but it did not work well. As a result, it revealed a lot of information about them: how they operate, their accounts, logins, passwords, databases, etc.

One of the most interesting things is this snippet:

------------
Porrinha
------------
Counter .HTTP: http://anfeso1201.dominiotempo... Total: 559
Date: 28/09/2011
Counter .HTTP: http://r7on.com.br/porraloka/clie... Total: 1671
31/08/2011
Counter .HTTP: http://netransportes.com.br/ama... Total: 2000
07/09/2011
TOTAL INFECTS: 00.000 x 0,50 = 000,00
----------
Psychlo
----------
Agreed Amount: 1000
Counter HTTP: http://64.186.158.114/tzu.php Total: 1000
I owe him: 250,00
Total: 2214,00 I will send: 3000,00 I owe him: 786,00 - 250 = 536
---------
Cavalo
---------
Counter .EXE : 2053
TOTAL INFECTS: 5.000 x 0,50 = 000,00
Counter HTTP: http://200.98.201.13/~rex/tom/rel/inf4/?url=c Total: 3758
I owe him: 600,00

Here we can see part of the gang's accounting. There are three nicknames, and the author of the message (Psychlo) is one of them. We also see counters of infected computers, how much is paid for each infection (50 cents of a Brazilian Real) and how much the "boss" owes his "employees".

This shows why they maintain an infection counter. It is quite common to find malware that calls home and reports new installations: that is how they get paid.

We have other interesting snippets, such as this one:

miroslav.stampar@gmail.com Wordpress guy
8276 0241 Oi julimar

An email address, probably of a programmer, and a mobile phone number.

http://beta.statcounter.com/p7142950/entry_page/pageload/?url=http://www.cc.com/d.php
flashgame_co_cc
b470killer

Here they are using statcounter.com to count their infections, but they left the username and password exposed as well. With these credentials I logged into the account and gathered more information, probably the real name and email address of one member of the gang (maybe the boss).


In the original post I did further analysis and tried to put the pieces together. I found malicious scripts used in drive-by download attacks, FTP servers where they stored their files, web shells, PHP mailers used to send phishing, etc.

The post was widely read and commented on in Brazil; today it has about 70 comments. Interestingly, it also attracted attention from the bad guys: apparently even the authors of the malicious code read the post and left comments.

Take a look at the comments below to better understand the case. There are two guys, c0d3c4sh and Psychlo, talking about their criminal lives and their impressions of the post. There were also regular blog readers challenging their views (not shown here).

c0d3c4sh wrote on 11/09/2011:

“I finally managed to find out who was the UNOCCUPIED that disabled my auto infect! What anger, but no problem, it is already infecting everything and online again...
Another thing, I noticed that you didn’t understand why the applet writes a file in the system...
I just search on Google and find everything I want; if someone copies my applet, I can figure out where it goes or where it is being used by some bastard banker friend.
...
Let me steal in peace, thank you.”

Psychlo wrote on 11/09/2011:

“I like it! Great job.
I confess to being happy with my "few minutes of fame" while I've read my name in the post.
The internet is really a fantastic place where I can appreciate the work of those who look at mine. ;)
I am available at the email above for talks. Although I did not paint myself as a good boy, I certainly like to talk to interesting people.
...
I personally work in specific periods of the year and I say that in the coming months we will increase the “Christmas sales”. After all, everyone wants to be well on Christmas.
I can leak some information for you to do some cool posts, but I want more "fame". Put me on a more important blog. Put me on TV.
Hahahaha ... I liked the post.
I hope to come back here ;)”

Psychlo wrote on 11/09/2011:

"Ahhh, c0d3c4sh. You're complaining for nothing. I'm aware that you're full of money hahaha ...
Let the guys play CSI... After all, would you say that you do not like recognition!?
But the life of cyber criminals is not easy... not...
The system was born corrupt; whoever insists on defending and accepting it is nothing more than a simple servant of the owners of the money. The idea of this system is so absurd that it works!
I don't do that only for the money. I'd do it even if I earned nothing.
Why do I do that?
Just for fun. And what else would it be?!?
Well... I'll sleep... This post gave me an UP (motivation)... In the next tools I develop, which are on the "front line" and which you will have access to, I'll post greetings for your support. You motivated me to create better tools.
Thank you”

c0d3c4sh wrote on 11/15/2011:

"Look at me here again, crazier than ever, and I haven't been caught yet hahahahaha!
;) ...
Should I open my eyes? uhauhauhauha idiot, you make me laugh, you should open your eyes before accessing your Internet Banking.
This makes more money than drug trafficking, bro!
News soon”

Conclusion

It seems that last year they were using their malicious scripts to perform drive-by download attacks. This year, however, they improved a bit and packed the code into an exploit kit.

Although the use of exploit kits is quite widespread worldwide, Brazil has been different: only this year did they start using them to automate their attacks. As they said in the comments, they are trying to innovate and, of course, increase their profits.

6 comments:

  1. And another year goes by, huh folks!?

    My tool, made on 11/11 of 2011, has finally reached the eyes of this dear blog.

    So many days, so many things happen. Things that come and go.

    I worked so hard this year of 2012 that I am even exhausted. I got to September/October and burned out. It has been several weeks since I programmed anything. I can only stay a few minutes at the computer and, before I know it, I am doing something else.

    This year I went past my quota and beyond my limit. I hope to rest and come back renewed for this fantastic year of 2013 that is about to begin (if the world does not end).

    We will enter the glorious Age of Aquarius. And may its bucket full of water carry away the fish, wash our souls and prepare us for a new Era.

    Ah, just between us, this astrology business is not really my thing.

    But it seems that every time I am tired, you show up to renew my strength and show me that I have made some difference on this pale blue dot.

    Good, bad... Whatever; in a few years what is bad becomes good and what is good becomes bad. It is all a matter of opinion. Burning people in public is sometimes good, sometimes bad. Hating blacks and Jews is sometimes good, sometimes bad.

    We give ourselves too much importance. But if we have no importance, then what is the point of living? It is curious how the brain works. It needs a purpose, even if it is a false one. Lies are what move the world. If we all knew the truths, we would do nothing. Because, after all, there is nothing we can do.

    I hope to show up here again. And that, even without wanting to, we are working together.

    You motivate me when I am unmotivated. And I generate traffic and try to play my part in putting you in the spotlight, while you put me there too.

    We live in a kind of symbiosis (I think it would be more of a protocooperation). Even if we do not want to.

    Maybe we are not as good as we think we are. But we definitely have fun doing what we do.

    A hug to all. Have a good end of year.
    See you again. Maybe next year, or who knows when. I will keep mentioning you in the "front line" tools.

    Your friend, Psychlo.

  2. What a lot of nonsense typed! What really matters are the numbers of infections and phishing that are being blocked more efficiently. The reason? A real troop has decided to put an end to this bunch of worms called "bankers". It does not matter whether you develop tools, do phishing or infect computers, the net is closing in, and at some point the house comes down; your turn to pay for your "sins" will come.

    andre@defesadigital.com

  3. Congratulations on the blog! This blog is really awesome!

  4. Thanks for the concern, André. I will be more careful then.

  5. Very good blog, thanks for sharing your vast knowledge on the subject, Ronaldo!

  6. Ronaldo,

    Won't you do malware analyses anymore?
    The blog has been idle for months