Some security researchers have found a Base64-encoded message addressed to this blog. It is embedded in malicious scripts related to Java exploits, and, last week, it was found in the CrimeBoss exploit kit. However, earlier this year some friends had warned me about it. The first time this message became public was in April, when the blog ElegantCode got hacked. They analyzed the code injected in the page and found that message. You can read the detailed post here.
The original encoded message is this:
/*
msg = d_hex( d_b64( ?? ) );
*/
After you convert the Base64 to hex and the hex to ASCII with any tool like this one, you obtain a message in Portuguese that in English reads roughly like this:
“Greetings to my fellow workers of the crimesciberneticos.com blog.
Knowing that we know nothing, we’re beyond good and evil, after all the only thing absolute is that everything is relative.
A hug, your friend Psychlo.
by Psychlo”
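The two-layer decoding described above (Base64 first, then hex), as an added example that is not code from the post: a small Python decoder that locates the d_hex( d_b64( ... ) ) wrapper inside a script and recovers the text. The sample script, its blob and the helper names are constructed here for illustration, not the blob from the page.

```python
import base64
import binascii
import re

# The wrapper the post shows inside a JavaScript comment:
#   msg = d_hex( d_b64( <blob> ) );
# The argument may or may not be quoted; whitespace inside the blob is tolerated.
WRAPPER_RE = re.compile(
    r'd_hex\s*\(\s*d_b64\s*\(\s*["\']?([A-Za-z0-9+/=\s]+?)["\']?\s*\)\s*\)'
)


def decode_b64_then_hex(blob: str) -> str:
    """Undo the two layers the post describes: Base64 -> hex text -> text."""
    b64 = re.sub(r"\s+", "", blob)
    b64 += "=" * (-len(b64) % 4)  # restore padding that scripts often drop
    hex_text = base64.b64decode(b64, validate=True).decode("ascii")
    hex_text = re.sub(r"\s+", "", hex_text)
    if len(hex_text) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hex_text):
        raise ValueError("inner layer is not hex text; different encoder?")
    # The original message was Portuguese; decode as UTF-8 but keep going
    # on stray bytes so an analyst still sees the bulk of the text.
    return binascii.unhexlify(hex_text).decode("utf-8", errors="replace")


def extract_messages(script: str) -> list[str]:
    """Decode the argument of every d_hex(d_b64(...)) call found in a script."""
    return [decode_b64_then_hex(m.group(1)) for m in WRAPPER_RE.finditer(script)]


def encode_hex_then_b64(text: str) -> str:
    """Inverse of decode_b64_then_hex; used only to build constructed samples."""
    hex_text = binascii.hexlify(text.encode("utf-8")).decode("ascii")
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


# Constructed sample (hypothetical): a script comment carrying a greeting,
# shaped like the one on the page but with our own text.
SAMPLE_SCRIPT = "/*\nmsg = d_hex( d_b64( %s ) );\n*/\n" % encode_hex_then_b64(
    "Saudações aos analistas."
)

if __name__ == "__main__":
    for msg in extract_messages(SAMPLE_SCRIPT):
        print(msg)
```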
First of all, he is NOT my friend. :)
This blog is about cybercrime investigations, malware reverse engineering, intrusion analysis and so on. Thus, sometimes I find interesting material that allows me to track Brazilian cybercriminals, and last year I found very interesting information about them.
Something went wrong
About one year ago, a reader sent me a message telling me that he had tried to access a website but the index page was showing confusing information. See below.
Immediately I copied the source code and started the analysis. You can see the original code at Pastebin.
I took some of those strings, put them on Google and got about 14,000 results with the same code. So about 14K pages were defaced, most of them in Brazil.
The criminals used some kind of automated tool to deface those pages and inject code into them, but it didn't work well. Consequently, it revealed a lot of information about them: how they act, their accounts, logins, passwords, databases, etc.
One of the most interesting things is this snippet:
------------
Porrinha
------------
Counter .HTTP: http://anfeso1201.dominiotempo... Total: 559
Date: 28/09/2011
Counter .HTTP: http://r7on.com.br/porraloka/clie... Total: 1671
31/08/2011
Counter .HTTP: http://netransportes.com.br/ama... Total: 2000
07/09/2011
TOTAL INFECTS: 00.000 x 0,50 = 000,00
----------
Psychlo
----------
Agreed Amount: 1000
Counter HTTP: http://64.186.158.114/tzu.php Total: 1000
I owe him: 250,00
Total: 2214,00 I will send: 3000,00 I owe him: 786,00 - 250 = 536
---------
Cavalo
---------
Counter .EXE : 2053
TOTAL INFECTS: 5.000 x 0,50 = 000,00
Counter HTTP: http://200.98.201.13/~rex/tom/rel/inf4/?url=c Total: 3758
I owe him: 600,00
We can see some information about the cybercrime accounting. There are three nicknames, and the author of the message (Psychlo) is one of them. Additionally, there are counters of infected computers, how much is paid for each one (50 cents of a Brazilian Real) and how much the “boss” owes his “employees”.
Here we see the value of maintaining a counter of infections. It is quite common to find malware that calls home and sends data to report new installations. They earn money with that.
We have other interesting snippets, such as this one:
miroslav.stampar@gmail.com
Wordpress guy
8276 0241
Oi julimar
An email address, probably a programmer's, and a cell phone number.
http://beta.statcounter.com/p7142950/entry_page/pageload/?url=http://www.cc.com/d.php
flashgame_co_cc
b470killer
Here, they are using statcounter.com to count their infections, but they left the username and password exposed too. With these credentials I logged into the account and gathered more information: probably the real name and email address of one member (maybe the boss) of the gang.
In the original post I did further analysis and tried to put the pieces together. I found malicious scripts used in drive-by download attacks, FTP servers where they stored their files, web shells, PHP mailers to send phishing, etc.
The post was widely read and commented on in Brazil; today it has about 70 comments. However, it is interesting to note that it attracted attention from the bad guys too. Apparently even the authors of the malicious code read the post and left comments.
Take a look at the comments below to better understand the case. There are two guys, c0d3c4sh and Psychlo, talking about their criminal lives and their impressions about the post. On the other hand there are also the regular blog readers confronting their ideas (not shown in these comments).
c0d3c4sh wrote on 11/09/2011:
“I finally managed to find out who was the UNOCCUPIED that disabled my auto infect! What anger, but no problem, it is already infecting everything and online again...
Another thing, I noticed that you didn’t understand why the applet writes a file in the system...
I just put it on Google and I find all I want; if someone copies my applet, I can figure out where it goes or where it is being used by some bastard banker friend.
...
Let me steal in peace, thank you.”
Psychlo wrote on 11/09/2011:
“I like it! Great job.
I confess to being happy with my "few minutes of fame" while I read my name in the post.
The internet is really a fantastic place where I can appreciate the work of those who look at mine. ;)
I am available on the email above for talks. Although I did not paint myself as a good boy, I certainly like to talk to interesting people.
...
I personally work in specific periods of the year and I say that in the coming months we will increase the “Christmas sales”. After all, everyone wants to be well on Christmas.
I can leak some information for you to do some cool posts, but I want more "fame". Put me in a more important blog. Put me on TV. Hahahaha
... I liked the post.
I hope to come back here ;)”
Psychlo wrote on 11/09/2011:
"Ahhh, c0d3c4sh. You're complaining for nothing. I'm aware that you're full of money hahaha ...
Let the guys play CSI... After all, would you say that you do not like recognition!?
But the life of cyber criminals is not easy... not...
The system was born corrupt; whoever insists on defending it and accepting it is nothing more than a simple servant of the owners of the money. The idea of this system is so absurd that it works!
I don't do that only for the money. I'd do it even if I earned nothing.
Why do I do that?
Just for fun. And what else would it be?!?
Well... I'll sleep... This post gave me an UP (motivation)... In the following tools I will develop, that are on the "front line" and that you will have access to, I'll post greetings for your support. You motivated me to create better tools.
Thank you”
c0d3c4sh wrote on 11/15/2011:
"Look at me here again, crazier than ever and I wasn't caught yet hahahahaha! ;) ...
Should I open my eyes? uhauhauhauha idiot, you make me laugh, you should open your eyes before accessing your Internet Banking.
This makes more money than drug trafficking, bro!
News soon”
Conclusion
It seems that last year they were using their malicious scripts to perform drive-by download attacks. However, this year they improved a bit and packed the code in an exploit kit.
Although the use of exploit kits is quite widespread worldwide, in Brazil it has been different: only this year did they start to use them to automate their attacks. As they said in the comments, they are trying to innovate and, of course, increase their profits.
And another year goes by, huh folks!?
My tool, made on 11/11/2011, has finally reached the eyes of the much beloved blog.
So many days, so many things happen. Things that come and go.
I worked so much this year of 2012 that I'm even exhausted. I got to September/October and wore myself out. It's been several weeks since I programmed anything. I can only stay a few minutes at the computer, and before I know it I'm doing something else.
This year I went past my quota and beyond my limit. I hope to rest and come back renewed for this fantastic year of 2013 that should begin (if the world doesn't end).
We will enter the glorious Age of Aquarius. And may its bucket full of water carry away the fish, wash our souls and prepare us for a new Era.
Ha, just between us, this astrology business isn't really my thing.
But it seems that every time I'm tired, you show up to renew my strength and show me that I have made some difference on this pale blue dot.
Good, bad... Whatever, in a few years what is evil becomes good and what is good becomes evil. It's all a matter of opinion. Burning people in public is sometimes good, sometimes bad. Hating blacks and Jews is sometimes good, sometimes bad.
We give ourselves too much importance. But if we have no importance, then what does living matter? It's curious how the brain works. It needs a purpose, even if it's a false purpose. The lie is what moves the world. If we all knew the truths, we would do nothing. Because after all, there's nothing we can do.
I hope to show up here again. And even without wanting to, we are working together.
You motivate me when I'm unmotivated. And I generate traffic and try to play my part in putting you in the spotlight while you also put me there.
We live in a kind of symbiosis (I think it would be more of a protocooperation). Even if we don't want to.
Maybe we're not as good as we think we are. But we definitely have fun doing what we do.
A hug to all. Have a good end of year.
We'll see each other again. Maybe next year or who knows when. I won't stop mentioning you in the "front line" tools.
Your friend, Psychlo.
So much nonsense typed! What really matters are the numbers of infections and phishing that are being blocked more efficiently. The reason? A real troop decided to finish off this bunch of worms called "bankers". It doesn't matter whether you develop tools, do phishing or infect computers, the net is closing in, and at some point the house comes down; your turn to pay for your "sins" will come.
andre@defesadigital.com
Congratulations on the blog! This blog is really awesome!
Thanks for the concern, André. I'll be more careful then.
Very good blog, thanks for sharing your vast knowledge on the subject, Ronaldo!
Ronaldo,
Won't you do malware analyses anymore?
The blog has been idle for months.
Did the blog stop? If it has stopped (a year without posts), it's a shame. It's simply the best on the subject in Portuguese that I've ever seen. And it puts many foreign blogs to shame too!!!