When you’re lurking in the computer crime underground, it pays to watch your back and to keep your BS meter set to ‘maximum.’ But when you’ve gained access to an elite black market section of a closely guarded crime forum to which very few have access, it’s easy to let your guard down. That’s what I did earlier this year, and it caused me to chase a false story. This blog post aims to set the record straight on that front, and to offer a cautionary (and possibly entertaining) tale to other would-be cybersleuths.
On Jan. 16, 2013, I published a post titled, “New Java Exploit Fetches $5,000 Per Buyer.” The details in that story came from a sales thread posted to an exclusive subforum of Darkode.com, a secretive underground community that has long served as a bazaar for all manner of cybercriminal wares, including exploit kits, spam services, ransomware programs, and stealthy botnets. I’ve maintained a presence on this forum off and on (mostly on) for the past three years, in large part because Darkode has been a reliable place to find information about zero-days, or highly valuable threats that exploit previously unknown vulnerabilities in software — threats that are shared or used by attackers before the developer of the target software knows about the vulnerability.
I had previously broken several other stories about zero-day exploits for sale on Darkode that later showed up “in-the-wild” and confirmed by the affected vendors, and this sales thread was posted by one of the forum’s most trusted members. The sales thread also was created during a time in which Java’s maker Oracle Corp. was struggling with multiple zero-days in Java.
What I didn’t know at the time was that this particular sales thread was little more than a carefully laid trap by the Darkode administrators to discover which accounts I was using to lurk on their forum. Ironically, I recently learned of this snare after white/grey hat hackers compromised virtually all of the administrator accounts and private messages on Darkode.
“Looks like Krebs swallowed the bait, and i got an idea how to catch him now for the next thread,” wrote Darkode administrator “Mafi” in a Jan. 16 private message to a co-admin who uses the nickname “sp3cial1st”.
Following this post, the administrators compared notes as to which users had viewed the fake Java zero-day sales thread during the brief, two-day period it was live on a restricted portion of Darkode. “I have taken a careful examination of the logs related to the java 0day thread,” sp3cial1st wrote to a Darkode administrator who used the nick “187”.
A side note is probably in order here. This 187 user was apparently quite paranoid; he changed nicknames on the forum like so many pairs of underwear. In this screenshot of a private message between 187 and sp3cial1st, we can see 187 asking to have his forum name changed from his previous nick — “teardrop” — to 187. This is interesting because “teardrop” was the nickname used by the Darkode member who bragged to other admins about having his friend launch a distributed denial-of-service attack on my site on July 10, 2012, after I wrote about a zero-day exploit in Plesk that I’d discovered for sale on Darkode. By the way, 187 appears to be a Canadian citizen who likes to use the alias “Ryan Russels”; by his own admission, 187 is a 36-year-old male currently living with his wife in Dubai and wanted in Canada for unspecified criminal charges.
At any rate, leaked private forum messages indicate that the administration of Darkode came up with the fake Java 0day idea after determining that their clever watermarking scheme had been exposed. Forum admin Mafi devised a system for secretly tagging each Web page on the forum with unique markers that could help identify and then ban forum accounts that were being used by security researchers to take screen grabs.
Mafi’s watermarking system can extract the user ID used to take any screen grab as long as that image includes the information under the “Author” sidebar on the left edge of the forum page: As explained in the screen shot to the left, the watermarking system computes two qualities present in that area: the “rep” or reputation field, and the user’s number of posts.
I debated whether to run this post detailing how I got fooled by Darkode’s disinformation campaign/mole hunt, in part because I worried that explaining it all could entail “outing” some of my sources and methods. But I believe that one only grows by admitting one’s mistakes, and so to Oracle and to any readers I may have upset or misled by my previous story on this apparently bogus zero-day, I heartily apologize.
Incidentally, these screen shots are hardly the full story. Earlier this week, a security blogger that I’ve long included on my blogroll — Xylitol — leaked a huge archive of screen shots he’s taken from his own lurkings on Darkode. Those, combined with the dozen or so administrator account screen grabs in this post, offer hours of fun for any researcher interested in profiling the most active members of this forum.
For example, looking at the personal signature used by one of the Darkode admins — a user with the screen name “Parabola” — we can see that this user owns several shady businesses, including a service that helps users move money between virtual currencies such as WebMoney and Liberty Reserve. Looking closer at that service, one can discover that the same server also hosts spamming and keylogging services. According to his introductory post to Darkode when he joined in 2009, Parabola work(ed/s) in IT at a software company based in Texas.
Closer inspection of the screen grab of Parabola’s intro shows that he was invited to Darkode by a user named Iserdo, the former owner of the forum. This latter identity belonged to a hacker arrested in 2010 under suspicion of creating, selling and maintaining the “Mariposa” or “Butterfly” botnet, a crime machine that infected millions of PCs. Other active Darkode members that have been busted by authorities for botnet activity include BX1, a 24-year-old Algerian national who was recently arrested in Bangkok for allegedly earning millions of dollars by operating botnets powered by the ZeuS Trojan. Interestingly, BX1 himself warned other Darkode members in November 2012 that the FBI was investigating him. A portion of the Darkode community’s reaction to his arrest can be read here and here.