October 17, 2011

Make enough friends in the Internet security community and it becomes clear that many of the folks involved in defending computers and networks against malicious hackers got started in security by engaging in online illegal activity of one sort or another. These gradual mindset shifts are sometimes motivated by ethical, karmic or personal safety reasons, but just as often grey- and black hat hackers gravitate toward the defensive side simply because it is more intellectually challenging.

I first encountered 20-year-old French hacker Steven K. a few months ago while working on a series about the fake antivirus industry. I spent several hours reading accounts of his efforts to frustrate and highlight cybercriminal activity, and took time to follow the many links on his blog, XyliBox, a variant of his hacker alias, “Xylitol.” It turns out that Xylitol, currently unemployed and living with his parents, is something of a major player in the software piracy or “warez” scene, which seeks to crack the copy protection technology built into many computer games and commercial software programs.

As a founding member of redcrew.astalavista.ms (this site may be flagged by some antivirus software as malicious), Xylitol spent several years devising and releasing “cracks,” software patches that allow people to use popular commercial software titles without paying for a license. Cracks are frequently bundled with backdoors, Trojans and other nasties, but Xylitol claims his group never tainted its releases; he says this malicious activity is most often carried out by those who re-purpose and redistribute the pristine patches for their own (commercial and criminal) uses.

But about a year ago, Xylitol began shifting his focus to reverse engineering malware creation kits being marketed and sold on underground cybercrime forums. In October 2010, he began releasing cracked copies of the the bot builder for the SpyEye Trojan, a crimeware kit that sells for several thousand dollars. Each time the SpyEye author released an update, Xylitol would crack it and re-release a free version. This continued for at least a dozen updates in the past year.

The cracked SpyEye releases have been met with a mix of praise and scorn from the security industry; the free releases no doubt frustrated the moneymaking capabilities of the SpyEye author, but they also led to the public distribution of a malware kit that had previously been much harder to come by.

In an instant message chat, Xylitol said he still cracks the occasional commercial software title, just for old time’s sake.

“Sometimes for the old memories, but I’m more into malware cracking now,” he wrote. “It’s more fun.”

Since Nov. 2010, Xylitol and some of his associates have been locked in a daily battle with Russian scareware and ransomware gangs. Scareware programs hijack PCs with incessant and misleading security warnings in a bid to frighten users into paying for the worthless software. Paying customers are given a license key eliminates the annoying security warnings. Ransomware is even more devious: It encrypts the victim’s personal files — pictures, documents, movies and music files — with a custom encryption key. Victims who want their files back usually have little recourse but to pay a fee via text message to receive a code that unlocks the encrypted files.

Xylitol and his pals have been busy over the past year cracking and publishing the license keys needed to free computers snared by scareware and ransomware. For months, these guys have been taking on a Russian ransomeware group called the WinAd gang, releasing the ransomware codes on a daily basis, often just hours after the WinAd gang began pushing out new ransomware variants.

In a chat conversation with KrebsOnSecurity.com, Xylitol said he’s lost track of the number of ransomware cracks he’s released, noting that at one point the WinAd gang switched to shipping a half-dozen updates daily in a bid to stay one step ahead.

“I lost count of how many of these I’ve cracked,” Xylitol said. “For a period that was daily and five or six per day, due to automatic ransomware update.”

Sometime around Sept. 14, 2011, the WinAd gang apparently decided it was losing the war, and called it quits. In closing a year-long discussion thread on the WinAd gang, Kernelmode.info moderator EP_XOFF wrote:

“Since September 11, their activity has decreased significantly. September 14 had died last known domain and redirector. However this may mean nothing. We continue to search.”

Another Kernelmode member, Nickvth2009, replied, “Let’s hope it will never come back.”

25 thoughts on “Software Pirate Cracks Cybercriminal Wares

  1. bt

    I often hear dramatic music when reading of such battles.

    About the pause, I believe there is retooling going on.

  2. na

    These sort of people do not just give up and run off. Considering the thousands of dollars that they could be making they would be more likely to be party to grand theft auto then give up. You should except to see these guys in the near future with a new name, new look, and of course a harder to crack encryption. Hopefully someone will be able to recognize what-ever they don’t change and realize it’s the same crew.

  3. Kafeine

    How a guy like @Xylit0l can be unemployed.
    I just can’t believe it.
    M. Filiol, you need this guy in your Virus labs ! He will make miracles ! cc @efiliol

    1. bt

      Xylit0l deserves a salary of some sort for how productive he has been.

    2. ExitProcess

      lulz he has already stolen from the cookie$ pot of most security vendors….oh to pay the thief..what karma for the pink panther hat 😛

  4. Scott

    One for the White Hats!

    It must be amazing to get such an inside veiw of this world Brian. You have the most up to date and relevant security blogs on the net.

    I certainly rely on your information.

    Is he doing any reverse engineering on Zeus?

  5. Heron

    How would I get into the Internet/database security field, if I don’t want to go through the back door? I’m interested in doing so, but everyone I’ve asked so far (and perhaps I haven’t been asking the right people) has only recommended following the path (s)he took, so I haven’t found their advice convincing.

    Anyone interested in offering me some unbiased feedback, or pointing me in the direction of some information that would get me started? Most of my computer knowledge is self-taught. I can often solve problems the tech experts can’t figure out, but I don’t have programming experience. BK’s blog is one of the reasons why I’m interested in the field of Internet security. My background is in librarianship, but I don’t want to work in libraries any longer.

    Thanks in advance, and if this is too off-topic, I apologize.

      1. Heron

        Thank you for the reply, p1n.

        This is the only time I’ll vary from the original topic this much, everyone. Thank you for your forbearance.

  6. Blue Hat


    A very informative, useful forum, but talk about a bunch of Gray Hats. I wouldn’t trust any of them.

  7. greyfoxx

    A very informative and interesting artcle… Thank you, Brian…!

  8. jt

    great post. as they say, the enemy of my enemy is my friend. Although I may share the same end-goal of Xylitol, I probably have very different motivations than him…

  9. Xylitol

    Like say on kernelmode, you made a praise on me but it’s not a victory of one man, many other hardworkers have taken part.
    Like MDL (SysAdMini), MysteryFCM, Gerhard from cleanmx, local CERT’s/ISP who did all takedowns, mc0blck who discovered all their network, GMax who posted a lot of codes too, EP_XOFF who coordinated all this shit along with posting unblock codes, mrbelyash, kmd who posted samples/unlock code, guys who flags at VirusTotal all repacks, those who take our codes for posting it on their sites.

    @Blue Hat: Fuck the hat sterotype and their classifications who mean nothing, most of people at kernelmode are respectable, after sure.. if you don’t know to who you speak…

    1. BrianKrebs Post author

      Thanks for commenting here, Xylitol. I mentioned several times in the story that you were not working alone, and that you were working in concert with many others on Kernelmode (I even mention two other Kernelmode members by their handles). Not sure what else I could have done to make that more clear, but it’s not like I said you were doing this all by yourself, as the comments here suggest.

  10. Orange Hat

    EP_XOFF said:
    “….and definitely not a guy who works against malware. He just a journalist. And main purpose of any journalists – perverting facts and spreading disinformation.”

    Gee Brian, I didn’t know your blog was “perverting facts and spreading disinformation”. Maybe this guy really does have two hats in his closet, one black and the other white. Looks like Blue Hat was right after all.

  11. Yellow Hat with Polka Dots

    Green Hat is bitter. Sysinternals forum banned him.

  12. crab hat

    crab hat is most honorable hat type on the Internet.

Comments are closed.