Hardly a week goes by when I don’t hear from some malware researcher or reader who’s discovered what appears to be a new sample of malicious software or nasty link that invokes this author’s name or the name of this blog. I’ve compiled this post to document a few of these examples, some of which are quite funny.
Take, for example, the login panel for “Betabot”: Attempt to log in to this malware control panel with credentials that don’t work and you’ll be greeted with a picture of this author, accompanied by the following warning: “Enter the correct password or I will write a 3-part article on this failed login attempt.”
The coders behind Betabot evidently have several versions of this login panel warning: According to a threat intelligence report being released tomorrow by RSA, the latest iteration of this kit uses the mugshot from my accounts at Twitter (follow me!) and Facebook (like it!).
As first detailed by Sophos’s award-winning Naked Security blog, the code inside recent versions of the Redkit exploit kit includes what appears to be a message blaming me for…well, something. The message reads: “Crebs, its [sic] your fault.”
The one I probably hear about most from researchers is a text string that is built into Citadel (PDF), an offshoot of the ZeuS banking trojan botnet kit that includes the following reference: “Coded by BRIAN KREBS for personal use only. I love my job and my wife.”
Those are just the most visible examples. More commonly, if Yours Truly is invoked in the name of cybercrime, it tends to show up in malicious links that lead to malware. Here are a few just from the past couple of weeks:
hxxp://hecked-by-brain-krebs.biz/.h/.t/.t/.p/install, a sanitized version of a site that is foisting malware, according to link checkers from 7 out of 39 antivirus vendors at Virustotal. The malware foisted by this link is detected as nasty by malware scans from 33 out of 47 vendors at Virustotal.
Security blogger Kafeine has been chronicling the emergence of an exploit kit variously named “Stamp EK” and “SofosFO” which has apparently added my surname to a URL generator for new malware links. Here’s a screenshot of what that looks like (avoid visiting the IP addresses or URLs shown in the image below unless you know what you’re doing).
Kafeine also shared some information about Citadel botnet controllers recently found invoking my name, including this one (“mudak” is transliterated Russian for “fuc*er).
While not strictly malware-related, the references to this blog and author that have been reported most frequently by readers over the past few weeks come from an Internet meme that someone started about a month ago, using Memegenerator.net. Some of these are a bit crude, but a few of them made me laugh out loud. I’m sure the act of just blogging about this meme will cause more entries to be added (there are currently four pages worth).
To some extent, this silliness has been going on for several years now. In June 2011, someone hacked a news site and planted a story falsely claiming that F-Secure researcher Mikko Hypponen and I had been arrested for selling stolen credit cards. That same month, a Trojan downloader which peddled adult Web sites included a reference that I had somehow gotten married to security blogger Dancho Danchev.
In 2010, Fortinet found a variant of the spam botnet installer Pushdo that was controlled by a domain name called “fuckbriankrebs.com.” In 2009, Sophos wrote about a new email malware campaign disguised as an alert about a wayward DHL package: The message included a “tracking number” that was essentially the same sentiment, only spelled backwards.
Update, 1:31 p.m. ET: Updated the screen shot used in Kafeine’s example.