The Redkit malware exploit gang has a message for security blogger Brian Krebs

Brian Krebs
Brian Krebs

Award-winning security blogger Brian Krebs is loved by everyone on the internet… apart from the criminals.

The fact that Krebs has shut down spam operations, helped dismantle botnets, given the notorious Russian Business Network more than the odd headache, has made him plenty of enemies in the internet underground.

Just last month, online crooks launched a DDoS (distributed denial-of-service) attack against Krebs’s blog, and sent an armed SWAT team around to his house.

So, I was interested to hear from SophosLabs researcher Fraser Howard what he had uncovered inside the latest version of the Redkit exploit kit what appeared to be a message for Brian Krebs.

Message for Brian Krebs

Crebs, its your fault

What’s that famous quote?

“Say anything you want about me as long as you spell my name right!”.

In this particular case, the Redkit gang were struck by a double attack of both poor spelling and lousy grammar – but I doubt tireless cybercrime reporter Krebs will lose much sleep over it.

Sophos products are proactively detecting the redirects which point to the exploit site as Troj/JSRedir-R and Troj/Iframe-JG.

The landing page of the exploit kit is detected as Troj/ExpJS-II, and Sophos proactively protects against the Java vulnerability (CVE=2012-4681) that this version of Redkit tries to exploit as Exp/20124681-C.

Thanks to SophosLabs Principal Researcher Fraser Howard for alerting me to this message.