LulzSec recently decided to end its string of attacks with a message saying that these have all been part of a planned “50 Days of Lulz.” Some of its members also threw their support behind a separate effort called AntiSec, short for Anti-Security. This call was sent out to encourage all kinds of hacker and hacker groups to expose governments and big corporations.

We don’t believe that the people behind LulzSec have stopped their activities. Instead, they disbanded due to the attention they were getting from law enforcement and other hackers less approving of their activities. From British authorities’ arrest of Ryan Cleary and recent searches conducted in the United States, law enforcement agencies are clearly hot on the group’s trail.

If you log in to any of the Internet Relay Chat (IRC) servers that Anonymous uses, you can see that the members of LulzSec are still active and online. We are also seeing several groups naming themselves by region such as AnonNL or LulzSec Brazil that have splintered off to attack the governments of the countries they reside in. In addition, Anonymous is still engaging in usual activities such as launching distributed denial-of-service (DDoS) attacks against websites when there is something in the news that they do not approve of. For example, the leader of a group feeding homeless people in a public park in Orlando, Florida, was arrested.

Read the rest of this entry »

For about two weeks now, the ZeuS source code has been making its way around to different people. Many people have been offering it up for sale on multiple forums, but lots of times it is only pieces of the code and not everything. There are also conflicting reports about important pieces of the code missing, not allowing it to work, or that everything is there except the modules that can be added in.

This has taken a recent turn however, due to the fact that source code was reportedly uploaded to a file sharing site and then the link was posted to a malware forum.

The catch is that the uploaded file is a .RAR file, and is password protected. You can look through the .RAR file and check that everything is there for the source code but you can’t actually look at the contents of the files due to the password protection. Multiple people are taking a crack at trying to bruteforce the password for the .RAR file, but so far no one that I know of has been able to crack it. There are even reports that some people in law enforcement are looking at it.

Read the rest of this entry »

In late October of this year, it was reported that the “rivalry” between the ZeuS and SpyEye malware families was ending with a merger of the two families. It was reported that ZeuS author Slavik or Monstr has gone underground and has given his toolkit’s source code to SpyEye author Gribodemon or Harderman.

This has prompted a lot of speculation about what will come next. Many researchers are waiting for a new malware family that will combine the features of SpyEye and ZeuS.

Based on our underground research, we discovered that SpyEye’s development ground to a halt. One feature of SpyEye will be included in future versions of ZeuS to add features that are not part of the latter’s “core” functionality (e.g., more sophisticated information theft routines). SpyEye uses plug-ins that can be added after the main toolkit has been purchased. In contrast, ZeuS previously used modules that had to be included when the toolkit was sold. Newer ZeuS versions will use plug-ins, much like SpyEye currently does. If a cybercriminal wants to add a new feature to his existing SpyEye toolkit, all he has to do for SpyEye and future ZeuS versions is to purchase a new plug-in. This previously required ZeuS users to purchase a new version.

For now, however, SpyEye and ZeuS remain separate malware families. Whether the merger pushes through or not, however, SpyEye is still growing as a threat. According to the information gathered by the Trend Micro™ Smart Protection Network™, the number of SpyEye infections has grown since July of this year to as much as 20 times to date.

What about ZeuS’ author? We have heard rumors that he is not really retiring. He will instead create new malware (either ZeuS or entirely new families) that he will then primarily sell to high-value clients. When we do see these variants, will they be more targeted in terms of infection routine? And what are the chances that we will be able to determine that they actually came from the ZeuS author? Only time will tell.

Since news of this “merger” first came out, many security analysts rushed to gather intelligence on SpyEye. In anticipation, Gribodemon went through many underground forums and deleted his posts to cover up what he has been doing.

Trend Micro and the rest of the security industry are ready to respond to this threat. One of the more public signs of this is Roman Hüssy, the administrator of the respected ZeuS Tracker, who has opened the SpyEye Tracker, which fulfills the same function for SpyEye. This will aid both law enforcement agencies and security companies in taking down and investigating SpyEye command-and-control (C&C) servers. We at Trend Micro are also proactively monitoring the SpyEye threat and will continuously work hard to protect our product users.

This is part 2 of a two-part blog covering the SpyEye interface. In the first part, we looked into CN 1 aka the Main Access Panel and how it is used. In this part, we are going to talk about SYN 1 or the Formgrabber Access Panel. We will examine what the cybercriminals steal and how they use the SpyEye interface to profit from innocent users.

In the screenshot above, you can see the layout of the SYN 1 interface. It has the date on the left and the amount of data being collected on the right. Just like CN 1, there are various buttons that guide the bot master to what he/she is looking to do.

Read the rest of this entry »

Some blogs, stories, and white papers that covered SpyEye have been released but none of them really talked about the interface and how criminals may be using it.

The actual interface is broken down into two components. The first component is the front-end interface called “CN 1” or “Main Access Panel.” This interface is where the bot master can interact with the bots. It shows statistics in relation to infected machines.

The second interface is more like the back end and is called “SYN 1” or “Formgrabber Access Panel.” This interface actually collects and logs data. Moreover, it also allows the bot master to make queries against the collected data and to view the stolen data through the interface. In this post, the first one in a two-post series, we will first look at CN 1 and how it may be used.

In the screenshot above, you can see the main interface that everyone recognizes now. It has the “Hack the Planet!” logo and it currently displays how many bots are online and how many bots are currently part of the botnet. In this screenshot, you can see that there are 2,392 bots online and a little over 18,000 in total. In the example, you can see that the botnet is pretty large. In addition, you can also see the server date and time on the left-hand side.

Read the rest of this entry »