During a recent investigation into a server hosting SpyEye, we noticed several open directories that led to other control panels. SpyEye is the same malware family that recently targeted Polish users. One of the control panels is for URLZone/Bebloh. The other control panel had no name or version string, so we named it after the server, “Spencerlor.” The investigation led to the discovery of what appear to be three botnets running on one server which, as the logs revealed, is operated by at least two remote users.
Three Botnets in One Server
SpyEye’s and URLZone’s modules are both written in English, while Spencerlor’s is written in Russian. All three botnets on this server are designed and/or configured to steal only German banking credentials. Both Spencerlor and URLZone are coded specifically for the German banking system and work with the so-called BLZ (Bankleitzahl). A BLZ is the German equivalent of a bank routing number: it identifies the account holder’s bank and branch.
Apart from collecting account names, contact numbers, PINs, and balances, the group responsible for this botnet also collects each victim’s BLZ. The screenshot below shows Spencerlor’s login page, which is quite plain and carries no identifying mark.
After logging in, the operator sees the main screen, labeled “Admin.” This page shows the total number of bots and which of them are currently online.