
Author Archive - Kevin Stevens (Senior Threat Researcher)

During a recent investigation into a server hosting SpyEye, we noticed several open directories that led to other control panels. SpyEye is the same malware family that recently targeted Polish users. One of the control panels belongs to URLZone/Bebloh. The other control panel carried no name or version string, so we named it after the server: “Spencerlor.” The investigation led to the discovery of what appear to be three botnets running on one server, which the logs show is operated by at least two remote users.

Three Botnets in One Server

SpyEye’s and URLZone’s modules are both written in English, while Spencerlor’s is written in Russian. All three botnets on this server are designed and/or configured to steal only German banking credentials. Both Spencerlor and URLZone are coded to work with the German banking system’s so-called BLZ (Bankleitzahl). A BLZ is the equivalent of a bank routing number: it identifies a user’s bank and branch location.

Apart from collecting account names, contact numbers, PINs, and balances, the group behind this botnet also collects each victim’s BLZ. The screenshot below shows Spencerlor’s login page, which is plain and carries no identifying mark.


After the login page, the operator sees the main account screen, labeled “Admin.” This page shows the total number of bots and which ones are currently online.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice