    Author Archive - Loucif Kharouni (Senior Threat Researcher)




    Mass attack by “Soldier” ensnares major U.S. corporations in its net, steals US$3.2 million in six months, causes organizations and individuals to be vulnerable to future attacks; 90+ other countries hit by shrapnel.

    For some time now, we’ve been investigating the operation of a certain cybercriminal, a young man in his early 20s who resides in Russia. During our investigation, we discovered that the attacker uses various criminal toolkits, including SpyEye and ZeuS as crimeware, as well as exploit kits, such as those used with blackhat SEO, to propagate his SpyEye/ZeuS binaries.

    Using the SpyEye criminal toolkit, money mules, and an accomplice believed to reside in Hollywood, U.S.A., “Soldier,” as he’s known in the criminal underground, stole over US$3.2 million in six months starting January 2011, which equates to approximately US$533,000 per month, or US$17,000 a day!

    “Soldier” mainly targeted U.S. users, and to increase the number of successful infections in the country, he even bought U.S. traffic from other cybercriminals. Besides using malware to steal money from compromised accounts, he also stole users’ security credentials.

    Noteworthy Compromises

    Using the victims’ IP addresses recorded by the SpyEye command-and-control server, we were able to determine the network to which each IP address was assigned. We found that a wide variety of large organizations and U.S. multinational corporations across many sectors were represented in the victim population.

    We do not believe these large organizations and U.S. multinational corporations were the intended targets; rather, we believe they were affected following end-user compromise. Bots (infected victims’ systems) are routinely sold to other criminals who perform further data-stealing activities, making these networks vulnerable to additional compromise and possible fraud.

    The victims’ IP addresses that were identified in the compromise included those belonging to the following types of organizations:

    • U.S. government (local, state, federal)
    • U.S. military
    • Educational and research institutions
    • Banks
    • Airports
    • Other companies (automobile, media, technology)
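The victim-attribution step described above (map each IP address recorded by the C&C server to the network it is assigned to, then look at which kinds of organizations are represented) can be scripted. The following is an added example written for this page, not code from the Trend Micro post; the log format, the addresses (drawn from the reserved documentation ranges) and the allocation table are all constructed, and in practice the table would be built from WHOIS/RIR data.

```python
# Added example (not from the Trend Micro post): attribute victim IPs recorded by a
# C&C server to the networks they belong to, then tally them by organization type.
import ipaddress
import re
from collections import Counter

# Constructed sample of C&C log lines; the format and the bot ids are invented, and
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
2011-03-02 10:14:51 bot=ABC123 ip=203.0.113.17 os=WinXP
2011-03-02 10:15:03 bot=ABC124 ip=203.0.113.200 os=Win7
2011-03-02 10:16:44 bot=ABC125 ip=198.51.100.9 os=WinXP
2011-03-02 10:17:10 bot=ABC126 ip=198.51.100.77 os=Win7
2011-03-02 10:18:02 bot=ABC127 ip=192.168.1.5 os=WinXP
2011-03-02 10:18:30 bot=ABC128 ip=192.0.2.33 os=Win7
garbage line with no address
"""

# Constructed allocation table: (network, organization, sector). Nested ranges are
# deliberate: the most specific (longest) prefix must win.
SAMPLE_ALLOCATIONS = [
    ("203.0.113.0/24", "Example City Government", "government"),
    ("203.0.113.192/26", "Example State University", "education"),
    ("198.51.100.0/25", "Example Bank", "bank"),
    ("198.51.100.64/26", "Example Airport Authority", "airport"),
]

# Explicit RFC 1918 list. ipaddress' is_private is intentionally not used: it also
# covers the documentation ranges above, which would mislabel the sample data.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\bip=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_victim_ips(log_text):
    """Return the IPv4 addresses found in the ip= field of each log line.
    Lines without a parsable address are skipped rather than aborting the run."""
    ips = []
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:  # e.g. an octet above 255
            continue
    return ips


def build_table(allocations):
    """Parse (cidr, org, sector) tuples and sort by prefix length, longest first,
    so a linear scan returns the most specific matching allocation."""
    table = [(ipaddress.ip_network(cidr), org, sector) for cidr, org, sector in allocations]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def attribute_ip(ip, table):
    """Map one address to (organization, sector). RFC 1918 addresses (a bot behind
    NAT reporting its LAN address) and addresses outside the table are labelled
    separately so they are not silently dropped from the totals."""
    if any(ip in net for net in RFC1918):
        return ("(private/NAT address)", "private")
    for net, org, sector in table:
        if ip in net:
            return (org, sector)
    return ("(not in allocation table)", "unattributed")


def classify_victims(log_text, allocations):
    """Return (counts per sector, counts per organization) for every victim IP."""
    table = build_table(allocations)
    sectors, orgs = Counter(), Counter()
    for ip in parse_victim_ips(log_text):
        org, sector = attribute_ip(ip, table)
        sectors[sector] += 1
        orgs[org] += 1
    return sectors, orgs


if __name__ == "__main__":
    by_sector, by_org = classify_victims(SAMPLE_LOG, SAMPLE_ALLOCATIONS)
    for sector, n in by_sector.most_common():
        print(f"{sector:14s} {n}")
    for org, n in by_org.most_common():
        print(f"  {org}: {n}")
```

On the constructed log this yields one victim each in the government, education, bank and airport sectors, one private (NAT) address and one address the table cannot attribute. Keeping the last two categories visible matters when the output is used to notify affected organizations: a count that quietly omits them understates the size of the victim population.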




    This entry is a follow-up to my blog post last week, in which I noted some significant changes made to SpyEye 1.3.4.x. Further observation revealed other modifications that make me think we are getting closer to the merger of the SpyEye and ZeuS botnets.

    This SpyEye version comes with a Gate, a CN1 and a SYN1 installer.




    We came across the latest SpyEye control panels, CN1 and SYN1. The main control panel, CN1, looks a bit different from previous versions. Some button names have changed. In addition, a Logs button was added so the bot master can view or clear the logs (e.g., debug.log, error.log, and tasks.log) created by the SpyEye toolkit.


    Accessing the Create Task panel, we can clearly see the modifications the SpyEye author made. Users can now create a task by selecting a file and choosing one of three types of action, depending on the file type they want to use:

    • Update bot body: Used to update the SpyEye binary itself.
    • Update bot config: Used to update the config file (if users want to change how their bots are configured).
    • Load exe: Used to spread other malware (e.g., ZeuS, TDSS, FAKEAV, etc.).




    Since our previous blog post, we have continued to investigate whether SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we have found that the included documentation says little about ZeuS; it only compares the behavior of several options/configurations of the two malware families.

    At present, we have only been able to identify three different versions in the wild:

    • 1.3.04
    • 1.3.05
    • 1.3.09

    As you can see, these are minor releases. Our underground research tells us that some minor bug fixes were made between these versions, but they are otherwise essentially the same. If you are wondering whether the SpyEye toolkit comes with three control panels (the two SpyEye control panels [CN1 and SYN1] plus a ZeuS control panel), I can confirm that it does not; it only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and still are, so the ZeuS panel would need to be modified before both could share a single database. ZeuS and SpyEye bots therefore do not register with the same command-and-control (C&C) server in the same way.




    Ever since ZeuS’ author, Slavik/Monstr, left the cybercrime scene and handed ZeuS’ source code over to Gribodemon/Harderman, the author of SpyEye, everybody has been waiting for the resulting merger of the two toolkits. We have acquired a sample of version 1.3.05 of the SpyEye builder, which appears to be the result of that merger.


    Here are the settings and commands that the builder supports:

    • Encryption key: Specifies the encryption key, which encrypts config.bin.
    • Clear cookies every startup: If enabled, the bot will constantly delete the cookies of Internet Explorer (IE) and Mozilla Firefox.
    • Delete nonexportable certificates
    • Dont send http-reports: HTTP request headers comprise a lot of garbage, so it makes sense to send reports only for requests protected with HTTPS.
    • Compress build by UPX: If enabled, the resulting file will be compressed.
    • Make build without ZLIB support
    • Make LITE-config: Specifies whether or not to include some features specified in config.bin, including Web injects, screenshot captures, and the use of other plug-ins.
    • EXE name
    • Mutex name
    • Anti-Rapport: A built-in option to evade the Trusteer Rapport software.
    • FF webinjects: Determines whether or not Web injects work in Mozilla Firefox.
    • timestamp: Time and date when the builder was created, measured as the number of seconds since January 1, 1970.

    Here is the list of available plug-ins:

    • webfakes: The webfakes plug-in can be used to spoof the contents of HTTP and HTTPS page resources without connecting to the original Web server in both IE and Mozilla Firefox.
    • ccgrabber: The plug-in collects credit card numbers by analyzing the POST requests made by the user and checking these against the Luhn algorithm.
    • ffcertgrabber: The basic SpyEye package only steals certificates from the cryptographic storage of Windows. However, Firefox uses its own certificate storage folder, from which this plug-in grabs certificates.
    • SOCKS5 backdoor
    • FTP backdoor
    • RDP backdoor
    • bugreport: This plug-in allows the bot to send back technical information if it crashes.
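The ccgrabber plug-in described above relies on a property that defenders can use in the other direction: a digit sequence that passes the Luhn check is a likely card number, so a proxy or DLP rule can flag form submissions that carry one. The following is an added defender-side example written for this page, not the plug-in's code or anything from the Trend Micro post; it assumes a form-encoded POST body, and the body, field names and numbers in it are constructed (4111111111111111 is the well-known test number).

```python
# Added example (not the SpyEye plug-in's code): scan an HTTP POST body for
# Luhn-valid card-number candidates so a DLP rule or proxy can flag the submission.
import re
from urllib.parse import parse_qs

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in
# a longer digit run (a 20-digit order id must not yield a 16-digit "card").
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample body: one real-looking card field, a phone number (too short),
# an order id that fails Luhn, and an all-zero account id that passes Luhn but is
# rejected because it is a single repeated digit.
SAMPLE_POST_BODY = (
    "name=Jane+Doe&cardnumber=4111+1111+1111+1111&exp=12%2F14"
    "&phone=5551234567&order=1234567890123456&acct=0000000000000000"
)


def luhn_valid(digits):
    """Return True if the decimal string passes the Luhn (mod 10) check:
    double every second digit from the right, subtract 9 if that exceeds 9,
    and require the digit sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(text):
    """Return Luhn-valid 13-19 digit sequences found in text, separators removed.
    Runs of a single repeated digit are dropped: they pass Luhn but are placeholders."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(set(digits)) == 1:
            continue
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_post_body(body):
    """URL-decode a form-encoded POST body and return {field: [candidates]} for
    every field that contains at least one Luhn-valid candidate."""
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            candidates = find_card_candidates(value)
            if candidates:
                hits.setdefault(field, []).extend(candidates)
    return hits


def mask(pan):
    """Keep the first six and last four digits for an alert; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for field, pans in scan_post_body(SAMPLE_POST_BODY).items():
        for pan in pans:
            print(f"ALERT field={field} candidate={mask(pan)}")
```

Only the cardnumber field is reported on the sample body; the order id fails the checksum and the all-zero value is filtered out, which is the false-positive handling a production rule needs since roughly one random digit string in ten passes Luhn by chance. Alerts carry the masked number only, so the detection does not itself become a place where card data accumulates.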

    Comparing how this version was written with previous versions, it seems Gribodemon received help from other criminals to polish it, particularly with the addition of the CC grabber plug-in and the Anti-Rapport option.

    There are actually two live servers using this new version.

    We will continue to monitor this threat and protect our customers as necessary. We have previously talked about SpyEye in the following posts:

    © Copyright 2013 Trend Micro Inc. All rights reserved.