    Author Archive - Loucif Kharouni (Senior Threat Researcher)

    This entry is a follow-up to my blog post last week in which I noted some significant changes that have been made to SpyEye 1.3.4.x. Further observation revealed other modifications that made me think we are getting closer to the merger of the SpyEye and ZeuS botnets.

    This SpyEye version comes with a Gate, a CN1 and a SYN1 installer.


    We came across the latest SpyEye control panels, CN1 and SYN1. The main control panel CN1 looks a bit different from previous versions. Some of the buttons’ names changed. In addition, a Logs button was included so the bot master can view or clear logs (e.g., debug.log, error.log, and tasks.log) created using the SpyEye toolkit.

    Accessing the Create Task panel, we can clearly see the modifications the SpyEye author made. This time, users create a task by selecting a file and choosing one of three actions, depending on the type of file they want to push out:

    • Update bot body: Used to update the SpyEye binary itself.
    • Update bot config: Used to update the config file (if users want to change how their bots are configured).
    • Load exe: Used to spread other malware (e.g., ZeuS, TDSS, FAKEAV, etc.).


    Since our previous blog post, we have continued to investigate whether or not SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we have found that the included documentation doesn’t say much about ZeuS. It only compares the behaviors of several options/configurations of the two malware families.

    At present, we have only been able to identify three different versions in the wild:

    • 1.3.04
    • 1.3.05
    • 1.3.09

    As you can see, these versions are minor releases. Our underground research tells us that some minor bug fixes have been made between these versions, but they are otherwise essentially the same. If you are wondering whether the SpyEye toolkit comes with three control panels (two SpyEye control panels [CN1 and SYN1] and one ZeuS control panel), I can confirm that it does not. It only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and still are. As such, the ZeuS panel would need to be modified before both could share a single database. ZeuS and SpyEye malware therefore do not register themselves with the same command-and-control (C&C) server in the same way.


    Ever since ZeuS’ author, Slavik/Monstr, left the cybercrime scene and handed over ZeuS’ source code to Gribodemon/Harderman, the author of SpyEye, everybody has been waiting for the resulting merger of the two toolkits. We’ve acquired a sample of version 1.3.05 of the SpyEye builder, which appears to be the result of the said merger.

    Here are the settings and commands that the builder supports:

    • Encryption key: Specifies the encryption key, which encrypts config.bin.
    • Clear cookies every startup: If enabled, the bot will constantly delete the cookies of Internet Explorer (IE) and Mozilla Firefox.
    • Delete nonexportable certificates
    • Don't send http-reports: HTTP request headers contain a lot of garbage, so it makes sense to report only those protected with HTTPS.
    • Compress build by UPX: If enabled, the resulting file will be compressed.
    • Make build without ZLIB support
    • Make LITE-config: Specifies whether or not to include some features specified in config.bin, including Web injects, screenshot captures, and the use of other plug-ins.
    • EXE name
    • Mutex name
    • Anti-Rapport: A built-in option to evade Trusteer Rapport software.
    • FF webinjects: Determines whether or not Web injects work in Mozilla Firefox.
    • timestamp: Time and date when the builder was created, as measured by the number of seconds from January 1, 1970.

    Here is the list of available plug-ins:

    • webfakes: The webfakes plug-in can be used to spoof the contents of HTTP and HTTPS page resources without connecting to the original Web server in both IE and Mozilla Firefox.
    • ccgrabber: The plug-in collects credit card numbers by analyzing the POST requests made by the user and checking these against the Luhn algorithm.
    • ffcertgrabber: The basic SpyEye package only steals certificates from the cryptographic storage of Windows. However, Firefox uses its own certificate storage folder, from which this plug-in grabs certificates.
    • SOCKS5 backdoor
    • FTP backdoor
    • RDP backdoor
    • bugreport: This plug-in allows the bot to send back technical information if it crashes.

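The ccgrabber plug-in described above filters POST data with the Luhn check, which is the same test a DLP rule or egress proxy uses to spot card numbers leaving a host. As an added example (not SpyEye code, and not from the original post), this Python snippet scans a constructed form body the way such a defensive filter would, rejecting digit runs that merely look like card numbers:

```python
import re

# Constructed sample POST body (not captured traffic). It mixes two valid
# test card numbers with two 16/17-digit runs that fail the Luhn check.
SAMPLE_POST_BODY = (
    "name=Jane+Doe&card=4111111111111111&exp=1225&cvv=123"
    "&phone=5551234567890123&order=12345678901234567"
    "&backup=5500-0000-0000-0004"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the string of digits passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in a request body.

    Digits may be separated by single spaces or dashes, as users often type
    them; the lookarounds force the whole digit run to be considered so a
    longer sequence (e.g. an order id) cannot match on a substring.
    """
    found = []
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def should_flag(body: str) -> bool:
    """True when a body would trip a card-number egress rule."""
    return bool(find_card_numbers(body))


if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_POST_BODY))
```

The phone and order fields are 16 and 17 digits long but fail the checksum, so only the two genuine test numbers are reported.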
    Analyzing how this version has been written compared to previous versions, it seems that Gribodemon has received help from other criminals in polishing this version, particularly with the addition of the CC grabber plug-in and the anti-Rapport option.

    There are currently two live servers using this new version.

    We will continue to monitor this threat and protect our customers as necessary. We have previously talked about SpyEye in the following posts:


    Who said that the Cutwail/Pushdo botnet is dead? The recent Cutwail/Pushdo takedown was a great help in stopping this huge botnet from sending out spammed messages all over the world.

    Yesterday, however, a new wave of approximately 5,000 fake Facebook messages was sent through some Cutwail zombies for about 30 minutes.

    The spammed message informs users that they received a private message and contains a bogus Facebook link, which actually points to {BLOCKED}, a Canadian pharmacy website hosted in China. As of this writing, however, the said site is no longer online.

    This recent Pushdo/Cutwail update shows us that the spammers behind this botnet are on the move and are rebuilding their servers, domains, and the rest of their infrastructure in order to restore their botnet.
