Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2015
    S M T W T F S
    « Feb    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Loucif Kharouni (Senior Threat Researcher)

    We came across the latest SpyEye control panels, CN1 and SYN1. The main control panel CN1 looks a bit different from previous versions. Some of the buttons’ names changed. In addition, a Logs button was included so the bot master can view or clear logs (e.g., debug.log, error.log, and tasks.log) created using the SpyEye toolkit.

    Click for larger view

    Accessing the Create Task panel, we can clearly see the modifications the SpyEye author made. This time, users can create a task by selecting a file and choosing three different types of action, depending on the file type they want to use:

    • Update bot body: Used to update the SpyEye binary itself.
    • Update bot config: Used to update the config file (if users want to change how their bots are configured)
    • Load exe: Used to spread other malware (e.g., ZeuS, TDSS, FAKEAV, etc.).
    Click for larger view

    Read the rest of this entry »


    Since our previous blog post, we continued to investigate whether or not SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we realized that the included documentation doesn’t say much about ZeuS. It only compared the behaviors of several options/configurations of the two malware families.

    At present, we have only been able to identify three different versions in the wild:

    • 1.3.04
    • 1.3.05
    • 1.3.09

    As you can see, these versions are minor releases. Our underground research tells us that some minor bug fixes have been made in these versions though these are typically the same. If you are wondering if the SpyEye Toolkit comes with three control panels (two SpyEye control panels [CN1 and SYN1] and one ZeuS control panel), I can confirm that it does not do so. It only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and are still so. As such, a modification of the ZeuS panel is needed so both can share a single database. ZeuS and SpyEye malware are thus not registering themselves to the same control-and-command (C&C) server in the same way.

    Read the rest of this entry »


    Ever since ZeuS’ author, Slavik/Monstr, left the cybercrime scene and handed over ZeuS’ source code to Gribodemon/Harderman, the author of SpyEye, everybody has been waiting for the resulting merger of the two toolkits. We’ve acquired a sample of version 1.3.05 of the SpyEye builder, which appears to be the result of the said merger.

    Click for larger view

    Here are the settings and commands that the builder supports:

    • Encryption key: Specifies the encryption key, which encrypts config.bin.
    • Clear cookies every startup: If enabled, the bot will constantly delete the cookies of Internet Explorer (IE) and Mozilla Firefox.
    • Delete nonexportable certificates
    • Dont send http-reports: HTTP request headers comprise a lot of garbage. It thus makes sense to those protected with HTTPS.
    • Compress build by UPX: If enabled, the resulting file will be compressed.
    • Make build without ZLIB support
    • Make LITE-config: Specifies whether or not to include some features specified in config.bin, including Web injects, screenshot captures, and the use of other plug-ins.
    • EXE name
    • Mutex name
    • Anti-Rapport: A built-in option to evade Rapport Trusteer software.
    • FF webinjects: Determines whether or not Web injects work in Mozilla Firefox.
    • timestamp: Time and date when the builder was created, as measured by the number of seconds from January 1, 1970.

    Here is the list of available plug-ins:

    • webfakes: The webfakes plug-in can be used to spoof the contents of HTTP and HTTPS page resources without connecting to the original Web server in both IE and Mozilla Firefox.
    • ccgrabber: The plug-in collects credit card numbers by analyzing the POST requests made by the user and checking these against the Luhn algorithm.
    • ffcertgrabber: The basic SpyEye package only steals certificates from the cryptographic storage of Windows. However, Firefox uses its own certificate storage folder, from which this plug-in grabs certificates.
    • SOCKS5 backdoor
    • FTP backdoor
    • RDP backdoor
    • bugreport: This plug-in allows the bot to send back technical information if it crashes.

    Analyzing how this version has been written compared to previous versions, it seems like Gribodemon has received help from other criminals to polishing this version, particularly with the addition of the CC grabber plug-ins and anti-rapport option.

    There are actually 2 live servers using this new version:

    Click for larger view Click for larger view

    We will continue to monitor this threat and protect our customers as necessary. We have previously talked about SpyEye in the following posts:


    Who said that Cutwail/Pushdo botnet is dead? The recent Cutwail/Pushdo takedown was a great help in stopping this huge botnet in sending out spammed messages all over the world.

    Yesterday, however, a new wave of approximately 5,000 fake Facebook messages was sent through some Cutwail zombies for about 30 minutes.

    Click for larger view

    The spammed message informs users that they received a private message and contains a bogus Facebook link, which actually points to {BLOCKED}, a Canadian pharmacy website hosted in China. As of this writing, however, the said site is no longer online.

    This recent Pushdo/Cutwail update shows us that the spammers behind this botnet are on the move and are rebuilding their servers, domains, and the rest of their infrastructure in order to restore their botnet.

    Posted in Botnets | 1 TrackBack »

    All of us have heard about SpyEye, a malware family comprising information/data stealers like ZeuS/ZBOT. This malware is sometimes known as a “ZeuS killer,” as it stops ZeuS malware from running on affected systems, assuming that the latter is already present. This topic was discussed before in the blog post, “Keeping an Eye on the EYEBOT and a Possible Bot War.”

    We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.

    This particular SpyEye C&C server is located in the Ukraine:

    IP address: {BLOCKED}.{BLOCKED}.159.29
    Org: Tavria Host Network
    ISP: PAN-SAM Ltd.
    ASN: AS196814

    We were able to access different Control Panel tabs on this SpyEye server and saw some interesting bits of information such as its number of bots and their locations:

    Click for larger view

    A statistical breakdown of the bots by OS, Internet Explorer version, and whether they run as administrators or not was also found:
    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice