    TrendLabs Security Intelligence Blog

    Author Archive - Loucif Kharouni (Senior Threat Researcher)

    Since our previous blog post, we have continued to investigate whether or not SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we have found that the included documentation says little about ZeuS; it only compares the behavior of several options/configurations of the two malware families.

    At present, we have only been able to identify three different versions in the wild:

    • 1.3.04
    • 1.3.05
    • 1.3.09

    As you can see, these versions are minor releases. Our underground research tells us that some minor bug fixes have been made in these versions, though they are otherwise essentially the same. If you are wondering whether the SpyEye Toolkit comes with three control panels (two SpyEye control panels [CN1 and SYN1] and one ZeuS control panel), I can confirm that it does not. It only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and still are. As such, the ZeuS panel would need to be modified before both could share a single database. ZeuS and SpyEye malware therefore do not register themselves with the same command-and-control (C&C) server in the same way.



    Ever since ZeuS’ author, Slavik/Monstr, left the cybercrime scene and handed over ZeuS’ source code to Gribodemon/Harderman, the author of SpyEye, everybody has been waiting for the resulting merger of the two toolkits. We’ve acquired a sample of version 1.3.05 of the SpyEye builder, which appears to be the result of the said merger.


    Here are the settings and commands that the builder supports:

    • Encryption key: Specifies the encryption key, which encrypts config.bin.
    • Clear cookies every startup: If enabled, the bot will constantly delete the cookies of Internet Explorer (IE) and Mozilla Firefox.
    • Delete nonexportable certificates
    • Don't send http-reports: HTTP request headers contain a lot of garbage, so it makes sense to send back only those protected with HTTPS.
    • Compress build by UPX: If enabled, the resulting file will be compressed.
    • Make build without ZLIB support
    • Make LITE-config: Specifies whether or not to include some features specified in config.bin, including Web injects, screenshot captures, and the use of other plug-ins.
    • EXE name
    • Mutex name
    • Anti-Rapport: A built-in option to evade Trusteer Rapport software.
    • FF webinjects: Determines whether or not Web injects work in Mozilla Firefox.
    • timestamp: Time and date when the builder was created, as measured by the number of seconds from January 1, 1970.

    Here is the list of available plug-ins:

    • webfakes: The webfakes plug-in can be used to spoof the contents of HTTP and HTTPS page resources without connecting to the original Web server in both IE and Mozilla Firefox.
    • ccgrabber: The plug-in collects credit card numbers by analyzing the POST requests made by the user and checking these against the Luhn algorithm.
    • ffcertgrabber: The basic SpyEye package only steals certificates from the cryptographic storage of Windows. However, Firefox uses its own certificate storage folder, from which this plug-in grabs certificates.
    • SOCKS5 backdoor
    • FTP backdoor
    • RDP backdoor
    • bugreport: This plug-in allows the bot to send back technical information if it crashes.

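The ccgrabber entry above says the plug-in picks out card numbers from POST bodies by running candidate digit strings through the Luhn checksum. The same check is what an outbound-traffic DLP rule or a proxy log scanner uses to spot card data leaving a host, so here is an added example (not code from the original post or from the SpyEye toolkit) that runs Luhn-based detection over constructed POST bodies; the sample bodies and the 13-19 digit candidate range are assumptions for illustration.

```python
import re

# Constructed sample POST bodies (not captured traffic) used to exercise the filter.
SAMPLE_POST_BODIES = [
    "user=alice&card=4111 1111 1111 1111&exp=12%2F25",  # well-known Luhn-valid test PAN
    "user=bob&card=4111-1111-1111-1112&exp=01%2F26",    # last digit off: fails Luhn
    "session=1234567890123456789&page=2",                # 19 digits, but no valid checksum
    "comment=call+555-0100+anytime",                     # too short to be a PAN
]

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the right; double every second digit and subtract 9 when the result exceeds 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(body: str) -> list:
    """Return the normalised digit strings in a POST body that pass the Luhn check."""
    found = []
    for m in _CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def flag_bodies(bodies) -> list:
    """Return (body, matches) pairs for every body that carries at least one Luhn-valid PAN."""
    flagged = []
    for body in bodies:
        hits = find_card_numbers(body)
        if hits:
            flagged.append((body, hits))
    return flagged

if __name__ == "__main__":
    for body, hits in flag_bodies(SAMPLE_POST_BODIES):
        print("card data in POST body:", hits)
```

Luhn alone produces false positives on long numeric IDs that happen to satisfy the checksum, so a production rule would pair it with issuer-prefix ranges and rate limits before alerting.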
    Analyzing how this version has been written compared with previous versions, it seems that Gribodemon received help from other criminals to polish this version, particularly with the addition of the ccgrabber plug-in and the anti-Rapport option.

    There are actually two live servers using this new version.

    We will continue to monitor this threat and protect our customers as necessary. We have previously talked about SpyEye in the following posts:


    Who said that the Cutwail/Pushdo botnet is dead? The recent Cutwail/Pushdo takedown was a great help in stopping this huge botnet from sending out spammed messages all over the world.

    Yesterday, however, a new wave of approximately 5,000 fake Facebook messages was sent through some Cutwail zombies for about 30 minutes.


    The spammed message informs users that they received a private message and contains a bogus Facebook link, which actually points to {BLOCKED}, a Canadian pharmacy website hosted in China. As of this writing, however, the said site is no longer online.

    This recent Pushdo/Cutwail update shows us that the spammers behind this botnet are on the move and are rebuilding their servers, domains, and the rest of their infrastructure in order to restore their botnet.


    All of us have heard about SpyEye, a malware family comprising information/data stealers like ZeuS/ZBOT. This malware is sometimes known as a “ZeuS killer,” as it stops ZeuS malware from running on affected systems, assuming that the latter is already present. This topic was discussed before in the blog post, “Keeping an Eye on the EYEBOT and a Possible Bot War.”

    We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.

    This particular SpyEye C&C server is located in Ukraine:

    IP address: {BLOCKED}.{BLOCKED}.159.29
    Org: Tavria Host Network
    ISP: PAN-SAM Ltd.
    ASN: AS196814

    We were able to access different Control Panel tabs on this SpyEye server and saw some interesting bits of information such as its number of bots and their locations:


    A statistical breakdown of the bots by OS, Internet Explorer version, and whether or not they run as administrators was also found.


    Last week it was reported that the Pushdo botnet, used to send spam using the Cutwail spamming module, was taken down, thanks to the efforts of several security researchers. Thirty command-and-control (C&C) servers of the Pushdo/Cutwail botnet were identified, almost 20 of which were taken down after their Internet hosting providers were notified.

    So far, the takedown appears to have been effective. Our monitoring indicates that the volume of spam sent using the Cutwail bots has significantly decreased. Our monitoring of the C&C servers Pushdo used indicates that the botnet has fallen silent since the takedown.

    It’s too early to see if this particular takedown will have real long-term effects. There have been many takedowns before such as that of McColo in late 2008. However, in many of these cases, the affected botnets were able to recover and resume their operation within weeks.

    Taking down botnets is a good thing but is not enough to stop the spam pandemic. The issue here is that while this botnet may have been crippled, the spammers behind it are still at large and can continue to create botnets in the future. Spammers like these must be arrested and should spend time in jail if we are to have any real chance of winning this war on cybercrime. Trend Micro will continue to work closely with law enforcement to ensure that criminals like these are put behind bars.

    Last year, our researchers looked into the activities of the Pushdo/Cutwail botnet and released their findings in the paper “A Study of the Pushdo/Cutwail Botnet.”



    © Copyright 2013 Trend Micro Inc. All rights reserved.