3:17 am (UTC-7) | by Loucif Kharouni (Senior Threat Researcher)
We came across the latest SpyEye control panels, CN1 and SYN1. The main control panel CN1 looks a bit different from previous versions. Some of the buttons’ names changed. In addition, a Logs button was included so the bot master can view or clear logs (e.g., debug.log, error.log, and tasks.log) created using the SpyEye toolkit.
Accessing the Create Task panel, we can clearly see the modifications the SpyEye author made. This time, users can create a task by selecting a file and choosing three different types of action, depending on the file type they want to use:
- Update bot body: Used to update the SpyEye binary itself.
- Update bot config: Used to update the config file (if users want to change how their bots are configured).
- Load exe: Used to spread other malware (e.g., ZeuS, TDSS, FAKEAV, etc.).
For the Files option, we also noticed certain noteworthy changes. In this version, users can only upload an .EXE file or a .BIN file, whereas previous SpyEye versions accepted any file type. This modification was made to close a known security hole in the panel, which allowed anyone with access to upload any kind of file. However, the new check only inspects the extension in the file name and does not verify the actual content or type of the uploaded file.
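The distinction above (an extension-only check versus a check of the file's actual content) is easiest to see in code. The following is an added example written for this article, not code from the SpyEye panel (which is PHP) or from the original post; it is in Python for readability, and the sample byte strings and function names are constructed for illustration. The weak validator accepts anything whose name ends in .exe or .bin; the hardened one additionally requires an .EXE upload to carry a real PE header and rejects script markers in a .BIN, which is the kind of content check the panel's new filter lacks.

```python
import os

# Constructed sample inputs (not taken from the post): a minimal PE-shaped blob
# and a PHP script. The PE stub has the 'MZ' signature, the e_lfanew field at
# offset 0x3C pointing to 0x40, and a 'PE\0\0' signature at that offset.
PE_SAMPLE = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
PHP_SAMPLE = b"<?php echo 'hello'; ?>"

ALLOWED_EXT = {".exe", ".bin"}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap for this example


def extension_only_check(filename: str) -> bool:
    """Weak check: only the extension in the name is inspected, never the bytes."""
    return os.path.splitext(filename.lower())[1] in ALLOWED_EXT


def looks_like_pe(data: bytes) -> bool:
    """Content check for Windows executables: 'MZ' stub plus a valid PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    if pe_off + 4 > len(data):
        return False
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Extension AND content must agree; returns (accepted, reason)."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    if ext == ".exe" and not looks_like_pe(data):
        return False, "content is not a PE image"
    # Heuristic for opaque .bin configs: refuse anything carrying a PHP open tag.
    if ext == ".bin" and b"<?" in data:
        return False, "script marker found in .bin content"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("update.exe", PE_SAMPLE), ("update.exe", PHP_SAMPLE),
                       ("config.bin", PHP_SAMPLE), ("notes.txt", PE_SAMPLE)]:
        print(name, extension_only_check(name), hardened_check(name, blob))
```

The weak function returns True for a PHP script named `update.exe`; the hardened one rejects it because the bytes are not a PE image. Storing accepted uploads as a database BLOB rather than in a web-served directory, as the new panel version does, is the complementary mitigation: even a file that slips past validation is then not directly reachable as a URL.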
Another modification was made to ensure that once users upload a file, it gets stored in a MySQL database as a binary large object (blob). In previous versions, files were stored in the bin/upload folder on the server.
This version’s (version 1.3.4.x) folder structure also differed from those of SpyEye 188.8.131.52. In SpyEye 184.108.40.206, .PHP files are found in the main folder. In SpyEye 1.3.4.x’s folder structure, meanwhile, .PHP files have been renamed and are found in the mod folder. In ZeuS 220.127.116.11, .PHP files are found in the system folder.
In the MySQL view of SpyEye 1.3.4.x, a new table named users_t has been added. This corresponds to the table cp_users in the MySQL view of ZeuS 18.104.22.168.
With these modifications, we can safely conclude that the SpyEye author is taking a more security-conscious direction, probably as a means to employ more stringent security against researchers and trackers. The version’s ability to move the gate.php file to another location has made the SpyEye command-and-control (C&C) server more secure compared with previous versions.
In sum, the following improvements have been made to SpyEye 1.3.4.x:
- The SpyEye binary and config files are now stored in the MySQL database as a blob and are no longer found in the file system. In previous versions, the binary and config files could easily be found in the /bin or /bin/upload folder.
- The upload function has been modified to only accept .EXE and .BIN files.
The improvements cited above will surely have an impact on the security industry as security researchers and analysts will need to exert more effort to block the different C&C URLs/IP addresses. Sample gathering may become a bit more difficult as well, as the binaries will no longer be available on the server’s file system.