Since our previous blog post, we continued to investigate whether or not SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we realized that the included documentation doesn’t say much about ZeuS. It only compared the behaviors of several options/configurations of the two malware families.
At present, we have only been able to identify three different versions in the wild:
As you can see, these versions are minor releases. Our underground research tells us that some minor bug fixes have been made in these versions though these are typically the same. If you are wondering if the SpyEye Toolkit comes with three control panels (two SpyEye control panels [CN1 and SYN1] and one ZeuS control panel), I can confirm that it does not do so. It only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and are still so. As such, a modification of the ZeuS panel is needed so both can share a single database. ZeuS and SpyEye malware are thus not registering themselves to the same control-and-command (C&C) server in the same way.
The SpyEye 1.3.x binary still behaves like previous SpyEye versions. The call-home request remains the same, except for the communication mode shown below.
The customconnector plug-in tells the bot which C&C server to communicate with. This plug-in was likely offered so cybercriminals can have several C&C servers listed for backup. In previous versions, this was not included in a plug-in but was part of a file named maincps.txt, which was part of the config file.
Obtaining the new version of SpyEye also differs from getting previous versions. You first get an email with a set of instructions. This is a form of two-factor authentication from the author. The email requires the interested party to send the nickname and email address he used to purchase SpyEye via Jabber. After sending this information, the SpyEye creator then sends the buyer a message that contains download links.
Several links are sent from which the buyer can download the different components of the toolkit. The following components have been uploaded to a free hosting site, each of which has been protected with a very strong password:
- !default pack.7z: Contains the main control panel (CN1), the builder, three plug-ins (bugreport, customconnector, and webfakes), and the documentation in Russian.
- Sedeb.7z: A .vdi file (VirtualBox). This is a Linux Debian system that has the formgrabber panel (SYN 1) installed for testing.
- !socks pack.7z: Contains a SOCKS 5 plug-in.
- !ftp pack.7z: Contains an FTP plug-in.
- !ffcertgrabber pack.7z: Contains a Firefox certificate grabber plug-in.
- !ccgrabber pack.7z: Contains a CC grabber plug-in.
While the SpyEye changes may be minor, the way Gribodemon communicates with his clients has drastically changed. He no longer communicates much through ICQ and prefers Jabber. He also talks less and has become more secretive. The changes in his behavior are probably due to how much press SpyEye is now getting. SpyEye has changed and evolved to adapt to the security industry, along with its author’s behavior.
With added text from senior threat researcher Kevin Stevens.
Update as of February 22, 2010 11:40 PM PST
I’ve discovered today that SpyEye 1.3.10 is already in the wild and being used on a couple of C&C servers. This version came as usual with the following plugin/webinject:
- ftp back connect
Including also a Webinjects file containing the following targeted websites:
After checking the binary and the config file closely, I noticed an interesting plugin which I’ve never seen before: spySpread.dll. This plugin has also a configuration files as the others do so too. The configuration file contains 3 sections:
msg=publicare esta foto tuya en face ejeje http://[domain_name]/[folder_name]/IMGSCAM##1.jpg
As we can see here, this seems to be an IM and USB spreader plugin. The IM message reminds me of SDBOT/BUZUS which were spreading via MSN asking to download a picture. SpyEye is now going one step further with this new plugin. As we’ve said Gribodemon has become more secretive on his work I believe that we will probably see more plugins release with new SpyEye release.