Ever since ZeuS’ author, Slavik/Monstr, left the cybercrime scene and handed over ZeuS’ source code to Gribodemon/Harderman, the author of SpyEye, everybody has been waiting for the resulting merger of the two toolkits. We’ve acquired a sample of version 1.3.05 of the SpyEye builder, which appears to be the result of that merger.
Here are the settings and commands that the builder supports:
- Encryption key: Specifies the encryption key, which encrypts config.bin.
- Clear cookies every startup: If enabled, the bot will constantly delete the cookies of Internet Explorer (IE) and Mozilla Firefox.
- Delete nonexportable certificates
- Don’t send http-reports: HTTP request headers comprise a lot of garbage. It thus makes sense to report only those sent over HTTPS.
- Compress build by UPX: If enabled, the resulting file will be compressed.
- Make build without ZLIB support
- Make LITE-config: Specifies whether or not to include some features specified in config.bin, including Web injects, screenshot captures, and the use of other plug-ins.
- EXE name
- Mutex name
- Anti-Rapport: A built-in option to evade Rapport Trusteer software.
- FF webinjects: Determines whether or not Web injects work in Mozilla Firefox.
- timestamp: Time and date when the builder was created, as measured by the number of seconds from January 1, 1970.
Here is the list of available plug-ins:
- webfakes: The webfakes plug-in can be used to spoof the contents of HTTP and HTTPS page resources without connecting to the original Web server in both IE and Mozilla Firefox.
- ccgrabber: The plug-in collects credit card numbers by analyzing the POST requests made by the user and checking these against the Luhn algorithm.
- ffcertgrabber: The basic SpyEye package only steals certificates from the cryptographic storage of Windows. However, Firefox uses its own certificate storage folder, from which this plug-in grabs certificates.
- SOCKS5 backdoor
- FTP backdoor
- RDP backdoor
- bugreport: This plug-in allows the bot to send back technical information if it crashes.
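The ccgrabber plug-in described above singles out card numbers by running candidate digit strings through the Luhn mod-10 check. The following Python is an added example, not code from the original post or from SpyEye, that applies the same check from the defender’s side: it scans a captured POST body for Luhn-valid 13–19 digit sequences so that outbound card data can be flagged (or masked in logs) before it leaves the network. The sample POST body, field names and card numbers are constructed test values.

```python
import re

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample POST body (assumption: this is what a proxy or
# DLP sensor would hand us). Only two fields hold Luhn-valid numbers.
SAMPLE_POST = (
    "user=alice&card=4111 1111 1111 1111&cvv=123&phone=5551234567"
    "&order=1234567890123&alt=5500-0000-0000-0004"
    "&session=98765432109876543210"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list[str]:
    """Return the normalized digit strings in body that look like PANs.

    A candidate must be 13-19 digits after stripping separators and
    must pass Luhn; plain order ids and phone numbers fall out here.
    """
    hits = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest for logging."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_POST):
        print("possible card number in outbound POST:", mask(pan))
```

The regular expression deliberately rejects digit runs that are too short (the phone number) or too long (the 20-digit session id), and the Luhn filter then drops the 13-digit order id, so only the two real-looking card numbers are reported. Masking to the first six and last four digits keeps an alert useful without copying the full PAN into the SIEM.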
Analyzing how this version has been written compared to previous versions, it seems that Gribodemon has received help from other criminals in polishing this version, particularly with the addition of the CC grabber plug-in and the anti-Rapport option.
There are actually 2 live servers using this new version:
We will continue to monitor this threat and protect our customers as necessary. We have previously talked about SpyEye in the following posts:
- The SpyEye Interface, Part 1: CN 1
- The SpyEye Interface Part 2: SYN 1
- ZeuS-SpyEye Merger in Progress?