During a recent investigation into a server hosting SpyEye, we noticed several open directories that led to other control panels. SpyEye is also the malware family that recently targeted Polish users. One of the control panels belongs to URLZone/Bebloh. The other control panel did not carry any name or version, so we named it after the server, “Spencerlor.” The investigation led to the discovery of what appear to be three botnets running on one server, which, as the logs revealed, is operated by at least two remote users.
Three Botnets in One Server
SpyEye’s and URLZone’s modules are both written in English, while Spencerlor’s is written in Russian. All three botnets on this server are designed and/or configured to steal only German banking credentials. Both Spencerlor and URLZone are coded to work with the German banking system using the so-called BLZ (Bankleitzahl). A BLZ is the equivalent of a bank routing number; it identifies a user’s bank and branch location.
Apart from collecting account names, contact numbers, PINs, and balances, the group responsible for this botnet also collects a user’s BLZ. The screenshot below shows Spencerlor’s login page, which is quite plain and does not have any identifying mark.
After the login page, users will see the main account screen called “Admin.” This page shows the total number of bots and which ones are online.
On the left side of the screen are four links. Clicking the first opens the Transfer Settings page, which allows money to be transferred from one account to other accounts. The second link leads to a page that shows the logs for all transfers that have been carried out. The last link leads to a page that lists all of the accounts in the database, including the bank name, account number, user, BLZ, IP address, and balance of each account. All of this information is collected in an SQL database, from which it is pulled and sorted to make it easier for the application to steal money.
The URLZone Botnet
URLZone functions a little differently. Instead of collecting and storing bot information in an SQL database, it keeps the data in .TXT files. PHP scripts then read the information from the .TXT files and display it to the bot administrators. Below is a screenshot of the main admin page.
At the bottom of the screen are various tools that the herder can use to manage the botnet. Among these is a tool that bans certain bots from phoning home, based on their IP addresses. On the left side is a list of German banks for which transfer rules can be created using the Add/Edit button. The Add/Edit page allows a malicious user to configure the bot to transfer money through different browsers.
The following screenshot shows the Extend Logs view. Normally, you would see money being transferred from one of the accounts to a mule drop account. What we saw instead were transaction entries that merely list the account balances, with no drop accounts set.
These screenshots clearly show the constant improvements that bot control panels undergo. As shown here, cybercriminals keep finding new ways to automate money transfers.
We will post updates on the Malware Blog as we obtain more information.