    We came across the latest SpyEye control panels, CN1 and SYN1. The main control panel CN1 looks a bit different from previous versions. Some of the buttons’ names changed. In addition, a Logs button was included so the bot master can view or clear logs (e.g., debug.log, error.log, and tasks.log) created using the SpyEye toolkit.

    Accessing the Create Task panel, we can clearly see the modifications the SpyEye author made. This time, users can create a task by selecting a file and choosing three different types of action, depending on the file type they want to use:

    • Update bot body: Used to update the SpyEye binary itself.
    • Update bot config: Used to update the config file (if users want to change how their bots are configured).
    • Load exe: Used to spread other malware (e.g., ZeuS, TDSS, FAKEAV, etc.).

    For the Files option, we also noticed certain noteworthy changes. In this version, users can only upload an .EXE file or a .BIN file, whereas previous SpyEye versions accepted any file type. This modification was made to close a known security hole in the panel, which allowed anyone with access to upload any kind of file. However, the new check only inspects the file extension and does not verify the actual content of the uploaded file.
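    To make the gap concrete, here is an added example (not code from the post or from the panel itself) contrasting the extension-only whitelist the post describes with a content-aware check that also verifies the bytes: an .EXE must carry a PE header, and a .BIN is assumed (our assumption) to be an opaque binary blob rather than printable text. All sample uploads are constructed inline.

```python
import os
ALLOWED_EXTENSIONS = {".exe", ".bin"}  # the whitelist the post describes

def extension_only_check(filename: str) -> bool:
    """Weak check from the post: any content passes if the name ends in .exe/.bin."""
    return os.path.splitext(filename.lower())[1] in ALLOWED_EXTENSIONS

def _is_pe_image(data: bytes) -> bool:
    """Windows PE: 'MZ' DOS stub plus a 'PE\\0\\0' signature at offset e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def _looks_like_text(data: bytes) -> bool:
    """Printable UTF-8 text (a script or markup) rather than an opaque binary blob."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)

def content_aware_check(filename: str, data: bytes) -> bool:
    """Hardened form: extension must be allowed AND bytes must match it (.BIN assumed binary)."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if ext == ".exe":
        return _is_pe_image(data)
    return len(data) > 0 and not _looks_like_text(data)

def _fake_pe() -> bytes:
    """Constructed minimal PE prefix for the demo, not a real executable."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

# Constructed sample uploads (name -> content); none of these come from the post.
SAMPLES = {
    "bot.exe": _fake_pe(),               # genuine-looking PE image
    "config.bin": bytes(range(256)),     # opaque binary blob
    "script.exe": b"<?php echo 'x'; ?>",  # text given an allowed extension
    "notes.txt": b"plain text",          # disallowed extension
}
def evaluate(samples=SAMPLES) -> dict:
    """Map each sample to (extension_only_result, content_aware_result)."""
    return {n: (extension_only_check(n), content_aware_check(n, d)) for n, d in samples.items()}
```

Only `script.exe` separates the two checks: it passes the extension test and fails the content test, which is exactly the class of upload the post says the panel still lets through.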

    Another modification ensures that once users upload a file, it is stored in a MySQL database as a binary large object (blob). In previous versions, files were stored in a folder located in /bin/upload.

    This version’s (version 1.3.4.x) folder structure also differs from those of earlier SpyEye versions and of ZeuS. In earlier SpyEye versions, .PHP files are found in the main folder. In SpyEye 1.3.4.x’s folder structure, meanwhile, .PHP files have been renamed and are found in the mod folder. In ZeuS, .PHP files are found in the system folder.

    In the MySQL view of SpyEye 1.3.4.x, a new table named users_t has been added. This corresponds to the table cp_users in the MySQL view of ZeuS.

    With these modifications, we can safely conclude that the SpyEye author is taking a more security-conscious direction, probably as a means to employ more stringent security against researchers and trackers. The version’s ability to move the gate.php file to another location has made the SpyEye command-and-control (C&C) server more secure compared with previous versions.

    In sum, the following improvements have been made to SpyEye 1.3.4.x:

    • The SpyEye binary and config files are now stored in the MySQL database as blobs and are no longer found in the file system. In previous versions, the binary and config files could easily be found in the /bin or /bin/upload folder.
    • The upload function has been modified to only accept .EXE and .BIN files.

    The improvements cited above will surely have an impact on the security industry as security researchers and analysts will need to exert more effort to block the different C&C URLs/IP addresses. Sample gathering may become a bit more difficult as well, as the binaries will no longer be available on the server’s file system.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice