Several blogs, news stories, and white papers have covered SpyEye, but none of them really looked at the interface itself and how criminals may be using it.
The actual interface is broken down into two components. The first component is the front-end interface called “CN 1” or “Main Access Panel.” This interface is where the bot master can interact with the bots. It shows statistics in relation to infected machines.
The second interface is more of a back end and is called “SYN 1” or “Formgrabber Access Panel.” This is the component that actually collects and logs the stolen data; it also lets the bot master query the collected data and view it through the interface. In this post, the first of a two-part series, we look at CN 1 and how it may be used.
In the screenshot above, you can see the main interface that everyone recognizes by now. It carries the “Hack the Planet!” logo and displays how many bots are online and how many bots belong to the botnet in total. In this screenshot there are 2,392 bots online and a little over 18,000 in total, which is a sizeable botnet. The server date and time are shown on the left-hand side.
The first button on the top left is labeled “Create task for billing.” Together with the billinghammer plug-in (found under the Plug-ins button), it allows the bot master to run charges against the stolen credit card numbers at sites of his/her choosing. This gives the bot master a direct cash-out path from the stolen data that carries less risk than the traditional one of buying goods online (for example through Amazon) and shipping them to a drop address. Brian Krebs goes into more detail on the billinghammer plug-in in his blog.
Next is the Bots Monitoring button. Under it you will find how many infected machines there are in each country, how many bots are running each version of SpyEye, and how many bots are added per day. In the screenshot above no countries are listed because the geographic IP database failed to update. Most of the bots are running SpyEye version 10244 and are being updated to version 10265, the latest version as of this writing. The bot master behind this botnet is adding around 1,500 newly infected machines per day on average.
The screenshot above is shown when the Full Statistic button is clicked. As you can see, most of the infected machines run Windows XP, although Windows 7 also appears in the graph. It also shows that around 80 percent of the infected users were logged in with administrator privileges, which means the bot itself runs with full control of those machines.
The next button on the control panel is Create Task for Loader. It is used to instruct the bots to visit a specific site (to generate clicks for possible ad revenue) or, possibly, to download additional malware.
The Update Bot button does exactly what its name suggests. The bot master uses it to upload configuration files and updated SpyEye binaries for the bots to download. Whenever the bots need to be pointed at a new server or moved to a new version of the bot, this is the button used.
The Virtest button is unusual and, in my opinion, quite interesting. Virtest is an Eastern European website that lets logged-in users scan binaries and exploit packs to check whether antivirus engines detect them. It is a paid service, and users usually pay per scan.
SpyEye has built this service into the kit. Once the bot master uploads an updated binary through the Update Bot button, the link to that file is displayed here. All the bot master needs to do is click Submit, and the updated file is sent to Virtest, which reports whether it is currently being detected.
This is the screenshot for the Settings button. Here you can see most of the settings for the services run under the CN 1 control panel. Note the section at the bottom holding the Virtest login used by the Virtest button. There are also fields for FTP backconnect and SOCKS5 backconnect. With backconnect, the infected machine opens an outbound connection to a server the bot master controls, and the bot master then tunnels back through that connection into the bot. Because the connection originates from the victim's side, it works even when the bot sits behind NAT or a firewall that blocks inbound connections, and it gives the bot master an FTP or SOCKS5 proxy on the victim's machine that can be used for many different tasks, including sending traffic from the victim's own IP address.
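To make the SOCKS5 backconnect idea concrete, here is an added example (written for this post, not SpyEye's own code, whose wire protocol the screenshots do not show) that encodes and parses the standard SOCKS5 handshake from RFC 1928 and walks through the message sequence on a backconnect channel. The point it illustrates is that the bytes are ordinary SOCKS5; what changes is who dialled the TCP connection. The target hostname and ports are made up, and the server side only offers the no-authentication method.

```python
"""SOCKS5 (RFC 1928) handshake messages as exchanged over a backconnect channel.

Added example, not SpyEye code. In an ordinary SOCKS5 proxy the client dials
the proxy. In a backconnect setup the infected machine dials out to the
operator's backconnect server and the operator then speaks SOCKS5 as the
*client* over that already-open socket. Hostnames and ports below are made up.
"""
import socket
import struct

SOCKS_VER = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00

def client_greeting(methods=(METHOD_NO_AUTH,)):
    """VER | NMETHODS | METHODS... (sent by whoever plays the SOCKS client)."""
    return bytes([SOCKS_VER, len(methods), *methods])

def server_method_choice(greeting):
    """Validate a greeting and answer VER | METHOD; this toy only offers no-auth."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VER, chosen])

def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, choosing ATYP from the host."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if not 0 < len(name) < 256:
                raise ValueError("domain name length must fit in one byte")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_request(data):
    """Return (cmd, host, port); raise ValueError on malformed or truncated input."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        raise ValueError("malformed SOCKS5 request header")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        off, addr_len = 4, 4
    elif atyp == ATYP_IPV6:
        off, addr_len = 4, 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated domain length")
        off, addr_len = 5, data[4]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    end = off + addr_len
    if len(data) < end + 2:          # length check before slicing the address
        raise ValueError("request shorter than its address type implies")
    raw = data[off:end]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        host = raw.decode("idna")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return cmd, host, port

def connect_reply(rep=REP_SUCCEEDED, bind_host="0.0.0.0", bind_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (IPv4 bind address only)."""
    return (bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4])
            + socket.inet_pton(socket.AF_INET, bind_host)
            + struct.pack("!H", bind_port))

def backconnect_handshake(target_host, target_port):
    """Message sequence once the bot has dialled out to the backconnect server.

    Returns (sender, message) pairs. Note who speaks first: the operator sends
    the SOCKS client greeting although the bot initiated the TCP connection.
    """
    transcript = []
    greeting = client_greeting()
    transcript.append(("operator->bot", greeting))
    transcript.append(("bot->operator", server_method_choice(greeting)))
    request = connect_request(target_host, target_port)
    transcript.append(("operator->bot", request))
    cmd, host, port = parse_request(request)      # the bot's view of the request
    if cmd != CMD_CONNECT:
        raise ValueError("only CONNECT is modelled here")
    # A real bot would now open host:port from the victim's own IP address and
    # relay bytes in both directions; here we only emit the success reply.
    transcript.append(("bot->operator", connect_reply()))
    return transcript
```

Calling `backconnect_handshake("bank.example", 443)` yields four messages, with the operator speaking first. For a defender, that reversal is the tell: a residential host making a long-lived outbound TCP connection over which it then *receives* a `05 01 00` greeting and CONNECT requests is behaving as a SOCKS server for someone outside the network.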
The sophistication of bots keeps growing, and SpyEye is no exception. Part 2 of this series, coming soon, will show how SYN 1 works, with screenshots of the kinds of information being stolen beyond credit card and bank account credentials.