Members
Stats
  • Total Posts: 28531
  • Total Topics: 8240
  • Online Today: 920
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Latest SpyEye Botnet Active and Cheaper  (Read 2179 times)

0 Members and 1 Guest are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 723
  • KARMA: 116
  • Gender: Male
  • Pez
Latest SpyEye Botnet Active and Cheaper
« on: 23. April 2012., 10:20:16 »

Latest SpyEye Botnet Active and Cheaper

On April 16, we found a Pastebin entry selling the latest version of the infamous SpyEye botnet (Version 1.3.48) for a much lower price than we’ve seen elsewhere. (This botnet is mainly used to steal banking information.) The quote was just US$150 including three months hosting, after that it’s $15 per month. This version was first seen in October 2011, according to the XyliBox blog. The Pastebin seller of this SpyEye release included all the information about the software, injection types, and plug-ins supported–along with the MSN ID “blackhatsale@live.com.” Here is the screenshot from Pastebin:


Larger Picture

Further research shows from multiple freelancing project websites shows price quotes of up to $1,500. Here are a couple of project entries found on those websites:


Larger Picture

The source code for SpyEye Version 1.3.45 had already been leaked, and a lot of technical information about this botnet is available on the web. Fortunately, we obtained a live sample (with an active control server) created by the latest release (the version ID is hard-coded in the build and sent to the control server along with other information). We proceeded to reverse engineer the latest version to look for any differences.

After unpacking and reversing the latest sample, we found it behaved similarly to the description in the Prevx blog (so we will skip the full details). The only difference we found is the XOR key used to decrypt the config.bin file from the resource section. For this binary, the XOR key used is 0x4C. Here is the snippet of the decryption algorithm to decrypt config.bin:


Larger Picture

Note the slight difference between the keys used by the sample we analyzed and the sample analyzed by the Prevx blog. (Was this intentional by the SpyEye author?) The decrypted config.bin file is nothing but a password-protected ZIP file whose password is stored in the C3 resource section in plain text. Here is the screenshot of the unzipped contents:


Larger Picture

The unpacking/decryption routine of the ZIP files and the infection method of this bot are the same as in the prior version. We next searched network activity to look for variations. The binary, as expected, sends an HTTP POST request with encrypted data shown below:


Larger Picture

As mentioned in a screenshot from the XyliBox blog, this version of SpyEye can be identified by the network capture. The packet can be decoded using a Base64-decoded string and the simple XOR key 0xDB. The sample PHP encoder/decoder created by XyliBox can be found here. Here is the converted sample Perl code to decode the traffic:

sub decode_spyeye

{

$encry_data = shift;

$decodeBase64 = decode_base64($encry_data);

$decodeBase64 =~ s/\+//g;

@charArray = split(“”, $decodeBase64);

$len = @charArray;

$decrypted = ”;

for($i = 0; $i < $len; $i++)

{

$num = ord($charArray[$i]);

if( $num != 219) #Key 0xDB = 219

{

$decrypted .= chr($num ^ 219);

}

}

return $decrypted;

}

$str = decode_spyeye($data);


The decoded string using the preceding routine is:

“guid=5.1.2600!XP-HOST01!D04EF662&ver=10348&ie=6.0.2900.2180&os=5.1.2600&ut=Admin

&ccrc=63B05A00&md5=25d37d161d0bc546429dc98185eca8c4&plg=ccgrabber;customconnecto

r;ffcertgrabber;ftpbc;Plugin_USBSpread;rdp;socks5&plgstat=0;0;0;0;0;0;0&wake=60&

stat=online”


The version information can be found in the preceding decoded string. The bot collects information about the infected machine and sends it to the control server. We have seen such traffic in plain HTTP GET requests in older versions of this botnet. The response is also decoded using the same routine, which was nothing but control commands to execute. Thus we find no major changes in encoding/decoding routines in the latest version.

SpyEye has definitely been buzzing on the Internet for the last few years and remains the top (in stealing money) banking botnet. Bad guys or script kiddies are willing to pay a lot of money for this popular botnet. With people selling this botnet for such low prices and with the availability of leaked code, we may see a rise in this botnet’s activities and control servers.

 
Orginal article: Friday, April 20, 2012 at 10:39am by Umesh Wanve 
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info

Latest SpyEye Botnet Active and Cheaper
« on: 23. April 2012., 10:20:16 »




Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Latest SpyEye Botnet Active and Cheaper
« Reply #1 on: 23. April 2012., 18:24:25 »
Quote
On April 16, we found a Pastebin entry selling the latest version of the infamous SpyEye botnet (Version 1.3.48) for a much lower price than we’ve seen elsewhere. (This botnet is mainly used to steal banking information.) The quote was just US$150 including three months hosting, after that it’s $15 per month. This version was first seen in October 2011, according to the XyliBox blog. The Pastebin seller of this SpyEye release included all the information about the software, injection types, and plug-ins supported–along with the MSN ID “blackhatsale@live.com.” Here is the screenshot from Pastebin:


First thing on my mind, for "low" price, is that they don't have enough interesting customers after FBI's, Microsoft's etc. campaigns:

- "FBI's "Operation Ghost Click" takedown biggest ever cyber-scam botnet": http://scforum.info/index.php/topic,7195.0.html

- "Microsoft destroyed ZeuS and SpyEye banking Trojan botnets": http://scforum.info/index.php/topic,7536.0.html


devnullius

  • SCF VIP Member
  • *****
  • Posts: 3507
  • KARMA: 152
  • Gender: Female
    • SCForum.info
Re: Latest SpyEye Botnet Active and Cheaper
« Reply #2 on: 23. April 2012., 18:55:42 »
Smart thinking Sam. I was also thinking: just dumping the old code to the last remaining willing-to-be-bad guys while they actively exploit with their new botnets...?

Just my 2 cents ; )

Peace!

Devvie

~~~ notemail@facebook.com ~~~

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-012 by DevNullius)
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising