PornoSecurity: sexy vulns, porno sploits and the like
Scary monsters (and super creeps)
Posted on 2010-03-03 11:44:53 in PornoSecurity
Hey there, I bet you thought I was dead, didn't you? Truth is, again, I'm alive and kicking :> Since I've been monitoring SpyEye for a while now, I wanna tell you and show you something.
The toolkit, ready to be bought by cybercriminals all over the world, was discovered in obscure underground forums (it's the black scary market, baby!) early last month by Symantec and Others(tm), taking advantage of their worldwide intelligence gathering systems, of some covert operations..... you know, stuff like that:
SpyEye is actually very similar to Zeus: they share the majority of the functionality, expose pretty much the same behaviour, and take advantage of the same mechanisms (HTTP for communication, encrypted configuration, kewl web panel etc). SpyEye has some missing features, like a ring0 rootkit for example (but you bet it will be added if the toolkit is gonna be popular), and some minor problems.. it still looks pretty young. One of the low-level distinctive signs I found in the SpyEye droppers is the following schema used for API calls, as well as the use (and hooking) of the LdrLoadDll function.
The bootstrap configuration file of SpyEye is often brought to you by the dropper itself: it is embedded as a PE resource and it is actually an encrypted zip. Just like with Zeus, the decryption key can be found within the code, but since the code is not obfuscated there's no need to let the dropper run (that is, infect a VM) to extract the plaintext. In the last few days I have been monitoring a couple of SpyEye C&Cs, watching the number of zombies start from near zero and increase day by day. The image below shows the geographic distribution of a growing botnet I am monitoring:
What's the sexy thing here? Well, look at the picture: blue points are SpyEye-infected zombies, red points instead are sandboxes all over the world trying to analyze SpyEye samples ;)
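As an added illustration of the config-extraction step described above (the embedded, encrypted zip and the statically recoverable key), here is a small static triage script. It is example code, not SpyEye's and not the blog author's tooling: it carves candidate blobs out of a byte image by zip signature and by entropy, then, given a key that has already been recovered from the dropper's code, decrypts the blob and reads the config without executing anything. The "dropper image", the config text and the XOR keystream cipher are all constructed here for illustration; SpyEye's real cipher, key location and resource layout are not modelled, and walking the PE resource directory is left out (on a real sample you would dump the resource first and feed its bytes to `triage`).

```python
"""Static triage of a suspected SpyEye-style dropper image (constructed example)."""
import io
import math
import random
import struct
import zipfile
from collections import Counter

ZIP_LOCAL_MAGIC = b"PK\x03\x04"
WINDOW = 1024   # entropy window size in bytes
HOT = 7.5       # bits/byte; above this a window looks compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_zip_headers(buf: bytes) -> list:
    """Offsets of plausible zip local-file headers: signature plus sane fields."""
    hits = []
    off = buf.find(ZIP_LOCAL_MAGIC)
    while off != -1:
        if off + 30 <= len(buf):
            # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
            # csize(4) usize(4) name_len(2) extra_len(2)
            _, _, flags, method, _, _, _, csize, _, nlen, _ = struct.unpack_from(
                "<4sHHHHHIIIHH", buf, off)
            if method in (0, 8) and nlen < 256:   # stored or deflated, short name
                hits.append({
                    "offset": off,
                    "name": buf[off + 30:off + 30 + nlen].decode("ascii", "replace"),
                    "method": method,
                    "zip_crypto": bool(flags & 1),   # classic ZipCrypto bit, not an outer cipher
                    "compressed_size": csize,
                })
        off = buf.find(ZIP_LOCAL_MAGIC, off + 1)
    return hits


def high_entropy_windows(buf: bytes, window: int = WINDOW, threshold: float = HOT) -> list:
    """Start offsets of aligned windows whose entropy suggests encrypted or compressed data."""
    return [o for o in range(0, len(buf) - window + 1, window)
            if shannon_entropy(buf[o:o + window]) >= threshold]


def triage(buf: bytes) -> dict:
    """Signature hits find a plaintext zip; entropy hits find an encrypted one."""
    return {"zip_headers": find_zip_headers(buf), "hot_windows": high_entropy_windows(buf)}


# Toy stand-in for the dropper's config cipher (assumption; SpyEye's cipher is not modelled).
def keystream(seed: int, n: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_keystream(data: bytes, seed: int) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def read_config(blob: bytes, seed: int) -> dict:
    """Decrypt a carved blob with the recovered key and parse key=value lines inside."""
    with zipfile.ZipFile(io.BytesIO(xor_keystream(blob, seed))) as zf:
        text = zf.read("config.dat").decode()
    return dict(line.split("=", 1) for line in text.splitlines()
                if "=" in line and not line.startswith("#"))


def build_zip(text: str) -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:   # stored: keeps the sample window-sized
        zf.writestr("config.dat", text)
    return out.getvalue()


# Constructed sample: a fake config, once as a plaintext zip, once under the toy cipher,
# both embedded in zero padding the way a resource sits inside a dropper image.
CONFIG_TEXT = ("cnc=http://c2.example.invalid/gate.php\n"
               "bot_id=TEST-0001\n"
               "poll_seconds=60\n"
               + "# padding so the stored zip spans a full entropy window\n" * 40)
KEY_SEED = 0x5EED                      # stands in for a key recovered from the dropper's code
PLAIN_ZIP = build_zip(CONFIG_TEXT)
ENC_ZIP = xor_keystream(PLAIN_ZIP, KEY_SEED)
PAD = b"\x00" * 512
IMAGE = PAD + PLAIN_ZIP + PAD + ENC_ZIP + PAD
PLAIN_OFF = len(PAD)
ENC_OFF = PLAIN_OFF + len(PLAIN_ZIP) + len(PAD)

if __name__ == "__main__":
    report = triage(IMAGE)
    print("zip headers:", report["zip_headers"])
    print("high-entropy windows:", report["hot_windows"])
    print("decrypted config:", read_config(IMAGE[ENC_OFF:ENC_OFF + len(ENC_ZIP)], KEY_SEED))
```

The plaintext zip is found by its `PK\x03\x04` header; the encrypted copy has no recognisable header and only shows up as a high-entropy window, which is why both checks are run. The zip's own `zip_crypto` flag is reported separately because a ZipCrypto-protected archive and an archive encrypted as a whole by the dropper are different problems.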