Wednesday, May 08, 2013

SpyEye Botherder BX1 - welcome to Georgia!


The BX1 Indictment

(Click to download the Bx1 Indictment) North District of Georgia (Atlanta)

Criminal Docket for Case#: 1:11-cr-00557-UNA-1 (filed 12/20/2011)


(1) 18:1349 Attempt and Conspiracy to Commit Mail Fraud
(2-11) 18:1343 & 2 – Fraud by Wire, Radio, or Television
(13) 18:1030(a)(5)(A), 1030(c)(4)(B) – Fraud Activity Connected with Computers
(14-23) 18:1030(a)(2)(C), 1030(c)(2)(B)(i) – Fraud Activity Connected with Computers

From December 2009 to September 2011 [Redacted] and Hamza Bendelladj, AKA Bx1 conspired to … defraud financial institutions and individuals and obtain money and property from them by means of materially false and fraudulent pretenses, representations and promises, as well as omission of material facts, including moneys, funds, credits, assets, and other properties.

Botnets were defined and described, and SpyEye was described as having the capabilities to “facilitate the theft of confidential personal and financial information by numerous examples including a data grabber or keystroke logger, and at times by presenting a fake bank web page or portions of a bank web page to trick a user into entering personal information.

(The principal author of SpyEye is redacted in the published Indictment). Bx1 is listed as a co-conspirator who helped develop SpyEye components. The behavior of SpyEye is described in great detail, including the creation and deployment of particular Web Injects and how they behave.

Bx1 communicated through email, instant messaging programs, and web forums to discuss purchasing, updating, customizing, developing components for, and pricing SpyEye, as well as aspects of operating SpyEye components.

From at least February 21, 2011 through February 24, 2011 at least one of Bx1’s C&C servers were located in Atlanta, Georgia, distributing configs that targeted 253 unique financial institutions.

Counts 2 through 11 of the indictment trace particular infections that could be documented through the logs of the Atlanta-based server and which lead to confirmed financial losses of particular victims in California, North Carolina, New York, and Virginia.

Count 12 names particular websites used by Bx1 for his advertising, including the website where particular messages in January, June, July, and September 2010 are cited. The June issue discussed “Form Grabbing” while an update in September introduced the ability to scan all controlled bots for Credit Card credentials. In April 2011, the YouTube user “danielhb1988” called himself Bx1 and claimed to be selling SpyEye in a video advertised on that site. In July 2011, an undercover law enforcement officer purchased SpyEye from Bx1 for $8,500, receiving his purchased code from

Counts 14 through 23 document particular examples of the SpyEye server at, communicating with protected computers

The Atlanta Server

During the time period stated in the indictment, the IP address indicated was known to be distributing malware from the hostile URL (spaces added for safety):

www . 100myr . com / cp / bin / exe . exe

www . 100myr . com / cp / gate . php ? guid = (infected machine configuration report stuff here)

That server was hosted at Global Network Access ( in Atlanta.

The domain was registered January 20, 2011 on by

That same email address was used to register the domain ""