But BX1 was only one of the people behind SpyEye. Today the US Attorney in the Northern District of Georgia announced Cyber Criminal Pleads Guilty to Developing and Distributing Notorious SpyEye Malware referring to Aleksandr Andreevich Panin, AKA Gribodemon AKA Harderman, who has confessed to conspiring with BX1 (Hamza Bendelladj) to advertise, sell, and distribute SpyEye to at least 150 people who paid between $1000 and $8500 for their copy of SpyEye. The indictment used is actually the EXACT SAME INDICTMENT as what I shared with the BX1 case, with the exception that this time, nothing is blacked out pending future charges. Interesting BX1, the "co-conspirator" has plead NOT GUILTY. According to US Attorney Sally Quillian Yates, SpyEye was used to infect more than 1.4 million computers in the US and abroad. Yates has a message for Cyber criminals: "You cannot hide in the shadows of the Internet. We will find you and bring you to justice." Panin suffered the same fate as BX1. He traveled and got picked up crossing borders. For Bx1 the arrest was in Thailand. Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These "border crossing" arrests have led the Russian government to issue a rather strange travel advisory: "If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!" (See Russia Issues Travel Warning
The case was made possible with yet another truly International show of cooperation, including the UK's National Crime Agency, the Royal Thai Police, the Dutch National High Tech Crime Unit, the Dominican Republi's Departmento Nacional de Investigaciones (DNI), the Cybercrime Department of the State Agency for the National Security in Bulgaria, and the Australian Federal Police. On the private sector side, Trend Micro's Forward-Looking Threat Research (FTR) Team, Microsoft's Digital Crimes Unit, Mandiant, SecureWorks, Trusteer, and Underworld.no (a Norwegian Security Research Team) all made valuable contributions to the research and information sharing behind this case as well.
(Panin pictured above)
As an example of the types of support provided by the public sector, Microsoft investigators, working with the help of the greater security research community, provided in their affidavit's example chats, logs, forum posts, and addresses for John Doe 3, who they called Harderman and Gribodemon. Those hints include "Exhibit 5" which shows Harderman and Gribodemon claiming to be the author of SpyEye, Exhibit 13, an interview with Gribodemon where he claims to be the author, and several email and messaging addresses for Gribodemon, including:
shwark.power.andrew@gmail.com, johnlecun@gmail.com, gribodemon@pochta.ru, glazgo-update-notifier@gajim.org, and gribo-demon@jabber.ru.
Also in the Microsoft Exhibits are the proof that there was a discussion about merging Zeus and SpyEye (see Exhibits 14, 15, 16, 17, and 18.
Several of those forum posts are from the forum "OpenSC.ws" which was well known as a place for buying and selling trojans.
Exhibit 5 is actually a post from the Krebs on Security website called SpyEye v. ZeuS Rivalry Ends in Quiet Merger and includes this post from Harderman:
Good day!I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.
He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.
All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.
Thanks to everyone for [your] attention!
For a very approachable explanation of how Zeus and SpyEye work, I recommend the article The New Frontier for Zeus & SpyEye by Ryan Sherstobito (formerly with Panda Security) in the September 2011 issue of the ISSA Journal.
Panin (and Bendelladj) were charged with:
Conspiring to: (A) intentionally access a computer without authorization and exceeding authorization, and thereby obtain or attempt to obtain information from a protected computer, and the offense was committed for the purpose of private financial gain, in violation of Title 18, USC Sections 1030(a)(2)(C) and 1030 (C)(2)(B)(i);The indictment goes on to say that Panin joined a forum on the website www.darkode.com for the purpose of advertising the sale of SpyEye on January 10, 2010. On June 29, 2010, Panin advertised on that forum "SpyEye - this is a bank Trojan with form grabbing possibilities" (meaning it could steal the information from "web forms" such as what you enter data into when you interact with online banking. Beginning on July 6, 2010, Bendelladj, using the handle Bx1, commented that he was a client of Panin's and "vouched" for him. By September 16, 2010 Panin was advertising additional features, including the "cc grabber". Bendelladj began advertising SpyEye for sale in April 2011 on his YouTube account "danielhb1988. After selling the software to an undercover law enforcement officer for $8,500 and receiving payment, Panin uploaded the software on sendspace.com for the undercover agent to access.(B) knowingly and with intent to defraud access a protected computer without authorization and exceeding authorization, and by means of such conduct further the intended fraud and obtain things of value, in violation of Title 18, USC, Sections 1030(a)(4) and 1030(c)(3)(A); and
(C) knowingly cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage and attempt to cause damage without authorization to a protected computer, and the offense caused and would, if completed, have caused damage affecting 10 or more protected computers during a one-year period, in violation of Title 18, USC, Sections 1030(a)(5)(A) and 1030(c)(4)(B).
SpyEye has been stealing login credentials for bank accounts, credit cards, and FTP accounts since at least January of 2010, when one of the first mentions was listed in the NoVirusThanks Blog post "A new sophisticated botnamed SpyEye is on the market". An analysis of SpyEye performed on those very early samples by Jorge Mieres of Malware Intelligence (Sorry Jorge, the document link on your page is broken!) reveals a couple interesting details. For example, here is a network capture showing that the bot being analyzed is going to make a connection to SecureAntiBot.net.
Using DomainTools historical WHOIS information, we can see that the registrant for SecureAntiBot.net is Hilary Kneber! At about that time, Hilary Kneber was the most famous registrant of malware domains we knew of, and demonstrated the fact that a single criminal could CERTAINLY be using many bots. Check out the MalwareDomainList.com entries for Hilary Kneber:
| 2009/10/26 | subaruservice.cn | 59.125.229.78 | Zeus |
| 2009/11/01 | euoroliit.net | 202.39.17.50 | Zeus |
| 2009/11/17 | vkontalte.cn | 59.53.91.102 | exploit kit |
| 2009/11/01 | online-counter.cn | 115.100.250.113 | exploit kit panel |
| 2009/11/01 | ukliit.net | 210.51.166.42 | Zeus |
(A fuller list of 149 additional domains is available at the end of this article as Hilary Kneber Malware Domains)
One especially interesting Hilary Kneber attack was one that pretended to be a Christmas Card from the White House which was broadly disseminated to members of Government and the Military Intelligence apparatus. That version of Zeus, which this researcher also saw targeting government employees and exfiltrating stolen documents to Belarus, was so prominent that NetWitness dubbed the botnet "The Kneber Bot" and claimed that 75,000 computers in 2,500 companies had been used to exfiltrate out at least 75GB of data. (See Feb 2010 ComputerWorld article Over 75,000 systems compromised in cyberattack
S21 has a fantastic graphic on their blog that shows the Zeus Family Tree:
(Right-Click "view image" to see full graphic)
See the lavender line near the bottom that says "Source to Gribodemon?" Gribodemon is Panin. The origins of the SpyEye plugin are widely believed to have come from the original Zeus author announcing his retirement and passing all of the Zeus sourcecode to SpyEye and might have anticipated that the code would be used to improve SpyEye.
At that time, the biggest difference between Zeus and SpyEye was the price! While Zeus was being sold for $1000 per copy, SpyEye was only charging $500 and had all of the same features, including some nice features such as Root Kit features that prevented any usermode process from being able to see the file in Task Manager or being able to see any of the Registry Keys created by the bot.
The main feature that started the "battle of the bots" was the little check box below: "Kill Zeus"
If the "Kill Zeus" option was selected in the builder, the resulting exe file would search for an existing Zeus install on the newly infected SpyEye bot node and destroy it.
Brian Krebs documented the rising tensions between SpyEye and Zeus in his article SpyEye vs. Zeus Rivalry
Zeus, Gribodemon, and SpyEye
Zeus is widely acknowledged to have been produced by a hacker who calls himself "monstr".A screenshot of the Spy Eye control panel from November 8, 2011 is provided here, (Image from an analysis by Xylitol, who is credited with "cracking" SpyEye and thereby depriving Gribodemon of his revenue stream. Everyone thought that once SpyEye was cracked a "New & Improved" SpyEye would be released, but this really marked the fall of SpyEye.
IOActive also did a great analysis and reverse engineering report on SpyEye called Zeus SpyEye Banking Trojan Analysis that goes into great technical detail about how the malware injects itself into processes, avoids "API Hooking" traps and hides its own presence on the machine in a way that was much more advanced than Zeus.
On August 9, 2011, Xylitol released a report called Cracking SpyEye 1.3.x. Xylitol AKA Steven K. is/was a member of RED Team - the Reverse Engineer Dream Team. As a direct result of this crack, which allowed people to "unbrand" their purchased copy of SpyEye, the original creators and marketers of the tool were no longer necessary to establish an instance of SpyEye. While it briefly seemd that this would to a great surge in use, it actually killed the product.
In the RSA 2012 Cybercrime Trends Report the number one Trend predicted as 2012 began was "Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware". RSA reports that in Q1 of 2011 SpyEye accounted for 19% of all malware infections, but had dropped to 4% by Q3 of 2011. What happened? Refer back to the S21 Timeline. See the Black Line representing the theft of the Zeus Source Code? Now it didn't matter that SpyEye was cheaper than Zeus, because Zeus was suddenly FREE! Ice IX was the first Trojan that came out that took advantage of the leaked Zeus 2.0 code and began to show significant improvements. Free is good, but Free without a code innovator who knew how to make creative advances in his malware meant that the Free version of Zeus 2.0 was soon obsolete. Ice IX grew to 13% of the financial crimeware market by Q4 2011, according to RSA. It should be noted that the prices in the 2012 RSA report are much higher than the 2010 prices above. RSA says that the full version of SpyEye cost $4,000 compared to the Zeus cost of $10,000. The other big trend that RSA mentioned in this report was Trend #2: Cybercriminals will Find New Ways to Monetize Non-Financial Data -- including Access to victim computers, access to Utility bills, Medical Records, Email addresses, DOBs, and much more. Also worth noting that in the 2012 RSA Report, RSA was claiming that every MINUTE there were 232 computers somewhere in the world infected by malware. Norton's 2013 report puts that number at 18 per second or 1,080 per minute. If equivalent, that would mean an almost a 460% increase in malware infections from 2012 to 2013!
Soldier = a Major SpyEye Customer
SpyEye was sold, as we mentioned, to many hackers who each ran their own "instance" of the malware. Traffic Analysis was able to show via an embedded user agent string which malware samples were associated with which malware operators. There have been arrests in the past for people who were SpyEye OPERATORS, but until BX1 was arrested, no significant players were taken into custody.Perhaps the largest USER of SpyEye was a hacker named "Soldier" who was reported on by the Trend Micro team of Loucif Kharouni, Kevin Stevens, Nart Villeneuve, and Ivan Macalintal called "From Russia to Hollywood: Turning the Tables on a SpyEye Cybercrime Ring". Each SpyEye Builder has a GUID (Globally Unique Identifier) assigned to it at the time of the sale. In the Trend research paper, 23 Command & Control (C&C) Servers were identified as corresponding to SpyEye samples that had the GUID associated with Soldier. from April 19, 2011 to June 29, 2011, these C&C servers were visited from 82,999 unique IP addresses, and resulted in 25,394 systems being compromised. Of those, 23,739 were in the United States. The second most common country was the United Kingdom with only 86 compromised systems. Soldier's servers included credentials stolen from 1499 Chase customers, 770 Wells Fargo customers, and 1283 Bank of America customers. From the NON-Banking information, there were 21,819 Facebook accounts, 9,987 Yahoo! accounts, 8,078 Google accounts, and 4500 Live.com accounts.
Soldier also ran a significant Money Mule network, which recruited people through many fake job placements websites, including one called L&O. By identifying Mules and working through the Mule website, Trend researchers were able to determine the earnings per month laundered as part of the take by Soldier - more than $4.5 MILLION dollars in six months!
- November 2010 - $576,000
- December 2010 - $809,000
- January 2011 - $843,000
- February 2011 - $719,000
- March 2011 - $957,000
- April 2011 - $763,000
- May 2011 - $53,000
While it is not known if SOLDIER was brought to justice -- Bx1 may still turn out to BE "Soldier" -- that part is unclear at this time, other SpyEye operators were. One such group was arrested by the Metropolitan Police Central e-Crime Unit (PCeU). PCeU arrested Pavel Cyganok, from Lithuania, sentenced to five years for his role in stealing more than £100,000 and Ilja Zakrevski, his accomplice from Estonia who was sentenced to four years. The two worked with Aldis Krummins from Latvia who was only charged with Money Laundering and sentenced to two years. Charged under the UK's Computer Misuse Act, one of their servers hosted in the UK was shown to have been connected to and receiving data from at least 1,000 compromised computers around the world. In the PCeU's 2012 Report to Parliament this £100,000 figure for the SpyEye operators had to be compared to a single Organised Criminal Group that had been operating Zeus that had stolen more than $70 Million from the USA alone! But, just like in the US, crimes against victims in other countries aren't considered in the local jurisdiction. This loss volume was really hardly mentioned in the UK press. 285 UK Citizens were shown to have lost £2.66 million in just a single 90 day period from Zeus. (This was the case that was referred to by the FBI as "Operation Trident BreACH".) At that time, this researcher really was thinking of SpyEye in a similar way -- SpyEye £100,000 UK Pounds vs. Zeus at $70 Million US Dollars. But there were bigger SpyEye operators still to be identified.
So while we know have Aleksander Panin AKA Harderman AKA Gribodemon was the author of SpyEye, and we know that BX1 was the primary person in charge of marketing the malware to clients, much as "Magic" did for monstr on the Zeus side of the house. What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody. Beyond Soldier (still at large) and the Latvian/Estonian/Lithuanian trio above, we know that The claim is made that at least 150 different criminals bought a copy of SpyEye from BX1. Where are they, their botnets, and the money that they made from the victims they provided with Zeus and/or SpyEye by stealing banking information and selling personal information and documents to their clients?
Perhaps more of those individuals will be found among the John Does 1-39 listed in the Microsoft Lawsuits against Zeus actors. In the Zeus Lawsuit papers, including the Declaration of Mark Debenham (179 page PDF) Some of the named John Does include Monstr (the original Zeus author), Harderman and Gribodemon (both now known to be Panin, who Microsoft referred to as "John Doe 3") and 36 other individuals, many as yet unnamed, who may turn out to be Soldier or other SpyEye customers.
Great work! But we need to do the ADDITIONAL work of identifying and removing those underlings as well.
An aside on CyberCrime Reporting
The UK Parliament Science & Technology Committee report on Malware and Cyber Crime referenced above had many excellent parts, including some written by our friends at SOCA and Richard Clayton from Cambridge who argued for Parliament to implement a robust measuring system for gathering accurate statistics about cyber crime incidents. We suffer a similar fault in the US Justice System, where we rely on surveys and anecdotes about Cyber Crime rather than implementing Cyber Crime categories into the Unified Crime Report which implements a nation-wide set of definitions and reporting mechanisms for gathering stats on Criminal homicide, Forcible rape, Robbery, Aggravated assault, Burglary, Larceny-theft, Motor vehicle theft, and Arson, but does nothing to help us learn about White Collar and Cyber Crimes. This fault leaves us with the ability to very accurately state the improvements in dealing with certain types of crimes, for example showing a steady decline in murder from 9.5 murders per 100,000 citizens in 1993 to 4.7 murders per 100,000 citizens in 2012, or 41.1 rapes per 100,000 citizens in 1993 steadily declining to 26.9 rapes per 100,000 citizens in 2012. Yet we are left guessing that the the cost of Cyber Crime in the US is somewhere between $21 Billion per year and $1 Trillion per year.Quite a range, both in estimates and in methodologies. For example:
- the Ponemon Institute's Cost of Cyber Crime 2013 study estimated the cost of cybercrime in 60 benchmarked companies as being $11.6 million per year per company, with malware attacks being most prevalent, followed by DDOS. Ponemon also points out that the category of security spending with the greatest ROI is "Security Intelligence" and really offers a very interesting view of how to properly measure costs, consequences, and opportunities in cybercrime mitigation efforts.
- The 2012 Norton Cybercrime Report put the global cost of Cybercrime at $110 Billion per year, with $21 Billion of that cost being in the United States.
- I've previously blogged about another great report estimating Cyber Crime costs by the UK Government -- a study conducted by Detica for the Office of Cyber Security and Information Assurance. In my blog post, UK Government counts the Cost of Cybercrime I project that if the US Economy experienced cybercrime in the same ratio as the UK Economy, our cost would be $275 Billion per year.
- More details about the "Trillion Dollar Cost" of CyberCrime, a totally bogus number that is easy to find in the Congressional Record, can be found in another blog post where I once more praised the UK on their efforts to assign costs to Cybercrime, Sir Paul Speaks the Truth: Cyber Law Enforcement is a Good Investment in which Metropolitan Police chief Sir Paul Stephenson tells us "It has been estimated that for every £1 spent on the Virtual Task Force, it has prevented £21 in theft" which is a remarkable return on investment that I would hope to see us emulate in the United States!
Hilary Kneber Malware Domains
| 2009/10/30_08:22 | subaruservice.cn/75/svchost.exe | 59.125.229.79 | zeus v1 trojan, |
| 2009/11/01_15:15 | euroliit.net/zs/bot.exe | 202.39.17.50 | zeus v1 trojan, |
| 2009/11/17_13:33 | vkontalte.cn/y.exe | 59.53.91.102 | trojan LdPinch, |
| 2009/11/19_22:27 | online-counter.cn/stats/211/loadshow.php | 115.100.250.113 | trojan, |
| 2009/11/21_10:32 | ukliit.net/zs/cfg.bin | 210.51.166.42 | zeus v1 config file, |
| 2009/11/29_17:42 | indigozeus1.net/zs12/cfg.bin | 210.51.166.42 | zeus v1 config file, |
| 2009/12/03_09:25 | hsbc-trial.cn/zend/bot.exe | 210.51.166.42 | zeus v1 trojan, |
| 2009/12/06_14:58 | bizuklux.cn/img/baners/config.bin | 193.104.34.98 | zeus v1 config file, |
| 2009/12/15_16:19 | www.liagand.cn/img/la.gif | 61.235.117.71 | trojan, |
| 2009/12/16_12:26 | fakeroom.net/files/saw.avi | 91.213.126.112 | zeus v1 config file, |
| 2009/12/23_14:59 | realbossa.net/go-home.php | 115.100.250.113 | zeus v1 drop zone, |
| 2009/12/26_17:38 | www.simplyukjob.net/rty/ijkl/jb/lochos.exe | 125.46.60.222 | zeus v1 trojan, |
| 2009/12/27_16:57 | www.morsayniketamere.cn/baners/config.bin | 193.104.34.98 | zeus v1 config file, |
| 2009/12/28_10:04 | mydailymail.cn/dm763v/12/cfg.bin | 222.122.60.186 | zeus v1 config file, |
| 2009/12/29_19:44 | grizzli-counter.com/id120/index.php | 115.100.250.73 | redirects to exploits, |
| 2009/12/29_19:44 | tds-info.net/in.cgi?2 | 115.100.250.73 | redirects to exploits, |
| 2009/12/31_18:31 | kolordat482.com/sw0dn1W/j1h2kjh98bf2f6.bin | 200.63.46.134 | zeus v1 config file, |
| 2010/01/06_22:35 | yespacknet.org/yes/ | 91.206.201.14 | YES exploit kit, |
| 2010/01/10_18:52 | www.scriptwb.com/ysys/ | 217.23.10.19 | YES exploit kit, |
| 2010/01/16_07:02 | www.zevakaru1.com/dropper.exe | 91.212.198.137 | trojan dropper, |
| 2010/01/18_13:14 | morsayniketamere.cn/baners/config.bin | 193.104.34.98 | zeus v1 config file, |
| 2010/01/21_11:04 | qbxq16.com/~admin/cp/gate.php | 200.106.149.171 | zeus v1 drop zone, |
| 2010/01/23_11:33 | mega-counter.com/1tr.exe | 115.100.250.73 | trojan Chksyn, |
| 2010/01/26_19:38 | silence7.cn/777/ldx.exe | 95.169.186.103 | zeus v1 trojan, |
| 2010/01/27_10:26 | iuylqb.cn/nrl/bin/hsbc.bin | 124.109.3.135 | zeus v1 config file, |
| 2010/02/02_15:15 | klaikius.com/news/ | 222.122.60.186 | Liberty exploit kit, |
| 2010/02/04_09:22 | secureantibot.net/svc/Upload/index.php?b=b | 60.12.117.147 | YES exploit kit, |
| 2010/02/04_09:22 | www.secureantibot.net/bload/bt_version_checker.php?guid=MICHAEL%20ROACH!MICHAEL-F156CF7!1CD55C69&ver=10065&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=50&ccrc=97306034 | 60.12.117.147 | SpyEye C&C, |
| 2010/02/05_10:24 | winxpupdate.org/login/bb.php?v=200&id=554905388&b=7144277146&tm=3 | 200.63.44.192 | Oficla C&C, |
| 2010/02/05_18:04 | adobe-config-s3.net/win4/view.php | 85.17.144.78 | zeus v1 drop zone, |
| 2010/02/06_20:01 | shashacn.cn/setup.exe | 91.213.174.50 | trojan Chyup, |
| 2010/02/06_20:33 | geewong.org/xxx.exe | 193.104.34.98 | trojan, |
| 2010/02/07_09:50 | pidersii.net/zboard/config.bin | 122.225.117.147 | zeus v1 config file, |
| 2010/02/08_18:21 | adobe-login-s4.net/picks1/view.php | 85.17.144.78 | zeus v1 drop zone, |
| 2010/02/12_15:13 | navigate777.net/images999/con79.bin | 95.169.186.103 | zeus v1 config file, |
| 2010/02/12_15:13 | navigate777.net/images999/gtx79.php | 84.19.188.22 | zeus v1 drop zone, |
| 2010/02/19_18:04 | gogle-analiz.com/usa/index.php | 61.4.82.249 | Eleonore Exploits pack v1.3.2, |
| 2010/02/21_09:05 | steggba.com/geoip/geoip.html | 188.120.228.170 | zeus v1 config file, |
| 2010/02/21_09:05 | ikbalvockal.net/baners/akbar.bin | 193.104.34.98 | zeus v1 config file, |
| 2010/02/21_09:39 | nospamnet.com/zs/cfg.bin | 222.122.60.186 | zeus v1 config file, |
| 2010/02/21_13:07 | bayinsurance.cn/lodiri/gate.php?id=d0ea82ee | 193.104.34.98 | malware calls home, |
| 2010/02/21_15:42 | amzinas.com/news/index.php | 222.122.60.186 | Liberty exploit kit, |
| 2010/02/26_21:16 | bsttest.org/td/go.php?sid=3 | 193.104.34.98 | redirects to exploit kit, |
| 2010/02/26_21:16 | hmcompany.org/eli/index.php?s=fa4d607f6b0d4537e2f0de546fe9a48d | 193.104.34.98 | Eleonore Exploits pack v1.3.1, |
| 2010/02/28_20:29 | royalityfull.net/saq/gadaa.bin | 193.104.34.98 | zeus v1 config file, |
| 2010/03/03_10:59 | lipesnaskom.com/cgi-binn/kisme.bin | 95.143.192.245 | zeus v1 config file, |
| 2010/03/06_10:54 | www.greatuk.org/tt/cfg/config.bin | 193.104.22.100 | zeus v1 config file, |
| 2010/03/07_09:53 | greatuk.org/tt/cfg/config.bin | 193.104.22.100 | zeus v1 config file, |
| 2010/03/07_17:00 | fhjslk21.org/b/cfg275.bin | 61.61.20.134 | zeus v1 config file, |
| 2010/03/12_10:52 | www.securedz.com/files/cfg.ccc | 61.61.20.134 | zeus v1 config file, |
| 2010/03/14_00:01 | nudlkasnuls.com/gizgiz/kuds.bin | 69.50.217.210 | zeus v1 config file, |
| 2010/03/14_09:45 | securedz.com/files/cfg.bin | 61.61.20.134 | zeus v1 config file, |
| 2010/03/15_20:05 | www.gogle-analiz.com/de/ | 61.4.82.249 | Eleonore Exploits pack v1.3.2, |
| 2010/03/16_19:38 | klaipedetis.com/news/show.php | 222.122.60.186 | Liberty exploit kit, |
| 2010/03/17_07:23 | nudlkasnuls.com/gizgiz/ue.exe | 76.76.101.78 | zeus v1 trojan, |
| 2010/03/19_11:41 | xbasex.com/microsoft/updateold.php?upd=7&i=0628 | 109.196.134.53 | malware calls home, |
| 2010/03/21_10:32 | www.azzssdd935.com/zs/cofag56.bin | 61.61.20.134 | zeus v1 config file, |
| 2010/03/21_10:37 | napiwis54353.com/zs/cofag56.bin | 109.196.143.56 | zeus v1 config file, |
| 2010/03/21_11:35 | zedexstore.com | 61.61.20.133 | money mule recruitment, |
| 2010/04/10_10:35 | enoraup.com/index.php | 91.209.238.4 | Eleonore Exploits pack v1.3.2, |
| 2010/04/12_12:03 | bananajuice21.net/b/cfg375.bin | 109.196.143.56 | zeus v1 config file, |
| 2010/04/15_21:27 | cruelstar.com/pic727/movie.bin | 84.19.188.22 | zeus v1 config file, |
| 2010/04/16_10:45 | zalipuka.com/gogo/man.bin | 61.4.82.247 | zeus v1 config file, |
| 2010/04/16_16:03 | yahoo-statistic.com/js/default.html | 109.196.143.56 | redirects to exploits, |
| 2010/04/27_07:24 | nuaoezum.com.tw/rewrite/index.php | 95.143.192.142 | Phoenix exploit kit, |
| 2010/04/27_07:24 | besysupu.com.tw/lea/add.php | 178.17.162.230 | trojan Bebloh calls home, |
| 2010/04/27_07:24 | ryxehaty.com/lea/add.php | 178.17.162.230 | trojan Bebloh calls home, |
| 2010/04/28_22:48 | controbass.org/el/ | 194.54.158.52 | Eleonore Exploits pack, |
| 2010/05/07_16:32 | bubendockader.com/gd/aa.exe | 69.50.217.91 | zeus v1 trojan, |
| 2010/05/07_16:49 | indesignstudioinfo.com/ls.php | 109.196.143.56 | directs to fake av, |
| 2010/05/08_08:27 | easytest4us.com.tw/tbn2566/confag56.bin | 61.61.20.133 | zeus v1 config file, |
| 2010/05/09_10:06 | pnp2biz.com.tw/tbn2566/confag56.bin | 109.196.143.60 | zeus v1 config file, |
| 2010/05/11_20:06 | karissmikksa.com/index.php | 109.196.134.38 | Phoenix exploit kit, |
| 2010/05/12_08:17 | fhjslk21.com.tw/75/e.php | 195.5.161.208 | zeus v1 drop zone, |
| 2010/05/12_12:27 | holasionweb.com/oo.php | 188.165.200.96 | directs to fake av, |
| 2010/05/27_19:44 | 0101010101010101010101010101crypt01script.com/23/ | 188.40.232.252 | exploit pack (new Eleonore ?), |
| 2010/05/29_19:46 | registr3red.com/priv/index.php | 193.105.207.108 | Phoenix exploit kit, |
| 2010/06/03_21:16 | wfrtube.net/fff/z2.nrg | 195.78.109.210 | zeus v2 config file, |
| 2010/06/20_17:55 | volgo-marun.cn/pek/index.php | 91.212.226.133 | Phoenix exploit kit, |
| 2010/06/23_06:29 | hikmesanbukais.com/hdsr/dst/lob.php | 76.76.101.70 | malware calls home, |
| 2010/06/27_08:33 | google-diric.com/web/file.php | 202.190.179.9 | zeus v1 drop zone, |
| 2010/06/28_08:59 | caravelavelaja.com/nice/vive/server.php | 210.90.91.124 | zeus v1 drop zone, |
| 2010/07/08_20:27 | update-java.com/src/ie82.chm | 195.206.246.250 | zeus v2 config file, |
| 2010/07/10_12:14 | lyuboidomen.net/src/footer.jpg | 61.61.20.136 | zeus v2 config file, |
| 2010/07/13_18:03 | baragas-budd3.com/pek/index.php | 59.53.91.187 | Phoenix exploit kit, |
| 2010/07/18_11:20 | www.barabudd333.com/pek/index.php | 195.158.244.53 | Phoenix exploit kit, |
| 2010/07/25_08:55 | werrrcorp.com:81/hhhjj/biin/ju.exe | 122.225.37.88 | zeus v1 trojan, |
| 2010/07/27_15:03 | adobeactivation.net/confx/cgi.bin | 109.196.134.43 | zeus v1 config file, |
| 2010/07/28_07:03 | update-java3.com/src/update2.set | 195.206.246.250 | zeus v2 config file, |
| 2010/07/28_07:59 | joystream.com.tw/stable/gate.php?id=a3816d8b | 124.228.10.22 | malware calls homr, |
| 2010/08/03_14:27 | intercullertdi50.net/pek/index.php | 194.79.250.38 | Phoenix exploit kit, |
| 2010/08/06_18:30 | update-java4.com/src/update2.set | 195.206.246.250 | zeus v2 config file, |
| 2010/08/14_21:12 | allgoogl.com/googleall/files/bobbystellar.jar | 91.212.198.216 | java exploit, belongs to SEO Sploit pack, |
| 2010/08/15_17:19 | suffolkworksuk.org/e7a9cc67e5c82e07031c8413bef78431/gameup.exe | 194.79.250.24 | zeus v1 trojan, |
| 2010/08/17_18:21 | heskdo44se.com/hel/index.php | 81.176.236.148 | Phoenix exploit kit, |
| 2010/08/20_15:05 | olandik.net/update-config.bin | 41.140.165.19 | zeus v1 config file, |
| 2010/08/20_15:05 | olandik.net/load.exe | 84.110.117.84 | zeus v1 trojan, |
| 2010/08/20_15:05 | olandik.net/update-gate.php | 221.10.252.223 | zeus v1 config file, |
| 2010/08/24_06:30 | sippa.dottasink.net/music/indi.php | 193.186.9.43 | redirects to fake av, |
| 2010/08/28_09:16 | dsgfopllllc.com/tinkerminilo/ilonim.bin | 193.104.34.69 | zeus v1 config file, |
| 2010/08/28_09:16 | www.opllllc.com/zebradance/mpj.bin | 193.104.34.69 | zeus v1 config file, |
| 2010/08/28_09:38 | kosmoukmanages.org/dcc/secure.bin | 194.79.250.24 | zeus v1 config file, |
| 2010/09/02_11:29 | freehost21.tw/b/cfg375.bin | 109.196.143.60 | zeus v1 config file, |
| 2010/09/05_18:36 | busderaskon.com/nek/index.php | 81.176.236.148 | Phoenix exploit kit, |
| 2010/09/07_13:51 | nocireho.com/nepm/index.php | 69.50.197.115 | Phoenix exploit kit, |
| 2010/09/08_19:14 | husderma3.com/ds/index.php | 81.176.236.148 | Phoenix exploit kit, |
| 2010/09/09_19:49 | kiselmadku.com/hd/index.php | 81.176.236.148 | Phoenix exploit kit, |
| 2010/09/12_13:21 | pnp2biztracker.com.tw/bin/allis.js | 194.79.250.57 | zeus v2 config file, |
| 2010/09/13_07:58 | alabayss.com:81/hhhjj/biin/uj.bin | 122.225.37.88 | zeus v1 config file, |
| 2010/09/15_20:11 | popunder777.com/pek/index.php | 194.79.250.38 | Phoenix exploit kit, |
| 2010/09/17_16:36 | elecaedu777.com/pek/index.php | 194.79.250.38 | Phoenix exploit kit, |
| 2010/09/18_09:03 | myblindstudioinfoonline.com/ll.php | 77.78.239.53 | redirects to fake av, |
| 2010/09/22_19:26 | postbbnk.com/puk/index.php | 81.176.236.109 | Phoenix exploit kit, |
| 2010/09/23_09:06 | wearechampions2010.com/facka/index.php | 193.105.207.124 | Phoenix exploit kit, |
| 2010/09/23_18:15 | zambiatodes.com/pek/index.php | 194.79.250.38 | Phoenix exploit kit, |
| 2010/09/27_09:06 | miraxgroupmirax.com/random3/gate.php | 195.206.246.85 | zeus v2 drop zone, |
| 2010/09/29_10:25 | www.lipezkusjka.com/g/index.php | 81.176.236.109 | Phoenix exploit kit, |
| 2010/10/03_09:44 | miraxgroupmirax.com/random4/tornado.jpg | 193.201.192.83 | zeus v2 config file, |
| 2010/10/04_12:01 | biztracker24.com.tw/biz2zs/ttss.exe | 194.79.250.54 | zeus v2 trojan, |
| 2010/10/05_20:33 | meqashopperinfo.com/js.php | 193.186.9.43 | redirects to fake av, |
| 2010/10/06_07:08 | khdjkuj783623.net/vww/bzjpdlhnimxmin7.pdf | 193.23.126.4 | pdf exploit, |
| 2010/10/11_06:25 | supergoldbiz.net/c | 195.3.145.42 | zeus v1 config file, |
| 2010/10/11_15:50 | ztxspace.com/zmb/index.php | 85.234.190.22 | Zombie exploitation kit, |
| 2010/10/17_20:41 | wireks.org/NUrovj48Gd/1iF645ji/ks.exe | 193.27.232.65 | zeus v1 trojan, |
| 2010/10/18_17:49 | lernundsnej.com/a/k.exe | 81.176.236.109 | zeus v2 trojan, |
| 2010/10/18_17:49 | wekemenal.com/b/n.exe | 81.176.236.109 | zeus v2 trojan, |
| 2010/10/24_13:05 | muskelmirna.com/nb/azkvxnau.php | 77.78.240.81 | Phoenix exploit kit, |
| 2010/11/02_14:17 | vwbombatry.com/sp/gate.php?guid=User!SANDBOX0!D06F0742&ver=10292&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=0&ccrc=2FF9BCEC&md5=43be8f760d464ed805e32a86dc1f21de | 91.204.48.98 | SpyEye C&C, |
| 2010/11/09_09:32 | wekemenal.com/g/g.exe | 77.78.240.81 | zeus v2 trojan, |
| 2010/11/10_19:05 | stylebite22.com/pek/kudlhpdzcl.php | 91.207.182.64 | Phoenix exploit kit, |
| 2010/11/12_18:17 | tuwubino.com/test.php?tp=b9ec113ef7347bd8 | 204.12.228.234 | exploit kit, |
| 2010/11/15_08:33 | noski5.com/zus/bot.exe | 91.212.124.35 | zeus v1 trojan, |
| 2010/11/15_18:18 | rightdeal77.net/pek/brfvjmkqemcobojoask.php | 109.196.134.41 | Phoenix exploit kit, |
| 2010/11/20_07:03 | bbdeals22.net/pek/xuiqdwcweljsfoamdmcr.php | 91.207.182.64 | Phoenix exploit kit, |
| 2010/11/26_18:46 | bbdeals33.com/pek/aqjlisyzepyocmd.php | 91.207.182.64 | Phoenix exploit kit, |
| 2010/12/03_17:17 | onlinediller22.net/pek/fzdpxpfqfvaqisxrysf9.php | 91.207.182.64 | Phoenix exploit kit, |
| 2010/12/23_11:10 | dfi-university.com/images/gif/3/_tmp/003/tmp/gate7489.php | 193.178.172.88 | zeus v2 drop zone, |
| 2010/12/25_12:36 | bombino777.com/1/hrftxsbsftyv.php | 91.207.182.64 | Phoenix exploit kit, |
| 2010/12/25_12:36 | bizzproffi.com/adm/controller.php?action=bot&entity_list=&first=1&rnd=916762&uid=1&guid=4723841 | 91.207.182.64 | Bredolab C&C, |
| 2010/12/27_13:21 | geopozitiv.com/mell/ctjnbti.php | 204.12.228.238 | Phoenix exploit kit, |
| 2010/12/27_13:21 | botevabe.com/mell/auy.php?i=2 | 204.12.228.235 | trojan, |
| 2011/01/06_19:59 | www.ergvb433s.com/asdewq/biiin/uj.bin | 194.63.144.98 | zeus v2 config file, |
| 2011/01/10_20:46 | stayfreeatall.com/TrustedWithSign/ownresponse.dat | 194.63.144.56 | zeus v2 config file, |
| 2011/01/13_18:56 | www.automauto.com/thfhc/biiin/uj.bin | 91.200.188.99 | zeus v2 config file, |
| 2011/01/14_18:02 | mb53juu347d.com/durnr/hee3.bin | 173.208.154.30 | zeus v2 config file, |
| 2011/01/15_17:06 | niancene.com/images/ghj.php?i=2 | 62.122.73.53 | fake av, |
| 2011/01/15_20:06 | fullenergyfilled.com/StillMovingOn/keepGoingForward.php | 91.200.188.55 | zeus v2 drop zone, |
| 2011/01/16_16:29 | bigthiscase.net/ara/gate.php | 91.204.48.98 | SpyEye C&C, |
| 2011/02/20_15:25 | security-force.net/asd/cgi.bin | 222.88.205.209 | zeus v2 config file, |
Posts
Great blog post! I like your take on the cracked version of SpyEye actually speeding up its demise.
ReplyDelete