Wednesday, January 29, 2014

More SpyEye Guilty Pleas

Long-time readers of this blog may remember our post in May 2013 called SpyEye Botherder BX1 - Welcome to Georgia! where we shared a timeline of the case against BX1, including the indictment filed in 2011, the Microsoft, FS-ISAC, and NACHA lawsuits in 2012, the report of BX1's arrest in January 2013, and his appearance in federal court in the Northern District of Georgia in Atlanta.

But BX1 was only one of the people behind SpyEye. Today the US Attorney in the Northern District of Georgia announced Cyber Criminal Pleads Guilty to Developing and Distributing Notorious SpyEye Malware, referring to Aleksandr Andreevich Panin, AKA Gribodemon AKA Harderman, who has confessed to conspiring with BX1 (Hamza Bendelladj) to advertise, sell, and distribute SpyEye to at least 150 people who paid between $1000 and $8500 for their copy of SpyEye. The indictment used is actually the EXACT SAME INDICTMENT as what I shared with the BX1 case, with the exception that this time nothing is blacked out pending future charges. Interestingly, BX1, the "co-conspirator", has pleaded NOT GUILTY.

According to US Attorney Sally Quillian Yates, SpyEye was used to infect more than 1.4 million computers in the US and abroad. Yates has a message for cyber criminals: "You cannot hide in the shadows of the Internet. We will find you and bring you to justice."

Panin suffered the same fate as BX1: he traveled and got picked up crossing borders. For BX1 the arrest was in Thailand. Although an Algerian native, BX1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These "border crossing" arrests have led the Russian government to issue a rather strange travel advisory: "If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!" (See Russia Issues Travel Warning.)

The case was made possible with yet another truly international show of cooperation, including the UK's National Crime Agency, the Royal Thai Police, the Dutch National High Tech Crime Unit, the Dominican Republic's Departamento Nacional de Investigaciones (DNI), the Cybercrime Department of the State Agency for the National Security in Bulgaria, and the Australian Federal Police. On the private sector side, Trend Micro's Forward-Looking Threat Research (FTR) Team, Microsoft's Digital Crimes Unit, Mandiant, SecureWorks, Trusteer, and Underworld.no (a Norwegian security research team) all made valuable contributions to the research and information sharing behind this case as well.

(Panin pictured above)

As an example of the types of support provided by the public sector, Microsoft investigators, working with the help of the greater security research community, provided in their affidavits example chats, logs, forum posts, and addresses for John Doe 3, whom they called Harderman and Gribodemon. Those hints include "Exhibit 5", which shows Harderman and Gribodemon claiming to be the author of SpyEye; Exhibit 13, an interview with Gribodemon where he claims to be the author; and several email and messaging addresses for Gribodemon, including:

shwark.power.andrew@gmail.com, johnlecun@gmail.com, gribodemon@pochta.ru, glazgo-update-notifier@gajim.org, and gribo-demon@jabber.ru.

Also in the Microsoft Exhibits is the proof that there was a discussion about merging Zeus and SpyEye (see Exhibits 14, 15, 16, 17, and 18).

Several of those forum posts are from the forum "OpenSC.ws" which was well known as a place for buying and selling trojans.

Exhibit 5 is actually a post from the Krebs on Security website called SpyEye v. ZeuS Rivalry Ends in Quiet Merger and includes this post from Harderman:

Good day!

I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.

He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.

All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.

Thanks to everyone for [your] attention!

For a very approachable explanation of how Zeus and SpyEye work, I recommend the article The New Frontier for Zeus & SpyEye by Ryan Sherstobitoff (formerly with Panda Security) in the September 2011 issue of the ISSA Journal.

Panin (and Bendelladj) were charged with:

Conspiring to: (A) intentionally access a computer without authorization and exceeding authorization, and thereby obtain or attempt to obtain information from a protected computer, and the offense was committed for the purpose of private financial gain, in violation of Title 18, USC, Sections 1030(a)(2)(C) and 1030(c)(2)(B)(i);

(B) knowingly and with intent to defraud access a protected computer without authorization and exceeding authorization, and by means of such conduct further the intended fraud and obtain things of value, in violation of Title 18, USC, Sections 1030(a)(4) and 1030(c)(3)(A); and

(C) knowingly cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage and attempt to cause damage without authorization to a protected computer, and the offense caused and would, if completed, have caused damage affecting 10 or more protected computers during a one-year period, in violation of Title 18, USC, Sections 1030(a)(5)(A) and 1030(c)(4)(B).

The indictment goes on to say that Panin joined a forum on the website www.darkode.com for the purpose of advertising the sale of SpyEye on January 10, 2010. On June 29, 2010, Panin advertised on that forum "SpyEye - this is a bank Trojan with form grabbing possibilities" (meaning it could steal the information entered into "web forms", such as the forms you fill in when you interact with online banking). Beginning on July 6, 2010, Bendelladj, using the handle Bx1, commented that he was a client of Panin's and "vouched" for him. By September 16, 2010 Panin was advertising additional features, including the "cc grabber". Bendelladj began advertising SpyEye for sale in April 2011 on his YouTube account "danielhb1988". After selling the software to an undercover law enforcement officer for $8,500 and receiving payment, Panin uploaded the software to sendspace.com for the undercover agent to access.

SpyEye has been stealing login credentials for bank accounts, credit cards, and FTP accounts since at least January of 2010, when one of the first mentions was the NoVirusThanks Blog post "A new sophisticated bot named SpyEye is on the market". An analysis of those very early SpyEye samples by Jorge Mieres of Malware Intelligence (Sorry Jorge, the document link on your page is broken!) reveals a couple of interesting details. For example, here is a network capture showing that the bot being analyzed is going to make a connection to SecureAntiBot.net.

Using DomainTools historical WHOIS information, we can see that the registrant for SecureAntiBot.net is Hilary Kneber! At about that time, Hilary Kneber was the most famous registrant of malware domains we knew of, and demonstrated the fact that a single criminal could CERTAINLY be using many bots. Check out the MalwareDomainList.com entries for Hilary Kneber:

Date        Domain               IP               Type
2009/10/26  subaruservice.cn     59.125.229.78    Zeus
2009/11/01  euoroliit.net        202.39.17.50     Zeus
2009/11/17  vkontalte.cn         59.53.91.102     exploit kit
2009/11/01  online-counter.cn    115.100.250.113  exploit kit panel
2009/11/01  ukliit.net           210.51.166.42    Zeus

(A fuller list of 149 additional domains is available at the end of this article as Hilary Kneber Malware Domains)

One especially interesting Hilary Kneber attack pretended to be a Christmas Card from the White House and was broadly disseminated to members of Government and the Military Intelligence apparatus. That version of Zeus, which this researcher also saw targeting government employees and exfiltrating stolen documents to Belarus, was so prominent that NetWitness dubbed the botnet "The Kneber Bot" and claimed that 75,000 computers in 2,500 companies had been used to exfiltrate at least 75GB of data. (See the Feb 2010 ComputerWorld article Over 75,000 systems compromised in cyberattack.)

S21 has a fantastic graphic on their blog that shows the Zeus Family Tree:

See the lavender line near the bottom that says "Source to Gribodemon?" Gribodemon is Panin. The origins of the SpyEye plugin are widely believed to lie in the original Zeus author announcing his retirement and passing all of the Zeus source code to SpyEye's author, presumably anticipating that the code would be used to improve SpyEye.

At that time, the biggest difference between Zeus and SpyEye was the price! While Zeus was being sold for $1000 per copy, SpyEye was only charging $500 and had all of the same features, plus some nice extras such as rootkit functionality that prevented any usermode process from seeing the bot's file in Task Manager or any of the Registry keys created by the bot.

The main feature that started the "battle of the bots" was the little check box below: "Kill Zeus"

If the "Kill Zeus" option was selected in the builder, the resulting exe file would search for an existing Zeus install on the newly infected SpyEye bot node and destroy it.

Brian Krebs documented the rising tensions between SpyEye and Zeus in his article SpyEye vs. Zeus Rivalry.

Zeus, Gribodemon, and SpyEye

Zeus is widely acknowledged to have been produced by a hacker who calls himself "monstr".

A screenshot of the SpyEye control panel from November 8, 2011 is provided here (image from an analysis by Xylitol, who is credited with "cracking" SpyEye and thereby depriving Gribodemon of his revenue stream). Everyone thought that once SpyEye was cracked a "New & Improved" SpyEye would be released, but this really marked the fall of SpyEye.

IOActive also did a great analysis and reverse engineering report on SpyEye called Zeus SpyEye Banking Trojan Analysis that goes into great technical detail about how the malware injects itself into processes, avoids "API Hooking" traps and hides its own presence on the machine in a way that was much more advanced than Zeus.

On August 9, 2011, Xylitol released a report called Cracking SpyEye 1.3.x. Xylitol, AKA Steven K., is/was a member of RED Team, the Reverse Engineer Dream Team. As a direct result of this crack, which allowed people to "unbrand" their purchased copy of SpyEye, the original creators and marketers of the tool were no longer necessary to establish an instance of SpyEye. While it briefly seemed that this would lead to a great surge in use, it actually killed the product.

In the RSA 2012 Cybercrime Trends Report the number one Trend predicted as 2012 began was "Trojan Wars Continue, but Zeus will Prevail as the Top Financial Malware". RSA reports that in Q1 of 2011 SpyEye accounted for 19% of all malware infections, but had dropped to 4% by Q3 of 2011. What happened? Refer back to the S21 Timeline. See the Black Line representing the theft of the Zeus Source Code? Now it didn't matter that SpyEye was cheaper than Zeus, because Zeus was suddenly FREE! Ice IX was the first Trojan that came out that took advantage of the leaked Zeus 2.0 code and began to show significant improvements. Free is good, but Free without a code innovator who knew how to make creative advances in his malware meant that the Free version of Zeus 2.0 was soon obsolete. Ice IX grew to 13% of the financial crimeware market by Q4 2011, according to RSA.

It should be noted that the prices in the 2012 RSA report are much higher than the 2010 prices above. RSA says that the full version of SpyEye cost $4,000 compared to the Zeus cost of $10,000. The other big trend that RSA mentioned in this report was Trend #2: Cybercriminals will Find New Ways to Monetize Non-Financial Data, including access to victim computers, access to utility bills, medical records, email addresses, DOBs, and much more.

Also worth noting: in the 2012 RSA Report, RSA was claiming that every MINUTE there were 232 computers somewhere in the world infected by malware. Norton's 2013 report puts that number at 18 per second, or 1,080 per minute. If equivalent, that would mean almost a 460% increase in malware infections from 2012 to 2013!

Soldier = a Major SpyEye Customer

SpyEye was sold, as we mentioned, to many hackers who each ran their own "instance" of the malware. Traffic analysis was able to show, via an embedded user agent string, which malware samples were associated with which malware operators. There have been arrests in the past of people who were SpyEye OPERATORS, but until BX1 was arrested, no significant players were taken into custody.

Perhaps the largest USER of SpyEye was a hacker named "Soldier", who was reported on by the Trend Micro team of Loucif Kharouni, Kevin Stevens, Nart Villeneuve, and Ivan Macalintal in the paper "From Russia to Hollywood: Turning the Tables on a SpyEye Cybercrime Ring". Each SpyEye Builder has a GUID (Globally Unique Identifier) assigned to it at the time of the sale. In the Trend research paper, 23 Command & Control (C&C) Servers were identified as corresponding to SpyEye samples that had the GUID associated with Soldier. From April 19, 2011 to June 29, 2011, these C&C servers were visited from 82,999 unique IP addresses, and resulted in 25,394 systems being compromised. Of those, 23,739 were in the United States. The second most common country was the United Kingdom with only 86 compromised systems. Soldier's servers included credentials stolen from 1499 Chase customers, 770 Wells Fargo customers, and 1283 Bank of America customers. From the NON-Banking information, there were 21,819 Facebook accounts, 9,987 Yahoo! accounts, 8,078 Google accounts, and 4500 Live.com accounts.
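Finding the infected hosts behind an operator's C&C servers starts with recognising the bot's check-in traffic. As an added example (not from the original post, Trend Micro, or any other party named here), the Python below flags SpyEye check-in beacons in a web proxy log using the query parameters SpyEye bots sent to their gate scripts (guid, ver, stat, ie, os, ut, cpu, ccrc) and then groups the hits by C&C host and bot build so each instance can be triaged separately. The log format, the `.invalid` hostnames, client IPs and the md5 value are constructed, and reading the guid as user!hostname!id is an assumption.

```python
"""Flag SpyEye-style C&C check-in beacons in a web proxy log and group them
by C&C host and bot build, so that each SpyEye instance can be triaged
separately. Added example; not code from the original post."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter set a SpyEye bot reports when it checks in. `md5` is present on
# some builds only, so it is treated as optional.
REQUIRED_PARAMS = {"guid", "ver", "stat", "ie", "os", "ut", "cpu", "ccrc"}

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
# The .invalid hosts, client IPs and the md5 value are made up for this example.
SAMPLE_PROXY_LOG = """\
2011-01-16T16:29:01Z 10.1.4.22 GET http://cc-a.invalid/ara/gate.php?guid=User!SANDBOX0!D06F0742&ver=10292&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=0&ccrc=2FF9BCEC&md5=0123456789abcdef0123456789abcdef 200
2011-01-16T16:29:03Z 10.1.4.22 GET http://www.example.com/index.html 200
2011-01-16T16:30:12Z 10.1.7.9 GET http://cc-b.invalid/bload/bt_version_checker.php?guid=JANE%20DOE!JANE-PC!1CD55C69&ver=10065&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=50&ccrc=97306034 200
2011-01-16T16:31:40Z 10.1.9.3 GET http://stats.example.net/track.php?guid=abc&ver=2 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_beacon(url):
    """Return the bot's reported fields if `url` carries the full SpyEye
    check-in parameter set, otherwise None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    if not REQUIRED_PARAMS <= set(qs):
        return None
    # The guid is three '!'-separated fields. Reading them as
    # user!hostname!id is this example's assumption, not documented above.
    fields = qs["guid"][0].split("!")
    if len(fields) != 3:
        return None
    user, host, bot_id = fields
    return {
        "c2_host": parts.hostname,
        "gate": parts.path,
        "user": user,
        "host": host,
        "bot_id": bot_id,
        "ver": qs["ver"][0],
        "os": qs["os"][0],
        "ie": qs["ie"][0],
        "md5": qs.get("md5", [None])[0],
    }


def scan_proxy_log(text):
    """Return one record per log line that looks like a SpyEye check-in."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, _method, url, _status = m.groups()
        beacon = parse_beacon(url)
        if beacon is not None:
            beacon.update(ts=ts, client=client)
            hits.append(beacon)
    return hits


def group_by_instance(hits):
    """Map (C&C host, bot build) -> sorted list of infected client IPs.
    The beacon's guid identifies the infected host (it embeds the hostname),
    not the builder, so gate host plus build is used here as a first-cut
    heuristic for "same SpyEye instance"."""
    groups = {}
    for h in hits:
        groups.setdefault((h["c2_host"], h["ver"]), set()).add(h["client"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f'{h["client"]} -> {h["c2_host"]}{h["gate"]} '
              f'ver={h["ver"]} host={h["host"]} user={h["user"]}')
    print(group_by_instance(found))
```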

Soldier also ran a significant Money Mule network, which recruited people through many fake job placements websites, including one called L&O. By identifying Mules and working through the Mule website, Trend researchers were able to determine the earnings per month laundered as part of the take by Soldier - more than $4.5 MILLION dollars in six months!

  • November 2010 - $576,000
  • December 2010 - $809,000
  • January 2011 - $843,000
  • February 2011 - $719,000
  • March 2011 - $957,000
  • April 2011 - $763,000
  • May 2011 - $53,000

According to the Trend report, Soldier worked with two other cut outs, Viatcheslav, who lived in West Hollywood, California (or at least banked there) and Gabriella, who banked in Los Angeles.

While it is not known whether SOLDIER was brought to justice (Bx1 may still turn out to BE "Soldier", but that part is unclear at this time), other SpyEye operators were. One such group was arrested by the Metropolitan Police Central e-Crime Unit (PCeU). PCeU arrested Pavel Cyganok, from Lithuania, who was sentenced to five years for his role in stealing more than £100,000, and Ilja Zakrevski, his accomplice from Estonia, who was sentenced to four years. The two worked with Aldis Krummins from Latvia, who was only charged with Money Laundering and sentenced to two years. Charged under the UK's Computer Misuse Act, one of their servers hosted in the UK was shown to have been connected to and receiving data from at least 1,000 compromised computers around the world. In the PCeU's 2012 Report to Parliament this £100,000 figure for the SpyEye operators had to be compared to a single Organised Criminal Group that had been operating Zeus and had stolen more than $70 Million from the USA alone! But, just like in the US, crimes against victims in other countries aren't considered in the local jurisdiction. This loss volume was hardly mentioned in the UK press. 285 UK Citizens were shown to have lost £2.66 million in just a single 90 day period from Zeus. (This was the case that was referred to by the FBI as "Operation Trident Breach".) At that time, this researcher really was thinking of SpyEye in a similar way: SpyEye at £100,000 UK Pounds vs. Zeus at $70 Million US Dollars. But there were bigger SpyEye operators still to be identified.

So while we now know that Aleksandr Panin AKA Harderman AKA Gribodemon was the author of SpyEye, and we know that BX1 was the primary person in charge of marketing the malware to clients, much as "Magic" did for monstr on the Zeus side of the house, what we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody. Beyond Soldier (still at large) and the Latvian/Estonian/Lithuanian trio above, we know only that the claim is made that at least 150 different criminals bought a copy of SpyEye from BX1. Where are they, their botnets, and the money that they made from the victims they provided with Zeus and/or SpyEye by stealing banking information and selling personal information and documents to their clients?

Perhaps more of those individuals will be found among the John Does 1-39 listed in the Microsoft lawsuits against Zeus actors. In the Zeus lawsuit papers, including the Declaration of Mark Debenham (179 page PDF), some of the named John Does include Monstr (the original Zeus author), Harderman and Gribodemon (both now known to be Panin, whom Microsoft referred to as "John Doe 3") and 36 other individuals, many as yet unnamed, who may turn out to be Soldier or other SpyEye customers.

Great work! But we need to do the ADDITIONAL work of identifying and removing those underlings as well.

An aside on CyberCrime Reporting

The UK Parliament Science & Technology Committee report on Malware and Cyber Crime referenced above had many excellent parts, including some written by our friends at SOCA and Richard Clayton from Cambridge, who argued for Parliament to implement a robust measuring system for gathering accurate statistics about cyber crime incidents. We suffer a similar fault in the US Justice System, where we rely on surveys and anecdotes about Cyber Crime rather than adding Cyber Crime categories to the Uniform Crime Report, which implements a nation-wide set of definitions and reporting mechanisms for gathering stats on Criminal homicide, Forcible rape, Robbery, Aggravated assault, Burglary, Larceny-theft, Motor vehicle theft, and Arson, but does nothing to help us learn about White Collar and Cyber Crimes. This fault leaves us with the ability to very accurately state the improvements in dealing with certain types of crimes, for example showing a steady decline in murder from 9.5 murders per 100,000 citizens in 1993 to 4.7 murders per 100,000 citizens in 2012, or 41.1 rapes per 100,000 citizens in 1993 steadily declining to 26.9 rapes per 100,000 citizens in 2012. Yet we are left guessing that the cost of Cyber Crime in the US is somewhere between $21 Billion per year and $1 Trillion per year.

Quite a range, both in estimates and in methodologies. For example:

  • The Ponemon Institute's Cost of Cyber Crime 2013 study estimated the cost of cybercrime in 60 benchmarked companies as being $11.6 million per year per company, with malware attacks being most prevalent, followed by DDOS. Ponemon also points out that the category of security spending with the greatest ROI is "Security Intelligence", and really offers a very interesting view of how to properly measure costs, consequences, and opportunities in cybercrime mitigation efforts.
  • The 2012 Norton Cybercrime Report put the global cost of Cybercrime at $110 Billion per year, with $21 Billion of that cost being in the United States.
  • I've previously blogged about another great report estimating Cyber Crime costs by the UK Government -- a study conducted by Detica for the Office of Cyber Security and Information Assurance. In my blog post, UK Government counts the Cost of Cybercrime I project that if the US Economy experienced cybercrime in the same ratio as the UK Economy, our cost would be $275 Billion per year.
  • More details about the "Trillion Dollar Cost" of CyberCrime, a totally bogus number that is easy to find in the Congressional Record, can be found in another blog post where I once more praised the UK on their efforts to assign costs to Cybercrime, Sir Paul Speaks the Truth: Cyber Law Enforcement is a Good Investment in which Metropolitan Police chief Sir Paul Stephenson tells us "It has been estimated that for every £1 spent on the Virtual Task Force, it has prevented £21 in theft" which is a remarkable return on investment that I would hope to see us emulate in the United States!

Quite a range of estimates, but worth noting that most of the estimates do NOT include the value of stolen personal information, beyond the immediate ability to monetize accounts. We know that SpyEye was used to sell Medical Records, Government documents, and other information. Where should that be worked into the equation for "cost" estimates?

Hilary Kneber Malware Domains


1 comment:

  1. Great blog post! I like your take on the cracked version of SpyEye actually speeding up its demise.

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.