The title of this post suggests that I’ve been thinking of one of the cyber-criminals that uses SpyEye, maybe in admiration! But actually his cyber-criminal actions overshadow anything else.
The truth is that, following my post highlighting the tactic of using as C&C one of the Cloud Computing services offered by Amazon, I found a sample of SpyEye that is somewhat interesting: among its goals is an attack DDoS directed against the Kaspersky Lab website.
The SpyEye configuration file, which is basically a compressed file and password protected (usually MD5), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the plugin (ddos.dll.cfg). The following image shows the parameters set in this file:
As we can see, our website is listed as a target. The syntax for setting parameters in the DDoS SpyEye plugin is type-target-port-time:
But this was not the only surprise! Looking in the other configuration files, specifically in the Custom Connector plugin (customconnector.dll.cfg), I see a domain that looks familiar: http://[DELETE]/~ishigo/sp/main/gate.php
Custom Connection is a plugin that allows for communication between the zombies and C&C server through gate.php. Looking back at information from previous research, I found a domain (same IP range) with a similar structure, but this was involved in the case Ice IX. The following image is a fragment of the report obtained from an analysis of Ice IX:
Ishigo is the name of a botmaster who is very active in the cyber-criminal landscape, operating mainly through the crimeware ZeuS, SpyEye and now also experimenting with Ice IX.
Whether or not this is just a casual attempt to DDoS attack our portal, we will continue to investigate the activities of this and other botmasters. So I'll keep you posted!
2011 Sep 21, 09:14