Now blocking SpyEye C&C hosts

One of our malware research partners - abuse.ch - has started tracking the SpyEye C&C (command & control) hosts in the same way that it has been tracking the ZeuS C&C hosts.

We have added this data sourceto our feeds. It is now contributing to the BOTNETS feed in standard mode and it is a stand alone feed in Expert mode. The list is currently small (37 addresses when I checked just now) and analysis shows that it, currently, has a number of IP addresses on the ZeuS list and that about 25% of the IP addresses not in the ZeuS list are in other lists such as the PhishTank and SpamHaus lists.

This article at The Register explains why SpyEye is important:

Chatter on Russian cybercrime forums has suggested the developer of ZeuS has handed over development of the customisable crimeware toolkit to the miscreant behind SpyEye. [...]

Both ZeuS and SpyEye are toolkits that allow the creation of customised Trojans. Each is sold through carding and other black-market forums for hundreds of dollars per licence.

It is worth noting that there is not one single ZeuS botnet, rather there are many different ones and the same will apply to SpyEye. This means that while malware researchers and law enforcement agencies have had some success shutting down ZeuS botnets and arresting the criminals behind them, they are unlikely to ever get them all. Also, becasue both ZeuS and SpyEye are toolkits for sale, they are frequently modified and improved by the crooks who buy them. Recently for example some ZeuS trojans have been seen that avoid Microsoft's Malicious Software Removal Tool and others have been used with a back end apparently designed to act as a honeypot to malware researchers and other crooks. However, as hinted at above, the vulnerability that all these bots and trojans have is that they have to "call home" and - as we see from the SpyEye list - many of the ip addresses they call home to are already known to us here at ThreatSTOP so we stop infected machines calling them anyway. And we log the attempt so you can clean up the infection.

Share this: