The title of this post suggests that I've been thinking about one of the cyber-criminals who use SpyEye, perhaps even with admiration! In reality, though, his cyber-criminal actions overshadow anything else.
The truth is that, following my post highlighting the tactic of using one of Amazon's cloud computing services as a C&C, I found a SpyEye sample that is somewhat interesting: among its goals is a DDoS attack directed against the Kaspersky Lab website.
The SpyEye configuration file, which is basically a compressed, password-protected file (usually MD5), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the DDoS plugin (ddos.dll.cfg). The following image shows the parameters set in this file:
As we can see, our website is listed as a target. The syntax for setting parameters in the SpyEye DDoS plugin is type-target-port-time:
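As an added illustration (not code from the original post), the following Python script parses entries written in that type-target-port-time form and extracts the targeted host:port pairs for triage. The attack type names and hosts in the sample are constructed placeholders, and the script assumes one entry per line, which the post does not spell out.

```python
"""Parse SpyEye ddos.dll.cfg entries of the form type-target-port-time."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DdosTask:
    attack_type: str
    target: str
    port: int
    seconds: int


def parse_entry(line: str) -> DdosTask:
    """Parse one hyphen-separated entry into a DdosTask.

    The target itself may contain hyphens (host names often do), so the two
    numeric fields are split off the right and the type off the left; whatever
    remains in the middle is the target. Malformed entries raise ValueError.
    """
    head, port_s, time_s = line.strip().rsplit("-", 2)
    attack_type, target = head.split("-", 1)
    if not attack_type or not target:
        raise ValueError(f"empty type or target in entry: {line!r}")
    port, seconds = int(port_s), int(time_s)
    if not 1 <= port <= 65535 or seconds < 0:
        raise ValueError(f"port or duration out of range in entry: {line!r}")
    return DdosTask(attack_type.lower(), target.lower(), port, seconds)


def parse_config(text: str) -> tuple[list[DdosTask], list[str]]:
    """Parse a whole config; returns (parsed tasks, rejected raw lines)."""
    tasks, rejected = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            tasks.append(parse_entry(raw))
        except ValueError:
            rejected.append(raw)  # keep for the analyst, never silently drop
    return tasks, rejected


def targeted_endpoints(tasks: list[DdosTask]) -> set[str]:
    """Unique host:port pairs, e.g. for alerting or a watch list."""
    return {f"{t.target}:{t.port}" for t in tasks}


# Constructed sample config (placeholder types/hosts, not from a real sample).
SAMPLE_CFG = "syn-www.lab-portal.test-80-300\nhttp-203.0.113.10-443-120\n\nbogus\n"

if __name__ == "__main__":
    found, bad = parse_config(SAMPLE_CFG)
    print(sorted(targeted_endpoints(found)), bad)
```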
But this was not the only surprise! Looking through the other configuration files, specifically that of the Custom Connector plugin (customconnector.dll.cfg), I saw a domain that looked familiar: http://[DELETE]/~ishigo/sp/main/gate.php
Custom Connector is a plugin that allows communication between the zombies and the C&C server through gate.php. Looking back at information from previous research, I found a domain (in the same IP range) with a similar structure, but that one was involved in the Ice IX case. The following image is a fragment of the report obtained from an analysis of Ice IX:
Ishigo is the name of a botmaster who is very active in the cyber-criminal landscape, operating mainly through the ZeuS and SpyEye crimeware and now also experimenting with Ice IX.
Whether or not this is just a casual attempt to DDoS our portal, we will continue to investigate the activities of this and other botmasters. So I'll keep you posted!
Kaspersky Lab… also in my list of DDoS attacks! [by SpyEye]