border: 1px solid #d2d2d2; padding: 0px 8px 0px 8px; color: #a19999; font-size: 12px; height: 25px; width: 165px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; margin:0px; } .submitbutton{ background:#F66303; border: 1px solid #F66303; text-shadow: 1px 1px 1px #333; box-shadow: 3px 3px 3px #666; font:bold 12px Arial, sans-serif; color: #fff; height: 25px; padding: 0 12px 0 12px; margin: 0 0 0 5px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; cursor:pointer;}

Receive all updates via Facebook. Just Click the Like Button Below

You can also receive Free Email Updates:

Powered By Blogger Widgets

Related Posts Plugin for WordPress, Blogger...

Friday, April 29, 2011

SpyEye/ZeuS Toolkit v1.3.05 Beta

Ever since ZeuS’ author, Slavik/Monstr, left the cybercrime scene and handed over ZeuS’ source code to Gribodemon/Harderman, the author of SpyEye, everybody has been waiting for the resulting merger of the two toolkits. We’ve acquired a sample of version 1.3.05 of the SpyEye builder, which appears to be the result of the said merger.
Click for larger view
Here are the settings and commands that the builder supports:
  • Encryption key: Specifies the encryption key, which encrypts config.bin.
  • Clear cookies every startup: If enabled, the bot will constantly delete the cookies of Internet Explorer (IE) and Mozilla Firefox.
  • Delete nonexportable certificates
  • Dont send http-reports: HTTP request headers comprise a lot of garbage. It thus makes sense to those protected with HTTPS.
  • Compress build by UPX: If enabled, the resulting file will be compressed.
  • Make build without ZLIB support
  • Make LITE-config: Specifies whether or not to include some features specified in config.bin, including Web injects, screenshot captures, and the use of other plug-ins.
  • EXE name
  • Mutex name
  • Anti-Rapport: A built-in option to evade Rapport Trusteer software.
  • FF webinjects: Determines whether or not Web injects work in Mozilla Firefox.
  • timestamp: Time and date when the builder was created, as measured by the number of seconds from January 1, 1970.
Here is the list of available plug-ins:
  • webfakes: The webfakes plug-in can be used to spoof the contents of HTTP and HTTPS page resources without connecting to the original Web server in both IE and Mozilla Firefox.
  • ccgrabber: The plug-in collects credit card numbers by analyzing the POST requests made by the user and checking these against the Luhn algorithm.
  • ffcertgrabber: The basic SpyEye package only steals certificates from the cryptographic storage ofWindows. However, Firefox uses its own certificate storage folder, from which this plug-in grabs certificates.
  • SOCKS5 backdoor
  • FTP backdoor
  • RDP backdoor
  • bugreport: This plug-in allows the bot to send back technical information if it crashes.
Analyzing how this version has been written compared to previous versions, it seems like Gribodemon has received help from other criminals to polishing this version, particularly with the addition of the CC grabber plug-ins and anti-rapport option.
There are actually 2 live servers using this new version:
Click for larger viewClick for larger view

1 comment:


Twitter Delicious Facebook Digg Stumbleupon Favorites More