Infiltrated SpyEye C&C server provides glimpse into botnet activity

A C&C server controlling a small botnet comprised of computers infected by SpyEye – the information/data stealer Trojan often called “ZeuS Killer” on account of its ZeuS removing routines – has been accessed by Trend Micro researchers.

“The server was not particularly secure. In fact, the bot herder who used this particular server left several open folders as well as readable configuration files,” says one of the researchers.

The things that they managed to find out about the botnet are the following:

  • It’s rather small, which seems to indicate it is fairly new
  • Most of the bots are located in Poland, which is rather unusual since users in Western countries are often preferred victims
  • The C&C server is located in Ukraine, hosted by the PAN-SAM Ltd ISP
  • An analysis of the 400 Mb of stolen data that the researchers managed to download revealed that credentials for banks, social networking sites, and career/job-hunting sites have been stolen:

  • The bot master is currently using the botnet for pushing out a version of the TDSS rootkit, and is likely getting paid to do this by another gang.



Share this