SpyEye gets new DDoS functionality

Summary:Researchers from RSA's FraudAction Research Lab are reporting on a recently discovered new module within the popular crimeware SpyEye.

Researchers from RSA's FraudAction Research Lab are reporting on a recently discovered new DDoS module within the popular crimeware SpyEye. Based on various conversations within the cybercrime ecosystem -- I also get a mention there -- the primary application of the plugin would be to attack legitimate sites such as Abuse.ch's ZeusTracker, and the SpyEye tracker, a community-driven services aiming to track crimeware campaigns.

The DDoS plugin currently offers SYN Flood; UDP Flood and Slowloris Flood, modes of operation.

Next to the new module, the researchers have also observed a new trend aiming to generate additional noise and poison the results offered by the two services. By including legitimate sites next to the malicious one, cybercriminals aim to make it harder for the service to distinguish between legitimate and purely malicious ones:

This means that all the credentials collected by the Trojan from SpyEye bots, including screenshots, username and password combinations, and stolen certificates and cookies, will be sent to port 443 of the legitimate websites, like the ones mentioned above. When abuse.ch’s Trackers analyze SpyEye variants like the ones we traced, legitimate website domains will be classified as those variants’ communication points. These, in turn, will show up in the SpyEye Tracker blocklist, and serve to diminish its credibility.

This isn't (See: Crimeware tracking service hit by a DDoS attack) the first coordinated attempt to disrupt the operation of the service, and definitely not the last, clearly speaking for its usefulness.

Topics: Security


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.