SpyEye gets new DDoS functionality

Summary: Researchers from RSA's FraudAction Research Lab are reporting on a recently discovered new module within the popular crimeware SpyEye.

Researchers from RSA's FraudAction Research Lab are reporting on a recently discovered DDoS module within the popular crimeware SpyEye. Based on various conversations within the cybercrime ecosystem -- I also get a mention there -- the primary application of the plugin would be to attack legitimate sites such as Abuse.ch's ZeusTracker and the SpyEye Tracker, community-driven services that aim to track crimeware campaigns.

The DDoS plugin currently offers three modes of operation: SYN flood, UDP flood and Slowloris flood.

Next to the new module, the researchers have also observed a new trend aimed at generating additional noise and poisoning the results offered by the two services. By including legitimate sites next to the malicious ones, cybercriminals aim to make it harder for the services to distinguish between legitimate domains and purely malicious ones:

This means that all the credentials collected by the Trojan from SpyEye bots, including screenshots, username and password combinations, and stolen certificates and cookies, will be sent to port 443 of the legitimate websites, like the ones mentioned above. When abuse.ch’s Trackers analyze SpyEye variants like the ones we traced, legitimate website domains will be classified as those variants’ communication points. These, in turn, will show up in the SpyEye Tracker blocklist, and serve to diminish its credibility.
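The poisoning described above only works if a tracker lists every host a bot talks to. An added example (not code from the article, RSA or abuse.ch) of how a tracker maintainer could triage endpoints extracted from a bot config before blocklisting them; the allowlist, the gate path and the sample endpoints are constructed placeholders.

```python
# Added example: quarantine allowlisted (decoy) hosts found in a SpyEye
# config instead of auto-listing them, and flag configs padded with decoys.
from urllib.parse import urlsplit

# Constructed placeholder allowlist a tracker maintainer would curate.
KNOWN_LEGITIMATE = {"example.com", "example.org"}

# Constructed sample of endpoints "extracted" from a bot config: one drop
# zone plus legitimate sites injected as decoys on port 443.
SAMPLE_ENDPOINTS = [
    "https://example.com:443/gate.php",
    "https://www.example.org/gate.php",
    "http://drop-zone.invalid/gate.php",
    "http://198.51.100.7:8080/gate.php",
]

def registrable_host(url):
    """Return the lower-cased host of url with a leading 'www.' stripped."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_allowlisted(host, allowlist=KNOWN_LEGITIMATE):
    """True if host is, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in allowlist)

def triage(endpoints, allowlist=KNOWN_LEGITIMATE):
    """Split endpoints into (safe to blocklist, needs manual review)."""
    blocklist, review = [], []
    for url in endpoints:
        if is_allowlisted(registrable_host(url), allowlist):
            review.append(url)      # likely decoy: never auto-list it
        else:
            blocklist.append(url)
    return blocklist, review

def looks_poisoned(endpoints, allowlist=KNOWN_LEGITIMATE, threshold=0.5):
    """Flag a config whose allowlisted share is at least `threshold`."""
    if not endpoints:
        return False
    hits = sum(is_allowlisted(registrable_host(u), allowlist) for u in endpoints)
    return hits / len(endpoints) >= threshold

if __name__ == "__main__":
    bl, rv = triage(SAMPLE_ENDPOINTS)
    print("blocklist:", bl)
    print("review   :", rv)
    print("poisoned :", looks_poisoned(SAMPLE_ENDPOINTS))
```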

This isn't the first coordinated attempt to disrupt the operation of the service (see: Crimeware tracking service hit by a DDoS attack), and definitely not the last, which clearly speaks for its usefulness.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

4 comments
  • RE: SpyEye gets new DDoS functionality

    We need to start dropping bodies of the people behind this crap!
    wkulecz
  • RE: SpyEye gets new DDoS functionality

    We need to look at our surfing habits and modify them. Let's not JUST blame the authors of these programs. It's been over 20 years since I have been fighting against malware and since that time, every time I get infected, it is caused directly by my own stupidity. Stop using P2P networks, stop clicking on (poisoned) links in emails, and for goodness sakes, avoid porn sites. There are other ways of course, that you can get infected. But the malware can't get in if you keep the front door closed and locked, keep your antivirus software up to date and just use common sense. BTW, for those that will scream bloody murder and say that antivirus programs don't work, reminder: check your surfing habits.
    Charles_B