A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8627  by Xylitol
 Mon Sep 19, 2011 11:05 am
Bullshit, this exploit is for SpyEye 1.0, and ripped.
I would not be astonished if the guys who ripped it don't even know how to use it.

ripped spl0it: http://pastebin.com/F46U8zwK
Original: http://pastebin.com/gZtcpYZm

More ripped stuff: http://pastebin.com/T0pUiEJp
Original: http://www.promon.no/spyeye.html

I've flamed these guys on twitter (@sanjar_satsura)
@sanjar_satsura:
hi. hmmm.... and what are you, guy? and what profit are you looking for? I only translated the exploit and posted it on RW. plz contact me on icq: 553769102.
Also I don't know if r00tw0rm.com is associated with the 1337day/inj3ct0r team, but if so, 1337day are known for carding, cf. Owned And Exposed Issue 2, also posted on seclists: http://seclists.org/pen-test/2009/Nov/16
 #8915  by kmd
 Sun Oct 02, 2011 8:28 am
How do you guys know which SpyEye version it is?
I mean, how do you decide whether this is 1.3.39 or 1.3.44?
 #8916  by EP_X0FF
 Sun Oct 02, 2011 8:34 am
kmd wrote: How do you guys know which SpyEye version it is?
I mean, how do you decide whether this is 1.3.39 or 1.3.44?
By analyzing network packets from the infected machine, for example. SpyEye reports its version itself during the initial call home. Get a packet sniffer, for example Wireshark, and set it up to capture packets. Run the bot, then stop the capture. Filter packets by HTTP protocol. If there is no other network activity, the SpyEye "call home" request will usually be first in the list. Follow the designated TCP stream and you will see something like the picture below.

[screenshot: SpyEye "call home" request, followed TCP stream in Wireshark]

The SpyEye "call home" body is an XOR-encrypted, base64-encoded string. IIRC earlier versions sent it as plain text.

1. decode it from base64 to str
2. for i = 0 to len(str)-1: str[i] = str[i] xor 0xDB

If everything is fine the result will be something like this:

guid=5.1.2600!LABQU39!00D0D8B3&ver=10348&ie=6.0.2900.5512&os=5.1.2600&ut=Admin&ccrc=4B503A40&md5=a49835fda8df29744efd6e7bf49dfa6e&plg=customconnector&wake=90&stat=online


Bot version highlighted (ver=10348): SpyEye v1.3.48
Last edited by EP_X0FF on Sun Oct 02, 2011 8:39 am, edited 1 time in total. Reason: added screenshot
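The two decoding steps above, written out as a small Python tool. This is an added example, not code from the original post or from the xylibox encoder/decoder linked later in the thread. It assumes only what the post states: base64 wrapping and a single-byte XOR key of 0xDB. The sample input is the decoded call-home string quoted above, re-encoded here for the demonstration (constructed, not captured from a bot). The mapping of the numeric ver field to a dotted version (10348 to 1.3.48) is inferred from the single example in the post and is labelled as an assumption in the code.

```python
import base64
from urllib.parse import parse_qsl

# XOR key the post gives for the base64-decoded call-home body.
XOR_KEY = 0xDB

# Plaintext call-home quoted in the post above, used here as sample input.
# The encoded form below is constructed from it, not captured from a bot.
SAMPLE_PLAINTEXT = (
    "guid=5.1.2600!LABQU39!00D0D8B3&ver=10348&ie=6.0.2900.5512&os=5.1.2600"
    "&ut=Admin&ccrc=4B503A40&md5=a49835fda8df29744efd6e7bf49dfa6e"
    "&plg=customconnector&wake=90&stat=online"
)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def encode_callhome(plaintext: str) -> str:
    """plaintext -> XOR 0xDB -> base64 (the form the bot sends)."""
    return base64.b64encode(xor_bytes(plaintext.encode("latin-1"))).decode("ascii")


def decode_callhome(encoded: str) -> str:
    """base64 -> XOR 0xDB -> plaintext (steps 1 and 2 of the post)."""
    return xor_bytes(base64.b64decode(encoded)).decode("latin-1")


def parse_callhome(plaintext: str) -> dict:
    """Split the query-string style body into its key=value fields."""
    return dict(parse_qsl(plaintext, keep_blank_values=True))


def version_string(ver: str) -> str:
    """Map the numeric ver field to a dotted version.

    ASSUMPTION: the post reads ver=10348 as v1.3.48, so the digits are split
    here as <major><2-digit minor><2-digit build>. This is inferred from that
    one data point, not documented anywhere on the page.
    """
    if not ver.isdigit() or len(ver) < 5:
        raise ValueError("unexpected ver field: %r" % ver)
    major, minor, build = ver[:-4], ver[-4:-2], ver[-2:]
    return "%d.%d.%d" % (int(major), int(minor), int(build))


def identify_version(encoded: str) -> str:
    """Full pipeline: encoded body -> decoded fields -> dotted version."""
    fields = parse_callhome(decode_callhome(encoded))
    return version_string(fields["ver"])


# Constructed sample: what the wire body would look like for the plaintext above.
SAMPLE_ENCODED = encode_callhome(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encoded :", SAMPLE_ENCODED)
    print("decoded :", decode_callhome(SAMPLE_ENCODED))
    print("version : SpyEye v" + identify_version(SAMPLE_ENCODED))
```

To use this on a real capture, paste the body of the first POST from the followed TCP stream into decode_callhome; if the output is not readable key=value text, the sample is probably an older plain-text build or uses a different key, and the XOR constant is the first thing to check.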
 #8918  by Xylitol
 Sun Oct 02, 2011 10:09 am
Here is my SpyEye Encoder/Decoder: http://xylithreats.free.fr/encodedecode.php

Also @EP, I've found a 'tinyurl generator' by brute-forcing dirs:
http://263rdasd.com/q/
Edit: found another dir, 'sms spy':
http://263rdasd.com/sms/
Edit2: found this Index Of/:
http://263rdasd.com/xyz/
jabber.php
ok.php
send.php
api.php
/banks/
/log/
/jaxl/
Edit3:
http://263rdasd.com/icons/
Still no trace of the formgrabber :(

Edit4:
http://263rdasd.com/client/maincp/
Found the CN1, no trace of SYN1.

Edit5: SYN1 found.
http://263rdasd.com/client/frmcp/
fuckyeah
Last edited by Xylitol on Sun Oct 02, 2011 2:32 pm, edited 5 times in total.
 #8919  by EP_X0FF
 Sun Oct 02, 2011 10:31 am
@Xylitol

that's funny :)

----------------------

SpyEye v1.3.4x

Pass for decrypted config: 807DB4B3E92FC376EAC861BB9D0E9307

All gates are down.
_ttp://alpha.supportman.su/stats.php;500
_ttp://beta.demand.su/stats.php;500
Plugins: customconnector

Original, decrypted + config in the attachment.
Attachment (548.55 KiB), pass: malware
 #8945  by Xylitol
 Tue Oct 04, 2011 6:54 am
The SpyEye 1.3.48 sample includes support for FF7 and FF8.

Attached are some old samples.

hackhound.exe: 37/43 >> 86.0%
http://www.virustotal.com/file-scan/rep ... 1317710622

principe.exe: 37/43 >> 86.0%
http://www.virustotal.com/file-scan/rep ... 1317710743

spyeye100.exe: 35/41 >> 85.4%
http://www.virustotal.com/file-scan/rep ... 1317710790

ambler.exe: 39/43 >> 90.7%
http://www.virustotal.com/file-scan/rep ... 1317710821
Attachment (394.47 KiB), pwd: xylibox
 #8954  by sugipula
 Tue Oct 04, 2011 3:57 pm
I have a question; maybe you can answer it.
I saw how you can send custom data to the gate using your encoder, then POST.

My question is, is it possible to do the same thing to the collector?
If you have the IP:PORT of the collector, is it possible to submit fake data?
If yes, how?

PS: Also, where can I get more SpyEye samples?
 #8955  by wacked
 Tue Oct 04, 2011 5:21 pm
It is perfectly possible, but the collector uses a different protocol.
The only information (I could find) about it is here.
So you have to reverse-engineer the protocol yourself.

@Xylitol: As far as I can see there should be no reason why it shouldn't. There is no change in either PR_Read or PR_Write.

Also, does anybody have any information about the ActiveAZ plugin?