On April 16, we found a Pastebin entry selling the latest version of the infamous SpyEye botnet (Version 1.3.48) for a much lower price than we’ve seen elsewhere. (This botnet is mainly used to steal banking information.) The quote was just US$150, including three months of hosting; after that it’s $15 per month. This version was first seen in October 2011, according to the XyliBox blog. The Pastebin seller of this SpyEye release included all the information about the software, injection types, and plug-ins supported, along with the MSN ID “firstname.lastname@example.org.” Here is the screenshot from Pastebin:
Further research on multiple freelancing project websites shows price quotes of up to $1,500. Here are a couple of project entries found on those websites:
The source code for SpyEye Version 1.3.45 had already been leaked, and a lot of technical information about this botnet is available on the web. Fortunately, we obtained a live sample (with an active control server) created by the latest release (the version ID is hard-coded in the build and sent to the control server along with other information). We proceeded to reverse engineer the latest version to look for any differences.
After unpacking and reversing the latest sample, we found it behaved similarly to the description
View full post on National Cyber Security » Security News