SpyEye Botmasters Hit Anti-Botnet Site with Denial-of-Service Attack

Cyber-criminals launched distributed denial-of-service attacks against the Swiss site abuse.ch, which identifies malicious domains and botnet command and control servers.

A white hat Website that identifies malicious domains is under attack by criminals using Zeus and SpyEye toolkits.

Cyber-criminals using the SpyEye and Zeus rootkits are conducting a DDoS (distributed denial-of-service) attack against a Swiss "white hat" Website, abuse.ch, according to researchers at RSA's FraudAction Research Lab. The Swiss site has been identifying rogue Internet service providers and malicious domains hosting banking Trojans and in November launched its SpyEye Tracker, which tracks malicious SpyEye (C&C) command and control services.

The attackers are using new plug-ins developed for the latest variants of the SpyEye Trojan, RSA said. The plug-ins' primary focus is DDoS attacks against legitimate Websites.

SpyEye botmasters are "battling" the site that "threatens the very existence and effectiveness" of their botnets, the researchers wrote on March 9.

The DDoS plug-in currently offers three types of attack mechanisms: SYN Flood, UDP Flood and Slowloris Flood, the researchers said. The plug-in is dedicated to attacking the SpyEye Tracker subdomain on abuse.ch.

The addition of DDoS-capabilities to the banking Trojan is significant because it shows "fraudsters are eager to damage the non-profit Website's availability and credibility," the researchers wrote.

Most recent versions of SpyEye allow developers to add new plug-ins in the form of distinct DLLs, RSA researchers said. The Trojans toolkit is even sold with a software development kit to allow other developers to create and package new modules in their own SpyEye variants.

The researchers noted that the DDoS plug-in is sold separately from the main SpyEye toolkit.

Abuse.ch provides the publicly available blocklists containing known Zeus and SpyEye command-and-control domains and IP addresses. The site employs automated systems called Trackers to identify malicious C&C domains, IP addresses and servers, and the information is regularly updated on the blocklists. Internet service providers, corporations, and browser-developers can use these lists to protect their users from SpyEye and Zeus. For example, the ISP can block the IP addresses on the list and prevent infected machines from being able to communicate with the C&C, preventing them from becoming zombies.

Attackers "deliberately" inserted legitimate Website domains into SpyEye's configuration files to throw off the site's blocklists, RSA said. This makes it difficult for the service to distinguish which domains are legitimate and which are malicious, the researchers speculated. Researchers found Google and Russian social networking site Vkontakte among other domains in the configuration files.

This means that all the credentials collected by the Trojan from SpyEye bots, including screen shots, user name and password combinations, and stolen certificates and cookies, will be sent to both the malicious C&C servers as well as legitimate Websites. Abuse.ch's Trackers may trace the information and decide those domains are also malicious, undermining its credibility and effectiveness, the researchers said.

SpyEye was developed after Zeus, but it's assumed that the two have merged the code, as Zeus code has been found within recent versions of the SpyEye toolkit. Both Zeus and SpyEye variants are used to infect computers, steal credentials, communicate with command-and-control servers, and steal money from bank accounts.

It is not the first time cyber-criminals attacked legitimate security sites in order to derail detection efforts. Russian cyber-criminals attacked Spamhaus in late December for flagging sites as being potentially malicious.