At Webroot we’ve been researching and chronicling developments with SpyEye since we first saw it in April 2010. This nasty Trojan is the successor to the Zeus Trojan, and it became essentially the main rootkit available for sale after the author of ZeuS left the underground market and sold ZeuS sources to the SpyEye team.
Over the last six months, through Webroot’s real-time watch technology and through my own adventures hunting malware proactively in my spare time, I’ve noticed an extreme escalation of SpyEye infections.
Last week I came across a URL for a password-protected site and at first didn’t think very much of it. But once I logged in, I realized I was on the administrator’s page of a SpyEye Panel, with what appeared to be full access. The administration panel was so easy to run, a fifth grader could do it.
At first glance, there were about 3,000 bots with approximately 600 active at the moment I was looking. The site was moved four days later which at that point, the number of bots was quickly approaching 10,000.
Now some of this is started to make sense. The authors of SpyEye have made it so simple to operate and in case of any trouble, apparently provide support promptly. Their selling points are working quite effectively and a lot of the wrong type of people are able to acquire the builders, Command and Control Servers for a small amount of money.
Taking a look at some of the screenshots, it doesn’t look very nice from any view.