Majority of SpyEye Trojan C and C Located in United States

Wednesday, March 28, 2012



Researchers from Korean security provider AhnLab have released a report that the majority of the domains and hosts used to propagate the SpyEye banking Trojan are located in the United States.

SpyEye is a particularly nasty piece of malicious software which can harvest credentials for online accounts.

"According to SpyEye-relevant host data extracted by the AhnLab Packet Center, 48% of all SpyEye domains were found to be located in the US, followed by Russia at 7%, and the Ukraine at 6%. The AhnLab Packet Center is the company’s malicious packet analysis system, which assesses suspicious packet data, including that from SpyEye C&C servers. The findings indicate that the main targets of SpyEye are mainly in the US, and that North American financial institutions and users should remain especially vigilant.," AhnLab stated.

SpyEye is known to be one of the more powerful data-sniffing Trojans ever developed, and the release of the source code last year meant the likelihood of a dramatic increase in its application became a very real scenario.

The SpyEye code, which was previously only available to malicious attackers on the black market for a hefty price in the vicinity of $10,000 or so, was leaked by a French researcher who goes by the handle Xyliton, and is a member of the Reverse Engineers Dream (RED) outfit.

"Since its toolkit first became public in 2010, the SpyEye Trojan has produced many variants. According to analysis by the AhnLab Packet Center, the “10310” variant was identified as the most distributed version at 34.5%. The '10299' and '10290' variants followed at 14.7% and 14.6%, respectively. Additional variants are expected in the future," AhnLab reported.

Researchers from security provider F-Secure recently released a list of the top forty banks being targeted by SpyEye based on an analysis of available data.

"Variants of the SpyEye trojan target banks using a plugin called webinject.txt. We collected 1,318 samples in our back end that matched those from SpyEye Tracker's RSS Feed. Taking a look inside, we discovered that this collection of samples contains 632 different bank domains and that was the most targeted bank domain," F-Secure's M. Hyykoski wrote.

A graph of the top forty banks targeted as identified by F-Secure can be found here:

Online banking users also have to contend with the the Zeus Trojan. Zeus is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and numerous variants of the malicious code continue to propagate.

The Zeus Trojan can lay dormant for long periods until the user of the infected machine accesses accounts such as those used for online banking. Zeus harvests passwords and authentication codes and then sends them to the attackers remotely.

"SpyEye, along with ZeuS, are notorious banking Trojans that have helped thieves steal more than $100 million around the world. Without an end-user PC solution, banks face great difficulty protecting individual customers from the sophisticated threats posed by these malicious codes," AhnLab noted.

Source: Email PR from

Possibly Related Articles:
Viruses & Malware
Trojans malware Online Banking Cyber Crime Zeus Headlines SpyEye keylogger Sniffer
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.