Sep 16, 2010 18:58 GMT

Security researchers from Trend Micro have located a server hosting the command and control infrastructure for three different banking botnets that target German users.

The discovery was made while investigating a SpyEye-based operation. SpyEye is a relatively new crimeware toolkit that positions itself as a competitor to ZeuS.

Just like ZeuS, SpyEye produces custom trojans that can capture information typed into Web forms, like credit card data or online banking credentials, as well as steal POP3 e-mail messages and FTP logins.

"During a recent investigation into a server hosting SpyEye, we noticed that there were several open directories that led to other control panels," the Trend Micro researchers explain.

"One of the control panels is for URLZone/Bebloh. The other control panel, on the other hand, did not have any name or version so we named it after the server, 'Spencerlor'," they add.

Spencerlor is an intriguing botnet of apparent Russian origin, which has been specifically designed to transfer money from compromised bank accounts through the infected computers.

Using the victim's own browser to initiate money transfers allows cybercriminals to bypass some of the security mechanisms enforced by banks in their systems.

While functioning differently, the URLZone botnet and control panel serve a similar purpose: to automate fraudulent bank transactions.

The bot herders can specify complex transfer rules, which involve checking the account balance, leaving a percentage of the available funds behind or using a particular browser.

"All three of the botnets on this server are designed and/or configured to only steal German banking credentials.

"Both Spencerlor and URLZone are actually coded to work with the German banking system using the so-called BLZ," the Trend Micro experts note.

Another interesting aspect is that the logging system has been modified not to record the drop bank accounts used in fraudulent transactions.