Sep 8, 2010 14:20 GMT  ·  By

Security researchers from Trend Micro have infiltrated the command and control structure of a SpyEye-based botnet, which specifically targets users located in Poland.

SpyEye is an information stealing trojan that has a similar feature set to the ZeuS crimeware, the financial fraudsters' weapon of choice.

In fact, the SpyEye authors, who sell their creation as a toolkit on the underground market, specifically position it as a ZeuS competitor. The trojan's code even contains routines to remove Zbot.

Computers infected with SpyEye join together in botnets that connect to and listen for instructions from command and control servers.

The Trend Micro researchers have recently managed to break into a SpyEye C&C server that was poorly protected and found interesting data.

For one, the vast majority of infected computers that were part of the investigated botnet were located in Poland.

"This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France," Loucif Kharouni, advanced threats researcher at Trend, writes.

The size of the botnet was rather small, suggesting that the operation was fairly new, but the experts were able to gather 400 MB of stolen information.

"After digging through all the data, we found that several credentials have been stolen. These credentials come from banks, social networking sites, and career/job-hunting sites," Kharouni noted.

A screenshot with samples of data suggests that ING Poland was amongst the targeted financial institutions.

Another interesting aspect is that the botnet distributes a version of the sophisticated TDSS rootkit. This is most likely done for another gang in exchange for money.

The pay-per-install (PPI) business model is very profitable for malware authors, but it is usually used to distribute income-generating threats like rogue antiviruses or spam bots.