The notorious SpyEye banking trojan has been updated with distributed denial-of-service (DDoS) functionality and is being used to attack a C&C blacklisting project.According to experts from RSA FraudAction Research Lab, the new DDoS plug-in was added to SpyEye v.1.3.10 specifically to attack abuse.ch.
Abuse.ch is a project created by Swiss security researcher Roman Hüssy several years ago to track command and control (C&C) servers for the most prevalent botnets.
The effort started with ZeuS Tracker and expanded with SpyEye tracker and more recently Palevo Tracker.
All of these services track C&Cs in real time using a variety of techniques and they provide useful data for ISPs and companies who use it to block the offending IPs at network level.
According to independent security journalist Brian Krebs, the abuse.ch trackers are so effective that high profile SpyEye botnet masters have recently began brainstorming to find methods to destroy them or at least throw them off track.
Discussions on private underground forums went as far as to propose the assassination of Mr. Hüssy by hiring a hitman or by poisoning him.
More technical approaches put forward were DDoS and credibility attacks, both of which are to be executed with the help of SpyEye botnets.
The latest SpyEye variants don't only come with a DDoS plug-in, but also specify legitimate websites as backup C&Cs in their configuration files.
This trick is an attempt to get SpyEye Tracker to add those clean websites to its blacklist causing problems for users and putting abuse.ch in a bad light.
"DDoS attacks not only hurt the website’s availability by clogging its bandwidth with junk web traffic. When coupled with data corruption it could also render critical security information used by service providers, security researchers and the general public both unavailable and/or tainted," the RSA researchers explain.