Wednesday, 28 March 2012

Behind SpyEye... Gribodemon

No surprise: Gribodemon has not delivered (and will never deliver?) the new SpyEye 1.3.50 update.
Customers rapidly became annoyed at seeing no progress and tired of Gribodemon's excuses for the delay.
In parallel with the 1.3.x update, Gribodemon started coding version 2 of SpyEye (bootkit, more injects, and some other items, according to him).
Version 2 looked like a totally new product; he was even offline for several days because he was supposedly working hard on v2.
Then December 2011 came... no news, the jabber bot shut down, no more replies from the SpyEye team.
It is also because of this inactivity that most SpyEye customers moved to other criminal toolkits like IceIX and Citadel...
Leaving Gribodemon alone with his problems...
More recently things have come to light:
So now it's just vx1 and gribo running loose and there are indictments and detention orders for both of their real identities (cannot say more for obvious reasons)

The last time I talked about SpyEye on my blog it was about the video grabber, but another beta plugin was released at the same time as the video grabber: the data grabber.

FRMCP:

Data grabber:

Looking at a sample of 100 infected users, credentials were grabbed from these programs:
Mozilla Firefox/Opera/Internet Explorer/Google Chrome
Windows Live Messenger/Windows Live Mail
FileZilla/Windows/Total Commander/Core FTP/FreeFTP/DirectFTP
Mozilla Thunderbird/Outlook/IncrediMail
CamFrog/Cisco VPN Client/PokerStars
Windows RAS/ASP.NET/Virgin Mobile
Of course the plugin targets many more applications; this is just a small part.

A guy with a lot of plugins:

Now let's talk about Gribo, who has gone into hiding and taken down his infrastructure.
A small graph of Gribodemon's connections:

The SpyEye support:

Many people think there is just one guy behind SpyEye, but there is an entire team.
An example with a ticket: Isla (you are a true schizophrenic, dude), who uses social engineering to get his license back.

So what can we say...
1) Gribodemon doesn't respond directly
2) The SpyEye team doesn't care about vulnerability reports (LOL)

Another ticket regarding a bugfix:
No answer from the SpyEye team, and the ticket is still open today.

Now back to the first picture with Gribodemon's contact info.
glazgo-update-notifier@gajim.org:
This jabber address was a bot for getting the latest SpyEye packages.
In September 2011 many 'good guys' used this service to get the latest SpyEye toolkit.
The SpyEye team later added a filter in response, which replies "Unkown command. Type "!help" to display list of avaiable commands" every time if you are not a customer.
Anyway, I've compromised many jabber accounts that were on the whitelist, so... :)

The email "gribodemon@pochta.ru" was one of the first addresses he used to sell products.
When Antichat was hacked and its database published, you could even find details tied to this address in the dump:
(87372, 2, '', 0, 'gribodemon', 'be1120301dc625eb3495754d8917fd58', '2009-06-07', 'gribodemon@pochta.ru', 0, '', '', '4571122', '', '', 1, 'Новичок', 0, 1244321423, 0, 1274652004, 1275689120, 1275688931, 4, 9, 4, 5, '3', 0, 0, 100, 100, 0, 3415, '', '0000-00-00', -1, 1, '93.91.114.18', 0, 0, '', 0, 0, -1, 10, 2, ' S3', 0, 39074, 'A410615478A274836618A591384711A705316511A35415316A451064195A1479238499A1963182541', 0),

He first used ICQ (4571122), then moved to jabber "gribo-demon@jabber.ru". There is an example on my blog of a conversation between Gribodemon and a customer.
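To show where the identifying fields sit in a leaked row like the one above, here is an added example (my code, not from the original post and not part of the dump) that splits the SQL VALUES tuple into fields and pulls out the ones a researcher cares about: username, e-mail, ICQ number, last IP, password hash and salt. The column positions are an assumption drawn from the visible content: the layout looks like a vBulletin 3.x `user` table, and vBulletin 3.x stores `md5(md5(password) + salt)` with a short salt, which is why the ' S3' value near the end of the row matters for anyone trying to crack the hash. The password used in the hash check is constructed for the demonstration, not a recovered one.

```python
import hashlib
import re

# The row exactly as quoted in the post (the leaked Antichat user record).
ANTICHAT_ROW = (
    "(87372, 2, '', 0, 'gribodemon', 'be1120301dc625eb3495754d8917fd58', "
    "'2009-06-07', 'gribodemon@pochta.ru', 0, '', '', '4571122', '', '', 1, "
    "'Новичок', 0, 1244321423, 0, 1274652004, 1275689120, 1275688931, 4, 9, 4, 5, "
    "'3', 0, 0, 100, 100, 0, 3415, '', '0000-00-00', -1, 1, '93.91.114.18', 0, 0, "
    "'', 0, 0, -1, 10, 2, ' S3', 0, 39074, 'A410615478A274836618A591384711A705316511"
    "A35415316A451064195A1479238499A1963182541', 0),"
)

# ASSUMPTION: 0-based positions chosen from the row's visible content; the
# layout matches a vBulletin 3.x `user` table (userid, usergroupid,
# membergroupids, displaygroupid, username, password, passworddate, email, ...)
# but no schema dump is on the page, so treat this mapping as a guess.
FIELDS = {
    "userid": 0,
    "username": 4,
    "password_hash": 5,
    "passworddate": 6,
    "email": 7,
    "icq": 11,
    "joindate": 17,       # unix time; 1244321423 is 2009-06-06
    "ipaddress": 37,
    "salt": 46,
}

_VALUE_RE = re.compile(r"""
    '((?:[^'\\]|\\.|'')*)'    # single-quoted string; '' and \' are escapes
  | (-?\d+(?:\.\d+)?)        # integer or decimal literal
  | (NULL)
""", re.VERBOSE)
_SEP_RE = re.compile(r"\s*,\s*")


def parse_values_row(row: str) -> list:
    """Split one SQL VALUES tuple into Python values (str, int, float or None)."""
    body = row.strip().rstrip(",").strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("not a VALUES tuple")
    inner, pos, values = body[1:-1], 0, []
    while pos < len(inner):
        m = _VALUE_RE.match(inner, pos)
        if not m:
            raise ValueError(f"unexpected token at offset {pos}: {inner[pos:pos + 20]!r}")
        if m.group(1) is not None:
            values.append(m.group(1).replace("''", "'").replace("\\'", "'"))
        elif m.group(2) is not None:
            values.append(float(m.group(2)) if "." in m.group(2) else int(m.group(2)))
        else:
            values.append(None)
        pos = m.end()
        sep = _SEP_RE.match(inner, pos)
        if sep:
            pos = sep.end()
        elif pos != len(inner):
            raise ValueError(f"missing separator at offset {pos}")
    return values


def extract_profile(row: str) -> dict:
    """Map the assumed column positions to named fields."""
    values = parse_values_row(row)
    return {name: values[idx] for name, idx in FIELDS.items()}


def vbulletin3_hash(password: str, salt: str) -> str:
    """vBulletin 3.x scheme: md5(md5(password) + salt), lowercase hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def check_candidate(password: str, profile: dict) -> bool:
    """True if `password` reproduces the stored hash under the row's salt."""
    return vbulletin3_hash(password, profile["salt"]) == profile["password_hash"]


if __name__ == "__main__":
    profile = extract_profile(ANTICHAT_ROW)
    for name, value in profile.items():
        print(f"{name:14} {value!r}")
    # Constructed password only: demonstrates the check, does not crack the hash.
    print("hunter2 matches:", check_candidate("hunter2", profile))
```

The salt is the part most people miss when they feed such a dump to a cracker: without the per-user salt appended after the inner md5, no wordlist will ever match, and the same password yields a different hash in every row.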

The mail 'gribodemon5@gmail.com' from virtest is a fake address; the guy behind it is probably Ishigo (who is also a SpyEye customer).

As for johnlecun@gmail.com and shwark.power.andrew@gmail.com, I have no idea what these gmail addresses were used for, or whether Gribo was really behind them.

Well, now that Gribo's e-mails are also demystified, let's look at some old stuff.

Gribodemon selling 'Email Regger' in 2009:

Gribodemon saying he sells on MF and DC (MF probably stands for maza and DC for DirectConnect)

Gribodemon answering the guys who lynch him

Gribodemon has a Phoenix exploit kit and traffic on it

That's all... for the moment.
There is a lot to say about what is currently happening; other bloggers and AV guys will probably make more structured posts... wait and see.

9 comments:

  1. DC stands for DirectConnect (private forum), not DarKode

  2. Okay, thanks for the correction Anon ;)

  3. Back in '09 he was pretty active on Russian freelance sites; he published a bunch of projects related to nix stuff and vulnerability searching in _unnamed_control_panel_ coded in PHP. He was using the name Grigory Alexeev or Alexey Grigoryev, I don't remember which one exactly. His account was just right here > free-lance.ru/users/harderman <, currently it's blocked.

  4. Nice work, that connections diagram has grown a bit in the last few months!

  5. Addition to the post from Mar 29:
    mht from this > free-lance.ru/users/harderman < page, from when his account was not blocked

    sendspace.com/file/wp3zc0

  6. Does anyone know what the other plugins purposes are?

    Are some samples of them available?

  7. spyticket.in is down xD
    nice work steven xD

  8. https://bitcointalk.org/index.php?topic=20222.0

  9. How come you never went to look this hard for the Zeus creator or his tools?

    Or cracked them like you did with Spy? Is it a harder challenge?
