Customers quickly became annoyed at seeing no progress and bored of Gribodemon's excuses for the update delay.
In parallel with the 1.3.x update, Gribodemon started to code version 2 of SpyEye (bootkit, more injects, and some other items, according to him).
Version 2 looked like a totally new product; he was even offline for several days as he was working really hard on v2.
And when December 2011 came... no news... the Jabber bot was shut down, no more replies from the SpyEye team.
It's also due to this inactivity that most SpyEye customers moved to other criminal toolkits like IceIX, Citadel...
Leaving Gribodemon alone with his problems...
More recently, things have come to light:
The last time I talked about SpyEye on my blog was about the video grabber, but there is also another kind of beta plugin released at the same time as the video grabber: the data grabber.
With a limit of 100 users, info was grabbed for these programs:
Of course this plugin targets many more applications; this is just a tiny part.
A guy with a lot of plugins:
Now let's talk about Gribo who has gone into hiding and taken down his infrastructure.
A tiny graph of Gribodemon's connections:
The SpyEye support:
Many people think there is just one guy behind SpyEye, but there is an entire team.
Example with a ticket: Isla (you are a true schizophrenic, dude), who uses social engineering to get his license back.
1) Gribodemon doesn't respond directly
2) The SpyEye team doesn't care about vulnerability reports (LOL)
Another ticket regarding a bugfix:
Now, to come back to the first picture with Gribodemon's contact info:
This Jabber address was a bot for getting the latest SpyEye packages.
In September 2011 many 'good guys' used this service to get the latest SpyEye toolkit.
The SpyEye team later added a filter that replies each time with "Unkown command. Type "!help" to display list of avaiable commands" if you are not a customer.
Anyway, I've compromised many Jabber accounts that were on the whitelist, so... :)
As for the email "email@example.com", it was one of the first addresses he used to sell products.
When Antichat was hacked and the DB published, you can even find details related to this address:
He first used ICQ (4571122), then moved to Jabber "firstname.lastname@example.org". Example on my blog with a conversation between Gribodemon and a customer.
As for the virtest mail 'email@example.com', it's a fake address; the guy behind it is probably Ishigo (who is also a customer of SpyEye).
And for firstname.lastname@example.org and email@example.com, I have no idea what these Gmail addresses were used for, or whether Gribo was really behind them.
Well, now that Gribo's e-mails are also demystified, let's look at some old stuff.
Gribodemon selling 'Email Regger' in 2009:
Gribodemon saying he sells on MF and DC (MF probably stands for maza and DC for DirectConnect):
Gribodemon answers the guys who lynch him:
Gribodemon has a Phoenix Exploit Kit and traffic on it:
That's all... for the moment.
There are a lot of things to say about what is currently happening; other bloggers and AV guys will probably write more structured posts... wait and see.