Tuesday, August 31, 2010

SpyEye Backend Collector - Victim Databases

SpyEye is a fast growing platform that is used for bot infection. SpyEye uses a definitive back end engine for collecting information from the bots. The SpyEye collector is not a part of the admin interface which is used to manage certain specific controls. The collector is an independent component of SpyEye infection platform. This method is used by SpyEye in order to make this component completely unique from the perspective of collecting information from various infected systems all around the world. It means the admin interface has no relation and impact on the working of backend collector because this component works inadvertently even if the admin is disabled or not working. Well, this is quite impressive in its functioning. It means that in a botnet, the main admin that starts infection does not have a much relation with the component that collects information from the bots.

Basically, SpyEye uses a daemon for Linux. It listens on a specific port, collect logs and store information in database. The logs use special compression library termed as LZO for real time data compression. Actually, the LZO is primarily known for its speed over compression ratio. The compression in itself is really fast in LZO and it does not require any memory for decompression. LZO use algorithms that are thread safe, lossless and portable. This provides a glimpse of high compression used for log transmission over the internet from the bots to the backend collector daemon. This simply sets the traffic control in a strict manner thereby economize traffic to transfer logs directly without much interference.

The SpyEye collector looks like as follows

SpyEye has its own SDK and development platform which is designed for generating plugins for infecting victims and stealing specific information. Through plugins, data can be easily transferred to collector. SpyEye provides relative function as a part of its API as follows
void TakeGateToCollector(LPVOID lpGateFunc);

This function is used in the SpyEye plug-in development as follows

The page is dumped as

The collector is configured in the builder part of SpyEye as follows

The collected logs provide statistics as follows

SpyEye uses a good technique and provision of storing information irrespective of user centric access.