Skip to content

2011 Press Releases

“Soldier” Uses SpyEye to Net $3.2 Million in Six Months

Taipei – October 31, 2011 –While the world is in the economic doldrums, cybercrime underground keeps growing. Trend Micro Inc., (TYO: 4704;TSE: 4704) a global cloud security leader, warns users about the growing use of a malware toolkit called SpyEye in the cybercriminal underground. A cybercriminal called "Soldier” successfully used ZeuS, SpyEye and blackhat SEO kits to amass $3.2 million in just over six months.

The operation was run by a young man, who went by the name "Soldier" on underground forums and resided in Russia. His SpyEye botnet compromised 25, 394 systems or 82,999 unique IP addresses between April 19 and June 29, 2011. "About 97 percent of his victims were in the US but we also saw a handful of victims spread across another 90 countries including the UK, Mexico, Canada and India, "said Myla Pilao, Director of Trend Labs. "In six months starting January 2011, his operations earned him $3.2 million, or $17,000 per day. His "top-earning” month was March 2011, when he earned almost $1 million.”

SpyEye continues to plague computers

First emerged in 2009 and still being developed, SpyEye is a leading commercially-sold botnet toolkit on the Internet. It was built to target Windows-based systems, with 57% of the infected systems running on Windows XP and 4,500 compromised systems running on Windows 7. Known for stealing bank credentials, SpyEye also steals other personal information. Several well-known Web services with most number of stolen credentials are Facebook, Yahoo!, Google, eBay, Amazon, Twitter, and Paypal.

Once installed on a victim’s system, the SpyEye variant downloads a configuration file, which contains the websites that it monitors. When users visit any of these monitored sites, it performs web injection and logs keystrokes to steal information. SpyEye also utilizes rootkit technology to hide malicious files and processes from affected users, allowing its variants to avoid detection and possible removal.

SpyEye is known for targeting consumers, as well as small and medium businesses. However, large organizations are affected in more recent attacks. Users may encounter SpyEye variants via various infection vectors such as blackhat search engine optimization (SEO), spam, and other malware to infect users’ systems. Its main routine is information, identity, and financial theft. An effective security program with updated signatures should be able to scan and clean system of the bot agents. For manual solution, visit

Stay safe by carrying out best practices

Since SpyEye is still continuously being modified by cybercriminals, users need to be vigilant about practicing safe computing habits. Prevention/best practices are as follows:

  • Practice safe browsing habits. Avoid visiting suspicious-looking sites. Do not download and install software from untrustworthy sources.
  • Stay abreast of the latest threats and threat trends. Familiarizing oneself with the current threat landscape is a great way to stay informed about the latest scams. The most popular malware today tend to prey on unwary users.
  • Download and install the latest patches. Unpatched machines are more prone to malicious attacks. It is a good computing habit to regularly patch systems. Enabling the automatic update feature is also recommended.
  • Install an effective security suite that not only detects malware and cleans infected systems, but provides proactive protection against all types of threats, for instance blocking access to known malicious or suspicious sites.
  • For businesses, the use of various security layers are recommended, such as firewall, gateway, messaging, network, server, endpoint, and mobile security for optimal protection against attacks like this.


About Trend Micro

Trend Micro Incorporated (TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server and cloud-based security that fits our customers’ and partners’ needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud computing security infrastructure, our products and services stop threats where they emerge – from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.


TrendLabs is Trend Micro’s global network of research, development, and support centers committed to 24/7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With a 1,000-strong staff of threat experts and support engineers deployed in round-the-clock operations, it stays at the forefront of the Internet security industry and serves as the backbone of Trend Micro’s service infrastructure.

With accurate, real-time data, TrendLabs delivers more effective security measures designed to detect, preempt, and eliminate attacks. TrendLabs monitors the threat landscape and conducts research and analysis used to develop the technologies needed to combat new threats. It also houses the Trend Micro support organization that provides continuous coverage to Trend Micro customers worldwide.

Headquartered in the Philippines, TrendLabs is the only multinational research, development, and support center with an extensive regional presence. With labs in the United States, Japan, France, Germany, and China, TrendLabs enables Trend Micro to identify and respond more quickly to targeted threats. Because our research and support groups never sleep and are capable of understanding local languages, we can respond to our customers as well as to new threats in real time. As a result, customers can minimize damages, reduce costs, and ensure business continuity.

Additional information about Trend Micro Incorporated and the products and services are available at Trend This Trend Micro news release and other announcements are available at and as part of an RSS feed at Or follow our news on Twitter at @TrendMicro.

Connect with us on