SpyEye
Fig 1: The SpyEye 1.2.6 configuration screen. This is what the trojan distributor uses before making a new trojan copy.

SpyEye is a large and complex banking trojan, which many predict will become the next big thing after the Zeus trojan family. Indeed, rumor has it that the author of Zeus (Monstr) is retiring and has sold the entire Zeus codebase to the SpyEye author (gribodemon/harderman). There are indications that a merge is underway: newer SpyEye trojans do contain some Zeus-like code.

The trojan communicates with one or more command-and-control servers, from which it gets instructions and to which it uploads stolen information. SpyEye is sold as a kit by its author, and contains not only the trojan itself and configuration tools, but also code to run back end services, control panels, and statistics.

Installation

The trojan itself can be delivered to the user in several ways, typically through web exploits while surfing, or downloaded by spammed downloader trojans.

Configuration

Just like the Zeus trojan, all targeting and information-collecting data is contained in configuration files. In the case of SpyEye, the configuration file is called config.bin and is either downloaded or contained in the executable.

config.bin is an encrypted and password-protected ZIP file. It can contain several components depending on configuration and on how much the distributor has been willing to pay the author. Some of the components can be:

- screenshot configuration file for screen grabs
- files to control the upload of status information
- keylogger
- credit card grabber
- proxy components & config
- remote desktop components & config
- web injection configuration file

Changes to the filesystem

As can be seen in the configuration screen above, the name of the main executable is configurable, but cleansweep.exe is the default, and is the most commonly seen name. SpyEye will typically copy itself to c:\cleansweep.exe\cleansweep.exe (a folder named cleansweep.exe containing the executable), and also install its configuration file config.bin there.

Changes to registry

"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "cleansweep.exe"="C:\cleansweep.exe\cleansweep.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "EnableHttp1_1"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "ProxyHttp1.1"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "WarnOnPost"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "WarnOnPostRedirect"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "WarnOnIntranet"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" 1409
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" 1609
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" 1406
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" 1406

Memory and process modifications

Creates the mutex "__SPYNET__" to avoid running multiple instances. Enables the privilege SeDebugPrivilege.

When SpyEye runs, it injects threads into other running processes. The most aggressively targeted process is explorer.exe, but other running processes may be injected as well. The processes "System", "smss.exe", "csrss.exe", "services.exe" and "cleansweep.exe" are avoided.

In addition, the trojan hooks several Windows and browser APIs in order to hide itself and to monitor activity:

CryptEncrypt
LdrLoadDll
NtEnumerateValueKey
NtQueryDirectoryFile
NtResumeThread
NtVdmControl
TranslateMessage
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpQueryInfoA
InternetQueryDataAvailable
InternetCloseHandle
InternetReadFile
InternetReadFileExA
InternetWriteFile
send
PR_Read
PR_Write
PR_Close
PR_OpenTCPSocket
PFXImportCertStore

Web injection

Because the trojan hooks traffic in the browser, it is capable of seeing the data after it has been decrypted from SSL but before it is presented to the user. Thus it can monitor HTTPS traffic and alter the web content as it wishes. In the configuration file config.bin there will often be a file called webinjects.txt. This file contains rules for how web traffic should be filtered. Rules look something like this:

set_url http://my_bank.com/portal/login G
data_before
custom replacement page for my_bank.com login
data_end
data_after
data_end

(G means the rule applies on GET requests.)

The net result is usually that the user attempts to log into the bank using the credentials demanded by the web page, i.e. by the trojan. Then the trojan typically either tells the user to wait or shows some error message prompting the user to try to log in again (with new one-time codes); all the while, in the background, the access credentials are posted to an intruder somewhere else, who can now use legitimate access credentials to log into the bank and make transfers.

If you notice any unusual behaviour when accessing your online bank, particularly long delays or strange error messages as you send your login credentials, it is advised that you contact your bank for more information.

Rootkit functionality

SpyEye attempts to hide from view by intercepting several Windows APIs connected with listing files and registry settings. The effect is that you normally will not see the trojan's installation folder, but it can be detected indirectly, for example by attempting to create a new folder by the name "cleansweep.exe". If you get the error "A file with the name you specified already exists", you likely have SpyEye running.

Norman's antivirus products detect and remove all variants known to us at this time, but new SpyEye variations are released continuously, so it is important to keep the antivirus product updated.

Write-up by Snorre Fagerland
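As an added example (not code from the original write-up), a small parser for the webinjects.txt rule format shown in the Web injection section, so an analyst can list which URLs a recovered config targets and on which request methods. The sample rules are constructed; real files may contain further directives, which this parser only records by their data_* name.

```python
import re
from dataclasses import dataclass, field

@dataclass
class InjectRule:
    url: str          # pattern from the set_url line
    flags: str        # e.g. "G" = apply on GET requests
    blocks: dict = field(default_factory=dict)  # data_before / data_after bodies

def parse_webinjects(text):
    """Parse set_url / data_* ... data_end rules into InjectRule objects."""
    rules, current, block, body = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:             # inside a data_* ... data_end section
            if line == "data_end":
                current.blocks[block] = "\n".join(body)
                block, body = None, []
            else:
                body.append(raw)
        elif line.startswith("set_url"):
            parts = line.split(None, 2)   # set_url <url> [flags]
            current = InjectRule(url=parts[1] if len(parts) > 1 else "",
                                 flags=parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif line.startswith("data_") and current is not None:
            block = line                  # any data_* directive opens a section
    if block is not None and current is not None:  # unterminated section at EOF
        current.blocks[block] = "\n".join(body)
    return rules

def targeted_hosts(rules):
    """Host part of each set_url, deduplicated, for a quick targeting overview."""
    hosts = set()
    for r in rules:
        m = re.match(r"^[a-z]+://([^/]+)", r.url, re.I)
        hosts.add(m.group(1) if m else r.url)
    return sorted(hosts)

# Constructed sample in the format the write-up shows (not a real config).
SAMPLE = """set_url http://my_bank.com/portal/login G
data_before
custom replacement page for my_bank.com login
data_end
data_after
data_end
set_url https://other_bank.example/account/summary G
data_before
<p>constructed injected content</p>
data_end
"""
```

Running `targeted_hosts(parse_webinjects(SAMPLE))` gives the two targeted hosts from the sample.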
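A second added example (again not from the write-up): the indirect detection trick from the Rootkit functionality section as a small probe. It asks the OS to create the directory and compares the outcome with what a directory listing claims; an entry the listing does not show but that the OS refuses to create because it already exists is the symptom described above. The listing function is a parameter so the hidden case can be exercised on a clean machine; that the current user may create a folder directly under C:\ is an assumption.

```python
import os
import tempfile

def probe_hidden_entry(path, list_dir=os.listdir):
    """Classify a path as 'absent', 'visible', 'hidden' or 'unknown'.

    'hidden' = the OS reports the name already exists when we try to create
    it, yet the directory listing (the API a rootkit like SpyEye hooks) does
    not show it. On a clean system only 'absent' and 'visible' occur."""
    path = os.path.normpath(path)
    parent, name = os.path.split(path)
    listed = name in list_dir(parent or os.curdir)
    try:
        os.mkdir(path)
    except FileExistsError:
        return "visible" if listed else "hidden"
    except PermissionError:
        return "unknown"        # no rights to create here, probe is inconclusive
    os.rmdir(path)              # the probe created it, so nothing was there before
    return "absent"

def spyeye_folder_check(drive="C:\\", name="cleansweep.exe"):
    """Apply the probe to the default SpyEye install folder from the write-up."""
    return probe_hidden_entry(os.path.join(drive, name))

def demo_states():
    """Exercise all three outcomes in a temp dir; the hidden case is simulated
    by a listing function that behaves like a hooked NtQueryDirectoryFile."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "cleansweep.exe")
        absent = probe_hidden_entry(target)
        os.mkdir(target)
        visible = probe_hidden_entry(target)
        hidden = probe_hidden_entry(target, list_dir=lambda p: [])
    return absent, visible, hidden

if __name__ == "__main__":
    print(demo_states())
```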