SpyEye

Promon Shield Proactively Blocking SpyEye Trojan

23.02.2011 - During last week a trojan identified as SpyEye has been targeting Norwegian online banking customers in order to steal money from their accounts. Promon has the technology in place that can proactively protect online banking services against these kinds of attacks.

Analysis of the sample shows (see more details on this further on) that the behavior of the trojan is controlled from several dedicated servers on the internet. Through this sophisticated and highly dynamic process the bad guys can change the actual behavior of SpyEye by the hour. This means that, even though this particular attack is over, Norwegian banks can be targeted again at any time, and in a completely different and more effective way than last time.

Promon is analyzing SpyEye on a constant basis and is able to register configuration changes as they happen. This means that as soon as we see SpyEye targeting certain banks we can react immediately.

Trojans like SpyEye are widespread and come in a huge number of different variants. Security solutions like firewalls and antivirus programs are important tools, but unfortunately have problems preventing infection with these kinds of malware. Security analysts reported that more than half of the investigated systems infected with the Zeus trojan (a trojan similar to SpyEye) were running fully updated AV and OS versions.

The banks' countermeasure of advising their users to install a firewall and an AV solution and keep them updated is therefore not enough to effectively deal with this problem. Other security advice, such as “do not open any suspicious links or attachments”, also does not protect a banking customer who is already using an infected system.

Promon implements its technology as an integrated solution with the actual online banking service. Through different deployment variants, Promon is able to offer a wide scope of protection covering all users. The Promon technology is implemented by the bank and creates a secure browser session from the client PC each time the online banking service is accessed. In this way online banking customers are protected against trojan attacks even when using an infected PC for access, and even when the actual trojan is configured to behave in a new and unexpected way.

W32/SpyEye

Aliases

This is a list of aliases for the variant of SpyEye discovered in early February 2011 that has been actively targeting Norwegian banking websites:
  • Trojan-Spy.Win32.SpyEyes.evg (Kaspersky)
  • PWS-Spyeye.m (McAfee)
  • Trojan:Win32/EyeStye.H (Microsoft)
  • A variant of Win32/Spy.SpyEye.CA (NOD32)
  • W32/Malware.QOOC (Norman)
  • Trojan.Zbot (Symantec)
  • Mal_Xed-24 (Trend Micro)

Brief overview

SpyEye is a trojan with backdoor capabilities that attempts to steal sensitive information related to online banking and credit card transactions from an infected machine. SpyEye is sold by its author in an easy-to-configure kit form, which contains the trojan executable itself, the command and control (C&C) server and a basic configuration for targeting banking websites. As of the beginning of 2011, SpyEye has merged functionality from the ZeuS trojan family, which has been sold to the SpyEye author, and is becoming more sophisticated with respect to the features and functionality offered.

Technical overview

SpyEye executables are typically packed on the outer layer using UPX, but can be obscured by other executable packers. The trojan also contains a homebrew obfuscation layer within, which seems remarkably similar to the obfuscation techniques utilised by ZeuS. Some versions of SpyEye contain an embedded configuration, which is an XOR-SUB encoded password protected ZIP file, or optionally, this can be downloaded directly from the C&C server (as in the case of updates). Configuring SpyEye is relatively simple, with the following options available:
  • Form grabbing. This allows the trojan to steal sensitive information from web forms, such as usernames and passwords.
  • Credit card grabbing. This allows the trojan to steal credit card information.
  • Screen shot grabber. This allows the trojan to steal screenshots on an infected system whenever a user visits predefined websites.
  • Backdoor. This allows the trojan to create a backdoor on the system, so an attacker can gain remote access.
  • Web injects. This allows the trojan to replace or insert information into web pages accessed on an infected system. For example, a typical use for this feature is to inject additional fields into banking websites' logon forms to prompt for PIN/TAN codes, where the website wouldn’t ordinarily do so.
  • Firefox certificate grabber. This plugin allows the trojan to steal certificates installed under Firefox, in addition to the default Windows certificate store.
  • DDoS. This enables the trojan to perform a distributed-denial-of-service attack, using either SYN flood, UDP flood or slowloris attacks against a specified internet resource.
  • FTP backdoor. This enables FTP connections to the infected machine.
  • Remote desktop. This allows an attacker to connect to an infected machine via remote desktop.
  • Anti-Rapport. This enables the trojan to bypass protection mechanisms offered by Trusteer’s Rapport product.
SpyEye is typically installed on a system via web exploits (drive-by-downloads) or distributed via email through spam networks. Once active on a system, SpyEye will create a folder on the root of the system drive (usually C:\), typically using a random name. Some of the names observed are:
  • cleansweep.exe
  • usxxxxxxxx.exe
  • mydnswatch
  • newdnswatch
  • Recycle.Bin
The trojan will then copy itself and its configuration file to the new location, where the executable is usually given the same name as the folder, with a .exe extension (e.g. mydnswatch.exe, or cleansweep.exe.exe), and the configuration is typically named config.bin. At this point, SpyEye will be re-executed from the new location, and will proceed to install many usermode hooks in various Windows APIs, for example NtQueryDirectoryFile(), which are used to hide the newly created folder as well as its executable and configuration files from Windows Explorer and security software, making it hard to establish whether a system is infected with SpyEye. In addition, SpyEye will also hook the following APIs on a system, for the purpose of providing rootkit-style stealth capabilities, as well as spying on network communications in an attempt to steal sensitive information:
  • advapi32.dll:CryptEncrypt
  • kernel32.dll:ExitProcess
  • kernel32.dll:FlushInstructionCache
  • kernel32.dll:GetProcAddress
  • kernel32.dll:LoadLibraryA
  • kernel32.dll:LoadLibraryExW
  • kernel32.dll:LoadLibraryW
  • ntdll.dll:DbgBreakPoint
  • ntdll.dll:KiUserExceptionDispatcher
  • ntdll.dll:LdrInitializeThunk
  • ntdll.dll:LdrQueryImageFileExecutionOptions
  • ntdll.dll:NtCallbackReturn
  • ntdll.dll:NtContinue
  • ntdll.dll:NtCreateProcess
  • ntdll.dll:NtCreateProcessEx
  • ntdll.dll:NtCreateSection
  • ntdll.dll:NtCreateThread
  • ntdll.dll:NtDisplayString
  • ntdll.dll:NtEnumerateValueKey
  • ntdll.dll:NtMapViewOfSection
  • ntdll.dll:NtOpenSection
  • ntdll.dll:NtQueryDirectoryFile
  • ntdll.dll:NtQueryVirtualMemory
  • ntdll.dll:NtResumeThread
  • ntdll.dll:NtSetInformationFile
  • ntdll.dll:NtTerminateProcess
  • ntdll.dll:NtTerminateThread
  • ntdll.dll:NtUnmapViewOfSection
  • ntdll.dll:NtVdmControl
  • user32.dll:CreateWindowExW
  • user32.dll:DialogBoxIndirectParamA
  • user32.dll:DialogBoxIndirectParamW
  • user32.dll:DialogBoxParamA
  • user32.dll:DialogBoxParamW
  • user32.dll:GetMessageA
  • user32.dll:GetMessageW
  • user32.dll:MessageBoxExA
  • user32.dll:MessageBoxExW
  • user32.dll:MessageBoxIndirectA
  • user32.dll:MessageBoxIndirectW
  • user32.dll:PeekMessageA
  • user32.dll:PeekMessageW
  • user32.dll:TrackPopupMenuEx
  • user32.dll:TranslateAccelerator
  • user32.dll:TranslateAcceleratorW
  • user32.dll:TranslateMessage
  • wininet.dll:HttpAddRequestHeadersA
  • wininet.dll:HttpEndRequestA
  • wininet.dll:HttpOpenRequestA
  • wininet.dll:HttpQueryInfoA
  • wininet.dll:HttpSendRequestA
  • wininet.dll:HttpSendRequestExA
  • wininet.dll:HttpSendRequestExW
  • wininet.dll:HttpSendRequestW
  • wininet.dll:InternetCloseHandle
  • wininet.dll:InternetConnectA
  • wininet.dll:InternetOpenA
  • wininet.dll:InternetOpenUrlA
  • wininet.dll:InternetReadFile
  • wininet.dll:InternetReadFileExA
  • wininet.dll:InternetWriteFile
  • ws2_32.dll:getaddrinfo
  • ws2_32.dll:gethostbyname
  • ws2_32.dll:send
In addition, the following modules have been seen loaded within SpyEye infected processes where they wouldn’t normally be loaded:
  • crypt32.dll
  • advapi32.dll
  • rpcrt4.dll
  • msvcrt.dll
  • user32.dll
  • gdi32.dll
  • msasn1.dll
  • ws2_32.dll
  • ws2help.dll
  • wininet.dll
  • shlwapi.dll
  • oleaut32.dll
  • ole32.dll
  • comctl32.dll
  • shell32.dll
  • comctl32.dll
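The usermode hooks listed above are inline detours: the first bytes of an exported function in the running process are overwritten with a jump into the trojan's code. A defender can detect this without trusting the infected process by comparing each watched export's prologue as seen in process memory with the same bytes in the module's on-disk image. The following is an added example illustrating that comparison; it is not Promon's code or tooling. The prologue byte strings, the subset of hook targets taken from the list above, and the two "hooked" entries are all constructed; on a real system the two views would come from a process memory read and an independent parse of the module file's export table.

```python
"""Detect inline (usermode) API hooks by comparing the first bytes of an
exported function as loaded in a process against the same bytes in the
module's on-disk image.  Added example for this page, not Promon's code.
The sample prologues below are constructed."""

# x86 opcodes a detour installer typically writes over a prologue
# (constructed list of well-known patterns, not exhaustive)
JMP_REL32 = 0xE9
PUSH_IMM32 = 0x68
RET = 0xC3
MOV_EAX_IMM32 = 0xB8

# A subset of the hook targets named in the report
WATCHED_EXPORTS = {
    "ntdll.dll": ["NtQueryDirectoryFile", "NtCreateThread", "NtResumeThread"],
    "wininet.dll": ["HttpSendRequestA", "InternetReadFile"],
    "ws2_32.dll": ["send"],
}


def classify_prologue(mem):
    """Return a label if the in-memory prologue starts with a detour pattern,
    otherwise None."""
    if not mem:
        return None
    if mem[0] == JMP_REL32:
        return "jmp rel32"
    if len(mem) >= 6 and mem[0] == PUSH_IMM32 and mem[5] == RET:
        return "push/ret"
    if len(mem) >= 7 and mem[0] == MOV_EAX_IMM32 and mem[5:7] == b"\xff\xe0":
        return "mov eax/jmp eax"
    return None


def find_inline_hooks(disk_view, mem_view, prologue_len=8):
    """disk_view / mem_view: {module: {export: bytes}} giving the first bytes
    of each export from the file on disk and from process memory.  Returns a
    list of (module, export, reason) for every export whose prologue differs."""
    findings = []
    for module, exports in WATCHED_EXPORTS.items():
        for name in exports:
            disk = disk_view.get(module, {}).get(name)
            mem = mem_view.get(module, {}).get(name)
            if disk is None or mem is None:
                findings.append((module, name, "export missing from one view"))
                continue
            if disk[:prologue_len] == mem[:prologue_len]:
                continue
            reason = classify_prologue(mem) or "prologue bytes differ"
            findings.append((module, name, reason))
    return findings


# Constructed sample: the hot-patchable prologue (mov edi,edi; push ebp;
# mov ebp,esp; sub esp,0x10) on disk, with two exports overwritten in memory.
CLEAN = b"\x8b\xff\x55\x8b\xec\x83\xec\x10"
SAMPLE_DISK = {
    "ntdll.dll": {n: CLEAN for n in WATCHED_EXPORTS["ntdll.dll"]},
    "wininet.dll": {n: CLEAN for n in WATCHED_EXPORTS["wininet.dll"]},
    "ws2_32.dll": {"send": CLEAN},
}
SAMPLE_MEM = {
    "ntdll.dll": {
        "NtQueryDirectoryFile": b"\xe9\x10\x20\x30\x00\x83\xec\x10",  # jmp rel32
        "NtCreateThread": CLEAN,
        "NtResumeThread": CLEAN,
    },
    "wininet.dll": {
        "HttpSendRequestA": b"\x68\x00\x00\x40\x00\xc3\xec\x10",  # push imm32 / ret
        "InternetReadFile": CLEAN,
    },
    "ws2_32.dll": {"send": CLEAN},
}

if __name__ == "__main__":
    for module, name, reason in find_inline_hooks(SAMPLE_DISK, SAMPLE_MEM):
        print(f"{module}:{name} -> {reason}")
```

Because GetProcAddress and LoadLibrary are themselves on the hook list, a checker that runs inside the infected process and resolves exports through those APIs can be fed patched addresses; the on-disk view should be built by parsing the PE export table of the module file directly, and the memory view read from outside the target process.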
After SpyEye is installed and active on a system, it will try to inject a thread into an active system service or process, typically explorer.exe, from where it will attempt to infect other processes, such as Internet Explorer. It will also typically try to avoid infecting processes with the following names:
  • services.exe
  • csrss.exe
  • smss.exe
  • System
SpyEye will create a registry entry to ensure it is restarted each time Windows starts. Assuming SpyEye was installed under “C:\mydnswatch” as “mydnswatch.exe”, the registry entry would appear in the following form:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mydnswatch.exe = "C:\mydnswatch\mydnswatch.exe"
At this point, based on its configuration, SpyEye will attempt to steal sensitive information from the system, and pass it back to its C&C server.
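The installation pattern described above (a folder at the root of the system drive, an executable inside it carrying the folder's name plus .exe, and a Run value pointing at it) is a usable persistence heuristic. The following is an added example of such a check, not Promon's code; the Run entries it is fed are constructed, the folder names come from the list above, and the regular expression is an assumption about how the value is written. On Windows, scan_run_keys() with no arguments reads the real HKCU Run key through the standard winreg module; elsewhere it works on entries handed to it.

```python
"""Heuristic for the SpyEye persistence pattern: a Run value whose target is
<drive>:\\<folder>\\<folder>.exe (or <folder>.exe.exe) with the folder at the
root of the drive.  Added example, not Promon's code; sample entries are
constructed."""
import re
import sys

# Folder names reported for this variant
KNOWN_FOLDERS = {"cleansweep.exe", "mydnswatch", "newdnswatch", "Recycle.Bin"}

# Matches an optionally quoted path with exactly one folder under the drive
# root and no arguments: C:\folder\file.exe  (assumed value format)
ROOT_TARGET = re.compile(r'^"?([A-Za-z]):\\([^\\"]+)\\([^\\"]+?)"?$')


def classify_run_entry(name, value):
    """Return the reasons an autorun value resembles the reported pattern
    (an empty list means nothing matched)."""
    reasons = []
    m = ROOT_TARGET.match(value.strip())
    if not m:
        return reasons
    _drive, folder, exe = m.groups()
    if exe.lower() == folder.lower() + ".exe":
        reasons.append("executable name equals folder name plus .exe")
    if name.lower() == exe.lower():
        reasons.append("value name equals executable file name")
    if folder.lower() in {f.lower() for f in KNOWN_FOLDERS}:
        reasons.append(f"folder name '{folder}' listed in SpyEye report")
    if exe.lower().endswith(".exe.exe"):
        reasons.append("double .exe extension")
    return reasons


def read_hkcu_run():
    """Read (name, value) pairs from the current user's Run key (Windows only)."""
    import winreg  # standard library on Windows
    entries = []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, value, _kind = winreg.EnumValue(key, index)
        except OSError:  # no more values
            break
        entries.append((name, str(value)))
        index += 1
    return entries


def scan_run_keys(entries=None):
    """entries: iterable of (name, value).  If None, read the live HKCU Run
    key on Windows.  Returns {value_name: [reasons]} for flagged entries."""
    if entries is None:
        if not sys.platform.startswith("win"):
            raise RuntimeError("no entries supplied and not running on Windows")
        entries = read_hkcu_run()
    flagged = {}
    for name, value in entries:
        reasons = classify_run_entry(name, value)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample Run values: two following the reported pattern, two benign
SAMPLE_ENTRIES = [
    ("mydnswatch.exe", r'"C:\mydnswatch\mydnswatch.exe"'),
    ("cleansweep.exe", r"C:\cleansweep.exe\cleansweep.exe.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
]

if __name__ == "__main__":
    for name, reasons in scan_run_keys(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

Since NtEnumerateValueKey and NtQueryDirectoryFile are both on the hook list above, an enumeration run from inside the infected session can be filtered before it reaches this script; reading the user's registry hive and the drive root from a clean boot environment, or from a separate forensic host, avoids that problem.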

SpyEye can potentially utilise a number of techniques in order to obtain a user's online banking credentials, typically employing a phishing-style attack by presenting a fake logon web page, which is usually based on the original logon page from the bank, but has additional HTML form fields and JavaScript inserted within, in order to obtain logon credentials that are not normally part of the logon process, such as PIN/TAN codes. A copy of the HTTP POST request is sent to the SpyEye C&C server, from which an attacker can extract the banking credentials or credit card details, and start conducting their own fraudulent transactions.
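Because the injected fields are added to the bank's own form, the bank's server may see them in the logon POST alongside the genuine fields. The following is an added example of a server-side check for that signal; it is not Promon's code, and the expected field set, the list of harvested-secret field names and the sample request bodies are all constructed for the illustration. It logs field names only, never values.

```python
"""Server-side check for web-inject indicators in a logon POST: fields the
genuine page never renders (PIN/TAN style prompts).  Added example, not
Promon's code; field sets and sample bodies are constructed."""
from urllib.parse import parse_qs

# Fields the genuine logon form submits (constructed for the example)
EXPECTED_FIELDS = {"username", "password", "csrf_token"}

# Base names of fields whose unexpected presence points at credential
# harvesting; a trailing digit (tan1, tan2) is stripped before lookup
SENSITIVE_EXTRAS = {"pin", "tan", "cardnumber", "cvv", "cvc"}


def inspect_login_post(body):
    """Parse an application/x-www-form-urlencoded body and report unexpected
    field names, those that look like harvested secrets, and a verdict."""
    fields = parse_qs(body, keep_blank_values=True)
    unexpected = sorted(set(fields) - EXPECTED_FIELDS)
    harvested = [
        f for f in unexpected
        if f.lower().rstrip("0123456789") in SENSITIVE_EXTRAS
    ]
    if harvested:
        verdict = "suspect-inject"
    elif unexpected:
        verdict = "unexpected-fields"
    else:
        verdict = "ok"
    return {"unexpected": unexpected, "harvested": harvested, "verdict": verdict}


def log_line(client_ip, result):
    """Format a SOC log line; field names only, submitted values never appear."""
    extras = ",".join(result["unexpected"]) or "-"
    return (f"login-post ip={client_ip} verdict={result['verdict']} "
            f"unexpected={extras}")


# Constructed sample POST bodies: clean, injected PIN/TAN, and a harmless
# extra field that should only be noted, not treated as an inject
SAMPLE_REQUESTS = [
    ("203.0.113.10", "username=alice&password=s3cret&csrf_token=abc123"),
    ("203.0.113.11", "username=bob&password=hunter2&csrf_token=def456"
                     "&pin=1234&tan1=987654&tan2=123456"),
    ("203.0.113.12", "username=carol&password=pw&csrf_token=ghi789&remember_me=1"),
]

if __name__ == "__main__":
    for ip, body in SAMPLE_REQUESTS:
        print(log_line(ip, inspect_login_post(body)))
```

A suspect-inject verdict is a reason to treat the session as compromised and hold the logon or any transaction for extra verification, not proof by itself: an inject that rewrites the form target or strips its own fields before submission leaves the bank seeing only the normal POST, while the copy still goes to the C&C server as described above.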

SpyEye has been targeting a number of Norwegian banks.

By injecting a form that was displayed to the user, SpyEye tried to steal logon credentials when the user attempted to access their online bank.

Protection

Since its creation in 2007, Promon Shield has been capable of proactively blocking all known SpyEye variants from performing man-in-the-browser attacks, thereby preventing the trojan from conducting transaction/credit card fraud.

More info

A full SpyEye report including more details about this trojan as well as screenshots of the actual attacks can be made available upon request. For more information please contact info@promon.no.
© 2011 Promon AS | Gjerdrums vei 19 | 0484 Oslo | Norway | +47 22021130 | info@promon.no