
W32/SpyEye

Threat risk: medium

Detection files published: 11/02/2010
Description created: 2011-02-17
Description updated: 2011-02-17

Alias: EyeStye
Spreading mechanism: Email, Webpage

Payload:

Summary

Fig. 1: The SpyEye 1.2.6 configuration screen. This is what the trojan distributor uses before building a new trojan copy.

SpyEye is a large and complex banking trojan, which many predict will become the next big thing after the Zeus trojan family. Indeed, rumor has it that the author of Zeus (Monstr) is retiring and has sold the entire Zeus codebase to the SpyEye author (gribodemon/harderman). There are indications that a merge is underway: newer SpyEye trojans do contain some Zeus-like code.

The trojan communicates with one or more command-and-control servers where it gets instructions from and where it also uploads information to. SpyEye is sold as a kit from its author, and contains not only the trojan itself and configuration tools, but also code to run back end services, control panels, and statistics.

Installation

The trojan itself can be delivered to the user in several ways, typically through web exploits while browsing, or downloaded by downloader trojans that are distributed via spam.

Configuration

Just like the Zeus trojan, all targeting and info collecting data is contained in configuration files. In the case of SpyEye, the configuration file is called config.bin and is either downloaded or contained in the executable.

config.bin is an encrypted and password-protected ZIP file. It can contain several components depending on configuration and how much the distributor has been willing to pay the author. Some of the components can be:

  • screenshot configuration file for screen grabs
  • files to control the upload of status information
  • keylogger
  • credit card grabber
  • proxy components & config
  • remote desktop components & config
  • web injection configuration file

Changes to the filesystem

As can be seen above, the name of the main executable is configurable, but cleansweep.exe is the default, and is the most commonly seen name. SpyEye will typically copy itself to the folder c:\cleansweep.exe\cleansweep.exe, and also install its configuration file config.bin there.

Changes to registry

"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "cleansweep.exe"="C:\cleansweep.exe\cleansweep.exe"

"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "EnableHttp1_1"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "ProxyHttp1.1"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "WarnOnPost"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "WarnOnPostRedirect"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" "WarnOnIntranet"=""
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" 1409
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" 1609
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" 1406
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1" 1406

Memory and process modifications

Creates the mutex "__SPYNET__" to avoid running multiple instances.
Enables the privilege SeDebugPrivilege.

When SpyEye runs, it injects threads into other running processes. The most aggressively targeted process is explorer.exe, but other running processes may be injected as well. The processes "System", "smss.exe", "csrss.exe", "services.exe" and "cleansweep.exe" are avoided.

In addition, the trojan hooks several Windows and browser APIs, both to hide itself and to monitor activity:

CryptEncrypt
LdrLoadDll
NtEnumerateValueKey
NtQueryDirectoryFile
NtResumeThread
NtVdmControl
TranslateMessage
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpQueryInfoA
InternetQueryDataAvailable
InternetCloseHandle
InternetReadFile
InternetReadFileExA
InternetWriteFile
send
PR_Read
PR_Write
PR_Close
PR_OpenTCPSocket
PFXImportCertStore

Web injection

Because the trojan hooks traffic inside the browser, it can see the data after it has been decrypted from SSL but before it is presented to the user. Thus it can monitor HTTPS traffic and alter the web content as it wishes. The configuration file config.bin will often contain a file called webinjects.txt. This file contains rules for how web traffic should be filtered. Rules look something like this:

set_url http://my_bank.com/portal/login G    (G means on GET)
data_before
<html>
data_end
data_inject
custom replacement page for my_bank.com login
data_end
data_after

data_end
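An analyst who recovers webinjects.txt from a config.bin usually wants a list of which URLs the rules target and on which requests they fire. The parser below is an added example written for this write-up, not Norman's or the trojan author's code; its sample input is constructed, and the '*' wildcards and the 'P' (POST) flag in the second rule are Zeus-format conventions assumed here, not shown on this page.

```python
from fnmatch import fnmatchcase

# Constructed sample in the format shown above (not a real config). The second rule's
# '*' wildcards and 'P' (POST) flag are Zeus-format conventions assumed here.
SAMPLE = """\
set_url http://my_bank.com/portal/login G
data_before
<html>
data_end
data_inject
custom replacement page for my_bank.com login
data_end
data_after
data_end
set_url https://*.example-bank.test/account* GP
data_inject
<input type="hidden" name="otp_hint">
data_end
"""

SECTIONS = ("data_before", "data_inject", "data_after")
METHODS = {"G": "GET", "P": "POST"}   # G = GET per the write-up; P = POST assumed

def parse_webinjects(text):
    """Return one dict per set_url rule: url, flags and the three data sections."""
    rules, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:            # inside a data_* ... data_end block
            if line != "data_end":
                buf.append(raw)
                continue
            current[section], section, buf = "\n".join(buf), None, []
        elif line.startswith("set_url"):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(current)
        elif line in SECTIONS and current is not None:
            section = line
    return rules

def rules_targeting(rules, url):
    """(pattern, trigger methods) for every rule whose set_url matches url."""
    return [(r["url"], [METHODS.get(c, c) for c in r["flags"]])
            for r in rules if fnmatchcase(url, r["url"])]
```

Running rules_targeting over your own login URLs against a recovered rule set tells you immediately whether your site is on the target list.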

The net result is usually that the user attempts to log into the bank using credentials demanded by the web page – i.e. the trojan. Then the trojan typically either tells the user to wait or shows some error message prompting the user to try to log in again (with new one-time codes) – all the while in the background, the access credentials are posted to an intruder somewhere else, who can now use legitimate access credentials to log into the bank and make transfers.

If you notice any unusual behaviour when accessing your online bank, particularly if you notice long delays or strange error messages as you send your login credentials, it is advised that you contact your bank for more information.

Rootkit functionality

SpyEye attempts to hide from view by intercepting several Windows APIs connected with listing files and registry settings. As a result you will normally not see the trojan's installation folder, but it can be detected indirectly, for example by attempting to create a new folder named "cleansweep.exe". If you get the error "A file with the name you specified already exists", you likely have SpyEye running.
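The manual check above is a cross-view comparison: the directory listing (which SpyEye filters by hooking NtQueryDirectoryFile) is compared with a direct create attempt, which goes through an unhooked path and still sees the entry. The script below is an added example, not a Norman tool; the check_spyeye_default_folder function and the injectable listdir/mkdir parameters are this example's own additions, the latter so the hidden case can be exercised without a rootkit present.

```python
import os
import tempfile

def hidden_entry_status(parent, name, listdir=os.listdir, mkdir=os.mkdir):
    """Cross-view check: compare the directory listing with a direct create attempt.

    "hidden"  - not in the listing, but mkdir says it already exists (rootkit-style hiding)
    "visible" - present in the listing
    "absent"  - not listed and creation succeeded; the probe directory is removed again
    "unknown" - creating in `parent` needs rights we do not have
    listdir/mkdir are injectable so the hidden case can be exercised without a rootkit.
    """
    if name in listdir(parent):
        return "visible"
    path = os.path.join(parent, name)
    try:
        mkdir(path)
    except FileExistsError:       # listing hook hid it, but the create path still sees it
        return "hidden"
    except PermissionError:
        return "unknown"
    os.rmdir(path)                # clean up our own probe directory
    return "absent"

def check_spyeye_default_folder(drive="C:\\"):
    """Apply the check to the default folder name from this write-up (run as admin on Windows)."""
    return hidden_entry_status(drive, "cleansweep.exe")

def demo_in_tempdir():
    """Exercise all three outcomes in a scratch directory, simulating the hidden case."""
    tmp = tempfile.mkdtemp()
    absent = hidden_entry_status(tmp, "probe")
    os.mkdir(os.path.join(tmp, "seen"))
    visible = hidden_entry_status(tmp, "seen")
    hidden = hidden_entry_status(tmp, "seen", listdir=lambda p: [])   # simulated listing hook
    return absent, visible, hidden
```

Because the mutex name and the Run key value above are also fixed, the same idea extends to those artefacts, but the folder probe is the one the write-up describes.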

Norman's antivirus products detect and remove all variants known to us at this time, but new SpyEye variations are released continuously, so it is important to keep the antivirus product updated.

Write-up by Snorre Fagerland

Spreading description

Normally spam or web vulnerabilities

Removal


Read More about the SpyEye Banking Malware Vulnerability

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
