SpyEye Banking Malware Vulnerability

About SpyEye

SpyEye is a malware toolkit that has become increasingly popular over the past few months and is similar to the widely-used ZeuS malware that has caused hundreds of thousands of costly infections globally. ZeuS/Zbot is a malware kit particularly aimed at customers using online banks, and has several different modules.

Man-in-browser Attack

These malware tools perform attacks called “man-in-browser” attacks because, like trojans, they infect web browsers and modify pages and transactions to steal valuable personal information such as Social Security numbers, banking usernames and passwords, credit card data and even complete identity profiles from autofill applications. A consumer or business user may become infected while innocently browsing infected (often popular) Web sites. SpyEye waits for the user to access their online banking account before activating.

Researchers at Norman’s antimalware Lab have since early February been working with several banks in Norway to identify a specific variant of SpyEye that criminals have recently developed. This variant has also targeted other banks in Europe and Asia. It could easily be modified to work against any bank in any country. Online banking users in Europe and North America should be very vigilant to guard against this online threat.

This particular variant of SpyEye targets the initial login field on a bank’s legitimate web page, captures the login and password information, and then rapidly (and illegally) transfers money until the application times out in about 20 seconds.

The trojan communicates with one or more command-and-control servers, from which it receives instructions and to which it uploads the information it has collected. SpyEye is sold as a kit by its author and contains not only the trojan itself and configuration tools, but also code to run back end services, control panels, and statistics.

Web Injection

Because the trojan hooks traffic inside the browser, it sees the data after the browser has removed the SSL encryption but before the page is presented to the user. Thus it can monitor HTTPS traffic and alter the web content as it wishes; the encryption on the wire offers no protection against this.

Rootkit Functionality

SpyEye attempts to hide from view by intercepting several Windows APIs connected with listing files and registry settings. This has the effect that you normally will not see the trojan’s installation folder, but it can be detected indirectly, for example by attempting to create a new folder with the name “cleansweep.exe”. If you get the error “A file with the name you specified already exists”, you are most likely running SpyEye.
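The manual check above can be turned into a small defensive probe. The following script is an added example written for this page; it is not Norman’s tool and not part of the original article. It applies the same idea: try to create a folder with the reserved name, and if creation fails with “already exists” while a directory listing does not show the entry, the file-listing API and the filesystem disagree, which is exactly the inconsistency a hooked system produces. The location to probe is an assumption (the page does not say where the folder lives), so the script defaults to the current working directory and lets you pass any other path.

```python
import os
import tempfile

# Folder name the page says SpyEye reserves: creating a folder with this
# name fails with "already exists" even though the entry is hidden.
SPYEYE_MARKER = "cleansweep.exe"


def probe_hidden_entry(directory, name=SPYEYE_MARKER):
    """Try to create a folder `name` inside `directory` and classify the outcome.

    Returns one of:
      "absent"  - nothing was there; we created the folder and removed it again.
      "visible" - creation failed because the entry exists AND it appears in a
                  directory listing (an ordinary file/folder, nothing hidden).
      "hidden"  - creation failed because the entry exists, yet the listing does
                  not show it: the filesystem knows about the entry while the
                  listing API does not, the rootkit-style behaviour described
                  on this page. Treat as a strong indicator, not proof.
      "unknown" - we were not allowed to create anything here (no permission),
                  so the probe says nothing about this directory.
    """
    path = os.path.join(directory, name)
    try:
        os.mkdir(path)
    except FileExistsError:
        # Listing goes through the same APIs a rootkit hooks; compare the two views.
        listed = name in os.listdir(directory)
        return "visible" if listed else "hidden"
    except PermissionError:
        return "unknown"
    # We created it ourselves, so leave no trace and report a clean result.
    os.rmdir(path)
    return "absent"


def self_check():
    """Exercise the probe on a throwaway directory: first with nothing there,
    then after planting an ordinary (visible) file with the marker name."""
    with tempfile.TemporaryDirectory() as d:
        first = probe_hidden_entry(d)
        open(os.path.join(d, SPYEYE_MARKER), "w").close()
        second = probe_hidden_entry(d)
    return first, second


if __name__ == "__main__":
    import sys
    print("self-check:", self_check())  # ('absent', 'visible')
    # Directory to probe on the real machine: assumption, defaults to the
    # current working directory; pass a path as the first argument to change it.
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    print("probe of %s: %s" % (target, probe_hidden_entry(target)))
```

A "hidden" result means only that two Windows views of the same directory disagree; the next step for a responder is to confirm with an up-to-date antimalware scan or an offline examination of the disk, where the hooks are not active.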

Read the whole SpyEye Trojan description here.

All Norman antimalware solutions for consumers, business and government have detection for this Trojan and any attempt at infection will be blocked.

Threat

SpyEye malware targets consumers and businesses to obtain online banking login credentials for the purposes of stealing or transferring funds and identity theft. This malware can hijack any Web page and inject malicious code.