SpyEye Brief Note and r0073r xpl01t

1. 0x00 Briefm, Logo, Blah-blah-blah
2.  
3.  
4. 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
5. 0 __ __ __ __ 1
6. 1 /'__`\ /'__`\/\ \__ /'__`\ 0
7. 0 _ __ /\ \/\ \/\ \/\ \ \ ,_\ __ __ __/\ \/\ \ _ __ ___ ___ 1
8. 1 /\`'__\ \ \ \ \ \ \ \ \ \ \/ /\ \/\ \/\ \ \ \ \ \/\`'__\/' __` __`\ 0
9. 0 \ \ \/ \ \ \_\ \ \ \_\ \ \ \_\ \ \_/ \_/ \ \ \_\ \ \ \/ /\ \/\ \/\ \ 1
10. 1 \ \_\ \ \____/\ \____/\ \__\\ \___x___/'\ \____/\ \_\ \ \_\ \_\ \_\ 0
11. 0 \/_/ \/___/ \/___/ \/__/ \/__//__/ \/___/ \/_/ \/_/\/_/\/_/ 1
12. 1 0
13. 0 1
14. 1 >> SpyEye r0073r xpl01t 0
15. 0 >> author : Sanjar Satsura 1
16. 1 >> sanjar[at]xakep[dot]ru 0
17. 0 >> Public v.0.1 1
18. 1 >> )c( 2011 0
19. 0 1
20. 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-0
21.  
22.  
23. 0x01 What is SpyEye ?
24.  
25. W32/SpyEye
26.  
27. Aliases
28.  
29. This is a list of aliases for the variant of SpyEye discovered in early February 2011 that has been actively targeting Norwegian banking websites:
30. Trojan-Spy.Win32.SpyEyes.evg (Kaspersky)
31. PWS-Spyeye.m (McAfee)
32. Trojan:Win32/EyeStye.H (Microsoft)
33. A variant of Win32/Spy.SpyEye.CA (NOD32)
34. W32/Malware.QOOC (Norman)
35. Trojan.Zbot (Symantec)
36. Mal_Xed-24 (Trend Micro)
37. Brief overview
38.  
39. SpyEye is a trojan with backdoor capabilities that attempts to steal sensitive information related to online banking and credit card transactions from an infected machine. SpyEye is sold via its author in an easy to configure kit form, which contains the trojan executable itself, command and control (C&C) server and basic configuration for targeting banking websites. As of the beginning of 2011, SpyEye has merged functionality from the ZeuS trojan family, which has been sold to the SpyEye author, and is now becoming more sophisticated with respect to the features and functionality offered.
40. Technical overview
41.  
42. SpyEye executables are typically packed on the outer layer using UPX, but can be obscured by other executable packers. The trojan also contains a homebrew obfuscation layer within, which seems remarkably similar to the obfuscation techniques utilised by ZeuS. Some versions of SpyEye contain an embedded configuration, which is an XOR-SUB encoded password protected ZIP file, or optionally, this can be downloaded directly from the C&C server (as in the case of updates). Configuring SpyEye is relatively simple, with the following options available:
43. Form grabbing. This allows the trojan to steal sensitive information from web forms, such as usernames and passwords.
44. Credit card grabbing. This allows the trojan to steal credit card information.
45. Screen shot grabber. This allows the trojan to steal screenshots on an infected system whenever a user visits predefined websites.
46. Backdoor. This allows the trojan to create a backdoor on the system, so an attacker can gain remote access.
47. Web injects. This allows the trojan to replace or insert information into web pages accessed on an infected system. For example, a typical use for this feature is to injec additional information into banking websites logon forms to prompt for PIN/TAN codes, where the website wouldn’t ordinarily do so.
48. Firefox certificate grabber. This plugin allows the trojan to steal certificates installed under Firefox, in addition to the default Windows certificate store.
49. DDoS. This enables the trojan to perform a distributed-denial-of-service attack, using either SYN flood, UDP flood or slowloris attacks against a specified internet resource.
50. FTP backdoor. This enables FTP connections to the infected machine.
51. Remote desktop. This allows an attacker to connect to an infected machine via remote desktop.
52. Anti-Rapport. This enables the trojan to bypass protection mechanisms offered by Trusteer’s Rapport product.
53. SpyEye is typically installed on a system via web exploits (drive-by-downloads) or distributed via email through spam networks. Once active on a system, SpyEye will create a folder on the root of the system drive (usually C:\), typically using a random name. Some of the names observed are:
54. cleansweep.exe
55. usxxxxxxxx.exe
56. mydnswatch
57. newdnswatch
58. Recycle.Bin
59. The trojan will then copy itself and its configuration file to the new location, where the executable is usually given the same name as the folder, with a .exe extension (i.e. mydnswatch.exe, or cleansweep.exe.exe), and the configuration is typically named config.bin. At this point, SpyEye will be re-executed from the new location, and will proceed to install many usermode hooks in various Windows APIs, for example NtQueryDirectoryFile(), which are used to hide the newly created folder as well as its executable and configuration files from Windows Explorer and security software, making it hard to establish if a system is infected with SpyEye. In addition, SpyEye will also hook the following APIs on a system, for the purpose of providing rootkit style stealth capabilities, as well as spying on network communications in an attempt to steal sensitive information:
60. advapi32.dll:CryptEncrypt
61. kernel32.dll:ExitProcess
62. kernel32.dll:FlushInstructionCache
63. kernel32.dll:GetProcAddress
64. kernel32.dll:LoadLibraryA
65. kernel32.dll:LoadLibraryExW
66. kernel32.dll:LoadLibraryW
67. ntdll.dll:DbgBreakPoint
68. ntdll.dll:KiUserExceptionDispatcher
69. ntdll.dll:LdrInitializeThunk
70. ntdll.dll:LdrQueryImageFileExecutionOptions
71. ntdll.dll:NtCallbackReturn
72. ntdll.dll:NtContinue
73. ntdll.dll:NtCreateProcess
74. ntdll.dll:NtCreateProcessEx
75. ntdll.dll:NtCreateSection
76. ntdll.dll:NtCreateThread
77. ntdll.dll:NtDisplayString
78. ntdll.dll:NtEnumerateValueKey
79. ntdll.dll:NtMapViewOfSection
80. ntdll.dll:NtOpenSection
81. ntdll.dll:NtQueryDirectoryFile
82. ntdll.dll:NtQueryVirtualMemory
83. ntdll.dll:NtResumeThread
84. ntdll.dll:NtSetInformationFile
85. ntdll.dll:NtTerminateProcess
86. ntdll.dll:NtTerminateThread
87. ntdll.dll:NtUnmapViewOfSection
88. ntdll.dll:NtVdmControl
89. user32.dll:CreateWindowExW
90. user32.dll:DialogBoxIndirectParamA
91. user32.dll:DialogBoxIndirectParamW
92. user32.dll:DialogBoxParamA
93. user32.dll:DialogBoxParamW
94. user32.dll:GetMessageA
95. user32.dll:GetMessageW
96. user32.dll:MessageBoxExA
97. user32.dll:MessageBoxExW
98. user32.dll:MessageBoxIndirectA
99. user32.dll:MessageBoxIndirectW
100. user32.dll:PeekMessageA
101. user32.dll:PeekMessageW
102. user32.dll:TrackPopupMenuEx
103. user32.dll:TranslateAccelerator
104. user32.dll:TranslateAcceleratorW
105. user32.dll:TranslateMessage
106. wininet.dll:HttpAddRequestHeadersA
107. wininet.dll:HttpEndRequestA
108. wininet.dll:HttpOpenRequestA
109. wininet.dll:HttpQueryInfoA
110. wininet.dll:HttpSendRequestA
111. wininet.dll:HttpSendRequestExA
112. wininet.dll:HttpSendRequestExW
113. wininet.dll:HttpSendRequestW
114. wininet.dll:InternetCloseHandle
115. wininet.dll:InternetConnectA
116. wininet.dll:InternetOpenA
117. wininet.dll:InternetOpenUrlA
118. wininet.dll:InternetReadFile
119. wininet.dll:InternetReadFileExA
120. wininet.dll:InternetWriteFile
121. ws2_32.dll:getaddrinfo
122. ws2_32.dll:gethostbyname
123. ws2_32.dll:send
124. In addition, the following modules have been seen loaded within SpyEye infected processes where they wouldn’t normally be loaded:
125. crypt32.dll
126. advapi32.dll
127. rpcrt4.dll
128. msvcrt.dll
129. user32.dll
130. gdi32.dll
131. msasn1.dll
132. ws2_32.dll
133. ws2help.dll
134. wininet.dll
135. shlwapi.dll
136. oleaut32.dll
137. ole32.dll
138. comctl32.dll
139. shell32.dll
140. comctl32.dll
141. After SpyEye is installed and active on a system, it will try to inject a thread into an active system service or process, typically explorer.exe, from where it will attempt to infect other processes, such as Internet Explorer. It will also typically try to avoid infecting processes with the following names:
142. services.exe
143. csrss.exe
144. smss.exe
145. System
146. SpyEye will create a registry entry, to ensure it is restarted each time Windows starts. Assuming SpyEye was installed under “C:\mydnswatch” as “mydnswatch.exe”, then the registry entry would appear in the following form:
147. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mydnswatch.exe = "C:\mydnswatch\mydnswatch.exe"
148. At this point, based on its configuration, SpyEye will attempt to steal sensitive information from the system, and pass it back to its C&C server.
149.  
150. SpyEye can potentially utilise a number of techniques in order to obtain a users online banking credentials, typically employing a phishing-style attack by presenting a faked logon web page, which is usually based on the original logon page from the bank, but that has additional HTML form fields and JavaScript inserted within, in order to obtain logon credentials that are not normally part of the logon process, such as PIN/TAN codes. A copy of the HTTP POST request is sent to the SpyEye C&C server, from which an attacker can extract the banking credentials or credit card details, and start conducting their own fraudulent transactions.
151.  
152.  
153. http://www.google.ru/search?q=SpyEye+Botnet
154.  
155. ================================================================================================
156. 0x02 Exploit :
157.  
158. Vulnn type : Blind SQL injection
159. vuln script : frm_cards_edit.php
160. Affected version : ALL
161. May use any botnet from : https://spyeyetracker.abuse.ch/monitor.php
162.  
163. ================================================================================================
164.  
165. 0x03 Greetz : inj3ct0r & r00tw0rm team.
166. site : http://r00tw0rm.com
167. mail : sanjar[at]xakep[dot]ru
168. twitter : twitter.com/sanjar_satsura
169.  
170.  
171. (c) S4(uR4 2011