SHARE
TWEET

SpyEye Brief Note and r0073r xpl01t

R00TW0RM Sep 17th, 2011 1,558 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. 0x00 Briefm, Logo, Blah-blah-blah
  2.  
  3.  
  4. 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
  5. 0             __      __   __                   __                           1
  6. 1           /'__`\  /'__`\/\ \__              /'__`\                         0
  7. 0     _ __ /\ \/\ \/\ \/\ \ \ ,_\  __  __  __/\ \/\ \  _ __    ___ ___       1
  8. 1    /\`'__\ \ \ \ \ \ \ \ \ \ \/ /\ \/\ \/\ \ \ \ \ \/\`'__\/' __` __`\     0
  9. 0    \ \ \/ \ \ \_\ \ \ \_\ \ \ \_\ \ \_/ \_/ \ \ \_\ \ \ \/ /\ \/\ \/\ \    1
  10. 1     \ \_\  \ \____/\ \____/\ \__\\ \___x___/'\ \____/\ \_\ \ \_\ \_\ \_\   0
  11. 0      \/_/   \/___/  \/___/  \/__/ \/__//__/   \/___/  \/_/  \/_/\/_/\/_/   1
  12. 1                                                                            0
  13. 0                                                                            1
  14. 1                                       >> SpyEye r0073r xpl01t              0
  15. 0                                       >> author : Sanjar Satsura           1
  16. 1                                       >> sanjar[at]xakep[dot]ru            0
  17. 0                                       >> Public v.0.1                      1
  18. 1                                       >> )c(  2011                         0
  19. 0                                                                            1
  20. 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-0
  21.  
  22.  
  23. 0x01 What is SpyEye ?
  24.  
  25. W32/SpyEye
  26.  
  27. Aliases
  28.  
  29. This is a list of aliases for the variant of SpyEye discovered in early February 2011 that has been actively targeting Norwegian banking websites:
  30. Trojan-Spy.Win32.SpyEyes.evg (Kaspersky)
  31. PWS-Spyeye.m (McAfee)
  32. Trojan:Win32/EyeStye.H (Microsoft)
  33. A variant of Win32/Spy.SpyEye.CA (NOD32)
  34. W32/Malware.QOOC (Norman)
  35. Trojan.Zbot (Symantec)
  36. Mal_Xed-24 (Trend Micro)
  37. Brief overview
  38.  
  39. SpyEye is a trojan with backdoor capabilities that attempts to steal sensitive information related to online banking and credit card transactions from an infected machine. SpyEye is sold via its author in an easy to configure kit form, which contains the trojan executable itself, command and control (C&C) server and basic configuration for targeting banking websites. As of the beginning of 2011, SpyEye has merged functionality from the ZeuS trojan family, which has been sold to the SpyEye author, and is now becoming more sophisticated with respect to the features and functionality offered.
  40. Technical overview
  41.  
  42. SpyEye executables are typically packed on the outer layer using UPX, but can be obscured by other executable packers. The trojan also contains a homebrew obfuscation layer within, which seems remarkably similar to the obfuscation techniques utilised by ZeuS. Some versions of SpyEye contain an embedded configuration, which is an XOR-SUB encoded password protected ZIP file, or optionally, this can be downloaded directly from the C&C server (as in the case of updates). Configuring SpyEye is relatively simple, with the following options available:
  43. Form grabbing. This allows the trojan to steal sensitive information from web forms, such as usernames and passwords.
  44. Credit card grabbing. This allows the trojan to steal credit card information.
  45. Screen shot grabber. This allows the trojan to steal screenshots on an infected system whenever a user visits predefined websites.
  46. Backdoor. This allows the trojan to create a backdoor on the system, so an attacker can gain remote access.
  47. Web injects. This allows the trojan to replace or insert information into web pages accessed on an infected system. For example, a typical use for this feature is to injec additional information into banking websites logon forms to prompt for PIN/TAN codes, where the website wouldn’t ordinarily do so.
  48. Firefox certificate grabber. This plugin allows the trojan to steal certificates installed under Firefox, in addition to the default Windows certificate store.
  49. DDoS. This enables the trojan to perform a distributed-denial-of-service attack, using either SYN flood, UDP flood or slowloris attacks against a specified internet resource.
  50. FTP backdoor. This enables FTP connections to the infected machine.
  51. Remote desktop. This allows an attacker to connect to an infected machine via remote desktop.
  52. Anti-Rapport. This enables the trojan to bypass protection mechanisms offered by Trusteer’s Rapport product.
  53. SpyEye is typically installed on a system via web exploits (drive-by-downloads) or distributed via email through spam networks. Once active on a system, SpyEye will create a folder on the root of the system drive (usually C:\), typically using a random name. Some of the names observed are:
  54. cleansweep.exe
  55. usxxxxxxxx.exe
  56. mydnswatch
  57. newdnswatch
  58. Recycle.Bin
  59. The trojan will then copy itself and its configuration file to the new location, where the executable is usually given the same name as the folder, with a .exe extension (i.e. mydnswatch.exe, or cleansweep.exe.exe), and the configuration is typically named config.bin. At this point, SpyEye will be re-executed from the new location, and will proceed to install many usermode hooks in various Windows APIs, for example NtQueryDirectoryFile(), which are used to hide the newly created folder as well as its executable and configuration files from Windows Explorer and security software, making it hard to establish if a system is infected with SpyEye. In addition, SpyEye will also hook the following APIs on a system, for the purpose of providing rootkit style stealth capabilities, as well as spying on network communications in an attempt to steal sensitive information:
  60. advapi32.dll:CryptEncrypt
  61. kernel32.dll:ExitProcess
  62. kernel32.dll:FlushInstructionCache
  63. kernel32.dll:GetProcAddress
  64. kernel32.dll:LoadLibraryA
  65. kernel32.dll:LoadLibraryExW
  66. kernel32.dll:LoadLibraryW
  67. ntdll.dll:DbgBreakPoint
  68. ntdll.dll:KiUserExceptionDispatcher
  69. ntdll.dll:LdrInitializeThunk
  70. ntdll.dll:LdrQueryImageFileExecutionOptions
  71. ntdll.dll:NtCallbackReturn
  72. ntdll.dll:NtContinue
  73. ntdll.dll:NtCreateProcess
  74. ntdll.dll:NtCreateProcessEx
  75. ntdll.dll:NtCreateSection
  76. ntdll.dll:NtCreateThread
  77. ntdll.dll:NtDisplayString
  78. ntdll.dll:NtEnumerateValueKey
  79. ntdll.dll:NtMapViewOfSection
  80. ntdll.dll:NtOpenSection
  81. ntdll.dll:NtQueryDirectoryFile
  82. ntdll.dll:NtQueryVirtualMemory
  83. ntdll.dll:NtResumeThread
  84. ntdll.dll:NtSetInformationFile
  85. ntdll.dll:NtTerminateProcess
  86. ntdll.dll:NtTerminateThread
  87. ntdll.dll:NtUnmapViewOfSection
  88. ntdll.dll:NtVdmControl
  89. user32.dll:CreateWindowExW
  90. user32.dll:DialogBoxIndirectParamA
  91. user32.dll:DialogBoxIndirectParamW
  92. user32.dll:DialogBoxParamA
  93. user32.dll:DialogBoxParamW
  94. user32.dll:GetMessageA
  95. user32.dll:GetMessageW
  96. user32.dll:MessageBoxExA
  97. user32.dll:MessageBoxExW
  98. user32.dll:MessageBoxIndirectA
  99. user32.dll:MessageBoxIndirectW
  100. user32.dll:PeekMessageA
  101. user32.dll:PeekMessageW
  102. user32.dll:TrackPopupMenuEx
  103. user32.dll:TranslateAccelerator
  104. user32.dll:TranslateAcceleratorW
  105. user32.dll:TranslateMessage
  106. wininet.dll:HttpAddRequestHeadersA
  107. wininet.dll:HttpEndRequestA
  108. wininet.dll:HttpOpenRequestA
  109. wininet.dll:HttpQueryInfoA
  110. wininet.dll:HttpSendRequestA
  111. wininet.dll:HttpSendRequestExA
  112. wininet.dll:HttpSendRequestExW
  113. wininet.dll:HttpSendRequestW
  114. wininet.dll:InternetCloseHandle
  115. wininet.dll:InternetConnectA
  116. wininet.dll:InternetOpenA
  117. wininet.dll:InternetOpenUrlA
  118. wininet.dll:InternetReadFile
  119. wininet.dll:InternetReadFileExA
  120. wininet.dll:InternetWriteFile
  121. ws2_32.dll:getaddrinfo
  122. ws2_32.dll:gethostbyname
  123. ws2_32.dll:send
  124. In addition, the following modules have been seen loaded within SpyEye infected processes where they wouldn’t normally be loaded:
  125. crypt32.dll
  126. advapi32.dll
  127. rpcrt4.dll
  128. msvcrt.dll
  129. user32.dll
  130. gdi32.dll
  131. msasn1.dll
  132. ws2_32.dll
  133. ws2help.dll
  134. wininet.dll
  135. shlwapi.dll
  136. oleaut32.dll
  137. ole32.dll
  138. comctl32.dll
  139. shell32.dll
  140. comctl32.dll
  141. After SpyEye is installed and active on a system, it will try to inject a thread into an active system service or process, typically explorer.exe, from where it will attempt to infect other processes, such as Internet Explorer. It will also typically try to avoid infecting processes with the following names:
  142. services.exe
  143. csrss.exe
  144. smss.exe
  145. System
  146. SpyEye will create a registry entry, to ensure it is restarted each time Windows starts. Assuming SpyEye was installed under “C:\mydnswatch” as “mydnswatch.exe”, then the registry entry would appear in the following form:
  147. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mydnswatch.exe = "C:\mydnswatch\mydnswatch.exe"
  148. At this point, based on its configuration, SpyEye will attempt to steal sensitive information from the system, and pass it back to its C&C server.
  149.  
  150. SpyEye can potentially utilise a number of techniques in order to obtain a users online banking credentials, typically employing a phishing-style attack by presenting a faked logon web page, which is usually based on the original logon page from the bank, but that has additional HTML form fields and JavaScript inserted within, in order to obtain logon credentials that are not normally part of the logon process, such as PIN/TAN codes. A copy of the HTTP POST request is sent to the SpyEye C&C server, from which an attacker can extract the banking credentials or credit card details, and start conducting their own fraudulent transactions.
  151.  
  152.  
  153. http://www.google.ru/search?q=SpyEye+Botnet
  154.  
  155. ================================================================================================
  156. 0x02 Exploit :
  157.  
  158. Vulnn type : Blind SQL injection
  159. vuln script : frm_cards_edit.php
  160. Affected version : ALL
  161. May use any botnet from : https://spyeyetracker.abuse.ch/monitor.php
  162.  
  163. ================================================================================================
  164.  
  165. 0x03 Greetz :  inj3ct0r & r00tw0rm team.
  166. site    : http://r00tw0rm.com
  167. mail    : sanjar[at]xakep[dot]ru
  168. twitter : twitter.com/sanjar_satsura
  169.  
  170.  
  171. (c) S4(uR4 2011
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top