A new sophisticated bot named SpyEye is on the market

A new web-based bot named SpyEye is being sold on the underground market and looks like the possible successor of the well-known Zeus Trojan, given its feature set. Its main objective is to steal bank accounts, credit cards, FTP accounts and other sensitive data from the victim’s computer.


SpyEye is written in C++ and the compiled binary is about 60 KB. It supports operating systems from Windows 2000 to the recent Windows 7 and runs in ring 3 (user mode), the same as the Zeus Trojan. It is sold as undetected by most antivirus software; it is invisible to Task Manager and other user-mode applications, and it hides its files from ordinary Explorer searches as well as its registry keys.

SpyEye is currently sold by its author for approximately 500 USD for the base bundle. That is cheaper than the Zeus Trojan, which sells for more than 1,000 USD, yet it appears to offer all the capabilities of Zeus, if not more.

The features of SpyEye (v1.0.75) are:

  • CC Autofill
    Module that automates the process of cashing out the stolen credit cards for the bot’s owners, using geo-IP location.

  • Formgrabber with built-in keylogger
    Used to capture specific data entered in a web form. Mostly used to steal bank account and credit card details when the user enters them on legitimate websites to buy something. The formgrabber works in the most widely used web browsers, such as Firefox, Internet Explorer, Maxthon and Netscape.

  • Web Control Panel
    The user can control all the bots from a web panel.

  • Every day the bot sends a backup of the database to the owner’s email
  • Encrypted config file
  • Exe Builder
  • Strings in the resources of the PE are encrypted
  • Ban URLs using regular expressions from the control panel
  • Steal FTP accounts
  • Steal POP3 accounts
  • Time interval for the bot’s connection to the control panel
  • Exe Loader
    Used to download and execute a remote file on the victim’s computer.

  • Statistics with graphs for bots and loader
  • Zeus spy
    SpyEye can watch where the Zeus bot’s main control panel is located.

  • Zeus killer
    This new option is able to kill any version of the Zeus Trojan installed on the victim’s computer, making SpyEye the only trojan running on the compromised system.

  • Steal basic authorisation
  • Installers for main CP & formgrabber CP
    Make the installation of the web interface easier.

  • New abilities for basic auth
    For applications that use libraries for traffic encryption.

  • SpyEye Collector
    The log-receiving protocol has changed. LZO compression was added.
    Logs no longer go to the PHP script; they are sent to a port on the server that the SpyEye Collector listens on. The Collector accepts the connections and reads the logs from them, and a second thread dumps the accepted logs into the MySQL database in queue order. This scheme is meant to work well for large botnets.
    The formgrabber’s PHP control panel is now needed only for parsing the logs.
    This makes it very difficult to file an abuse report against a server running the SpyEye Collector.

  • EXE size of SpyEye was reduced
    The compressed SpyEye executable is now 40 KB.

When executed, the SpyEye trojan creates the following files:

c:\cleansweep.exe\cleansweep.exe
c:\cleansweep.exe\config.bin
%TempFolder%\upd1.tmp

The file cleansweep.exe is the main trojan and config.bin is its encrypted configuration file. This is an example of the network traffic generated by the trojan:

bt_version_checker.php?guid=%USER%!%COMPUTER%!00000000&ver=10060&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=57&ccrc=11111111
  • guid= %USER% -> Username of the PC
  • guid= %COMPUTER% -> Computer name
  • guid= 00000000 -> Identification code
  • ver= 10060 -> Trojan version
  • stat= ONLINE -> Status of the bot
  • ie= 6.0.2900.2180 -> Internet Explorer version
  • os= 5.1.2600 -> OS version
  • ut= Admin -> User task
  • cpu= 57 -> CPU
  • ccrc= 11111111 -> Possibly the “command CRC”

This is an example of the network traffic from a trojan that failed to execute a remotely downloaded file:

bt_version_checker.php?guid=%USER%!%COMPUTER%!00000000&ver=10060&stat=LOAD-ERROR&tid=1106&rep=CreateProcess()%20fails&cpu=0&ccrc=11111111
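The two check-in requests above have a fixed shape that a defender can match in web-proxy logs. The following parser is an added example, not part of the original post: it decodes the query parameters shown above (guid, ver, stat, ie, os, ut, cpu, ccrc, and tid/rep on a LOAD-ERROR) and runs over a few constructed proxy log lines; the client IPs, usernames and the C2 host 198.51.100.7 are constructed sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs

CHECKIN_SCRIPT = "bt_version_checker.php"  # check-in script name from the captured requests

# Constructed proxy log lines (timestamp, client IP, method, URL); the C2 host is a documentation IP.
SAMPLE_LOG = """\
1267000001.123 10.0.0.5 GET http://198.51.100.7/bt_version_checker.php?guid=jdoe!WORKSTATION1!00000000&ver=10060&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=57&ccrc=11111111
1267000002.456 10.0.0.9 GET http://www.example.com/index.php?page=1
1267000003.789 10.0.0.5 GET http://198.51.100.7/bt_version_checker.php?guid=jdoe!WORKSTATION1!00000000&ver=10060&stat=LOAD-ERROR&tid=1106&rep=CreateProcess()%20fails&cpu=0&ccrc=11111111
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")  # timestamp, client, method, url


def parse_checkin(url):
    """Decode one SpyEye check-in URL into its fields; None if the URL is not a check-in."""
    parts = urlsplit(url)
    if not parts.path.endswith("/" + CHECKIN_SCRIPT):
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    # guid is USER!COMPUTER!ID, as in the captured request
    user, _, rest = q.get("guid", "").partition("!")
    computer, _, bot_id = rest.partition("!")
    rec = {
        "c2": parts.netloc,
        "user": user, "computer": computer, "bot_id": bot_id,
        "version": q.get("ver"), "status": q.get("stat"), "ccrc": q.get("ccrc"),
        "ie": q.get("ie"), "os": q.get("os"), "ut": q.get("ut"), "cpu": q.get("cpu"),
    }
    if rec["status"] == "LOAD-ERROR":  # failed Exe Loader task: task id and error text
        rec["task_id"] = q.get("tid")
        rec["error"] = q.get("rep")
    return rec


def scan_log(text):
    """Return one record per check-in found in the log, tagged with client IP and time."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = parse_checkin(m.group(4))
        if rec:
            rec["time"], rec["client"] = m.group(1), m.group(2)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['client']} -> {h['c2']} bot={h['bot_id']} user={h['user']}@{h['computer']} status={h['status']}")
```

Each hit names the internal client that beaconed, the C2 host it contacted, and the bot identity SpyEye reports about the machine, which is what an incident responder needs to locate the infected host.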

The trojan creates the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"

The trojan runs every time Windows starts.

It is clear that this bot has the same objective as the Zeus Trojan, and from its features it looks like a very powerful bot that will make life even more dangerous for ordinary internet users and add to the already serious problem of data theft and internet fraud.

Analysis from Malware Intelligence:

SpyEye Bot. Analysis of a new alternative scenario crimeware
SpyEye Bot (Part two). Conversations with the creator of crimeware
