
Trojan:Win32/Spyeye


First posted on 08 March 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Spyeye is also known as Win-Trojan/Pincav.125952.B (AhnLab), Win32/SpyEye.B (CA), Trojan.Win32.Pincav.rvy (Kaspersky), BackDoor-Spyeye (McAfee), Mal/Spyeye-A (Sophos), Trojan.SpyEYE (Symantec), TSPY_EYEBOT.SMA (Trend Micro).

Explanation:

Trojan:Win32/Spyeye is a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/Spyeye sends captured data to a remote attacker, may download updates of its components and has a rootkit component to hide its malicious activity.

Installation

This trojan may be installed by other malware such as TrojanDropper:Win32/Spyeye and may be present as the following file:

  • %SystemDrive%\cleansweep.exe\cleansweep.exe

When executed, the trojan creates the mutex "__CLEANSWEEP__" to ensure only one instance of the trojan executes. It then deletes the file "%SystemDrive%\cleansweep.exe\cleansweepupd.exe".

The registry is modified to run the trojan at each Windows start.

Adds value: "cleansweep.exe"
With data: "%SystemDrive%\cleansweep.exe\cleansweep.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The trojan injects malicious code into running processes and avoids injecting code into the following system processes:

  • system
  • smss.exe
  • csrss.exe
  • cleansweep.exe (trojan executable)

Payload

Hides files and registry data

Win32/Spyeye employs a user-mode rootkit that hooks the following low-level APIs to hide its malicious files and directory and its registry data:

  • NtQueryDirectoryFile
  • NtVdmControl
  • NtEnumerateValueKey

Captures sensitive data

The trojan hooks several system APIs to capture login information such as form data and keystrokes. Win32/Spyeye hooks the following APIs:

  • TranslateMessage
  • NtResumeThread
  • LdrLoadDll
  • InternetCloseHandle
  • HttpSendRequestA
  • HttpSendRequestW
  • PR_Write
  • send

By hooking the APIs mentioned above, the trojan can also inject malicious code into existing and new processes and monitor the loading of DLLs.

Sends captured data to a remote server

The trojan attempts to send captured data via HTTP POST to a remote server. In the wild, we have observed this trojan connecting to one of the following remote servers:

  • microsoft-windows-security.com (not a Microsoft.com domain)
  • vinodelam.net

While sending captured data, it may include the following other information:

  • bot guid - unique identifier associated with the trojan
  • user name, computer name, volume serial number
  • process name associated with captured data
  • name of hooked API function (for example PR_Write)
  • captured raw data
  • keys, logged keystrokes
  • other information specific to the machine locale such as local time, time zone, OS version and language

Download updates and arbitrary files

Once connected to the attacker's website and depending on the command, Trojan:Win32/Spyeye may update and execute the trojan itself as the following:

  • %SystemDrive%\cleansweep.exe\cleansweepupd.exe

It may also update a configuration file in ZIP archive format as the following:

  • %SystemDrive%\cleansweep.exe\config.bin

The trojan communicates via a mutex named "__CLEANSWEEP_UNINSTAL__" to allow existing instances of malicious code in memory to reload data from the new configuration file. This allows the trojan to change the target server.
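As an added example (not part of the original write-up), the following Python matches host telemetry against the indicators described above: the Run key value, the drop directory, the two mutex names, the two remote servers and the hooked API set. The telemetry layout, the log line format, the sample data and the "three or more hooked APIs" threshold are assumptions made for this example.

```python
import re

# Indicators taken from the write-up above; nothing else is assumed.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "cleansweep.exe"
DROP_DIR = r"%SystemDrive%\cleansweep.exe"   # a directory named like an .exe
MUTEXES = {"__CLEANSWEEP__", "__CLEANSWEEP_UNINSTAL__"}
C2_DOMAINS = {"microsoft-windows-security.com", "vinodelam.net"}
HOOKED_APIS = {"NtQueryDirectoryFile", "NtVdmControl", "NtEnumerateValueKey",
               "TranslateMessage", "NtResumeThread", "LdrLoadDll", "send",
               "InternetCloseHandle", "HttpSendRequestA", "HttpSendRequestW",
               "PR_Write"}
C2_RE = re.compile(r"\b(" + "|".join(map(re.escape, C2_DOMAINS)) + r")\b", re.I)

def expand(path, systemdrive="C:"):
    """Expand %SystemDrive% and lower-case so write-up paths compare to host paths."""
    return path.replace("%SystemDrive%", systemdrive).lower()

def scan(run_values, mutexes, dns_lines, file_paths, hooks, systemdrive="C:"):
    """Match host telemetry against the indicators above and return (category, detail) pairs.
    run_values: {value_name: data} exported from RUN_KEY; mutexes: names present on the host;
    dns_lines: DNS/proxy log lines; file_paths: on-disk paths;
    hooks: {process_name: [hooked API, ...]} from a user-mode hook report."""
    findings = []
    drop_prefix = expand(DROP_DIR, systemdrive) + "\\"
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or expand(data, systemdrive).startswith(drop_prefix):
            findings.append(("persistence", f"{RUN_KEY}\\{name} = {data}"))
    findings += [("mutex", m) for m in mutexes if m in MUTEXES]
    findings += [("c2", ln.strip()) for ln in dns_lines if C2_RE.search(ln)]
    findings += [("file", p) for p in file_paths if expand(p, systemdrive).startswith(drop_prefix)]
    for proc, apis in hooks.items():
        hit = HOOKED_APIS.intersection(apis)
        # Assumption: three or more of the listed APIs hooked in one process is the signal;
        # a lone hooked send() is common in legitimate software and is ignored.
        if len(hit) >= 3:
            findings.append(("hooks", f"{proc}: {', '.join(sorted(hit))}"))
    return findings

# Constructed sample telemetry (not from a real host) that exercises every category.
SAMPLE = dict(
    run_values={"OneDrive": r"C:\Users\u\AppData\Local\OneDrive.exe",
                "cleansweep.exe": r"%SystemDrive%\cleansweep.exe\cleansweep.exe"},
    mutexes=["Global\\SomeAppMutex", "__CLEANSWEEP__"],
    dns_lines=["2010-03-08 10:01:02 host1 query A microsoft-windows-security.com",
               "2010-03-08 10:01:03 host1 query A www.microsoft.com"],
    file_paths=[r"C:\cleansweep.exe\config.bin", r"C:\Windows\explorer.exe"],
    hooks={"iexplore.exe": ["HttpSendRequestA", "HttpSendRequestW", "InternetCloseHandle", "send"],
           "notepad.exe": ["send"]},
)
```

Running `scan(**SAMPLE)` yields one finding per category; a host-specific system drive can be passed with `systemdrive=`.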

    Analysis by Rodel Finones

    Last update 08 March 2010
