Win32/EyeStye
First posted on 10 May 2012.
Source: Microsoft
Aliases:
Win32/EyeStye is also known as SpyEye (other).
Explanation:
Win32/EyeStye is a family of trojans that steals sensitive data, such as login credentials, and sends it to a remote attacker. It collects this data by "form grabbing": it hooks the browser's network functions so that submitted form fields are read before they are encrypted. Win32/EyeStye may also download and execute arbitrary files, such as updates to its own components, and may use a rootkit component to hide its files and registry entries from the affected user.
Installation
This malware may be installed by TrojanDropper:Win32/EyeStye. When run, the trojan creates one of the following mutexes to ensure that only one instance of the malware runs:
- __SPYNET__
- __CLEANSWEEP__
Recent variants have also been observed creating mutexes with a configurable, variable name.
In the wild, we have observed the trojan dropping files in the directory in which it is executed. It may create a hidden top-level directory, using the following format:
- \<file name>\<file name>.exe
Where <file name> may be, but is not limited to, the following:
- cleansweep.exe
- windowseep.exe
For example, cleansweep\cleansweep.exe.
The registry is modified to run the malware at each Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Win32/EyeStye file name>" (for example "syscheckrt.exe")
With data: "<path and file name of Win32/EyeStye>" (for example "c:\syscheckrt\syscheckrt.exe")
or
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random key>"
With data: "<path and file name of Win32/EyeStye>" (for example "c:\syscheckrt\syscheckrt.exe")
The configuration data file may also contain various "plug-ins" that make up the malware's payload. These may include the following:
- Backdoor functionality (either through RDP or a Socks5 proxy) allowing unauthorized access and control of the affected computer
- Jabber notification to the malware author of new infections
- Specific connections to use for transmission of stolen information to a remote attacker
- The ability to grab certificates from Firefox
- FTP functionality
The configuration file may contain the following files:
- config.dat
- screenshots.txt
- dns.txt
- <plug-in>.dll
- <plug-in>.cfg
Win32/EyeStye injects its payload into all currently running processes, except the following:
- smss.exe
- csrss.exe
- services.exe
- System
- <Win32/EyeStye process>
Payload
Lowers browser security zone settings
The malware modifies registry data that lowers browser security for Internet Explorer. Value "1409" is the per-zone "Turn on Cross Site Scripting Filter" setting (3 = disabled), value "1406" is "Access data sources across domains" (0 = enabled), and "EnabledV8" is the switch for the SmartScreen (phishing) filter; zones 0 to 4 are My Computer, Local intranet, Trusted sites, Internet and Restricted sites respectively, and the Lockdown_Zones subkeys hold the stricter settings applied when zone lockdown is in effect. Disabling these lets the trojan's injected web content and its own requests pass without being blocked or flagged:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "EnableHttp1_1"
With data: "1"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
Sets value: "1406"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
Sets value: "1406"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
Sets value: "1406"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "EnabledV8"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Recovery
Sets value: "ClearBrowsingHistoryOnExit"
With data: "0"
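The Run-key persistence and the Internet Explorer values above are all under HKCU, so they can be checked from an exported hive without touching the infected host. The following script is an added example and is not code from the Microsoft entry: it parses the text of a `reg export HKCU` file and reports the indicators this entry describes. The .reg content is constructed to look like an infected profile, the parser handles only string and dword values, and the `<drive>:\<name>\<name>.exe` pattern for the Run-key data is a heuristic derived from the examples in the text, not something the entry states.

```python
"""Scan an exported HKCU hive (.reg text) for the Win32/EyeStye indicators
described in this entry: a Run-key entry pointing into a top-level
<name>\<name>.exe directory and the Internet Explorer zone, phishing
filter and recovery values the trojan sets.

Added example, not code from the Microsoft entry. SAMPLE_REG is
constructed; on a real case use `reg export HKCU hkcu.reg` and pass the
file contents to scan()."""
import re

# Constructed sample export (only the keys relevant to this entry).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"syscheckrt.exe"="c:\\syscheckrt\\syscheckrt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableHttp1_1"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"1406"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key path (lower case): {value name: data}}.
    dword values become ints, quoted strings are unescaped, other value
    types are kept as their raw text."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hive.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            hive[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            hive[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            hive[current][name] = data
    return hive


IS = "software\\microsoft\\windows\\currentversion\\internet settings"
IE = "software\\microsoft\\internet explorer"
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"

# (key suffix, value name, data that indicates tampering, finding tag),
# taken from the registry changes listed in the entry.
IE_RULES = (
    [(IS + "\\zones\\%d" % z, "1409", 3, "zone_1409") for z in range(5)]
    + [(IS + "\\lockdown_zones\\%d" % z, "1406", 0, "lockdown_1406") for z in range(1, 5)]
    + [(IE + "\\phishingfilter", "EnabledV8", 0, "phishing_filter_off"),
       (IE + "\\recovery", "ClearBrowsingHistoryOnExit", 0, "recovery_history_kept")]
)

# Heuristic (assumption, derived from the examples in the entry):
# Run-key data of the form <drive>:\<name>\<name>.exe, e.g. c:\syscheckrt\syscheckrt.exe
DROP_PATH = re.compile(r'^"?([a-z]):\\([^\\"]+)\\\2\.exe"?$', re.IGNORECASE)


def scan(reg_text):
    """Return [(tag, key, value name, data)] for every indicator found."""
    hive = parse_reg(reg_text)
    findings = []
    for key, values in hive.items():
        if key.endswith(RUN_KEY):
            for name, data in values.items():
                if isinstance(data, str) and DROP_PATH.match(data):
                    findings.append(("run_key_persistence", key, name, data))
        if key.endswith(IS) and values.get("EnableHttp1_1") == 1:
            # Weak on its own (it is also the IE default); only meaningful with the rest.
            findings.append(("http11_enabled", key, "EnableHttp1_1", 1))
        for suffix, vname, bad, tag in IE_RULES:
            if key.endswith(suffix) and values.get(vname) == bad:
                findings.append((tag, key, vname, bad))
    return findings


if __name__ == "__main__":
    for tag, key, name, data in scan(SAMPLE_REG):
        print(f"{tag:22} {name} = {data!r}  ({key})")
```

A zone value set to 3 or a lockdown value set to 0 is unusual enough on its own to be worth a look; the Run-key match is what ties the profile to this family, and the `EnableHttp1_1` hit should be read only in combination with the others.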
Modifies Mozilla Firefox settings
The malware modifies the following settings for the web browser Mozilla Firefox:
- Disables safe browsing
- Disables malware blacklist check for downloads
- Disables alerts
- Disables clearing cookies and sessions
Uses stealth
Win32/EyeStye hooks the following APIs to hide its files and registry entries from the affected user, whether viewed in Windows Explorer, from a command prompt, or in the Registry Editor (in ntdll.dll each Nt*/Zw* pair is two export names for the same stub, so each pair is a single hook). Because these hooks live in user mode inside the injected processes, the hidden files and values remain visible from a clean boot environment or an offline examination of the disk and hive files:
- NtEnumerateValueKey
- ZwEnumerateValueKey
- NtQueryDirectoryFile
- ZwQueryDirectoryFile
- NtVdmControl
- ZwVdmControl
Exports imported certificates
The malware hooks the "crypt32.dll" API "PFXImportCertStore" so that every certificate imported through it is marked exportable (the flag that controls this is CRYPT_EXPORTABLE), which allows the certificate and its private key to be exported again later.
Captures sensitive information
Win32/EyeStye hooks the following WinInet APIs, used by Internet Explorer, to steal authentication information and alter web content presented to the user:
- HttpAddRequestHeadersA
- HttpOpenRequestA
- HttpSendRequestW
- HttpQueryInfoA
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- InternetCloseHandle
- InternetQueryOptionA
- InternetWriteFile
The following NSPR APIs used by Mozilla Firefox (exported by nspr4.dll) are also hooked for the same purpose:
- PR_Read
- PR_Write
- PR_Close
- PR_OpenTCPSocket
- PR_GetSocketOption
- PR_SetSocketOption
- PR_GetError
- PR_SetError
It hooks the following GDI+ APIs to take screenshots of the affected computer:
- GdipSaveImageToStream
- GdipSaveImageToFile
- GdipCreateBitmapFromHBITMAP
- GdiplusShutdown
- GdiplusStartup
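Every hook listed in the stealth and capture sections above is an inline patch of an exported function in a loaded module, so the generic check is the same for ntdll, wininet, nspr4 and crypt32: read the first bytes of each export from the process, compare them with the clean bytes from the module on disk, and decode where a patched prologue jumps. The script below is an added example, not code from the Microsoft entry. The module base, export addresses, prologue bytes and hook target addresses are all constructed so that it runs offline; on a live host they would come from reading process memory and the module file. It decodes only 32-bit (x86) redirect forms, which is what this era of the trojan used; 64-bit trampolines are encoded differently.

```python
"""Detect user-mode inline hooks of the kind Win32/EyeStye installs on
ntdll, wininet, nspr4 and crypt32 exports.

Added example, not code from the Microsoft entry. Compares clean (disk)
prologue bytes with the bytes seen in a process and decodes the hook
target. All addresses and bytes below are constructed; only 32-bit x86
redirect forms are decoded."""

# Constructed 32-bit ntdll image range.
NTDLL_BASE = 0x77E40000
NTDLL_SIZE = 0x00140000

# Constructed clean prologues (address, bytes) as they appear on disk:
#   mov eax, <syscall no>; mov edx, 7FFE0300h; call [edx]; ret <n>
CLEAN = {
    "NtQueryDirectoryFile": (0x77E5A120, bytes.fromhex("B891000000BA0003FE7FFF12C22C00")),
    "NtEnumerateValueKey":  (0x77E59F30, bytes.fromhex("B849000000BA0003FE7FFF12C21800")),
    "NtClose":              (0x77E5A0E0, bytes.fromhex("B819000000BA0003FE7FFF12C20400")),
}

# Constructed: where the injected hook code lives (outside the ntdll image).
HOOK_TARGETS = {"NtQueryDirectoryFile": 0x00A31000, "NtEnumerateValueKey": 0x00A31080}


def jmp_rel32(src, dst):
    """Encode `jmp dst` placed at address src: E9 + rel32 (relative to src+5)."""
    return b"\xE9" + ((dst - (src + 5)) & 0xFFFFFFFF).to_bytes(4, "little")


def constructed_memory_snapshot():
    """Model of the hooked process: the first 5 bytes of each targeted export
    are overwritten with a jmp to the hook, as an inline hooker does."""
    mem = {}
    for name, (addr, code) in CLEAN.items():
        if name in HOOK_TARGETS:
            code = jmp_rel32(addr, HOOK_TARGETS[name]) + code[5:]
        mem[name] = (addr, code)
    return mem


def decode_redirect(code, addr):
    """Return (kind, target) if the bytes at addr start with a control-flow
    redirect commonly used as a hook trampoline, otherwise None."""
    if len(code) >= 5 and code[0] == 0xE9:                               # jmp rel32
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                        # jmp dword ptr [abs32]
        return "jmp_indirect", int.from_bytes(code[2:6], "little")
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:            # push imm32; ret
        return "push_ret", int.from_bytes(code[1:5], "little")
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":   # mov eax, imm32; jmp eax
        return "mov_jmp", int.from_bytes(code[1:5], "little")
    return None


def find_hooks(clean, memory, module_base, module_size):
    """Compare disk and memory prologues; report every export whose bytes
    differ, with the decoded target and whether it lies outside the module
    (the usual sign of injected code rather than a legitimate patch)."""
    hooks = []
    for name, (addr, disk_code) in clean.items():
        mem_addr, mem_code = memory[name]
        if mem_addr != addr or mem_code == disk_code:
            continue  # unchanged (a relocated module would need rebasing first)
        redirect = decode_redirect(mem_code, addr)
        kind, target = redirect if redirect else ("unknown_patch", None)
        outside = target is not None and not (module_base <= target < module_base + module_size)
        hooks.append({"name": name, "kind": kind, "target": target, "outside_module": outside})
    return hooks


if __name__ == "__main__":
    for h in find_hooks(CLEAN, constructed_memory_snapshot(), NTDLL_BASE, NTDLL_SIZE):
        print(f"{h['name']}: {h['kind']} -> {h['target']:#010x} outside_module={h['outside_module']}")
```

On a real system the "clean" bytes should come from the file on disk with relocations applied, or from a process started in a clean environment; comparing two processes on the same infected host proves nothing, since the trojan injects all of them.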
Bypasses SSL
Win32/EyeStye hooks the API "CryptEncrypt" to intercept SSL traffic. If the security program Trusteer Rapport is running, the hooked function returns the error NTE_NO_MEMORY so that plain (unencrypted) authentication is used instead.
Sends captured data to a remote server
The trojan attempts to send captured data via HTTP POST to a remote server. In the wild, we have observed this trojan connecting to the following remote servers:
- microsoft-windows-security.com (not a Microsoft.com domain)
- vinodelam.net
- overclock.osa.pl
- qualitaetvorun.org
- svetodioduk.net
- rtjhteyjtyjtyj.orge.pl
- airiston.net
- superboy999.ru
- vertime.ru
- bettasbreed.co.cc
- nusofttechnologies.info
- svetodioduk2.com
- fieldsoflove.cc
- fightforce.cc
- totalhidden.cc
- feldmar.ru
- lyambosok.ru
- picomarkets.ru
- primedyl.com
- domain391.org
- securegateonline.com
- reg.kygalu.ru
- domain191.org
- black-hosting.ru
- hfhfhfhfee.com
It has also been observed contacting the following remote server:
traxbax.<removed>/user/gate<removed>
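The server names above are the most directly usable network indicators in this entry. The script below is an added example, not code from the Microsoft entry: it matches DNS query log lines against the list, including subdomains of a listed name. The log lines are constructed in a simple "timestamp client Q type name" format (adapt `parse_line()` for a real resolver's log). Matching is done per DNS label rather than by substring, so `cdn.fightforce.cc` matches but a lookalike such as `notfieldsoflove.cc` does not, and because the entry lists `reg.kygalu.ru` rather than `kygalu.ru`, a query for the bare parent domain is deliberately not reported.

```python
"""Match DNS query logs against the Win32/EyeStye command-and-control
domains listed in this entry.

Added example, not code from the Microsoft entry. SAMPLE_LOG is
constructed; the record format is an assumption, adapt parse_line() to
the resolver log you actually have."""
import re

C2_DOMAINS = [
    "microsoft-windows-security.com", "vinodelam.net", "overclock.osa.pl",
    "qualitaetvorun.org", "svetodioduk.net", "rtjhteyjtyjtyj.orge.pl",
    "airiston.net", "superboy999.ru", "vertime.ru", "bettasbreed.co.cc",
    "nusofttechnologies.info", "svetodioduk2.com", "fieldsoflove.cc",
    "fightforce.cc", "totalhidden.cc", "feldmar.ru", "lyambosok.ru",
    "picomarkets.ru", "primedyl.com", "domain391.org", "securegateonline.com",
    "reg.kygalu.ru", "domain191.org", "black-hosting.ru", "hfhfhfhfee.com",
]

# Constructed sample log lines: "<date> <time> <client> Q <qtype> <qname>".
SAMPLE_LOG = """\
2012-05-10 09:14:02 10.0.0.21 Q A www.microsoft.com.
2012-05-10 09:14:05 10.0.0.21 Q A MICROSOFT-WINDOWS-SECURITY.COM.
2012-05-10 09:15:11 10.0.0.37 Q A cdn.fightforce.cc.
2012-05-10 09:15:12 10.0.0.37 Q A kygalu.ru.
2012-05-10 09:16:40 10.0.0.52 Q A reg.kygalu.ru
2012-05-10 09:17:03 10.0.0.52 Q AAAA notfieldsoflove.cc.
this line is not a query record
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) Q (\S+) (\S+)$")


def normalize(name):
    """Lower-case and drop the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def build_index(domains):
    return {normalize(d) for d in domains}


def matched_domain(query, index):
    """Return the listed domain that `query` equals or sits under, else None.
    Walks the label suffixes of the query, so matching is per label and a
    lookalike that merely ends with the same characters does not match."""
    labels = normalize(query).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def parse_line(line):
    """Parse one constructed log record into a dict, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"time": ts, "client": client, "qtype": qtype, "qname": qname}


def scan_log(text, domains=C2_DOMAINS):
    """Return [(time, client, queried name, listed domain it matched)]."""
    index = build_index(domains)
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = matched_domain(rec["qname"], index)
        if hit:
            hits.append((rec["time"], rec["client"], normalize(rec["qname"]), hit))
    return hits


if __name__ == "__main__":
    for ts, client, qname, listed in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname} (listed: {listed})")
```

A hit from an internal client is a lead, not proof: the same domains may be sinkholed or re-registered years after the entry was written, so pair the DNS match with the host-side indicators before acting on it.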
While sending captured data, it may include the following additional information:
- "Bot guid": a unique identifier for the infection
- User name
- Computer name
- Volume serial number
- Process name associated with the captured data
- Name of the hooked API function (for example PR_Write)
- Captured raw data
- Keys (logged keystrokes)
- Other information specific to the computer, such as:
  - Local time
  - Time zone
  - Operating system version
  - Language
Analysis by Jaime Wong
Last update 10 May 2012