Everyone is talking about the SpyEye Trojan, the info-stealer malware that gained all the attention after the author of ZeuS left the underground market and sold the ZeuS sources to the SpyEye team. We already wrote about SpyEye last year, when we focused on the threat and argued that it could potentially become one of the top password-stealing threats. Now that the SpyEye authors have access to all of the ZeuS source code, SpyEye is becoming the main kit available for sale in the underground, with more efficient code and some additional ZeuS-based technology.
Let's have a closer look at the new variants of SpyEye.
The SpyEye dropper comes as a UPX-packed executable. After unpacking the first layer we are usually already at the SpyEye code. However, we have some samples which make use of highly obfuscated decryption code for a second-stage decryption loop. This second-stage decryption loop has its own routine to resolve function addresses by parsing library export tables. The routine uses name hashes instead of plain-text names; the hash is calculated by a ROL/XOR loop.
After the second decryption loop has completed, we reach the real SpyEye executable code. The Trojan is divided into a few parts: the main executable itself is just a stub that acts as a pre-loader. It contains 5 resource files and an embedded executable, which is the real SpyEye code. The resource files are named C1, C2, C3, SC1 and SC2.
C1 contains the basic settings of the Trojan, like the name of the folder that the Trojan needs to create, the names of the two files that will be stored inside the folder, and the mutex used to check if the infection is already running on the system. The folder will have the hidden attribute set as well. C2 contains the real configuration file, called config.bin, which we explain later in this post. C3 contains the config.bin password in plain text.
SC1 is instead a module that the pre-loader injects into the explorer.exe process. This module is responsible for creating the folder and storing the Trojan dropper inside it; it then launches the dropper again from the new location and deletes the original dropper. SC2 is a module used by the SpyEye pre-loader to collect system information such as the Windows build number, the user account name, the Windows folder and a number of other data points.
Once the SC1 module has been injected into the explorer.exe host process and has done its job as described above, the dropper reloads from the new location, extracts the C3 resource, reads the config.bin password and stores it in an environment variable by calling the SetEnvironmentVariableA API. This lets the pre-loader share the password with the actual SpyEye code. Finally, execution is passed to the embedded executable code.
Inside the real SpyEye code, the Trojan first checks whether the config.bin file has already been stored inside the hidden folder along with the dropper executable. If not, the config file is extracted from the C2 resource and stored inside the folder. Then the configuration file is decrypted by the Trojan. The encryption algorithm is not really complicated: it is just a XOR-based loop running from the end of the file back to the beginning. Every byte is XOR'd with the key 0xC4 and the value of the byte at the previous location is subtracted from the result. After decryption, config.bin is just a password-protected zip archive, and as mentioned above the password is the string located inside the C3 resource.
Stored inside the configuration zip package are configuration files along with specifically chosen plugins. Some plugins can make the infected PC act as a SOCKS5 server, others are credit card grabbers. Other interesting information includes the servers that are contacted by the Trojan and the HTML code that is injected into specific web pages. This is a feature already implemented in ZeuS and copied by the SpyEye authors.
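To show the config.bin layer described above as working code for an analyst who wants to pull the contacted servers and web injects out of a sample, here is an added example (our illustration, not SpyEye's own code). The XOR key 0xC4 and the backwards subtract loop come from the analysis; the handling of the very first byte (plain XOR only), the helper names and the sample archive contents are assumptions.

```python
import io
import zipfile

XOR_KEY = 0xC4  # key observed in the config.bin decryption loop


def decrypt_config(enc: bytes) -> bytes:
    """Undo the config.bin layer: walk from the last byte to the first, XOR each
    byte with 0xC4 and subtract the (still encrypted) preceding byte. Treating
    byte 0 as a plain XOR is an assumption."""
    out = bytearray(enc)
    for i in range(len(enc) - 1, 0, -1):
        out[i] = ((enc[i] ^ XOR_KEY) - enc[i - 1]) & 0xFF
    if enc:
        out[0] = enc[0] ^ XOR_KEY
    return bytes(out)


def encrypt_config(plain: bytes) -> bytes:
    """Exact inverse of decrypt_config; used here only to build test input."""
    out = bytearray(len(plain))
    if plain:
        out[0] = plain[0] ^ XOR_KEY
    for i in range(1, len(plain)):
        out[i] = ((plain[i] + out[i - 1]) & 0xFF) ^ XOR_KEY
    return bytes(out)


def is_zip(data: bytes) -> bool:
    """A correctly decrypted config.bin starts with the zip local-file-header magic."""
    return data[:4] == b"PK\x03\x04"


def list_config(decrypted: bytes, password: bytes) -> dict:
    """Open the decrypted archive with the password from resource C3 and return
    {entry name: content}. A wrong key or a non-SpyEye blob fails the magic check."""
    if not is_zip(decrypted):
        raise ValueError("decryption failed: result is not a zip archive")
    with zipfile.ZipFile(io.BytesIO(decrypted)) as zf:
        zf.setpassword(password)  # only consulted for encrypted entries
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample_config_bin() -> bytes:
    """Constructed sample: a small zip (unencrypted, since zipfile cannot write
    ZipCrypto entries; real samples are password protected) under the XOR layer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.dat", "example settings")  # constructed content
        zf.writestr("webinjects.txt", "example inject")  # constructed content
    return encrypt_config(buf.getvalue())
```

On a real sample, the archive entries and any hostnames inside them are the indicators worth feeding into detection, and a failed magic check is the quickest sign that the variant uses a different key.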
After the configuration file has been decrypted and parsed, the embedded executable injects all of its code into the explorer.exe process and the pre-loader process terminates. The code is now active in memory and ready to be injected into every other running process except services.exe, smss.exe, csrss.exe and system processes.
In the targeted processes, the Trojan hooks the following APIs:
CryptEncrypt, LdrLoadDll, NtEnumerateValueKey, NtQueryDirectoryFile, NtResumeThread, NtVdmControl, TranslateMessage, HttpAddRequestHeadersA, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, HttpSendRequestW, InternetCloseHandle, InternetQueryDataAvailable, InternetQueryOptionA, InternetReadFile, InternetReadFileExA, InternetWriteFile.
Some newer variants of SpyEye implement a hooking engine protected by a number of watchdog threads that immediately restore all of the Trojan's hooks if they are overwritten or removed by security software.
The Trojan makes use of user-mode rootkit techniques to hide both its registry key, located inside HKEY_CURRENT_USER\SOFTWARE\Microsoft\Current Version\Run, and the folder containing the Trojan executable along with the config.bin file. The folder is usually located in the root directory of the drive where the operating system is installed.
Due to the way the Trojan is designed, it is perfectly able to steal sensitive data from any PC, whether it runs with administrative privileges or under a limited user account. Moreover, after the ZeuS authors resigned, SpyEye is soon to become the leading info-stealing Trojan in the underground.
The increasing number of SpyEye infections we are detecting and cleaning on infected PCs tells us that SpyEye is very widespread, and you should really pay attention to your computer security, even when using a limited account. Protect your web surfing experience with Prevx and SafeOnline.