TrendLabs Malware Blog (Trend Micro)

This is part 2 of a two-part blog covering the SpyEye interface. In the first part, we looked into CN 1 aka the Main Access Panel and how it is used. In this part, we are going to talk about SYN 1 or the Formgrabber Access Panel. We will examine what the cybercriminals steal and how they use the SpyEye interface to profit from innocent users.

[Screenshot]

In the screenshot above, you can see the layout of the SYN 1 interface. It has the date on the left and the amount of data being collected on the right. Just like CN 1, there are various buttons that guide the bot master to what he/she is looking to do.

[Screenshot]

The first button we will look at is the Find !NFO button. This button lets the bot master search the database of stolen information. He/She can perform the search by using the bot GUID (a unique identifier), injected process name, hooked function, URL, or any other data string. He/She can also narrow down his/her search by date.

This particular screenshot shows a search for a specific bank. The search result shows the full details of how the user accessed the said bank’s site—the full URL, type of request, and other data one would find within an HTTP request. This particular result came from a user using Mozilla Firefox. SpyEye can steal data from many browsers, not just Internet Explorer.

[Screenshot]

This highly edited screenshot shows the entire HTTP request and all of the data the user sent to the bank. Once a cybercriminal finds what he/she is looking for, he/she can drill down into the results to get the full data. At the bottom of the screenshot, you can see the user name and password that were used to log in to the bank.

[Screenshot]

The next button is the Statistic button, which gives a brief overview of the sites that the infected computers are going to the most. Notice that Facebook is listed second on the list and not too far below is Gmail.

[Screenshot]

Besides stealing login credentials for websites, SpyEye can also steal FTP credentials. Under the FTP accounts button, the bot master can create a .TXT file that will display FTP user names and passwords along with the FTP server that these are used for. This file can be searched by date, and the results also show how many accounts it stole per day.

[Screenshot]

The last button on the top row is the Settings button. This is where the bot herder can specify an email address to receive a copy of the C&C server’s database. SpyEye can regularly back up data, compress and email the data, and wipe out the database backup so nobody else can find it. This ensures that the SpyEye botnet operator always has a secured backup of the data should the server be taken down.

[Screenshot]

Just like ZeuS, SpyEye can also capture screenshots from infected machines. This way, the bot master can see what the user is doing on his/her computer and can also defeat authentication mechanisms that don’t rely on the keyboard. In the screenshot above, one can search by date and/or by bot GUID when looking for screenshots.

[Screenshot]

This shows a SpyEye screenshot of a user at home authenticating with his/her bank login by using an onscreen keypad. Notice that SpyEye takes a screenshot whenever the mouse button is pressed. There were four screenshots showing the user’s login credentials, with each one showing what number the user pressed each time. Even though the SpyEye Trojan cannot steal a user’s login credentials using conventional means, it was able to steal them via screenshots.

[Screenshot]

Once the user was done authenticating his/her login credentials, the SpyEye Trojan was then able to take a screenshot displaying all of the user’s account numbers and how much money was in each account. The screenshots also show the user at home clicking a user account as he/she proceeds through the normal banking routine.

[Screenshot]

The next button on the list is called the BOA Grabber. This button steals only Bank of America credentials and formats them nicely for the SpyEye bot master. Notice that once again, a cybercriminal can search via a specific date range and/or via bot GUID. In the screenshot, you can see that the Trojan was able to steal the user’s account ID, address, password, account balances, answers to security questions, and IP address.

[Screenshot]

The next button on the list is the CC Grabber button. This button displays stolen credit card information, which gives the SpyEye bot master the opportunity to use the user’s credit cards for the Create task for Billing feature mentioned in part 1.

[Screenshot]

The last button that we will look at is the Certificate Grabber. This button allows a cybercriminal to perform a search in the database based on the bot GUID, date range, and/or a data string. The results are security certificates that SpyEye has stolen off infected machines. Some websites use these certificates to log users in, either as a substitute for or in addition to passwords. This way, SpyEye is able to steal information for those websites as well.

The SpyEye bot Control Panel has many functions to suit the needs of a bot master. It has many methods to help him/her steal money using the data that is collected and to potentially gain access to other systems via stolen FTP credentials. With all of these features, we believe that SpyEye is a decent competitor to the ZeuS banking Trojan.

With the recent ZeuS busts going on, some cybercriminals may want to stay away from ZeuS and go with SpyEye instead. We at Trend Micro have seen a recent uptick in SpyEye servers that are out there and we expect this to continue in the future.
