This is part 2 of a two-part blog covering the SpyEye interface. In the first part, we looked into CN 1 aka the Main Access Panel and how it is used. In this part, we are going to talk about SYN 1 or the Formgrabber Access Panel. We will examine what the cybercriminals steal and how they use the SpyEye interface to profit from innocent users.
In the screenshot above, you can see the layout of the SYN 1 interface. It has the date on the left and the amount of data being collected on the right. Just like CN 1, there are various buttons that guide the bot master to what he/she is looking to do.
The first button we will look at is the Find !NFO button. This button lets the bot master search the database of stolen information. He/She can perform the search by using the bot GUID (a unique identifier), injected process name, hooked function, URL, or any other data string. He/She can also narrow down his/her search by date.
This particular screenshot shows a search for a specific bank. The search result shows the full details of how the user accessed the said bank’s site—the full URL, type of request, and other data one would find within an HTTP request. This particular result came from a user using Mozilla Firefox. SpyEye can steal data from many browsers not just Internet Explorer.
This highly edited screenshot shows the entire HTTP request and all of the data the user sent to the bank. Once a cybercriminal finds what he/she is looking for, he/she can drill down the results to get the full data. At the bottom of the screenshot, you can see the user name and password that was used to log in to the bank.
The next button is the Statistic button that gives a brief overview of the sites that the infected computers are going to the most. Notice that Facebook is listed second on the list and not too far below is Gmail.
Besides stealing login credentials for websites, SpyEye can also steal FTP credentials. Under the FTP accounts button, the bot master can create a .TXT file that will display FTP user names and passwords along with the FTP server that these are used for. This file can be searched by date and it also shows how many accounts it stole per day in the results.
The last button on the top row is the Settings button. This is where the bot herder can specify an email address to receive a copy of the C&C server’s database. SpyEye can regularly backup data, compress and email data, and wipe out the database backup so nobody else can find it. This ensures that the SpyEye botnet operator always secures and backs up data should the server be taken down.
Just like ZeuS, SpyEye can also capture screenshots from infected machines. This way, the bot master can see what the user is doing on his/her computer and can also defeat authentication mechanisms that don’t rely on the keyboard. In the screenshot above, one can search by date and/or by bot GUID when looking for screenshots.
This shows a SpyEye screenshot of a user at home authenticating with his/her bank login by using an onscreen keypad. Notice that SpyEye takes a screenshot whenever the mouse button is pressed. There were four screenshots showing the user’s login credentials with each one showing what number the user pressed every time. Even though the SpyEye Trojan cannot steal a user’s login credentials using conventional means, it was able to steal it via screenshots.
Once the user was done authenticating his/her login creadentials, the SpyEye Trojan was then able to take a screenshot displaying all of the user’s account numbers and how much money was in each account. The screenshots also see the user at home clicking a user account as he/she proceeds through the normal banking routine.
The next button on the list is called the BOA Grabber. This button steals only Bank of America credentials and formats them nicely for the SpyEye bot master. Notice that once again, a cybercriminal can search via a specific date range and/or via bot GUID. In the screenshot, you can see that the Trojan was able to steal the user’s account ID, address, password, account balances, answers to security questions, and IP address.
The next button on the list is the CC Grabber button. This button displays stolen credit card information, which gives the SpyEye bot master the opportunity to use the user’s credit cards for the Create task for Billing feature mentioned in part 1.
The last button that we will look at is the Certificate Grabber. This button allows a cybercriminal to perform a search in the database based on the bot GUID, date range, and/or a data string. The results are security certificates that SpyEye has stolen off infected machines. Some websites uses these certificates to log users in either as a substitute for or in addition to passwords. This way, SpyEye is able to steal information for those websites as well.
The SpyEye bot Control Panel has many functions to suit the needs of a bot master. It has many methods to help him/her steal money using the data that is collected and to potentially gain access to other systems via stolen FTP credentials. With all of these features, we believe that SpyEye is a decent competitor to the ZeuS banking Trojan.
With the recent ZeuS busts going on, some cybercriminals may want to stay away from ZeuS and go with SpyEye instead. We at Trend Micro have seen a recent uptick in SpyEye servers that are out there and we expect this to continue in the future.