Spy Eye and Carberp — the new banker trojans offensive

The common way for a “wanna-be” hacker to fulfill his sick aspirations is to obtain a known trojan (there are plenty on the Internet; sometimes they are called RATs, Remote Administration Tools) and to use a crypter on the trojan executable file in an attempt to deceive the signature-based scanning engines of antivirus products. In the same spirit of choosing the simplest approach that does not require much programming work, the vast majority of crypters are coded in Visual Basic 6, the most accessible programming language ever. These trojans are still very dangerous by the features they have: injecting code into legitimate processes, bypassing firewalls by using reverse connections, decrypting and stealing browser-saved passwords, elevating privileges; and these are only the minor league on the trojan scale.

In the major league there are rootkits and banker (banking) trojans, the best known being Zeus (aliases Zbot, Wsnpoem, Gorhax) and the newer Spy Eye and Carberp, used by hackers to steal hundreds of millions of dollars from their victims. According to the statistics, most banker trojans are created in the Russian space but are used by hackers from around the world without distinction. Given the astonishing complexity of such a trojan, we can guess they are not the creation of a single person; instead a group of developers is involved in its creation, aspiring to high financial returns. This is my opinion, however, and I must mention here a story about a self-proclaimed Russian author of the Spy Eye bot trojan, Gribodemon. He said in an interview that he develops this trojan because he needs $50,000,000. Hmmm, childish; nobody knows for sure if he is the real author of the Spy Eye trojan or a spokesman for a group of developers.

In comparison with the old common trojans, which use a two-executable system of client and server, the banking trojans use a more sophisticated system with configuration files and PHP files able to handle a MySQL database for storing stolen information on the server or for other nefarious tasks. While the first versions of the Zeus trojan targeted email or social network account credentials, its creators quickly specialized it in stealing banking account information, and banks from around the globe were targeted immediately.

Though it still wreaks havoc, Zeus is a well known banking trojan and a case study for security solution vendors; all of its versions and even the Command and Control servers are tracked by governmental agencies. But things are far from over: two new banking trojans proving at least the same complexity as Zeus have come onto the scene, Spy Eye and Carberp. It seems these trojans are even rivals, since there is an option in the Spy Eye builder panel to eliminate the Zeus trojan from the victim’s computer. There is a rumour these days about a mixture between Zeus and Spy Eye resulting in a super-trojan, and a few screenshots of the Builder Control Panel of this super-trojan have appeared on a few websites. Well, I don’t believe this rumour; it’s rather a version of Spy Eye trying to imitate the Zeus interface. If I’m worried about something, it’s the Carberp trojan: it seems to exceed the other two in complexity.

The most common method used to infect a computer with these trojans is an exploit kit installed on a malicious website, though it can just as well be a hacked legitimate website. The links to these websites are offered to an innocent user via instant messaging platforms, via spam emails, or simply posted on dubious websites. For example, a lot of live-cam porn websites provide links pointing to these malicious domains; once an unaware user reaches such a website, the exploit kit automatically decides which exploit to apply depending on the computer’s configuration. A successful exploit gives the hacker a back door into the infected machine, granting him unlimited capability to install whatever malware he wishes. Very quickly the infected machine becomes a zombie or drone, a computer totally at the hacker’s disposal and very often used for other nefarious activities like sending spam or attacking other computers, all of this, bear in mind, without the user’s knowledge. Another method of infection is malicious JavaScript or iFrames. And things get much more complicated when the hackers use Pay-Per-Install (PPI) affiliates.

We will study the particular case of the Spy Eye trojan; the most important features of this trojan are:

  • Using rootkit methods it can hide its files and registry entries (Ring 3 rootkit);
  • It can run without Administrator privileges, from a Limited account, and still do its job;
  • It can hook the web browser process and inject code into it. The supported browsers are Internet Explorer, Firefox and Maxthon;
  • It can hook the wininet.dll and nspr4.dll API calls, therefore intercepting and controlling the traffic at its discretion;
  • It can steal sensitive data even from an HTTPS (secured) connection session, in real time;
  • Using webinjects, it can inject forms into legitimate bank web pages urging the user to fill them in (for example a card PIN number) and steal this data as well; this way additional security mechanisms the banks may implement for online clients are bypassed;
  • Keylogger activity: it steals sensitive data entered by the victim in the bank web page fields (forms), hence the name of the feature, FormGrabber;
  • Encrypted connections with the Command & Control (C&C) server;
  • Encrypted configuration file;
  • It can automatically fill the payment credit card fields via the Admin Control Panel for various hacker needs; he indicates only which credit card info is to be used and the amount that must be charged. This task is performed via another infected computer from the botnet, running Internet Explorer in invisible mode;
  • It runs on all Windows versions including Windows 7;
  • It automatically sends another set of logs (back-up logs) to an email account.
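
The hooking of wininet.dll and nspr4.dll API calls listed above is a ring 3 (userland) technique, and the defender's counterpart is to check whether the first instructions of those DLLs' exported functions have been overwritten with a jump to code outside the DLL. The following is an added example, not code from the original post or from any tool it mentions: it decodes the two trampoline forms an inline hook typically plants on 32-bit x86 (`jmp rel32` and `push imm32 / ret`) and flags an export whose prologue lands outside its own module. The wininet.dll export names are real, but the module base, size, addresses and byte strings are constructed for the demonstration; on a live system you would read those bytes from the browser process with ReadProcessMemory and take the module bounds from its loaded-module list.

```python
"""Check exported API prologues for inline hooks that redirect out of the
module, the userland (ring 3) technique the post attributes to SpyEye on
wininet.dll and nspr4.dll.  Added example, not from the original post.
32-bit x86 only; module layout and byte strings below are constructed."""
import struct

# Constructed layout: pretend wininet.dll is mapped at 0x77000000, 1 MiB long.
WININET_BASE = 0x77000000
WININET_SIZE = 0x00100000


def decode_redirect(addr, code):
    """If the bytes at addr begin with a control transfer an inline hook
    would plant, return (kind, absolute_target); otherwise None.
      E9 rel32       jmp rel32        (target = next_ip + rel32)
      68 imm32 C3    push imm32; ret  (target = imm32)
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    return None


def hooked_target(addr, code, base=WININET_BASE, size=WININET_SIZE):
    """Return (kind, target) when the prologue jumps outside its own module,
    which is what a hook into injected code looks like.  None when the
    prologue is untouched or the jump stays inside the module (a legitimate
    stub or forwarder), so the scan stays low-noise."""
    redirect = decode_redirect(addr, code)
    if redirect is None:
        return None
    _, target = redirect
    if base <= target < base + size:
        return None
    return redirect


def scan_exports(exports, base=WININET_BASE, size=WININET_SIZE):
    """exports: {name: (address, first_bytes)} -> {name: (kind, target)}
    for every export whose prologue leaves the module."""
    return {name: hit for name, (addr, code) in exports.items()
            if (hit := hooked_target(addr, code, base, size)) is not None}


def jmp_rel32(from_addr, to_addr):
    """Encode 'jmp to_addr' placed at from_addr (used only to build samples)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed sample: real wininet export names, invented addresses and bytes.
SAMPLE_EXPORTS = {
    # untouched hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp
    "HttpSendRequestA": (0x77012340, b"\x8B\xFF\x55\x8B\xEC"),
    # first instruction replaced by a jmp into code living outside wininet
    "InternetReadFile": (0x77012400, jmp_rel32(0x77012400, 0x00401000)),
    # a jmp that stays inside the module: not a hook by this test
    "InternetReadFileExA": (0x77012500, jmp_rel32(0x77012500, 0x77050000)),
    # push/ret trampoline to an address outside the module
    "HttpSendRequestW": (0x77012600,
                         b"\x68" + struct.pack("<I", 0x00402000) + b"\xC3"),
}

if __name__ == "__main__":
    for name, (kind, target) in scan_exports(SAMPLE_EXPORTS).items():
        print(f"{name}: {kind} -> {target:#010x} (outside wininet.dll)")
```

Only two of the four sample exports are reported: the clean prologue and the intra-module jump are ignored on purpose, because a scanner that flags every jump at an export would drown real hooks in false positives from normal stubs.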

I’ve tested the Spy Eye version 1.1.39 and 1.2.60 builders; they are not the newest but that’s what came into my hands. Here are the builder Control Panels:

spy_eye_builder


For an unknown reason, I was not able to build a working trojan server with this version, 1.2.60, so I’ve used v1.1.39 for the tests.

spy_eye_builder2

These trojans come as a kit; there is also a “server-side” containing a whole Admin Control Panel system, with the capability to use a MySQL database, configuration files and a lot of other PHP files needed to create and administer the botnet. This is the main logo of the Admin Panel:

main_logo

As you can see, there is an option Kill Zeus; if this is checked, the Spy Eye trojan will delete the Zeus banker trojan executable file on the infected computer.

Building the trojan with version 1.1.39 of the builder produced an executable file named build.exe and a config.bin file with the following encrypted content (just an excerpt viewed in Notepad; I insert it as an image because this content corrupts the RSS feed):

config_bin


The actions performed on the system by the newly built trojan, build.exe, were logged by the Sandboxie add-on BSA (Buster Sandbox Analyzer):

[ General information ]
* File name: g:\newegg\spyeye\spyeye\spyeye v1.1.39\build.exe
* File length: 115712 bytes
* File signature: Borland Delphi 3.0 (???) *
* MD5 hash: b2ba487148172aa7763b9bad4673c023
* SHA1 hash: e62caab1bd8a67bbc7bc64adda38d7545b3ff2f0
* SHA256 hash: cb8365c56f03e4a8e5c1707dbdf37d158cf2d5e85b5db5c4d7aea011d69801cd

[ Changes to filesystem ]
* Creates file C:\cleansweep.exe\cleansweep.exe
* Creates file C:\cleansweep.exe\config.bin
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\a443_appcompat.txt

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Creates value “cleansweep.exe=C:\cleansweep.exe\cleansweep.exe” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN

* Injects code into process “”.
* Creates process “C:\cleansweep.exe\cleansweep.exe,(null),(null)) [g:\newegg\spyeye\spyeye\spyeye v1.1.39″.
* Creates a mutex “__SPYNET__”.

Here is the virustotal.com report for the build.exe file. As you can see (35/43, 81.4% detection rate), even though these Spy Eye versions are rather old, there is still antivirus software that fails to detect it. However, common antivirus software cannot assure 100% effective protection against this type of sophisticated trojan. A solution for safe browsing, and therefore a solution to prevent infection with zero-day versions of Spy Eye, Zeus or Carberp, can be a sandboxed browser (using Sandboxie, for example); in this case an exploit kit has no effect on the computer’s operating system. Another solution can be Prevx SafeOnline, but as a complement to an up-to-date antivirus.

Keep safe!

[EDIT]

Here is another analysis, of a Spy Eye banker trojan caught in the wild. This analysis is much more descriptive than the previous one; it seems I’ve used a faulty builder to build and test the trojan. However, the following analysis is for a working, “in the wild” Spy Eye trojan.

[ General information ]
* File name: c:\documents and settings\administrator\desktop\name\build___who.exe
* File length: 241664 bytes
* File signature: UPX [com] *
* MD5 hash: d7578e550c0a4d4aca0cfd01ae19a331
* SHA1 hash: c084e64c5cc19cb72b947ba205463051697aee9b
* SHA256 hash: 3d509341107a9577899918ef3b2b63ceda0fcbcd09976e79e94610a3cf674b8a

[ Changes to filesystem ]
* Creates file C:\mydnswatch\config.bin
* Creates file C:\mydnswatch\mydnswatch.exe
* Deletes file C:\Documents and Settings\Administrator\Desktop\name\build___who.exe

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Empties value “EnabledV8” in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter
old value “EnabledV8=00000001”
* Empties value “ShownServiceDownBalloon” in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter
old value “ShownServiceDownBalloon=00000001”
* Empties value “WarnOnPost” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
old value “WarnOnPost=01000000”
* Modifies value “SavedLegacySettings=46000000D0120000010000000000000000000000000000000000000000000000C0C2EB740031CB0101000000C0A80165000000000000000000000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value “SavedLegacySettings=46000000CB120000010000000000000000000000000000000000000000000000C0C2EB740031CB0101000000C0A80165000000000000000000000000”
* Empties value “1406” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
old value “1406=00000001”
* Empties value “1406” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
old value “1406=00000003”
* Empties value “1406” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
old value “1406=00000003”
* Creates value “1409=03000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
* Empties value “1609” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
old value “1609=00000001”
* Creates value “1409=03000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
* Empties value “1609” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
old value “1609=00000001”
* Empties value “1406” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
old value “1406=00000001”
* Creates value “1409=03000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
* Empties value “1609” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
old value “1609=00000001”
* Empties value “1406” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
old value “1406=00000003”
* Creates value “1409=03000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
* Empties value “1609” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
old value “1609=00000001”
* Empties value “1406” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
old value “1406=00000003”
* Creates value “1409=03000000” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
* Empties value “1609” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
old value “1609=00000001”
* Empties value “1406” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
old value “1406=00000003”
* Creates value “mydnswatch.exe=C:\mydnswatch\mydnswatch.exe” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Network services ]
* Looks for an Internet connection.
* Backdoor functionality on port 0.
* Connects to “127.0.0.1” on port 1527.
* Connects to “213.246.38.29” on port 7010.
* Connects to “91.200.240.7” on port 80.

[ Process/window information ]
* Creates a mutex “gF4gGd4GdH5GdHg”.
* Enumerates running processes.
* Creates process “C:\mydnswatch\mydnswatch.exe,(null),(null)”.
* Injects code into process “c:\documents and settings\administrator\desktop\name\build___who.exe”.
* Creates a mutex “Local\_!MSFTHISTORY!_”.
* Creates a mutex “Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!”.
* Creates a mutex “Local\c:!documents and settings!administrator!cookies!”.
* Creates a mutex “Local\c:!documents and settings!administrator!local settings!history!history.ie5!”.
* Creates a mutex “RasPbFile”.
* Lists all entry names in a remote access phone book.
* Opens a service named “RASMAN”.
* Opens a service named “Sens”.
* Creates a mutex “Local\ZonesCounterMutex”.
* Creates a mutex “Local\!IETld!Mutex”.
* Creates a mutex “Local\c:!documents and settings!administrator!ietldcache!”.
* Creates a mutex “Local\ZoneAttributeCacheCounterMutex”.
* Creates a mutex “Local\ZonesCacheCounterMutex”.
* Creates a mutex “Local\ZonesLockedCacheCounterMutex”.
* Opens a service named “RemoteAccess”.
* Opens a service named “Router”.
* Creates a mutex “L6L6L6L6L6L6L6L6L6L6L6L6L6L6LLL”.
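
The two BSA logs are long, and what a responder needs from them is a handful of items: the file hashes, the Run-key entry that makes the sample survive a reboot, the non-loopback connections (the C&C candidates), the mutexes usable as host indicators, and the Internet Explorer settings the sample switched off. Here is an added example that pulls exactly that out of a report; it is not part of the original post or of BSA itself. The embedded SAMPLE_REPORT is an abbreviated copy of the second log above (curly quotes and the ″ character included, since that is how the blog engine rendered them), and the zone action names and the 0/1/3 value meanings follow Microsoft's security-zone registry documentation.

```python
"""Extract indicators and browser-hardening changes from a Sandboxie/BSA
text report.  Added example, not part of the original post.  SAMPLE_REPORT
is an abbreviated copy of the second BSA log above; zone action names and
the 0/1/3 meanings follow Microsoft's security-zone registry documentation."""
import re

SAMPLE_REPORT = r"""[ General information ]
* File name: c:\documents and settings\administrator\desktop\name\build___who.exe
* MD5 hash: d7578e550c0a4d4aca0cfd01ae19a331
* SHA1 hash: c084e64c5cc19cb72b947ba205463051697aee9b

[ Changes to filesystem ]
* Creates file C:\mydnswatch\mydnswatch.exe

[ Changes to registry ]
* Empties value “EnabledV8″ in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter
old value “EnabledV8=00000001″
* Empties value “WarnOnPost” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings
old value “WarnOnPost=01000000″
* Creates value “1409=03000000″ in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
* Empties value “1609″ in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
old value “1609=00000001″
* Creates value “mydnswatch.exe=C:\mydnswatch\mydnswatch.exe” in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN

[ Network services ]
* Connects to “127.0.0.1″ on port 1527.
* Connects to “213.246.38.29″ on port 7010.
* Connects to “91.200.240.7″ on port 80.

[ Process/window information ]
* Creates a mutex “gF4gGd4GdH5GdHg”.
* Creates a mutex “Local\ZonesCounterMutex”.
"""

# IE security-zone action ids that appear in the report (Microsoft's numbering)
ZONE_ACTIONS = {"1406": "Access data sources across domains",
                "1409": "Cross-Site Scripting (XSS) Filter",
                "1609": "Display mixed content"}
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}
ZONE_SETTING = {0: "enabled", 1: "prompt", 3: "disabled"}
# Curly quotes and the double-prime the blog engine substituted -> plain "
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})
REG_VALUE = re.compile(r'(Creates|Empties|Modifies) value "([^"=]+)(?:=([^"]*))?" in key (.+)')


def decode_dword(data):
    """BSA prints REG_DWORD data as a little-endian hex dump ('03000000' -> 3)."""
    if data and re.fullmatch(r"[0-9A-Fa-f]{8}", data):
        return int.from_bytes(bytes.fromhex(data), "little")
    return data


def describe_registry_change(action, name, data, key):
    """Readable note for a change to an IE security setting, else None."""
    zone = re.search(r"(Lockdown_Zones|Zones)\\(\d)$", key, re.IGNORECASE)
    if zone:
        where = ZONE_NAMES.get(zone.group(2), "zone " + zone.group(2)) + " zone"
        what = ZONE_ACTIONS.get(name, "action " + name)
        if action == "Empties":
            verb = "removed"
        else:
            n = decode_dword(data)
            verb = f"set to {n} ({ZONE_SETTING.get(n, 'unknown')})"
    elif "phishingfilter" in key.lower() or "internet settings" in key.lower():
        where, what = key.rsplit("\\", 1)[-1], name
        verb = "removed" if action == "Empties" else f"changed to {data}"
    else:
        return None
    return f"{where}: {what} {verb}"


def parse_bsa_report(text):
    """Walk the '* ' entries of a BSA report and bucket the useful ones."""
    out = {"hashes": {}, "persistence": [], "network": [], "mutexes": [],
           "browser_tampering": []}
    for line in text.translate(QUOTES).splitlines():
        if not line.startswith("* "):
            continue          # section headers / "old value" lines add nothing here
        body = line[2:].rstrip(".")
        if m := re.match(r"(MD5|SHA1|SHA256) hash: ([0-9a-f]+)", body):
            out["hashes"][m.group(1).lower()] = m.group(2)
        elif m := REG_VALUE.match(body):
            action, name, data, key = m.groups()
            if key.lower().endswith(r"\currentversion\run"):
                out["persistence"].append((name, data))   # autostart entry
            elif note := describe_registry_change(action, name, data, key):
                out["browser_tampering"].append(note)
        elif m := re.match(r'Connects to "([\d.]+)" on port (\d+)', body):
            if not m.group(1).startswith("127."):          # loopback is not the C&C
                out["network"].append((m.group(1), int(m.group(2))))
        elif m := re.match(r'Creates a mutex "(.+)"', body):
            out["mutexes"].append(m.group(1))
    return out


if __name__ == "__main__":
    for bucket, items in parse_bsa_report(SAMPLE_REPORT).items():
        print(bucket, items)
```

Run against the full second log, the browser_tampering bucket shows the pattern worth recognising in any sandbox output from a banker trojan: the phishing filter switched off (EnabledV8), the form-submission warning removed (WarnOnPost), and the XSS filter and mixed-content handling altered in every zone, all of which remove warnings the victim might otherwise see while the trojan tampers with the bank's page.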

The virustotal.com report does not look so good: only a 19/43 (44.2%) detection rate. That’s poor; even big names such as Kaspersky fail to detect it.

91.200.240.7 is the malware server IP (C&C) in this case.
