Spy Eye and Carberp the new banker trojans offensive

Transcription

1 Spy Eye and Carberp the new banker trojans offensive The common way for a wanna-be hacker to fulfill his sick aspirations is to achieve a known trojan there is a plenty on the Internet, sometimes they are called RATs(Remote Administration Tools) and use a crypter for the trojan executable file in an attempt to deceive the antiviruses scanning engines based on files signatures. In the same idea, of using the simpliest approach that does not require too much programming work, the vast majority of crypters are coded in Visual Basic 6, the most accesible programming language ever. Still very dangerous by the features they have as : injects code into legitimate processes, bypass firewalls by using reverse connections, decrypt and steal browser saved passwords, elevation of privileges, these are only the minor league on a trojan viruses scale. In the major league there are rootkits and banker(banking) trojans, the most known being Zeus(as aliases Zbot, Wsnpoem, Gorhax) and the newest Spy Eye and Carberp, used by hackers to steal hundreds of millions of dollars from the victims. According to the statistics, most of banker trojans are created in the russian space but are used by hackers from around the world without difference. Taking note about the astonishing complexity of a such trojan, we can guess they are not the creation of a single person, instead a group of developers are involved in its creation aspiring to the high financial returns. This is my opinion however and I must mention here a story about an auto-claimed russian author of Spy Eye bot trojan, Gribodemon. He said in an interview that he develop this trojan because he needs 50,000,000 $. Hmmm, childish, nobody knows for sure if he s the real author of Spy Eye trojan or a spokesman of a group of developers. In comparison with the old common trojans which uses a two executable files system client and server, the banking trojans use a more sophisticated system using configuration files and php files able to handle a mysql database for storing stolen information on the server or for other nefarious tasks. While first versions of Zeus trojan targeted or social network accounts credentials, its creators quickly specializes it in stealing banking account informations and banks from around the globe was targeted immediately. Though it still wreak havoc, Zeus is a well known banking trojan and a case study for the security solutions vendors, all of its versions and even the Command and Control servers are tracked by the governamental agencies but the things are far from finishing, two new banking trojans proving at least the same complexity as Zeus come into the scene: Spy Eye and Carberp. It seems even these trojans are rivals, since there is an option in Spy Eye builder panel to eliminate Zeus trojan from the victim s computer. There is a rumour these days about a mixture between Zeus and Spy Eye resulting a super-trojan and a few screenshots with the Builder Control Panel of this super-trojan appear on a few websites. Well, I don t believe this rumour, it s rather about a version of Spy Eye trying to imitate the Zeus interface. If I m worried about something, that s the Carberp trojan, it seems to exceeds in complexity the other two trojans. The most common method used to infect a computer with these trojans is using an exploit kits installed on malicious websites but can be aswell a hacked legit website. The links to these websites are offered to an innocent user via instant messaging platforms, via s as spam or simply are posted to dubious websites. For example a lot of Live-Cam porn websites are providing links targeting these malicious domains, once an unaware user reach a such website, the exploit kit system will decide automatically what exploit can be applied depending upon the computer system configuration. A successful exploit can attain for the hacker a back door into the infected machine,

2 granting unlimited capabilities for him to install what malware he wishes. Very quickly the infected machine will become a zombie or drone, a computer found totally at hacker disposition and very often used for other nefarious activities like sending spams or attack other computers, bear in mind please, all these without user knowledge. Another method of infection is using malicious javascripts or iframes. And things can be much more complicated when the hackers are using Pay-Per-Install(PPI) affiliates. We will study the Spy Eye trojan particular case, the most important features of this trojan are : -Using rootkit methods it can hides its files and registry entries(ring 3 rootkit); -It can runs without Administrator privileges, from a Limited account and still do its job; -It can hook the web browser process and can inject code into it. The supported browsers are Internet Explorer, Firefox and Maxthon; -It can hook the wininet.dll and nspr4.dll API calls, therefore intercepting and controlling the traffic discretionary; -It can steal sensitive data even from a HTTP Secured connection session in real-time; -Using webinjects, it can inject forms in legitimate banks web pages urging the user to fill them(example card PIN number) and stealing these data aswell, this way are bypassed other additional security mechanisms the banks may implement for online clients; -Keylogger activity it steals sensitive data introduced by the victim in the bank web page fields(forms), that s why the name of a feature FormGrabber; -Encrypted connections with the Command & Control(C&C) server; -Encrypted configuration file; -It can automatically fill the payment credit card fields via the Admin Control Panel for various hacker needs, he will indicate only what credit card info to be used and the amount that must be charged. This task is performed via another infected computer from the BotNet, running Internet Explorer in invisible mode; -It runs on all Windows versions including Windows 7; -It automatically send another set of logs(back-up logs) to an account; I ve tested Spy Eye version and builders, they are not the newest but that s what comes in my hands, here are the builder Control Panels :

3 spy_eye_builder For an unknown reason, I was not able to build an working trojan server with this version, , so I ve used v for tests.

4 These trojans come as a kit, exists also a server-side containing an Admin Control Panel whole system with capabilities to use a MySQL database, configuration files and a lot of other PHP files needed to create and administrate the botnet. This the main logo of the Admin Panel : As you can see, there is an option Kill Zeus, if this is checked, Spy Eye trojan will delete the Zeus banker trojan executable file in the infected computer. After building the trojan with the version of the builder, resulted an executable file named build.exe and a config.bin file with the following encrypted content (just an excerpt viewed in Notepad, I insert it as an image because this code corrupts the RSS feed) :

5 config_bin The actions performed on the system by the new built trojan, build.exe were logged by the Sandboxie add-on, BSA: [ General information ] * File name: g:\newegg\spyeye\spyeye\spyeye v1.1.39\build.exe * File length: bytes * File signature: Borland Delphi 3.0 (???) * * MD5 hash: b2ba aa7763b9bad4673c023 * SHA1 hash: e62caab1bd8a67bbc7bc64adda38d7545b3ff2f0 * SHA256 hash: cb8365c56f03e4a8e5c1707dbdf37d158cf2d5e85b5db5c4d7aea011d69801cd [ Changes to filesystem ] * Creates file C:\cleansweep.exe\cleansweep.exe * Creates file C:\cleansweep.exe\config.bin * Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\a443_appcompat.txt [ Changes to registry ] * Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE59 4F69C}

6 * Creates value cleansweep.exe=c:\cleansweep.exe\cleansweep.exe in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN * Injects code into process. * Creates process C:\cleansweep.exe\cleansweep.exe,(null),(null)) [g:\newegg\spyeye\spyeye\spyeye v * Creates a mutex SPYNET. Here is the virustotal.com report for the build.exe file, as you can see(35/ 43 (81.4%) detection rate) even if these Spy Eye versions are rather old, still exists antivirus software that fails to detect it. However, a common antivirus software can not assure a 100% effective protection against this type of sophisticated trojans. A solution for a safe browsing and therefore a solution to prevent Spy Eye, Zeus or Carberp infection with the zero-day versions can be a sandboxed browser(using Sandboxie for example), in this case an exploit kit has no effect against the computer operating system. Another solution can be Prevx SafeOnline, but as a complement to an up-to-date antivirus. Keep safe! [EDIT] Here is another analysis of a Spy Eye banker trojan caught in the wild cyberzone. These analysis is much more descriptive than the previous one, it seems I ve used a faulty Builder to build and test the trojan. However, the following analysis is for a working and in the wild Spy Eye trojan. [ General information ] * File name: c:\documents and settings\administrator\desktop\name\build who.exe * File length: bytes * File signature: UPX [com] * * MD5 hash: d7578e550c0a4d4aca0cfd01ae19a331 * SHA1 hash: c084e64c5cc19cb72b947ba aee9b * SHA256 hash: 3d a ef3b2b63ceda0fcbcd09976e79e94610a3cf674b8a [ Changes to filesystem ] * Creates file C:\mydnswatch\config.bin * Creates file C:\mydnswatch\mydnswatch.exe * Deletes file C:\Documents and Settings\Administrator\Desktop\name\build who.exe [ Changes to registry ] * Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE59 4F69C} * Empties value EnabledV8 in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter old value EnabledV8= * Empties value ShownServiceDownBalloon in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\PhishingFilter old value ShownServiceDownBalloon= * Empties value WarnOnPost in key

7 Settings old value WarnOnPost= * Modifies value SavedLegacySettings= D C0C2EB CB C0A in key Settings\Connections old value SavedLegacySettings= CB C0C2EB CB C0A Settings\Lockdown_Zones\1 old value 1406= Settings\Lockdown_Zones\3 Settings\Lockdown_Zones\4 Settings\Zones\0 Settings\Zones\0 Settings\Zones\1 Settings\Zones\1 Settings\Zones\1 old value 1406= Settings\Zones\2 Settings\Zones\2

8 Settings\Zones\2 Settings\Zones\3 Settings\Zones\3 Settings\Zones\3 Settings\Zones\4 Settings\Zones\4 Settings\Zones\4 * Creates value mydnswatch.exe=c:\mydnswatch\mydnswatch.exe in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RUN * Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox [ Network services ] * Looks for an Internet connection. * Backdoor functionality on port 0. * Connects to on port * Connects to on port * Connects to on port 80. [ Process/window information ] * Creates a mutex gf4ggd4gdh5gdhg. * Enumerates running processes. * Creates process C:\mydnswatch\mydnswatch.exe,(null),(null). * Injects code into process c:\documents and settings\administrator\desktop\name\build who.exe. * Creates a mutex Local\_!MSFTHISTORY!_. * Creates a mutex Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!. * Creates a mutex Local\c:!documents and settings!administrator!cookies!. * Creates a mutex Local\c:!documents and settings!administrator!local settings!history!history.ie5!. * Creates a mutex RasPbFile. * Lists all entry names in a remote access phone book. * Opens a service named RASMAN. * Opens a service named Sens.

9 * Creates a mutex Local\ZonesCounterMutex. * Creates a mutex Local\!IETld!Mutex. * Creates a mutex Local\c:!documents and settings!administrator!ietldcache!. * Creates a mutex Local\ZoneAttributeCacheCounterMutex. * Creates a mutex Local\ZonesCacheCounterMutex. * Creates a mutex Local\ZonesLockedCacheCounterMutex. * Opens a service named RemoteAccess. * Opens a service named Router. * Creates a mutex L6L6L6L6L6L6L6L6L6L6L6L6L6L6LLL. The virustotal.com report, does not look so good, only 19 /43 (44.2%) detection rate, that s poor, even big names as Kaspersky fail to detect it is the malware server IP (C&C) in this case. Share this: Share