Tuesday, August 31, 2010

SpyEye Backend Collector - Victim Databases

SpyEye is a fast-growing platform used for bot infection. SpyEye uses a dedicated back-end engine for collecting information from the bots. The SpyEye collector is not part of the admin interface, which is used to manage certain specific controls; the collector is an independent component of the SpyEye infection platform. This design makes the collector a self-contained piece from the perspective of gathering information from infected systems all around the world: the admin interface has no relation to, and no impact on, the working of the backend collector, because the collector keeps running even if the admin interface is disabled or not working. This is quite impressive in its functioning. It means that in this botnet, the admin component that starts the infection has little relation to the component that collects information from the bots.

Basically, SpyEye uses a daemon for Linux. It listens on a specific port, collects logs and stores the information in a database. The logs use a special compression library, LZO, for real-time data compression. LZO is primarily known for its speed rather than its compression ratio: compression is fast, decompression requires no extra working memory, and its algorithms are thread-safe, lossless and portable. This gives a glimpse of the compression used for log transmission over the internet from the bots to the backend collector daemon. It keeps the traffic tight, so logs can be transferred economically and directly without much interference.

The SpyEye collector looks as follows

SpyEye has its own SDK and development platform, designed for generating plugins that infect victims and steal specific information. Through plugins, data can easily be transferred to the collector. SpyEye provides the relevant function as part of its API as follows
void TakeGateToCollector(LPVOID lpGateFunc);

This function is used in SpyEye plug-in development as follows

The page is dumped as

The collector is configured in the builder part of SpyEye as follows

The collected logs provide statistics as follows

SpyEye thus uses a sound technique for storing collected information irrespective of user-centric access through the admin interface.

Saturday, August 28, 2010

SpyEye 1.2.22 - Art of Web Fakes - Malware

SpyEye is one of the latest infection platforms on the web; it includes a satisfactory browser exploit pack and a bot-generating system. With the latest SpyEye versions, starting from 1.2.2X (1.2.4), on the run, we have noticed web fakes generated in an artistic manner by SpyEye. Looking at the profitable nature of SpyEye, it is classed as a banking Trojan, which comprises efficient techniques for infecting bank websites. In this post, we are going to talk about the technique used by SpyEye to infect bank websites with Web Fakes.

SpyEye uses a well-defined SDK for its development and for infection across websites. It uses the standard DLL injection technique. By definition, "DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend." In general it works as follows

1. First, SpyEye infects processes by DLL injection into most of the standard DLLs used for HTTP and socket functions on the system. It uses DLL hooking to take control of certain functions, such as HTTP GET/POST requests, in order to monitor what the process is doing.

2. SpyEye's extensibility depends a lot on plug-in design. The plug-ins carry additional infection code that is injected into the process for a variety of infections. This is done to ensure that the initial infection stays intact; plug-ins are used to raise the level of infection at a later stage, depending on the capabilities of the infected targets.

3. SpyEye uses named pipes (the standard Windows IPC mechanism) to read data from plugins and to infect HTTP processes directly.
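From the defender's side, the injection pattern described in these three steps (one foreign module loaded into every process that talks HTTP) is visible in a plain loaded-module inventory. The following script is an added example, not code from SpyEye or from this blog: it triages a constructed module listing (process, pid, module path, in the spirit of a `tasklist /m` export reduced to three columns) and flags modules that load from outside the trusted install roots and recur across unrelated processes, or sit next to the network DLLs that the post names as hook targets. The trusted roots and the sample listing are assumptions for a default Windows layout.

```python
"""Triage a loaded-module listing for signs of DLL injection.

Added example (not SpyEye code, not the blog author's code). SAMPLE_LISTING is
constructed for the example; export a real listing from your own hosts.
"""
import os
from collections import defaultdict

# Assumption: a default Windows layout. Modules normally load from these roots.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# HTTP/socket DLLs; an untrusted module sharing a process with one of these
# deserves a closer look, since that is where request hooks would sit.
NETWORK_DLLS = {"wininet.dll", "ws2_32.dll", "winhttp.dll", "nspr4.dll"}

# Constructed listing: "process pid module-path", one module per line.
SAMPLE_LISTING = """\
iexplore.exe 1204 C:\\Windows\\System32\\ntdll.dll
iexplore.exe 1204 C:\\Windows\\System32\\wininet.dll
iexplore.exe 1204 C:\\Windows\\System32\\ws2_32.dll
iexplore.exe 1204 C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1a2b.dll
explorer.exe 988 C:\\Windows\\System32\\shell32.dll
explorer.exe 988 C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1a2b.dll
firefox.exe 2310 C:\\Program Files\\Mozilla Firefox\\nspr4.dll
firefox.exe 2310 C:\\Users\\alice\\AppData\\Local\\Temp\\tmp1a2b.dll
outlook.exe 1750 C:\\Program Files\\Microsoft Office\\outlook.exe
"""


def parse_listing(text):
    """Parse 'process pid path' lines; the path may contain spaces, so split twice."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        proc, pid, path = line.split(" ", 2)
        name = os.path.basename(path.replace("\\", "/")).lower()
        rows.append({"process": proc, "pid": int(pid), "path": path, "name": name})
    return rows


def is_trusted_path(path):
    """True when the module lives under one of the trusted install roots."""
    p = path.lower().replace("/", "\\")
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def find_injected(rows, min_processes=2):
    """Return {module path: [process names]} for untrusted modules that appear in
    at least `min_processes` distinct processes, the spread that injecting the
    same DLL into every HTTP-capable process produces."""
    by_path = defaultdict(set)
    for r in rows:
        if not is_trusted_path(r["path"]):
            by_path[r["path"].lower()].add(r["process"])
    return {p: sorted(procs) for p, procs in by_path.items() if len(procs) >= min_processes}


def find_network_neighbours(rows):
    """Return process names where an untrusted module shares the process with a
    network DLL (the hook targets from the post)."""
    net_pids = {r["pid"] for r in rows if r["name"] in NETWORK_DLLS}
    return sorted({r["process"] for r in rows
                   if r["pid"] in net_pids and not is_trusted_path(r["path"])})


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    print("modules spread across processes:", find_injected(rows))
    print("untrusted modules beside network DLLs:", find_network_neighbours(rows))
```

Both heuristics are deliberately path-based so they work from any inventory tool's output; a module signed by a trusted publisher but loaded from a temp directory is still reported, which is the behaviour you want when triaging a suspected banking-Trojan infection.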

The SpyEye SDK uses the following functions

[1] DLLEXPORT bool IsGlobal() { return true; }

This function is called by the plug-in itself at the start. It gives the plug-in full access to communicate with all the infected processes, so that the plug-in can take control of all the infected interfaces directly from the source.

[2] DLLEXPORT void Callback_OnBeforeLoadPage(IN PCHAR szUrl, IN PCHAR szVerb, IN PCHAR szPostVars, OUT PCHAR * lpszContent, OUT PDWORD lpdwSize) {}

This function is called by plug-ins to set a hook on the HTTP/HTTPS request, so that the contents of the page can be reported back to a centralized repository for analyzing what type of information is going out of the network. Let's see the layout

[3] DLLEXPORT void Callback_ProcessContentOfPage(IN PCHAR szUrl, IN PCHAR szVerb, IN PCHAR szPageContent, OUT PCHAR * szOut, IN OUT PDWORD lpdwSize) {}

This function is used to infect the web page dynamically. It again performs a hook, this time right before the page is about to render in the browser. This gives an edge for updating page contents and injecting additional Web Fakes into banking websites. Let's see

[4] DLLEXPORT void FreeMem(LPVOID lpMem) {}

At last, this function is used to set the allocated resource free. A good memory allocation and management benchmark :)
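The two callbacks [2] and [3] sit between the server's response and the browser's render step, which is exactly where an integrity check can catch them: compare the HTML the server actually sent with the HTML the browser ended up rendering (for example a DOM snapshot posted back by a monitoring script, or a reference copy fetched out of band) and report anything that appeared in between. The script below is an added example, not SpyEye or blog code; both HTML documents in it are constructed, and the "monitoring script that ships the rendered DOM back" is assumed to exist.

```python
"""Detect content added to a page between the server and the render step.

Added example (not SpyEye or blog code). REFERENCE is what the server sent,
RENDERED is what the browser showed; both are constructed for the example.
"""
from html.parser import HTMLParser


class PageFeatureCollector(HTMLParser):
    """Collect (form action, input name) pairs and external script sources,
    the two things a web fake most commonly adds to a login page."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = set()
        self.scripts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("action") or ""
        elif tag == "input" and a.get("name"):
            self.fields.add((self.current_form or "", a["name"].lower()))
        elif tag == "script" and a.get("src"):
            self.scripts.add(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def collect(html):
    """Return (fields, scripts) found in one HTML document."""
    p = PageFeatureCollector()
    p.feed(html)
    p.close()
    return p.fields, p.scripts


def tamper_report(reference_html, rendered_html):
    """Diff the rendered page against the reference copy; anything added or
    removed on the way to the screen is reported."""
    ref_fields, ref_scripts = collect(reference_html)
    got_fields, got_scripts = collect(rendered_html)
    return {
        "added_fields": sorted(got_fields - ref_fields),
        "removed_fields": sorted(ref_fields - got_fields),
        "added_scripts": sorted(got_scripts - ref_scripts),
    }


# Constructed reference page as sent by the server.
REFERENCE = """<html><body>
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
</body></html>"""

# Constructed rendered copy: one extra input and one extra script appeared.
RENDERED = """<html><body>
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
  <input name="atm_pin"><input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
<script src="http://inject.example/inject.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(tamper_report(REFERENCE, RENDERED))
```

The comparison runs on the server or on a monitoring host, never inside the infected browser, because the post's hook [3] can rewrite anything that runs there; a reference copy that the client cannot touch is what makes the diff trustworthy.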

SpyEye mainly infects the following DLLs

The payload to be injected, or the data used for the infection, is supplied as follows

// data.cpp holds a canned HTTP response: "HTTP/1.1 200 OK", a Content-Type of
// text/html (UTF-8), "Server: srv", then the body "<h1>Webfakes is now</h1><br><b>tada!</b>"
#include "data.cpp" /*
unsigned char data[] = {
0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x31, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4F, 0x4B, 0x0D,
0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x74,
0x65, 0x78, 0x74, 0x2F, 0x68, 0x74, 0x6D, 0x6C, 0x3B, 0x20, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65,
0x74, 0x3D, 0x55, 0x54, 0x46, 0x2D, 0x38, 0x0D, 0x0A, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x3A,
0x20, 0x73, 0x72, 0x76, 0x0D, 0x0A, 0x0D, 0x0A, 0x3C, 0x68, 0x31, 0x3E, 0x57, 0x65, 0x62, 0x66,
0x61, 0x6B, 0x65, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6E, 0x6F, 0x77, 0x3C, 0x2F, 0x68, 0x31, 0x3E,
0x3C, 0x62, 0x72, 0x3E, 0x3C, 0x62, 0x3E, 0x74, 0x61, 0x64, 0x61, 0x21, 0x3C, 0x2F, 0x62, 0x3E }; */
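The byte array above is worth decoding, because it shows what the "data to be used for infection" actually is: a complete, canned HTTP/1.1 response (status line, headers and an HTML body) that a hook can hand to the browser as if it had come from the server. The script below is an added example, not SpyEye or blog code: it turns the array text copied from the listing above back into bytes, parses it as an HTTP response, and then generalizes the idea into a scanner that locates such embedded response templates anywhere inside a binary blob (the padded blob it scans is constructed for the example).

```python
"""Decode the data.cpp array shown above and scan a blob for embedded canned
HTTP responses.

Added example (not SpyEye or blog code). DATA_CPP is the array text copied
from the listing above; the padded blob in the demo is constructed.
"""
import re

DATA_CPP = r'''
unsigned char data[] = {
0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x31, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4F, 0x4B, 0x0D,
0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x74,
0x65, 0x78, 0x74, 0x2F, 0x68, 0x74, 0x6D, 0x6C, 0x3B, 0x20, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65,
0x74, 0x3D, 0x55, 0x54, 0x46, 0x2D, 0x38, 0x0D, 0x0A, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x3A,
0x20, 0x73, 0x72, 0x76, 0x0D, 0x0A, 0x0D, 0x0A, 0x3C, 0x68, 0x31, 0x3E, 0x57, 0x65, 0x62, 0x66,
0x61, 0x6B, 0x65, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6E, 0x6F, 0x77, 0x3C, 0x2F, 0x68, 0x31, 0x3E,
0x3C, 0x62, 0x72, 0x3E, 0x3C, 0x62, 0x3E, 0x74, 0x61, 0x64, 0x61, 0x21, 0x3C, 0x2F, 0x62, 0x3E };
'''


def parse_c_byte_array(text):
    """Turn a C initializer made of 0xNN literals into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})", text))


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into version, status, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator found")
    lines = head.decode("latin-1").split("\r\n")
    version, status, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body.decode("utf-8", "replace")}


def find_embedded_responses(blob, max_header_len=4096):
    """Locate HTTP/1.x response templates inside an arbitrary byte blob, such
    as the data section of a module under analysis. Returns (offset, parsed)
    pairs; the body is taken up to the next NUL byte or the end of the blob."""
    hits = []
    for m in re.finditer(rb"HTTP/1\.[01] \d{3} ", blob):
        start = m.start()
        end = blob.find(b"\r\n\r\n", start)
        if end == -1 or end - start > max_header_len:
            continue  # not a complete header block, skip
        body_end = blob.find(b"\x00", end)
        chunk = blob[start: body_end if body_end != -1 else len(blob)]
        hits.append((start, parse_http_response(chunk)))
    return hits


if __name__ == "__main__":
    raw = parse_c_byte_array(DATA_CPP)
    print(parse_http_response(raw))
    # Constructed blob: the same response padded with NUL bytes on both sides.
    for offset, resp in find_embedded_responses(b"\x00" * 20 + raw + b"\x00" * 5):
        print(offset, resp["status"], resp["headers"].get("server"), resp["body"])
```

A module that carries ready-made HTTP responses in its data has no business being loaded into a browser, so the scanner's hits are a cheap first filter when triaging suspicious DLLs; the only caveat is that legitimate HTTP servers and proxies embed the same strings, so the finding is meaningful in the context of the process the module was found in.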

Let's see the SpyEye plug-in infections at world level

So the Web Fakes look as follows

This is really disastrous from a security point of view, as well as in the scenario of stealing information from victim machines by fooling the victims completely. This type of malware is getting deadlier day by day.

But that's true.