An Official Malware Research Blog of SecNiche Security Labs. Analysis, straight from the hidden and underground.
Saturday, August 28, 2010
SpyEye 1.2.22 - Art of Web Fakes - Malware
SpyEye is one of the latest infection platforms on the web, and it includes a satisfactory browser exploit pack and a bot-generation system. With the latest SpyEye versions starting from 1.2.2X (1.2.4) on the run, we have noticed Web Fakes that SpyEye generates in an artistic manner. Given its profit-driven nature, SpyEye is classed as a banking Trojan, and it comprises efficient techniques for infecting bank websites. In this post, we talk about the technique SpyEye uses to infect bank websites with Web Fakes.
SpyEye uses a well-defined SDK for its development and for infecting websites. It uses the same DLL injection technique. According to the definition, "DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend." In general it works as follows:
1. At first, SpyEye infects processes by DLL injection into most of the standard DLLs used by the system's HTTP and socket functions. It uses DLL hooking to take control of certain functions, such as those handling HTTP GET/POST requests, to monitor what the process does.
2. SpyEye's extensibility depends heavily on its plug-in design. Plug-ins carry additional infection code that is injected into the process for a variety of infections. This ensures that the initial infection process remains intact. Plug-ins are used to increase the level of infection at a later stage, depending on the capability of the infected targets.
3. SpyEye uses named pipes, following the same window concept, to read data from plug-ins and to infect HTTP processes directly.
The SpyEye SDK uses the following functions:
[1] DLLEXPORT bool IsGlobal() { return true; }
This function is called by the plug-in itself at the start. It gives the plug-in full access to communicate with all the infected processes, so that the plug-in can take control of all the infected interfaces directly from the source.
[2] DLLEXPORT void Callback_OnBeforeLoadPage(IN PCHAR szUrl, IN PCHAR szVerb, IN PCHAR szPostVars, OUT PCHAR * lpszContent, OUT PDWORD lpdwSize) {}
This function is called by plug-ins to set a hook on the HTTP/HTTPS request, so that the contents of the page can be reported back to a centralized repository for analyzing what type of information is going out of the network. Let's see the layout
[3] DLLEXPORT void Callback_ProcessContentOfPage(IN PCHAR szUrl, IN PCHAR szVerb, IN PCHAR szPageContent, OUT PCHAR * szOut, IN OUT PDWORD lpdwSize) {}
This function is used to infect the web page dynamically. It again sets a hook, exactly before the page is about to render in the browser. This makes it possible to update page contents and inject additional Web Fakes into banking websites. Let's see
[4] DLLEXPORT void FreeMem(LPVOID lpMem) {}
Finally, this function is used to free the allocated resources. A good memory allocation and management benchmark :)
SpyEye mainly infects the following DLLs
The payload to be injected, or the data to be used for infection, is applied as follows
#include "data.cpp" /*
unsigned char data[] = {
0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x31, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4F, 0x4B, 0x0D,
0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x74,
0x65, 0x78, 0x74, 0x2F, 0x68, 0x74, 0x6D, 0x6C, 0x3B, 0x20, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65,
0x74, 0x3D, 0x55, 0x54, 0x46, 0x2D, 0x38, 0x0D, 0x0A, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x3A,
0x20, 0x73, 0x72, 0x76, 0x0D, 0x0A, 0x0D, 0x0A, 0x3C, 0x68, 0x31, 0x3E, 0x57, 0x65, 0x62, 0x66,
0x61, 0x6B, 0x65, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6E, 0x6F, 0x77, 0x3C, 0x2F, 0x68, 0x31, 0x3E,
0x3C, 0x62, 0x72, 0x3E, 0x3C, 0x62, 0x3E, 0x74, 0x61, 0x64, 0x61, 0x21, 0x3C, 0x2F, 0x62, 0x3E }; */
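For analysis, the array above can be decoded to see what the plug-in carries. The following Python script is an added example, not part of the SpyEye SDK or of the original post, and its function names are hypothetical; it extracts the byte array from the listing and parses it as an HTTP response.

```python
import re

# Array initializer copied from the data.cpp listing above.
SDK_SOURCE = """
unsigned char data[] = {
0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x31, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4F, 0x4B, 0x0D,
0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x74,
0x65, 0x78, 0x74, 0x2F, 0x68, 0x74, 0x6D, 0x6C, 0x3B, 0x20, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65,
0x74, 0x3D, 0x55, 0x54, 0x46, 0x2D, 0x38, 0x0D, 0x0A, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x3A,
0x20, 0x73, 0x72, 0x76, 0x0D, 0x0A, 0x0D, 0x0A, 0x3C, 0x68, 0x31, 0x3E, 0x57, 0x65, 0x62, 0x66,
0x61, 0x6B, 0x65, 0x73, 0x20, 0x69, 0x73, 0x20, 0x6E, 0x6F, 0x77, 0x3C, 0x2F, 0x68, 0x31, 0x3E,
0x3C, 0x62, 0x72, 0x3E, 0x3C, 0x62, 0x3E, 0x74, 0x61, 0x64, 0x61, 0x21, 0x3C, 0x2F, 0x62, 0x3E };
"""


def extract_c_byte_array(source, name="data"):
    """Return the bytes of `unsigned char <name>[] = { ... }` in C source text."""
    pattern = r"unsigned\s+char\s+" + re.escape(name) + r"\s*\[\s*\]\s*=\s*\{(.*?)\}"
    match = re.search(pattern, source, re.S)
    if match is None:
        raise ValueError("array %r not found" % name)
    tokens = re.findall(r"0x([0-9A-Fa-f]{1,2})\b", match.group(1))
    return bytes(int(tok, 16) for tok in tokens)


def parse_http_response(raw):
    """Split raw bytes into status line, headers and body; reject anything else."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("not a complete HTTP response")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


if __name__ == "__main__":
    response = parse_http_response(extract_c_byte_array(SDK_SOURCE))
    print(response["version"], response["status"], response["reason"])
    for key, value in response["headers"].items():
        print("%s: %s" % (key, value))
    print(response["body"].decode("utf-8"))
```

Decoded, the array is a complete HTTP response: a status line, Content-Type and Server headers, and a short HTML body.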
Let's see the SpyEye plug-in infections at world level
So the Web Fakes look as follows
This is really disastrous from a security point of view, especially considering how information is stolen from victim machines by fooling the victims completely. This type of malware is getting deadlier day by day.
But that's true.