Sunday, February 6, 2011

SpyEye CreditGrab.dll Module - Plugin Analysis


In our last post about the SpyEye backend collector, we discussed the data transfer mechanism in the SpyEye botnet framework. SpyEye uses creditgrab.dll to handle the credit card data stolen from victim machines. That post was based on source code analysis; to support its points, we have since come across the compiled dynamic link libraries for the different modules. In this post we look at creditgrab.dll.

The DLL main function is structured as follows:


In the first part, the Credit Grab Module (CGM) retrieves the bot information together with a GUID reference. This bot GUID is used to track the infection on the victim machine and to associate the stolen credit card information with that machine. The code snippet presented below shows this:





The function "TakeBotGuid" is used in conjunction with the CGM; in this function the bot GUID is checked. The "repne scasb" instruction scans the string for its NULL terminator, decrementing the counter on each byte (dec ecx), that is, a string-length check. If the carry flag is zero (jnb short loc_1000167D, taken when carry=0), the function jumps to the address that points to the bot GUID "unknown".

The gate collector function TakeGateToCollector is declared as follows:

void TakeGateToCollector(LPVOID lpGateFunc);
typedef void (*GATETOCOLLECTOR)(IN PBYTE pbData, IN DWORD dwSize);




The next function, which plays a critical role in hijacking the HTTP communication channel, is Callback_OnBeforeLoadPage. The code snippet taken from this function is presented below:



The function loads the bot GUID, URI and data by calling the same subroutine, "sub_10001370", for each of them; this is a string checking and terminating routine that validates the parameters passed to the SpyEye function.



The snippet above shows the dissection of strings. The "strstr" and "strtok" functions are used together to find matching patterns and to split the string on the "&" token separator. In this function they serve to dissect the URL and collect data from a raw source, i.e. to extract information from raw HTTP content. The XREF structure of the plugin module is traced below:
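As an added illustration for analysts (not code from this post or from the SpyEye sample), the following C model ties together the TakeBotGuid length check described earlier and the strstr/strtok dissection described here, using the GATETOCOLLECTOR typedef from the post. The `key` parameter, the buffer size, the counting stand-in collector and the sample POST body are assumptions constructed for the model.

```c
#include <stdio.h>
#include <string.h>

/* Plugin-to-collector gate, the typedef shown on the page. */
typedef void (*GATETOCOLLECTOR)(const unsigned char *pbData, unsigned long dwSize);

static GATETOCOLLECTOR g_gate = NULL;    /* saved by TakeGateToCollector */
static char g_bot_guid[64] = "";         /* saved by TakeBotGuid */
static unsigned long g_collected_bytes;  /* what our stand-in collector received */

/* Stand-in for the backend collector (assumption): only counts forwarded bytes. */
static void CountingCollector(const unsigned char *pbData, unsigned long dwSize) {
    (void)pbData;
    g_collected_bytes += dwSize;
}
unsigned long CollectedBytes(void) { return g_collected_bytes; }

/* Model of TakeBotGuid: the repne scasb loop is a string-length check; an empty
   GUID falls back to the literal "unknown", as the jnb branch in the listing does. */
void TakeBotGuid(const char *guid) {
    if (guid == NULL || strlen(guid) == 0)
        snprintf(g_bot_guid, sizeof g_bot_guid, "%s", "unknown");
    else
        snprintf(g_bot_guid, sizeof g_bot_guid, "%s", guid);
}
const char *GetBotGuid(void) { return g_bot_guid; }

/* Model of TakeGateToCollector: the plugin just stores the function pointer. */
void TakeGateToCollector(void *lpGateFunc) { g_gate = (GATETOCOLLECTOR)lpGateFunc; }

/* Model of the strstr/strtok dissection in Callback_OnBeforeLoadPage: strstr does a
   quick "is the key present at all" check, then strtok splits the body on "&" and
   every token starting with the key is handed to the gate. Returns tokens forwarded.
   The field name to look for (key) is a hypothetical parameter, not from the page. */
int Callback_OnBeforeLoadPage(const char *uri, const char *data, const char *key) {
    char buf[512];
    int forwarded = 0;
    (void)uri;                                   /* not inspected in this model */
    if (data == NULL || strstr(data, key) == NULL) return 0;
    snprintf(buf, sizeof buf, "%s", data);       /* strtok modifies its input */
    for (char *tok = strtok(buf, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        if (strncmp(tok, key, strlen(key)) == 0) {
            if (g_gate) g_gate((const unsigned char *)tok, (unsigned long)strlen(tok));
            forwarded++;
        }
    }
    return forwarded;
}
```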



This post illustrates how the SpyEye bot's data collection works, by analyzing a specific DLL sample.

We will be covering the analysis of other modules (some new ones) in upcoming posts.