Inside the SpyEye toolkit
Developing malware from scratch is a highly complex task that requires considerable skill and effort. In recent years, crimeware toolkits have taken the heavy lifting out of creating malware. Toolkits such as MPack, Neosploit and Zeus can be found for sale on underground hacking forums, lowering the skills barrier for would-be criminals. For a fee and with little effort, a buyer can generate their own malware for stealing credit card details, passwords and other sensitive information.
Toolkit developers quickly realised how much demand there was for such applications once they started making large profits from their creations, and so an underground crimeware industry was born. Developers released frequent upgrades that took advantage of newly disclosed operating system vulnerabilities, and offered support to the customers building malware with their kits.
SpyEye, which has been hitting the headlines of late, appeared on the black market in late 2009. It included a novel feature, ‘Kill Zeus’, which searched for the presence of the competing Zeus malware and optionally removed it, leaving SpyEye as the sole resident infection on the compromised machine.
Like most modern malware, SpyEye is concerned with collecting information that can be used for fraud. A computer infected with SpyEye is recruited into a botnet, which allows the attacker to control it through a central command-and-control server. Credential-capture functionality that activates when a targeted bank website is accessed is also installed.
SpyEye is a particularly aggressive and stealthy example of modern malware. It runs as a user-mode rootkit: rather than loading a kernel driver, it injects into running processes and hooks Windows API functions there, hiding its files, registry entries and network activity from the user and from tools that rely on those APIs.
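A user-mode rootkit of this kind works by overwriting the first bytes of API functions inside the processes it has injected into, so that every call is diverted through the rootkit's own code before (or instead of) reaching the real function. The check an incident responder runs is therefore to compare a function's prologue as mapped in memory with the same bytes from the module on disk, and, where they differ, decode the patch to find where it jumps. The following is an added example written for this article, not SpyEye code or any vendor's tool. The function address, prologue bytes and trampoline address are constructed, and the helpers that build the patched prologues exist only to produce test data.

```python
import struct

# Constructed example data for a 32-bit module; no real addresses or modules.
FUNC_ADDR = 0x7C801D7B
# mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10 (a typical hot-patchable prologue)
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec10")
TRAMPOLINE = 0x00401000   # where the hypothetical hook diverts execution to


def make_jmp_rel32(from_addr, to_addr):
    """Encode the 5-byte inline patch (E9 rel32) a user-mode rootkit writes
    over a prologue. rel32 is relative to the end of the JMP instruction."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + 5))


def make_push_ret(to_addr):
    """Encode the alternative 6-byte patch: push imm32; ret."""
    return b"\x68" + struct.pack("<I", to_addr) + b"\xc3"


def apply_patch(prologue, patch):
    """Overwrite the start of a prologue with a patch, as a hook installer does.
    Only used here to construct the 'in memory' view for the example."""
    return patch + prologue[len(patch):]


def check_hook(func_addr, disk_bytes, mem_bytes):
    """Compare a function prologue as mapped in memory with the copy on disk.

    Returns None when the two agree. Otherwise returns a dict with the
    function address, the patched bytes, and, for the two common patch shapes
    (JMP rel32 and PUSH imm32 / RET), the address the hook diverts to. Any
    other mismatch is still reported, with target set to None.
    """
    n = min(len(disk_bytes), len(mem_bytes))
    if n == 0 or disk_bytes[:n] == mem_bytes[:n]:
        return None
    info = {"addr": func_addr, "patched": mem_bytes[:n].hex(), "target": None}
    if len(mem_bytes) >= 5 and mem_bytes[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", mem_bytes, 1)[0]
        info["target"] = (func_addr + 5 + rel) & 0xFFFFFFFF
    elif len(mem_bytes) >= 6 and mem_bytes[0] == 0x68 and mem_bytes[5] == 0xC3:  # push imm32; ret
        info["target"] = struct.unpack_from("<I", mem_bytes, 1)[0]
    return info


# Constructed "memory" views of the same function after each style of hook.
JMP_HOOKED = apply_patch(CLEAN_PROLOGUE, make_jmp_rel32(FUNC_ADDR, TRAMPOLINE))
PUSH_RET_HOOKED = apply_patch(CLEAN_PROLOGUE, make_push_ret(TRAMPOLINE))

if __name__ == "__main__":
    for label, mem in (("clean", CLEAN_PROLOGUE), ("jmp", JMP_HOOKED), ("push/ret", PUSH_RET_HOOKED)):
        result = check_hook(FUNC_ADDR, CLEAN_PROLOGUE, mem)
        print(label, "no hook" if result is None else hex(result["target"]))
```

On a live system the "disk" side has to come from the PE file after applying relocations and import fixups, and the 64-bit patch shapes differ (for example a mov rax, imm64 followed by jmp rax), so a mismatch is a lead rather than a verdict: legitimate hot-patching by security products and by Windows itself produces the same kind of difference, and the target address is what tells a responder whether the jump lands in a known module or in an anonymous memory region.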
The SpyEye toolkit behind the malware is a framework of several components. A builder module is used to set various configuration options which determine the behaviour of the malware. Once configuration is complete, the builder will compile the required code and generate the malware file to be surreptitiously installed on a victim’s machine.
A control panel component is used by the botmaster for administrative tasks such as pushing updates to infected machines, viewing statistics such as the number of bots in the botnet and their geographic location, and browsing stolen data such as credit card numbers and PINs.
A “form grabber” is used to harvest login credentials and other information entered into forms on banking sites. Rather than collect every keystroke from the compromised machine, it only collects information submitted through HTML forms. Screenshots are also taken when the target bank site is loaded in the web browser, and this information is sent back to the botmaster’s control panel.
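The difference between a form grabber and a keylogger is a filtering rule: the grabber sits on the browser's request path, ignores everything that is not bound for a configured target host, and from those requests keeps only the named form fields, so the botmaster receives structured credentials rather than a stream of keystrokes. The following is an added example written for this article, not SpyEye's code, that emulates that rule over a handful of constructed browser requests. The target list, hostnames, field names and sample traffic are all made up for the example and do not correspond to any real bank or any real SpyEye configuration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Hypothetical per-site rules, standing in for the target list a builder
# compiles into the bot: host -> form field names worth stealing.
# Hostnames and field names are constructed for this example.
TARGETS = {
    "online.examplebank.test": {"username", "password", "pin"},
}


@dataclass
class Request:
    """One browser request as seen by a hook on the browser's send routine."""
    method: str
    url: str
    body: str = ""


def harvest(requests):
    """Walk a sequence of browser requests and return the events a form
    grabber would report:
      ("screenshot", host, {})      the first time a target site is loaded
      ("form", host, {field: value}) for each POST to a target host
    Traffic to any other host is dropped entirely, and unlisted fields in a
    target POST are dropped too; that selectivity is what separates a form
    grabber from a keylogger."""
    events = []
    seen_hosts = set()
    for req in requests:
        host = urlsplit(req.url).hostname or ""
        wanted = TARGETS.get(host)
        if wanted is None:
            continue
        if req.method == "GET" and host not in seen_hosts:
            seen_hosts.add(host)
            events.append(("screenshot", host, {}))
        elif req.method == "POST":
            fields = dict(parse_qsl(req.body, keep_blank_values=True))
            hit = {k: v for k, v in fields.items() if k in wanted}
            if hit:
                events.append(("form", host, hit))
    return events


# Constructed sample traffic: a web search, the bank login page, the login
# POST, and an unrelated forum post that a keylogger would have captured.
SAMPLE = [
    Request("GET", "https://search.example.test/?q=mortgage+rates"),
    Request("GET", "https://online.examplebank.test/login"),
    Request("POST", "https://online.examplebank.test/login",
            "username=alice&password=hunter2&remember=1"),
    Request("POST", "https://forum.example.test/post", "title=hi&body=hello"),
]

if __name__ == "__main__":
    for kind, host, data in harvest(SAMPLE):
        print(kind, host, data)
```

Because the hook sees the request body before TLS is applied, the "https" in the URL offers no protection; that is also why the defensive signal is not on the wire but in the browser process itself, in the form of unexpected code hooking its send routines.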
Finally, a database component is used to store stolen data.
In October, in an effort to combat the rising number of machines compromised by SpyEye, Microsoft updated its free Malicious Software Removal Tool, which scans Windows for specific, prevalent malware families, to detect and remove active SpyEye infections.