SPYEYE
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
SPYEYE is a malware family notorious for stealing user information related to banking and finance websites. SPYEYE variants may be downloaded unknowingly by users when visiting malicious sites or dropped by other malware. They may also arrive through spam.
SPYEYE has rootkit capabilities, which enable them to hide processes and files from users. SPYEYE steals information by logging user keystrokes. Variants also perform web injection—inserting additional HTML forms—to get additional information. Stolen login credentials are used to initiate unauthorized transactions like online fund transfers. The stolen information may also be sold in the underground market.
When executed, SPYEYE malware connect to various sites to send and receive information.
SPYEYE has been utilized in many information theft attacks since its discovery. In 2011, a cybercriminal in Russia used SPYEYE to steal more than US$3.2 million dollars from various organizations in the United States.
TECHNICAL DETAILS
Installation
This spyware drops the following copies of itself into the affected system:
- %Windows%\AvProtector.exe
- %Windows%\rundlll.exe
- %Windows%\scvhost.exe
- %Windows%\win32Runtime.exe
- %System Root%\trivax1.Bin\trivax1.Bin.exe
- %System Root%\usxxxxxxxx\usxxxxxxxx.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\trivax1.Bin
- %System Root%\usxxxxxxxx
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Recovery
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
win32Runtime = "%Windows%\win32Runtime.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewal = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\ DomainProfile
DoNotAllowExceptions = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV8 = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
ShownServiceDownBalloon = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Recovery
ClearBrowsingHistoryOnExit = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnPostRedirect = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnIntranet = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\0
1409 = "3"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1409 = "3"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
1409 = "3"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1409 = "3"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
1409 = "3"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"
(Note: The default value data of the said registry entry is 1.)
Other Details
This spyware connects to the following possibly malicious URL:
- http://{BLOCKED}e.net/banners/testing.exe
- http://{BLOCKED}ion-crew.biz/asdfg/gate.php
- http://{BLOCKED}x.com/user/gate.php
- http://{BLOCKED}giftstore.com/icard/gate.php
- http://{BLOCKED}stat.org/stats/gate.php
- http://{BLOCKED}bit.org/upload/gate.php
- http://{BLOCKED}4.{BLOCKED}5.228.147/~main/us1/gate.php
- http://{BLOCKED}8.{BLOCKED}9.96.95/us1/gate.php
- http://{BLOCKED}8.{BLOCKED}9.99.250/us1/gate.php
- http://{BLOCKED}checker007.ru/us10/gate.php