Hackers of India

Spying on SpyEye – What Lies Beneath?

By Aditya K Sood on 19 May 2011 @ Hitb Sec Conf

Abstract

SpyEye is web malware that has recently drawn much attention in the security field because of the nature and characteristics of the techniques it uses for infecting banking websites. As a Trojan, SpyEye resides on the victim machine and monitors the browsers to steal sensitive information from active financial and banking websites. The SpyEye Trojan captures the critical information and transfers it to a centralized server. Moreover, the sophisticated techniques used by SpyEye are designed to bypass the protection mechanisms deployed both at the network level and on the client side.

This talk sheds light on the inadvertent development and infection strategies of the SpyEye Exploitation Framework. Small snippets of information have appeared in the wild, but much more about this Trojan remains hidden. This talk presents the real chronology of the development of SpyEye, explaining its trade and tactics in detail. The main aim is to build a hierarchical understanding of the SpyEye exploitation framework in order to analyze the working behavior of the framework as a whole rather than of its individual components.

The talk will cover:

  1. Dissecting the Exploitation Framework of SpyEye

  2. Chronology of various versions of SpyEye

  3. Trades and Techniques used by SpyEye in order to spread infection
     a. Web Fakes
     b. SOCKS implementation and NAT bypassing
     c. Self Developed SDK for generating custom plugins
     d. Web Injects
        – Internet Explorer
        – Firefox

  4. Detailed Working of Ring 3 SpyEye bot explaining the rootkit functionality

  5. Detailed dissection of Builder Component and Bot Component

  6. Detailed working of Mutex Code

  7. Killing of Zeus by SpyEye in detail

  8. Designing patches for SpyEye builder