What we are going to talk about is not a brand new topic, but it's becoming more and more prevalent, here at Prevx research lab we are seeing a consistent number of infections caused by this. It is a new toolkit called SpyEye.
While this is not a kind of infection that subverts Windows kernel or modifies the master boot record of the hard drive, it's the perfect stereotype of current malware infections, designed to steal private data with low-impact infection techniques. Simple code, but at the same time effective, it is able to show how much of a gap there's yet between malware development and classic antivirus response.
SpyEye is the latest fad, the new toy in the malware underground, able to potentially become the next ZeuS trojan. It is cheaper than ZeuS, its code is effective and the toolkit allows any potential customer to set up both the C&C server and the trojan builds in a matter of minutes. It even wants to kill ZeuS trojan - yes, the trojan has a ZeuS-killer routine embedded.
When it reaches the machine and it's executed - which could be dropped by some exploit injected inside compromised websites or just social engineering attempts - it creates a new folder on the root drive called 'cleansweep.exe'', where it stores its executable code under the same executable name alongside another file called config.bin. The latter being the encrypted configuration file which contains address of the C&C servers.
Then, to be able to start at system startup, the trojan sets up the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run [cleansweep.exe][C:\cleansweep.exe\cleanwseep.exe].
After this it injects its code inside all the processes it could get access. In every infected process it hooks the following Windows APIs:
This allows the trojan to hide its folder and its registry key from the user's eyes and antivirus software, implementing user mode rootkit techniques.
Inside browser processes, the trojan hooks even the following APIs:
By doing so, it's able to steal all sensitive data going out through the browser session, even SSL encrypted web pages. Using this technique it is even able to conceptually bypass classic anti-keyloggers that encrypt keystrokes.
As soon as the collected data is ready, it's uploaded to the C&C server by using a plain HTTP session. Moreover, the infected PC can receive new commands from the C&C server.
The infection is not so hard to detect and remove, even if it makes use of basic rootkit approach. However the infection is spreading and it's very efficient in completing its job, it is now time that to focus more on this infection.
The fact that the classic antivirus approach is no longer effective should be now obvious. Trojans like ZeuS or SpyEye need a rapid approach, that only in-the-cloud and automated technology could provide.
Malware writers usually take only a few minutes to repack their malware code and bypass antivirus signatures. Then, after the antivirus has been bypassed, the malicious code is installed on the machine. By using rootkit techniques, it is able to evade from antivirus eyes - if they are not armored with an anti-rootkit scanner. Even if the antivirus receives a signature update able to detect the infection, it would not be able to see it on the machine. This is the first point.
Then there's a myth that needs to be debunked: Windows, if used with standard limited user privileges it's safe from malware.
This is wrong, we have talked about this previously on this blog, and SpyEye is the perfect answer. SpyEye is able to install itself and perfectly run from limited accounts. Yes, it could still steal sensitive data from the browser, even if run with limited privileges.
I hear a lot of people claiming they don't need a security software because they use a Windows limited account: they could be already a victim of SpyEye actually.
Last, but not least, we should need to focus on the security of transactions. An antivirus, even if using in-the-cloud technology, could fail. Yes, even Prevx could fail. Any software can't detect 100% of malware out there. This is why it's important to secure our cyber life by implementing more security layers. We should add protection to our browser while surfing, trying to block potential malware from stealing our data.
Prevx SafeOnline it's the answer, the one which could fill the gap. Even if we are in a limited account, we should know that a malware could infect our PC. We should know that our antivirus could fail in detecting the new threat. What can we do then? The way Prevx SafeOnline works, by protecting the browser from keyloggers, screen grabbers, man-in-the-browser attacks, can definitely help us in preventing new infections running on the system from stealing our sensitive data.
Prevx is able to detect and clean the infection. Customers running Prevx SafeOnline have been protected against SpyEye since the beginning, because SpyEye, even if running on the system, would not have been able to steal anything from the browser session.
Malware is evolving rapidly, adapting itself to limited accounts. As said in a previous blog post, damaging the system is not anymore the goal. Your private data is the keyword.
Even if you are working from a limited account, take care about your digital life, it's precious. We can do it for you.