Enter Spy Eye – The Rise of Another Botnet

Posted: 27th May 2010 by sharpe in Malware

Originally posted on opensc.ws on the 2nd of January 2010, the Spy Eye information thief appears to be a very promising info-stealer with a great deal of functionality, similar to that of the notorious ZBot. Spy Eye, which could originally be purchased for 500 USD, currently costs 1000 USD and offers functionality including the following:

  • Form-grabbing
  • Password stealing
  • API-hooking
  • PHP/MySQL control panel
  • Daily back-ups sent via e-mail
  • Multiple protocol grabbing
  • Hides itself in other processes
  • Creates invisible files/autorun keys
  • Operates in ring 3
  • Works on Windows 2000 -> 2007

What do you get for your money? You get a promising way to help earn you a quick buck. And with the proper choice of pay-per-install in place, your chances go up even more. Spy Eye is comprised of two main components: the builder, which builds the individual Spy Eye servers, and the drop-site/command-and-control server, which is the PHP/MySQL web application where harvested information is posted and bots are controlled.

The builder is a Win32 application, programmed in C++, which can be used to create server components. The builder provides the possibility for the user to specify settings, used by generated servers. Here is a list of the options:

  • Path to the main control panel
  • Alternative path to the main control panel
  • Path to the formgrabber control panel
  • Encryption key
  • Connector interval (in seconds)
  • UPX compression option
  • Kill Zeus option

The Spy Eye server, when executed on a system, injects itself into explorer.exe and creates a new section within the process with read, write, and execute permissions. Spy Eye then starts a thread at an LPTHREAD_START_ROUTINE entry point that resides within the injected section in explorer.exe’s memory space. This is done using the CreateRemoteThread() API. Shortly after, the Spy Eye server terminates its own execution by calling ExitProcess(). Spy Eye, now running from within explorer.exe, then begins writing files to disk, including the following:

  1. C:\cleansweep.exe\
  2. C:\cleansweep.exe\cleansweep.exe
  3. C:\cleansweep.exe\cleansweepupd.exe
  4. C:\cleansweep.exe\config.bin

The Spy Eye payload is executed every time the system boots, because the path to the payload (2) is added to the Run registry key. Configuration data is stored in encrypted form within the Spy Eye binary and is read using LoadResource(). This configuration data includes the information defined in the builder, as previously mentioned.
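A defender-side check for the artifacts just described, added here as an example and not part of the original post or the CSIS analysis: it scans an exported file listing and Run-key values for the C:\cleansweep.exe\ drop directory, its three files, and Run-key persistence pointing into it. The sample listing, the Run-key value name and the benign entries are constructed for the example; the paths and file names come from the post.

```python
# Indicators stated in the post: the drop directory (note that it is a
# directory named like an executable), the files written into it, and
# Run-key persistence pointing at the payload (item 2).
SPYEYE_DROP_DIR = r"C:\cleansweep.exe"
SPYEYE_FILES = {"cleansweep.exe", "cleansweepupd.exe", "config.bin"}
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}


def normalize_path(path):
    """Lower-case, strip surrounding quotes and a trailing backslash so
    'C:\\cleansweep.exe\\' and '"c:\\cleansweep.exe"' compare equal."""
    return path.strip().strip('"').rstrip("\\").lower()


def find_spyeye_indicators(file_listing, run_values):
    """file_listing: iterable of full paths (e.g. a 'dir /s /b' export).
    run_values: iterable of (key, value_name, data) from a Run-key export.
    Returns a list of human-readable findings (empty on a clean host)."""
    findings = []
    drop = normalize_path(SPYEYE_DROP_DIR)
    present = set()
    for path in file_listing:
        n = normalize_path(path)
        # Only entries *inside* the directory count; the directory entry
        # itself (n == drop) is reported via the files it contains.
        if n.startswith(drop + "\\"):
            present.add(n[len(drop) + 1:])
    for name in sorted(SPYEYE_FILES):
        if name in present:
            findings.append(f"drop file present: {SPYEYE_DROP_DIR}\\{name}")
    for key, value_name, data in run_values:
        if key.lower() in RUN_KEYS and normalize_path(data).startswith(drop + "\\"):
            findings.append(f"Run-key persistence: {key}\\{value_name} -> {data}")
    return findings


# Constructed sample evidence (not from a real host).
SAMPLE_FILES = [
    r"C:\cleansweep.exe",
    r"C:\cleansweep.exe\cleansweep.exe",
    r"C:\cleansweep.exe\cleansweepupd.exe",
    r"C:\cleansweep.exe\config.bin",
    r"C:\Windows\explorer.exe",
]
SAMPLE_RUN = [  # value name "cleansweep" is an assumption for the example
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "cleansweep",
     r'"C:\cleansweep.exe\cleansweep.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Vendor",
     r"C:\Program Files\Vendor\tray.exe"),
]
```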

While Spy Eye boasts of being able to kill Zeus, the current implementation of this functionality is limited to Zbot versions 1.4 and prior, as it appears only to monitor two Zbot mutexes, illustrated below:

<snip>
/* name: the mutex name being examined */
if (strstr((LPSTR)name, "__SYSTEM__") || strstr((LPSTR)name, "_AVIRA_")) {
    ...
}
</snip>

If you’re interested in viewing the entire source code, search the web for the following: C++ Zeus Killer [SOURCE].

Will this spark the beginning of yet another bot war? Let’s watch and see.

Based on the Insight-article entitled: Technical Analysis of the Spy Eye Trojan (CSIS).
