Windows 7 Forums

Windows 7: SpyEye steals your data. Even in a limited account.

23 Apr 2010   #1

Win 7 Ultimate 64-bit. SP1.
SpyEye steals your data. Even in a limited account.

What we are going to talk about is not a brand-new topic, but it is becoming more and more prevalent; here at Prevx research lab we are seeing a consistent number of infections caused by it. It is a new toolkit called SpyEye.

While this is not the kind of infection that subverts the Windows kernel or modifies the master boot record of the hard drive, it is the perfect stereotype of current malware infections, designed to steal private data with low-impact infection techniques. Simple code, but effective at the same time; it shows how much of a gap there still is between malware development and classic antivirus response.

SpyEye is the latest fad, the new toy in the malware underground, with the potential to become the next ZeuS trojan. It is cheaper than ZeuS, its code is effective, and the toolkit allows any potential customer to set up both the C&C server and the trojan builds in a matter of minutes. It even wants to kill the ZeuS trojan - yes, the trojan has a ZeuS-killer routine embedded.

When it reaches the machine and is executed - it could be dropped by an exploit injected into compromised websites or by a social-engineering attempt - it creates a new folder on the root drive called 'cleansweep.exe', where it stores its executable code under the same executable name alongside another file called config.bin. The latter is the encrypted configuration file, which contains the addresses of the C&C servers.

Then, to be able to start at system startup, the trojan sets up the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [cleansweep.exe][C:\cleansweep.exe\cleansweep.exe].

After this it injects its code into all the processes it can get access to. In every infected process it hooks the following Windows APIs:

This allows the trojan to hide its folder and its registry key from the user's eyes and from antivirus software, implementing user-mode rootkit techniques.

Inside browser processes, the trojan also hooks the following APIs:

By doing so, it is able to steal all sensitive data going out through the browser session, even from SSL-encrypted web pages. Using this technique it is even able, conceptually, to bypass classic anti-keyloggers that encrypt keystrokes.

As soon as the collected data is ready, it is uploaded to the C&C server over a plain HTTP session. Moreover, the infected PC can receive new commands from the C&C server.
Source: SpyEye steals your data. Even in a limited account

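The post above makes one point that matters for anyone checking a box for this: the user-mode hooks hide both the dropper folder and the Run value from every process the trojan has injected, so looking at the key with regedit on the running, infected system proves nothing. The check has to come from a context the malware never hooked: a clean boot, WinPE, or the user's NTUSER.DAT copied off the disk and loaded on an analysis machine. The script below is an added example, not Prevx's tooling and not code from the original post. It parses a `reg export` of the Run key taken that way and flags values showing the traits the post describes (an executable living in a root-drive folder that is itself named like an .exe, and a value name identical to the image file name). The .reg sample is constructed, the file names in it are made up, and the heuristics are assumptions derived from the post, not vetted detection rules.

```python
"""Triage an exported HKCU Run key for the SpyEye traits described in the post.

Added example, not Prevx's code.  Feed it a `reg export` taken from a context
the trojan has not hooked (clean boot, WinPE, or the user's NTUSER.DAT loaded on
an analysis machine); on the live infected box the hooks hide the value from
every injected process, regedit included.
"""
import re
from pathlib import PureWindowsPath

# Suffix match, so the parser works on HKEY_CURRENT_USER\...\Run and on a hive
# loaded elsewhere, e.g. HKEY_LOCAL_MACHINE\tmp\Software\...\Run.
RUN_SUBKEY = r"\Software\Microsoft\Windows\CurrentVersion\Run".lower()

# Constructed sample in REGEDIT 5.00 export syntax: inside a value a backslash
# is written as two backslashes and a double quote as backslash-quote.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cleansweep.exe"="C:\\cleansweep.exe\\cleansweep.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /silent"
'''

# "name"=data ; the name may itself contain escaped quotes or backslashes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping (backslash-backslash to backslash, backslash-quote to quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: command_line} for the string values under the Run key."""
    values, in_run = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower().endswith(RUN_SUBKEY)
            continue
        m = _VALUE_LINE.match(line) if in_run else None
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):  # REG_SZ only
            values[_unescape(name)] = _unescape(data[1:-1])
    return values


def image_path(command):
    """Executable part of a Run command line: the quoted token, or text up to .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


# Top-level folders where a legitimate autorun image normally lives (assumption).
SYSTEM_TOP_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def suspicious_reasons(name, command):
    """Heuristics taken from the post's description; assumptions, not vetted rules."""
    path = PureWindowsPath(image_path(command))
    parts = [p.lower() for p in path.parts]
    reasons = []
    # A directory named like an executable, as in C:\cleansweep.exe\cleansweep.exe.
    if any(p.endswith(".exe") for p in parts[1:-1]):
        reasons.append("directory named like an executable")
    # Image sits in a folder directly under the drive root, outside the usual trees.
    if len(parts) == 3 and parts[1] not in SYSTEM_TOP_DIRS:
        reasons.append("runs from a top-level folder on the drive root")
    # Value name identical to the image file name (weak on its own).
    if name.lower() == path.name.lower():
        reasons.append("value name equals image file name")
    return reasons


def triage(reg_text):
    """Map each flagged Run value name to the list of reasons it was flagged."""
    flagged = {}
    for name, command in parse_run_values(reg_text).items():
        reasons = suspicious_reasons(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

To produce the input from an offline profile, load the hive on the analysis box with `reg load HKLM\tmp <path>\NTUSER.DAT` and then run `reg export HKLM\tmp\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; `reg export` writes UTF-16, so read the file with `open("run.reg", encoding="utf-16")`. The key path in that export starts with HKEY_LOCAL_MACHINE\tmp rather than HKEY_CURRENT_USER, which is why the parser matches the key by suffix. Once a value is flagged, the post's other indicator, the config.bin next to the image in the same folder, is worth checking on the offline disk as well.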

24 Apr 2010   #2

W7-Enterprise + WS-2008 (Converted to Workstation)

Hi!

Very interesting, thanks.
That's one good reason to use Winpatrol...
It gives you a notification about the "startup file".
