23 Apr 2010 | #1
SpyEye steals your data. Even in a limited account.
What we are going to talk about is not a brand new topic, but it's becoming more and more prevalent; here at Prevx research lab we are seeing a consistent number of infections caused by it. It is a new toolkit called SpyEye.
While this is not the kind of infection that subverts the Windows kernel or modifies the master boot record of the hard drive, it's the perfect stereotype of current malware infections, designed to steal private data with low-impact infection techniques. Simple but effective code, it shows how much of a gap there still is between malware development and classic antivirus response.
SpyEye is the latest fad, the new toy in the malware underground, potentially able to become the next ZeuS trojan. It is cheaper than ZeuS, its code is effective, and the toolkit allows any potential customer to set up both the C&C server and the trojan builds in a matter of minutes. It even wants to kill the ZeuS trojan - yes, the trojan has a ZeuS-killer routine embedded.
When it reaches the machine and is executed - it can be dropped by an exploit injected into compromised websites or by plain social engineering - it creates a new folder on the root drive called 'cleansweep.exe', where it stores its executable code under the same executable name, alongside another file called config.bin. The latter is the encrypted configuration file, which contains the addresses of the C&C servers.
Then, to be able to start at system startup, the trojan sets up the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run [cleansweep.exe][C:\cleansweep.exe\cleanwseep.exe].
After this it injects its code into every process it can get access to. In each infected process it hooks the following Windows APIs:
This allows the trojan to hide its folder and its registry key from the user's eyes and from antivirus software, implementing user-mode rootkit techniques.
Inside browser processes, the trojan also hooks the following APIs:
By doing so, it's able to steal all sensitive data going out through the browser session, even from SSL-encrypted web pages. Using this technique it is, conceptually, even able to bypass classic anti-keyloggers that encrypt keystrokes.
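A hunting check for the persistence described in the post, as an added example that is not part of the original post or of Prevx's code: it parses the text produced by `reg export` of the HKCU Run key (or of a Run key taken from an offline copy of NTUSER.DAT) and flags entries with the shape the post describes: a value pointing at an executable that lives in a folder named like an executable, directly under the drive root, with folder and file sharing a name, or matching the cleansweep.exe name from the post. The sample export below is constructed; only the cleansweep.exe entry reflects the post, and the other entries are benign fillers chosen for illustration.

```python
"""Hunt for SpyEye-style Run-key persistence in a reg export.

Added example, not code from the original post or from Prevx. Input is the
REG-file text written by:
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
Runs offline on the constructed sample below.
"""
import re

# Constructed sample. The cleansweep.exe entry follows the folder/file layout
# the post describes (folder C:\cleansweep.exe holding cleansweep.exe); the
# OneDrive and Sidebar entries are made-up benign fillers.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"cleansweep.exe"="C:\\cleansweep.exe\\cleansweep.exe"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
'''

# One REG_SZ value line: "name"="data"  (reg export escapes \ and " in data)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Name taken from the post; extend with other IOCs as they become known.
KNOWN_IOC_NAMES = {"cleansweep.exe"}


def parse_run_key(text):
    """Return {value_name: command_line} for every REG_SZ value in the export."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        # Undo reg export escaping: \" -> "  then  \\ -> \
        data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
        entries[m.group("name")] = data
    return entries


def executable_path(command):
    """Pull the program path out of a Run value (quoted, or first token ending in .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def assess(name, command):
    """Return (path, findings) for one Run entry; findings is empty when benign."""
    path = executable_path(command)
    parts = [p for p in re.split(r'[\\/]', path) if p]
    findings = []
    if name.lower() in KNOWN_IOC_NAMES or (parts and parts[-1].lower() in KNOWN_IOC_NAMES):
        findings.append("matches SpyEye IOC name cleansweep.exe")
    # A directory component carrying an .exe extension (folder named like an executable)
    if any(p.lower().endswith(".exe") for p in parts[1:-1]):
        findings.append("directory in path is named like an executable")
    # Executable kept one folder below the drive root instead of Program Files / AppData
    if len(parts) == 3 and re.fullmatch(r'[A-Za-z]:', parts[0]):
        findings.append("runs from a folder directly under the drive root")
    # Folder and file sharing the same name
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        findings.append("folder and executable share a name")
    return path, findings


def hunt(text):
    """Return {value_name: (path, findings)} for suspicious Run entries only."""
    out = {}
    for name, command in parse_run_key(text).items():
        path, findings = assess(name, command)
        if findings:
            out[name] = (path, findings)
    return out


if __name__ == "__main__":
    for name, (path, findings) in hunt(SAMPLE_REG_EXPORT).items():
        print(f"[!] {name}: {path}")
        for f in findings:
            print("    -", f)
```

Take the export from a process the trojan has not injected, or from an offline copy of the user's hive: the post says the registry key and folder are hidden from enumeration in infected processes, so a live `reg query` run under an infected session may simply not show the value, while the offline hive still does. A value present offline but missing from the live view is itself worth investigating.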