Recently, a new tool has started to get some attention on IRC and a few forums. Called SpyEye, this new toolkit is looking to take over the botnet world, and even singles out the Zeus botnet in its design. Here is a breakdown of the tool itself, and a high-level explanation on how it would affect a normal Internet user.
[Note: This article is an added feature to the original news item located here.]
Tools of the trade:
Online, toolkits are a collection of code. However, as is the way of things on the Internet, even the most harmless of terms can be perverted. To a criminal, a toolkit can mean several things. More often than not, a toolkit will allow a criminal to compile Malware with a large set of features.
If you follow security news, terms like Malware, botnet, Crimeware, Zeus, and Trojan are probably familiar to you. If not, here is a brief overview. Malware and Crimeware are two names for essentially the same thing, malicious software that can be used for various tasks. A Trojan is a piece of Malware that can hijack a computer, completely taking it over, while allowing a remote operator the ability to capture data, send commands to make the compromised computer do something, or simply install more Malware on the system.
The compromised computer is often called a bot, depending on the Malware that has infected it. Simply put, a bot is a computer that a criminal can control at will. A botnet is a large collection of bots, often in the tens of thousands, sometimes more. It is possible for a single system to be a part of more than one botnet, but lately the criminals developing toolkits are taking out the competition by adding code that removes the competition. SpyEye is one such toolkit.
Toolkits are used to create Malware that targets any number of software vulnerabilities on a system. Toolkits also allow the criminal to distribute it via Spam. However, the distribution part of the process is unique to the toolkits alone. Criminals often use the computers infected by the Malware their toolkit created to do their dirty work. For example, botnets send most of the Spam online, and those junk messages contain links to malicious websites. The botnets and the majority of the Spam you see online were all created by a toolkit. Some toolkits will even design the site for the criminal.
Zeus and SpyEye:
Zeus is a botnet toolkit; the systems infected by the Malware it can create are all a part of the Zeus botnet (a.k.a zBot). Depending on the version of Zeus purchased by the criminal, the cost is about $400-700 USD. When it comes to toolkits, Zeus is the standard by which all others are built. Its advanced design allows for third-party integration with other Malware toolkits, such as those used to develop “news” sites where you need to download a video codec. Moreover, Zeus is currently tested and running on all versions of Windows, including Windows 7.
Zeus can capture FTP credentials, so if you stored a password in your FTP application, Zeus will steal them and ship them off to the criminal controlling your system. Like online banking? So does Zeus. So if you access one of the banks that is on its list, your login ID and password are captured. Zeus can also modify, in your browser, the genuine web pages from a bank’s web servers to ask for personal information, such as payment card number and PIN, one time passwords, etc.
SpyEye is like Zeus. The difference is that SpyEye is not as advanced yet, and based on chatter online (IRC and forums like OpenSC), it has a mixed set of reviews. There is interest, not just for the features within SpyEye, but also because it is so cheap. SpyEye offers a rounded package to criminals for only $500 USD. In addition, version 1.0.7 offers those who purchased it the ability to kill Zeus if it is discovered on a system. However, the costs are making some potential customers skeptical.
So far, SpyEye (coded in C++) is invisible, in the process listings, the registry and in files, it also works in Ring3 mode like Zeus does, but that is beyond the scope of this little article. We say so far, because as SpyEye gets more use, the developers will need to work to hide it. Eventually, SpyEye will be detectable like Zeus is, but even now some variants of Zeus remain hidden from many security measures.
SpyEye can capture data on forms within Internet Explorer and Firefox, but likewise if an application uses wininet.dll or nspr4.dll, it can capture data from it as well, thanks to a built-in keylogger. Windows Messenger, for example, uses wininet.dll, as does Netscape Navigator 9. It has been tested, and works on all versions of Windows, from Windows 2000 to Windows 7. The ability to capture stored FTP data is there as well, as is a POP3 grabber so email accounts can be compromised. As this is a toolkit, it comes with a builder so that the Trojan itself, which infects the system adding it to the botnet, can be created and distributed.
As of version 1.0.72, SpyEye has a detection rate of zero. However, Symantec claims to have a signature for the version they reported on. [SpyEye v1.0.72 test results]
How it impacts you:
The SpyEye toolkit, even Zeus, impacts you, the average Internet user, simply because it’s how botnet-related Malware is created and managed. Once infected, the criminals can do almost anything they want with your computer. As mentioned, bots send Spam, lots of it, but at the same time they can be used to attack things online. Denial-of-Service attacks, where a site gets so many connections it goes offline, use bots almost exclusively to pull off the attack.
Another way bots, and the toolkits that make them possible, impact you is bandwidth. As more and more systems are turned into bots and used to send Spam or attack other systems, you’ll notice your Internet connection might not run as fast. All of this Spam and junk traffic bog down the ISP’s networks, if they get bogged down, so will you. Not to mention, when the ISP’s spend money to deal with bots, they pass this expense on to you, the user.
Bots exist because there is a good deal of money to be made from them, like when all that stolen data is sold. Coders get paid to develop new processes and tools, especially when the code creates something that can remain undetected on a system. If security software can detect the bot’s code, then there is no infection. Managing a botnet is a numbers game. The more you have, the more you can make off of them.
After the code is paid, someone will sell the newly created bot kit. This toolkit can fetch hundreds of dollars, and there are added fees depending on what the toolkit is expected to do. There are also fees for installation and support. Botnets can be sold and rented, which can bring in a decent amount of money if there are lots of infected systems on the botnet.
Protecting your system and blocking the toolkits ultimate goal:
The best protection from the Malware created by these toolkits is a layered defense. Nothing is foolproof. Zeus is installed this very moment on systems running anti-Virus protection, yet additional scanning from Spybot Search & Destroy for example, will locate it. Another reason Zeus can exist on a system with anti-Virus is that the security software is out of date. The point being, use anti-Virus and keep it current. Adding additional scanning, such as Malwarebytes Anti Malware or Spybot Search & Destroy, is another layer of defense.
When it comes to infection itself, a third layer of protection lies in the operating system and installed software, meaning that Microsoft patches and updates from Adobe and Mozilla (Firefox) are a must. The toolkits sold to criminals are often able to package the botnet code into executables that will take advantage of vulnerabilities in out of date software. If your software is current, then the odds of you being infected are lessened tremendously.
However, anti-Virus, additional scanning software, and patches alone are not enough. You yourself will need to use caution. This is because some software flaws, also known as ZeroDay vulnerabilities, are unavoidable. They exist, and there isn’t a security system yet that can fully protect you from them. In this case, common sense is the only layer of protection you have, and it is highly effective.
Never trust links in email, especially if they want something from you or warn you of an urgent matter that needs your attention. No bank will email you and send you an attachment with your new account number or password. Likewise, no bank needs you to follow a link so that all of your security information can be reset. If there is a security change for online banking, you’re more likely to see it the next time you login, or get a letter in the mail.
Considering that Zeus can modify legit banking pages and add forms seeking additional information, be skeptical about any online banking process that asks you for several pieces of information. When in doubt, call the bank on the phone directly.
Another example of using common sense and defeating the Malware created by the toolkits, is to avoid operning random email attachments. Many toolkits share the same problem; they often need you to install something before they can infect your computer. The easiest way to do this is ask you to install the Malware on your own.
To do this, they tell you that an important UPS or DHL package is on its way to your house, or was not delivered because you were missing. Naturally, details are attached in a ZIP file to the email, and all you need to do is open it to be infected. This scam is played online as well. Most sites that offer a “shocking new video” require that you install a codec before you can play it. Once installed, your system is compromised.
As mentioned, nothing is foolproof. However, layered security is your best defense, and common sense plays the largest role in those protections. Stay safe!
The Tech Herald has 16 photos offered by the SpyEye author on our Flickr stream. You can view them here.