HackInTheBox - AMS 2011, Spying on SpyEye - What Lies Beneath?
1. Spying on SpyEye
What Lies Beneath?
HackInTheBox Security Conference
Amsterdam, 2011
Aditya K Sood and Richard J Enbody
SecNiche Security | Department of Computer Science and Engineering
Michigan State University
2. About Us
* Aditya K Sood
  - Founder, SecNiche Security
  - Independent Security Consultant, Researcher and Practitioner
  - Worked previously for Armorize, Coseinc and KPMG
  - Active speaker at security conferences
  - Written content - ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NES|CFS
  - LinkedIn: http://www.linkedin.com/in/adityaks
  - Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
  - PhD Candidate at Michigan State University
* Dr. Richard J Enbody
  - Associate Professor, CSE, Michigan State University
  - Since 1987, teaching computer architecture / computer security / mathematics
  - Website: http://www.cse.msu.edu/~enbody
  - Co-author of a CS1 Python book, The Practice of Computing using Python
  - Patents pending - Hardware Buffer Overflow Protection
3. Agenda
* Walkthrough of this talk
  - The SpyEye problem
    - SpyEye chronology and released versions
    - Bot wars - SpyEye vs. Zeus
  - SpyEye framework
    - Builder - understanding the design
    - Backend database collector
    - Admin panel / form grabber
  - SpyEye browser manipulation tactics
    - The paradigm of web fakes
    - Digging inside web injects (complete working)
  - SpyEye peripheral components
    - Complete dissection of plugins and related functionality
  - SpyEye - testing and hacking
    - Designing builder patches
    - Active detection and verification tests
  - Conclusion and discussion
4. The True Artifact
Bank robber Willie Sutton, asked why he robbed banks, famously answered:
"That's where the money is!"
6. SpyEye Chronology
Development is still not over. Recent analysis has shown SpyEye 1.2.99 in use,
and the latest build, 1.3.x, is in the wild.
7. Bot Collaboration - Is this True?
* A myth, presented as established truth. Fake activity!
  - No collaboration between Zeus and SpyEye has been verified at all
  - The latest version of SpyEye (1.3.xx) is out; discussed later on
* Why is it considered collaboration?
  - Ineffective analysis and sloppy research based on a small set of information
  - SpyEye and Zeus both use PHP, MySQL and relatively similar obfuscators
  - That does not mean the rivals are collaborating!
8. SpyEye / Zeus - Bot Wars
* Anatomy of a decreasing infection rate
  - SpyEye kills Zeus and vice versa
  - A game of controlling infected machines and making the botnet robust
  - An incessant way to prove power. Works well for analysts.
11. SpyEye Framework
* Builder / Bot Generator
  - Used to generate a bot based on the specific build settings defined in a configuration file
  - Entries in the configuration file specify paths to local and remote resources, which are used to include modules dynamically
  - The builder is protected by a combination of VMProtect and a hardware identifier (HWID). Bots are usually packed with UPX/ASPack
  - The configuration file is fetched from the remote server and is encrypted with a key fixed in the build; that key is what the design relies on to keep the file from being read or replaced in transit (encryption alone is not a strong integrity guarantee, but that is how it is built)
  - A connection interval property avoids delays while the configuration file is being transferred
12. SpyEye Framework
* Admin Panel / Form Grabber
  - Controls the structural dependencies and administrative operations of the SpyEye bot
  - Provides updates to the SpyEye builder for configuring and building an executable
  - Controls which plugins the SpyEye bot uses when infecting victim machines
  - The form grabber handles the form data captured on victim machines
13. SpyEye Builder - HWID Protection
* SpyEye Builder Protection
  - HWID - Hardware Identifier
    - One machine per license - one stable execution
  - VMProtect
    - Converts x86 code into pseudo-code instructions for a custom virtual machine
    - The binary carries the built-in VM that decrypts and interprets that pseudo-code
    - The pseudo-code instruction set is randomized, so each protected build has a different VM
    - Hard to analyze; requires a long time
    - Used together with HWID
* Good read - http://www.usenix.org/event/woot09/tech/full_papers/rolles.pdf
14. SpyEye Execution Difference
SpyEye versions < 1.0.8:  Builder (SpyEye) -> Dropper (build.exe) -> Bot (Cleansweep.exe)
SpyEye versions > 1.0.8:  Builder (SpyEye) -> Bot (Cleansweep.exe) - name varies
SpyEye no longer uses a dropper!
15. SpyEye Bot
* Bot Functionality
  - Ring 3 (user-mode) rootkit characteristics
  - DLL hooking and hijacking in userland
  - Injects into web browser processes
  - Hooks the HTTP communication interface
  - Infection = SpyEye {Bot + Plugins}
18. SpyEye Traffic Gates Paradigm
* Traffic Gates
  - Critical data (credit card numbers, billing information) is routed through gates
  - Entry points for all information stolen by the SpyEye bot
  - Completely automated; bot information is updated periodically in the database
  - Files: GATE.PHP / GATE_BILLING.PHP (work together with CONFIG.PHP)
20. SpyEye - Mutex
* Understanding the Mutex
  - Mutual exclusion
  - The SpyEye bot explicitly requires a mutex
  - It prevents concurrent use of the bot during administrative procedures
    - The mutex name can be specified in the builder component
  - A SpyEye bot not compiled with a unique mutex name does not work properly
    - The mutex is required to update the bot on the victim machine
    - The mutex is required to delete the bot from the victim machine
  - For analysts, the mutex name of a given build is a usable host indicator: it exists whenever that bot is running
21. SpyEye - Backend Collector
* Backend Collector
  - The storage database does not reside on the same C&C server
  - Raw data is compressed with LZO
  - Introduced after SpyEye 1.0.70
25. Web Browser Injects
* Web Browser Injects
  - A textbook layout of a Man-in-the-Browser (MITB) attack
  - Hooks the browser's communication channel
  - Operates on the victim machine, inside the active session with the website
  - The URL remains intact; nothing changes in the address bar
  - Pure hooking and DLL hijacking in wininet.dll (Internet Explorer) / nspr4.dll (Firefox)
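The slides describe the mechanics but not the inject format. The block below is an added example (not code from the talk or from SpyEye): a parser for the webinject configuration syntax SpyEye shares with Zeus (a set_url line with G/P flags, then data_before, data_inject and data_after sections, each closed by data_end), an applier that performs the same rewrite on the response body that the bot performs inside the hooked browser, and the defender-side check that follows from it: compare the form fields the server sent with the ones the browser rendered. The bank URL, the HTML and the config are constructed for the example, and anchor matching is literal here, which is a simplification.

```python
"""Added example, not code from the slides or from SpyEye: a parser for the
webinject configuration syntax (set_url / data_before / data_inject /
data_after blocks closed by data_end) that SpyEye shares with Zeus, and an
applier that performs the same body rewrite the bot does inside the hooked
browser process.  The bank URL, the HTML and the config are constructed."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Inject:
    url_pattern: str      # shell-style wildcard matched against the full URL
    flags: str            # G = apply on GET, P = apply on POST (other flags ignored here)
    before: str = ""      # text that must precede the insertion point
    inject: str = ""      # text written into the page
    after: str = ""       # text that must follow; content between before/after is replaced


def parse_webinjects(text: str) -> list[Inject]:
    """Parse set_url blocks; each data_* section runs until its data_end."""
    injects: list[Inject] = []
    current: Inject | None = None
    section: str | None = None
    buf: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url "):
            _, pattern, *rest = stripped.split(None, 2)
            current = Inject(url_pattern=pattern, flags=rest[0] if rest else "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped, []
        elif stripped == "data_end" and current is not None and section is not None:
            setattr(current, section[len("data_"):], "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def apply_injects(url: str, method: str, body: str,
                  injects: list[Inject]) -> tuple[str, list[str]]:
    """Rewrite body as the bot would; returns (new_body, url patterns that fired)."""
    fired: list[str] = []
    for inj in injects:
        if not fnmatch.fnmatchcase(url, inj.url_pattern):
            continue
        if (method == "GET" and "G" not in inj.flags) or \
           (method == "POST" and "P" not in inj.flags):
            continue
        start = body.find(inj.before) if inj.before else -1
        if inj.before and start < 0:
            continue                      # anchor missing: the bank changed its page
        start = start + len(inj.before) if inj.before else 0
        if inj.after:
            end = body.find(inj.after, start)
            if end < 0:
                continue
        else:
            end = start                   # no closing anchor: pure insertion
        body = body[:start] + inj.inject + body[end:]
        fired.append(inj.url_pattern)
    return body, fired


def injected_fields(served: str, rendered: str) -> set[str]:
    """Defender-side check: input names the browser rendered that the server never
    sent.  Any difference is the signature of a MITB inject."""
    def names(html: str) -> set[str]:
        return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))
    return names(rendered) - names(served)


# Constructed data: a bank login form and a config that adds a PIN field to it.
CONSTRUCTED_CONFIG = """\
set_url https://www.bank.example/login* GP
data_before
<input type="password" name="password" />
data_end
data_inject
<label>ATM PIN</label><input type="text" name="atmpin" />
data_end
data_after
data_end
"""

SERVED_PAGE = """<form method="post" action="/login">
<input type="text" name="userid" />
<input type="password" name="password" />
<input type="submit" value="Sign in" />
</form>"""
```

Running `apply_injects("https://www.bank.example/login?lang=en", "GET", SERVED_PAGE, parse_webinjects(CONSTRUCTED_CONFIG))` yields the page with the extra ATM PIN field placed directly after the password input, and `injected_fields` on the served and rewritten pages returns `{"atmpin"}`. A request to another host leaves the body untouched, which is the point of the set_url filter: the inject fires only on the targeted bank, and only in the browser, so the server-side page and the URL never change.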
27. SpyEye Web Fakes
* What are Web Fakes?
  - Fake web pages shown under the real domain name (the address bar is manipulated)
  - Bots communicate with plugins to generate web fakes
  - Example: bankofamerica.com
30. SpyEye - Bot Development Kit
* SpyEye SDK
  - Efficient and modular
  - Used for developing bots; better called a bot development kit
  - All bot communication with the command and control server is done through these proprietary functions
  - Treats the bot from a software design perspective
  - Hilarious and devastating at the same time
31. SpyEye (1.3.x) Plugins
* SpyEye Plugins
  - Credit Card Grabber - ccgrabber.dll
  - Distributed Denial of Service - ddos.dll
  - Firefox Certificate Grabber - ffcertgrabber.dll
  - SOCKS 5 Proxy - socks5.dll
  - FTP Back-connect - ftpbc.dll
  - Bug Reporting - bugreport.dll
  - Custom Connector - customconnector.dll
* A separate configuration file is used for each plugin
33. SpyEye Plugin Analyzer
* Built-in Plugin Analyzer
  - Keeps track of the state of installed plugins
  - Developed to manage plugins with play and stop switches (updates)
  - Plugin activity on any bot can be stopped at any time
  - Gives the botmaster more effective control over the plugin infection rate
34. FTP Back Connect
* FTP Back Connect
  - Used to enumerate the file system of infected machines; the bots themselves run the FTP server and connect back out
  - Used to bypass NAT (for bots installed on machines that do not have dedicated IPs)
  - Default port - 3001
35. SOCKS 5 Back Connect
* SOCKS 5 Proxy
  - Attacking systems inside NAT, bypassing firewalls
  - Default port - 3000
  - Effective for routing browser communication (TCP connections are encapsulated in SOCKS)
  - Session-layer control (Layer 5 of the OSI model; the TCP/IP model has no separate session layer)
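What "encapsulating TCP in SOCKS" looks like on the wire is worth seeing once, because it is what a sensor on the back-connect channel has to recognise. The following is an added example, not SpyEye code or the authors' code: an encoder and parser for the SOCKS5 method negotiation and CONNECT request/reply as laid out in RFC 1928. Once the bot has connected back to the controller, the controller speaks this to the bot exactly as a client speaks to any SOCKS5 server, and the bot opens the real connection from inside the victim's network. The target host and ports are constructed.

```python
"""Added example, not SpyEye or the authors' code: the SOCKS5 (RFC 1928) method
negotiation and CONNECT request/reply, i.e. the bytes that cross the bot's
socks5 back-connect channel when the botmaster tunnels a TCP connection
through the victim.  Target host and ports below are constructed."""
from __future__ import annotations

import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00
METHOD_NO_AUTH = 0x00


def _encode_addr(host: str) -> bytes:
    """ATYP + address: raw IPv4/IPv6 bytes, or a length-prefixed domain name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if not 1 <= len(raw) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def _decode_addr(buf: bytes, pos: int) -> tuple[str, int]:
    """Inverse of _encode_addr; returns (host, position after the address)."""
    atyp = buf[pos]
    pos += 1
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(buf[pos:pos + 4])), pos + 4
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(buf[pos:pos + 16])), pos + 16
    if atyp == ATYP_DOMAIN:
        if pos >= len(buf):
            raise ValueError("truncated domain length")
        n = buf[pos]
        pos += 1
        if len(buf) < pos + n:
            raise ValueError("truncated domain name")
        return buf[pos:pos + n].decode("idna"), pos + n
    raise ValueError(f"unknown ATYP {atyp:#x}")


def build_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client hello: VER, NMETHODS, METHODS.  A bot-side proxy typically offers no auth."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT (port is big-endian)."""
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def build_reply(rep: int, bind_host: str, bind_port: int) -> bytes:
    """Server reply: same layout, with REP in place of CMD and the bound address."""
    return bytes([SOCKS_VERSION, rep, 0x00]) + _encode_addr(bind_host) + struct.pack("!H", bind_port)


def parse_request(buf: bytes) -> dict:
    """Parse a request or reply as a proxy (or a sensor on the channel) sees it.
    Returns {'code', 'host', 'port', 'consumed'}; raises ValueError on malformed input.
    Bytes after 'consumed' are the tunnelled payload, not part of the SOCKS header."""
    if len(buf) < 4:
        raise ValueError("too short")
    if buf[0] != SOCKS_VERSION:
        raise ValueError(f"not SOCKS5 (version byte {buf[0]:#x})")
    if buf[2] != 0x00:
        raise ValueError("RSV must be zero")
    host, pos = _decode_addr(buf, 3)
    if len(buf) < pos + 2:
        raise ValueError("truncated port")
    (port,) = struct.unpack("!H", buf[pos:pos + 2])
    return {"code": buf[1], "host": host, "port": port, "consumed": pos + 2}
```

`build_connect("bank.example", 443)` produces `05 01 00 03 0c 'bank.example' 01 bb`: version, CONNECT, reserved, domain-name type, 12-byte name, port 443. Seen from the network, a host that accepts an inbound connection on the configured port and then receives a version byte of 0x05 followed by a method list is offering exactly this service; the fact that the victim initiated the TCP session (the "back connect") is what gets it through NAT and outbound-only firewall policy.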
37. FF Certificates Grabber
* Firefox Certificates Grabber
  - The SpyEye plugin (ffcertgrabber.dll) communicates with the gateway over HTTP POST
  - The bot sends certificate information as POST parameters to savecert.php on the C&C server, which opens the database and stores it
  - Uses JSON, autocomplete and AJAX calls for its data operations
38. Credit Cards Grabber
* Credit Card Grabber
  - The SpyEye plugin (ccgrabber.dll) is used to steal credit card information
  - The bot sends credit card information as POST parameters; it is stored at the backend
  - A well developed and designed Credit Card Stealer (CCS) plugin
39. Virus Detector and Tester
* Virus Tester
  - SpyEye uses a built-in virus test module to verify the detection rate of the bot
  - Uses AJAX calls to perform this task (Check Bot + Virus Test)
  - After the test, different encoding schemes can be applied to make the bot harder to detect
  - Quite impressive from a design point of view
40. Screen Shots Stealer
* Screenshots Stealer
  - Stores captured screenshots in PNG format
  - Uses frm_scr.php, frm_scr_sub.php and showimg.php to manage screenshots (main panel)
  - Bots (with the installed keylogger) actively capture screenshots as a scheduled activity based on timestamps
41. Reverse Attacking - DDoS
* SpyEye Tracker
  - abuse.ch released a monitoring framework for SpyEye
  - Used in conjunction with the Google Maps API, with its own tracking logic
  - Question: is SpyEye reacting to it?
  - Yes, it is. SpyEye 1.3.x versions use the DDoS plugin to turn the bots against it
  - https://spyeyetracker.abuse.ch is becoming an active target
  - The plugin configuration file DDoS.dll.cfg specifies the hosts to attack
  - Not that robust, but it still works and still impacts the target
42. SpyEye (Bot) - Dynamic Verification
Active Detection and Results
43. SpyEye (Bot) Detection - Check
* Experiment
  - A VMware guest is infected with a SpyEye bot built with a rogue (non-existent) gateway address
  - The client machine is infected and the bot tries to connect back to the gateway (no gateway is set up)
  - The SpyEye bot uses port number 1181
  - The port changes, incrementing with each attempt
  - Points to the infection in the explorer.exe process
  - Triggers as soon as the VMware guest is connected to the internet
* Sysinternals RootkitRevealer
  - No active detection of the bot
  - No warnings about modifications
  - No promising results about the infection
44. SpyEye (Bot) Detection - Check
* Sophos Anti-Rootkit
  - No modifications detected in modules
  - Simply aims at verifying the file hierarchy
  - Is their definition of a rootkit different?
* Trend Micro RootkitBuster
  - Detects no hidden processes, drivers, services or file modifications related to the bot
  - Raised a notification about kernel patching (questionable)
  - May be productive, depending on the requirement
* IceSword anti-rootkit
  - No analysis
  - Information only
45. SpyEye (Bot) Detection - Check
* Invisible Things Lab's System Virginity Verifier
  - Detects modifications in dynamic link libraries
  - Raises a high-level alert (DEEPRED)
  - Gives much better insight into the state of the infected machine (information)
46. SpyEye (Bot) Detection - Check
* System Virginity Verifier
  - Points to the infected modules
  - Effective for understanding low-level hooking
* HKCU Run Registry
  - Must be analyzed
  - Informative
  - Definitely provides some information about the malware
47. Patching SpyEye Builder - Prototype
* Opening a Process Handle
  - Adjusting token privileges
  - Taking a process snapshot
* Patching the Required Offsets
48. Patching SpyEye Builder - Prototype
* Writing the Process Memory
  - Writing the required bytes at the chosen offsets in the active process's memory
  - The patch should be placed in the same directory as the builder
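The step the two slides above leave implicit is the check before the write: a patch list is only valid for the build it was made for, and blindly writing offsets into a VMProtect-wrapped builder of a different version corrupts it. The block below is an added example, not the authors' prototype: a verify-then-write applier where each patch carries the bytes the unpatched target must contain, and nothing is written unless all of them match. The slides do this against the live process (open a handle, adjust privileges, snapshot, WriteProcessMemory); this version works on a bytes image so it runs anywhere, and the image, offsets and opcodes are constructed, not SpyEye's real offsets.

```python
"""Added example, not the authors' patching prototype: a verify-then-write
patch applier.  Each Patch carries the bytes the unpatched build must have at
its offset; nothing is written unless every expected byte matches, so a patch
list made for one build cannot silently corrupt another.  The slides do this
against the live builder (process handle, token adjustment, WriteProcessMemory);
this version works on a bytes image so it runs anywhere.  The image, offsets
and opcodes below are constructed, not SpyEye's real offsets."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    offset: int
    expected: bytes      # what the target must contain at offset before patching
    replacement: bytes   # same length as expected; in-place overwrite only
    note: str = ""


class PatchError(Exception):
    pass


def verify(image: bytes, patches: list[Patch]) -> list[str]:
    """Return a list of problems; an empty list means the patch set is safe to apply."""
    problems: list[str] = []
    spans: list[tuple[int, int]] = []
    for p in patches:
        if len(p.expected) != len(p.replacement):
            problems.append(f"{p.offset:#x}: expected/replacement length differ")
        if p.offset < 0 or p.offset + len(p.expected) > len(image):
            problems.append(f"{p.offset:#x}: outside image")
            continue
        actual = image[p.offset:p.offset + len(p.expected)]
        if actual != p.expected:
            problems.append(f"{p.offset:#x}: found {actual.hex()} expected {p.expected.hex()}")
        spans.append((p.offset, p.offset + len(p.expected)))
    spans.sort()
    for (a0, a1), (b0, _) in zip(spans, spans[1:]):
        if b0 < a1:
            problems.append(f"{a0:#x}/{b0:#x}: overlapping patches")
    return problems


def apply_patches(image: bytes, patches: list[Patch]) -> bytes:
    """All-or-nothing: raise PatchError listing every problem rather than write a partial patch."""
    problems = verify(image, patches)
    if problems:
        raise PatchError("; ".join(problems))
    buf = bytearray(image)
    for p in patches:
        buf[p.offset:p.offset + len(p.replacement)] = p.replacement
    return bytes(buf)


# Constructed image: a fake x86 fragment where offset 0x06 holds a short
# conditional jump (0x74 = JE rel8).  The classic "skip the check" patch turns
# it into an unconditional short jump (0xEB = JMP rel8).  Whether SpyEye's
# HWID check looks like this is not something the slides say.
CONSTRUCTED_IMAGE = bytes.fromhex("5589e5 83ec10 7404 31c0 c9c3 b801000000 c9c3")
CONSTRUCTED_PATCHES = [Patch(0x06, b"\x74", b"\xeb", "JE -> JMP: take the jump unconditionally")]
```

Applied to `CONSTRUCTED_IMAGE`, the result differs in exactly one byte; applied to an image that has 0x75 (JNE) at that offset instead, `apply_patches` raises `PatchError("0x6: found 75 expected 74")` and writes nothing. For the live-process variant the slides describe, the same `verify` step would run on a `ReadProcessMemory` copy of the region before `WriteProcessMemory` is called, with the offsets translated to the module's load address.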
49. Precautionary & Analytical Steps
* Deterministic Points
  - Always be careful when picking SpyEye samples (forums / networks)
    - "Sample sharing" is also a method of distributing the bot
    - The bots in these samples are usually pre-configured
    - Once such a sample is installed for analysis, the builder's detection tool gives wrong information about the presence of the bot in the system. CRITICAL.
  - SpyEye bots usually create a hidden directory
    - Possibly in the root path
    - Always analyze the C: directory
    - A number of tools from anti-virus companies fail. Try manually.
  - Run-time registry detection
    - Always map the entry in the HKCU "Run" key to the program it launches
  - Determine the network activity from the infected machine carefully
    - The SpyEye bot uses a port-incremental approach in establishing connections
    - Monitor your network traffic continuously
  - Never forget to walk through the browser configuration entries
    - The SpyEye bot manipulates browser functionality
    - Verify the registry entries and configuration of the running browser
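The experiment on slide 43 and the network advice above describe one observable pattern: an injected explorer.exe retrying a single remote host with the port climbing by one each time, and no answer because the gateway does not exist. The block below is an added example, not the authors' tooling: detection logic for that pattern run over constructed connection records. It treats the climbing port as the remote port (an assumption; the slides do not say which side) and scores the process identity and connection state as well, because a climbing port on its own is weak evidence: Windows of that era hands out ephemeral source ports sequentially from 1025, so sequential ports are normal for any client. The record format is constructed for the example and should be adapted to whatever your sensor emits.

```python
"""Added example, not the authors' tooling: detection logic for the beaconing
pattern the experiment describes, run over constructed connection records.
Input format (constructed for the example; adapt to whatever your sensor
emits): 'timestamp process pid remote_ip remote_port state', one per line."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Processes that have no business opening their own outbound sessions to
# arbitrary hosts.  The slides point at explorer.exe as the injected process.
SHELL_PROCESSES = {"explorer.exe"}


@dataclass(frozen=True)
class Conn:
    ts: str
    process: str
    pid: int
    remote_ip: str
    remote_port: int
    state: str


def parse_connections(text: str) -> list[Conn]:
    """Parse the constructed record format; '#' lines and blanks are skipped."""
    conns: list[Conn] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proc, pid, ip, port, state = line.split()
        conns.append(Conn(ts, proc, int(pid), ip, int(port), state))
    return conns


def is_incremental(ports: list[int], step: int = 1) -> bool:
    """True when the ports (in time order) go up by exactly step on every attempt."""
    return len(ports) >= 2 and all(b - a == step for a, b in zip(ports, ports[1:]))


def find_beacons(conns: list[Conn], min_attempts: int = 3, step: int = 1) -> list[dict]:
    """Flag a (process, pid, remote host) that keeps reconnecting with the port climbing by step.
    'shell_process' and 'unanswered' are the extra signals that separate a bot's
    failed beacon from an ordinary client walking through its ephemeral ports."""
    by_key: dict[tuple[str, int, str], list[Conn]] = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):          # ISO timestamps sort as text
        by_key[(c.process, c.pid, c.remote_ip)].append(c)
    findings: list[dict] = []
    for (proc, pid, ip), group in by_key.items():
        ports = [c.remote_port for c in group]
        if len(group) >= min_attempts and is_incremental(ports, step):
            findings.append({
                "process": proc, "pid": pid, "remote_ip": ip,
                "ports": ports, "attempts": len(group),
                "shell_process": proc.lower() in SHELL_PROCESSES,
                "unanswered": all(c.state == "SYN_SENT" for c in group),
            })
    return findings


# Constructed records: an injected explorer.exe beaconing to a dead gateway,
# mixed with ordinary browser and DNS activity.
CONSTRUCTED_LOG = """\
# ts                   process       pid   remote_ip      port  state
2011-05-19T10:00:01  explorer.exe  1320  203.0.113.7    1181  SYN_SENT
2011-05-19T10:00:05  iexplore.exe  2200  198.51.100.20    80  ESTABLISHED
2011-05-19T10:00:07  iexplore.exe  2200  198.51.100.20   443  ESTABLISHED
2011-05-19T10:00:31  explorer.exe  1320  203.0.113.7    1182  SYN_SENT
2011-05-19T10:00:40  svchost.exe   1020  198.51.100.5     53  ESTABLISHED
2011-05-19T10:01:01  explorer.exe  1320  203.0.113.7    1183  SYN_SENT
2011-05-19T10:01:31  explorer.exe  1320  203.0.113.7    1184  SYN_SENT
"""
```

`find_beacons(parse_connections(CONSTRUCTED_LOG))` returns a single finding: explorer.exe, PID 1320, remote 203.0.113.7, ports 1181 through 1184, all unanswered. The browser's two connections are not flagged (two attempts, ports 80 and 443). When triaging a hit, the slides' other indicators are the natural follow-ups: the HKCU Run entry that launches the bot, the hidden directory near the root of C:, and the hooked modules that System Virginity Verifier reports.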
50. Released and Future Work
* Botnet Resistant Coding Concept
  - Check out our paper in the latest edition of the HITB Ezine
  - http://magazine.hackinthebox.org
* Malware at Stake Blog
  - Continuous research on the latest happenings
  - http://secniche.blogspot.com
* Protecting Websites from Web Injects
  - Developing solutions to prevent bank websites from being manipulated by bots' web injects
  - Work and research are under way