
Find and Remove SpyEye Banking Trojan

by Shanmuga

The SpyEye banking trojan first appeared about a year ago as a competitor to Zeus/Zbot, until then known as the king of all bots. Security researchers believe that the two bots have now joined forces to prey upon online banking users worldwide.

Similar to Zbot, the SpyEye trojan is created with a specialized builder or kit. The kit contains tools to customize, create and control individual bots and botnets.

The SpyEye trojan requires a C&C (command and control) server to which the bots (individual machines infected by the SpyEye trojan) connect to receive instructions from the botnet owner. The group that runs the Zeus Tracker also has a project called SpyEye Tracker for tracking and monitoring SpyEye command and control servers. At the time of this writing the tracker's statistics are as follows:

  • SpyEye C&C servers tracked: 230
  • SpyEye C&C servers online: 61
  • SpyEye C&C server with files online: 25
  • Average SpyEye binary Antivirus detection: 29.72%

What is the danger of SpyEye trojan?

[Image: SpyEye Builder kit, used by criminals to customize and control the trojan bot.]

Similar to the Zeus/Zbot trojan, SpyEye specializes in stealing valuable personal information from the victim's computer. Some of the data it can be configured to steal:

  • Online banking login username and passwords
  • Credit card numbers, names and PIN numbers
  • Social Security numbers
  • FTP account names and passwords
  • Complete identity profiles from your browser's form auto-fill function

All of this data can be stolen even if you communicate with sensitive web sites over SSL (HTTPS) encrypted connections.

How does a computer get infected with SpyEye trojan

This trojan does not install itself; it has to be run on the victim's machine, which is achieved in several ways. The popular ones seem to be exploited web sites and downloads pushed by email spam. For example, the victim may download an illegal file such as warez or crack files, or something that claims to be a free screensaver. Beware: this trojan can hitchhike with one of those programs and silently install itself in the background on an unprotected computer.

Symptoms/Indications of SpyEye infection

The victim will see no visual indication of its installation. The only sign that SpyEye is on your system may be an antivirus product alerting you to its presence.

The SpyEye trojan dropper is detected as Win-Trojan/Spyeyes, Trojan.Siggen, TSPY_SPYEYE and BScope.Trojan-Dropper by different antivirus vendors.

The SpyEye trojan sits silently in the background until the victim visits a sensitive website such as his bank's site. It then captures valuable data using a keylogger. The trojan can be customized by its master to automatically steal and transfer money using the captured data, or to use the data in other ways.

SpyEye Associated Files and Folders

It is difficult to identify its files and registry keys manually, because it hides them from the regular Windows Explorer, Task Manager and Registry Editor using rootkit techniques.

[Image: SpyEye bot builder option for customizing the executable name.]

The name of the executable file can be customized to anything by the criminals. The default entry, cleansweep.exe, is the most commonly seen name. Typically, the SpyEye trojan installs itself and its encrypted configuration file, config.bin, in a folder at the root of C: that carries the same name as the executable, for example:

  • C:\cleansweep.exe\cleansweep.exe
  • C:\cleansweep.exe\config.bin

According to Microsoft, some of the file names seen are:

  • cleansweep.exe
  • windowseep.exe
  • systemhost.exe
  • mssetupers.exe
  • msixxxxxxx.exe
  • systemrxxt.exe
  • malacuxatx.exe
  • windowsxxx.exe
  • portwexexe.exe
  • bofabotxxx.exe
  • cxlacuxatx.exe
  • googlemaps.exe
  • windowsdvd.exe
  • ciaxxxxxxx.exe
  • onweretetr.exe
  • moneyxmexx.exe
  • wlcwlcwlcw.exe
  • shitspykid.exe
  • rundllxxxx.exe
  • jdsfjsdijf.exe
  • usxxxxxxxx.exe
  • inetserver.exe
  • intelcored.exe
  • bbbxxxxxxx.exe
  • defenderxx.exe
  • bootstartx.exe
  • mdnsrespon.exe
  • winstackxx.exe

SpyEye Associated Registry Values and Keys

A hidden registry key is created so that the malware runs at every system restart:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cleansweep.exe=C:\cleansweep.exe\cleansweep.exe

It tampers with the system's internet settings by modifying these keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet=0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1406
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 1406
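As an added example (not part of the original article and not any vendor's tooling), the following Python script audits an offline `reg export` file for the two indicator families described above: Run entries that point at the `C:\<name>.exe\<name>.exe` layout or at one of the file names on Microsoft's list, and Internet Settings values forced to 0. Auditing an export rather than the live registry sidesteps the rootkit hiding mentioned earlier only partially (the export is still produced by the same API), but it lets the check run from a forensic copy or another machine. The function names are my own and the registry export embedded at the bottom is constructed.

```python
"""Offline audit of a 'reg export' (Regedit 5.00) file for the SpyEye
persistence and Internet Settings indicators listed in the article.
Added example, not the article's own tooling; SAMPLE_EXPORT is constructed."""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Executable names reported by Microsoft (as listed in the article), matched literally.
KNOWN_NAMES = {
    "cleansweep.exe", "windowseep.exe", "systemhost.exe", "mssetupers.exe",
    "msixxxxxxx.exe", "systemrxxt.exe", "malacuxatx.exe", "windowsxxx.exe",
    "portwexexe.exe", "bofabotxxx.exe", "cxlacuxatx.exe", "googlemaps.exe",
    "windowsdvd.exe", "ciaxxxxxxx.exe", "onweretetr.exe", "moneyxmexx.exe",
    "wlcwlcwlcw.exe", "shitspykid.exe", "rundllxxxx.exe", "jdsfjsdijf.exe",
    "usxxxxxxxx.exe", "inetserver.exe", "intelcored.exe", "bbbxxxxxxx.exe",
    "defenderxx.exe", "bootstartx.exe", "mdnsrespon.exe", "winstackxx.exe",
}

# Internet Settings values the bot sets to 0 (each 0 disables a browser warning or HTTP/1.1).
TAMPERED_INET_VALUES = ("EnableHttp1_1", "ProxyHttp1.1", "WarnonBadCertRecving",
                        "WarnOnPostRedirect", "WarnOnIntranet")


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}}.
    String data is unescaped, dword data becomes int, other types stay raw."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)          # join wrapped hex: lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")          # "[-key]" marks a deletion
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", data[1:-1])   # "\\" -> "\", "\"" -> "\""
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def executable_of(command):
    """Return the program path from a Run command line: "quoted path" args, or path args."""
    m = re.match(r'^"([^"]+)"|^(\S+)', command.strip())
    return (m.group(1) or m.group(2)) if m else command


def check_run_entries(run_values):
    """Flag Run entries matching the article's file layout or name list."""
    findings = []
    for value_name, command in run_values.items():
        if not isinstance(command, str):
            continue
        exe = PureWindowsPath(executable_of(command))
        reasons = []
        # C:\<name>.exe\<name>.exe: a folder directly under the drive root with the
        # same name as the executable inside it.
        if (exe.anchor and exe.parent.name.lower() == exe.name.lower()
                and exe.parent.parent == PureWindowsPath(exe.anchor)):
            reasons.append("self-named folder at drive root")
        if exe.name.lower() in KNOWN_NAMES:
            reasons.append("file name on Microsoft's SpyEye list")
        if reasons:
            findings.append((f"{RUN_KEY}\\{value_name}", command, "; ".join(reasons)))
    return findings


def check_internet_settings(inet_values):
    """Flag the warning/feature switches the bot forces to 0."""
    findings = []
    for wanted in TAMPERED_INET_VALUES:
        for name, value in inet_values.items():
            if name.lower() == wanted.lower() and value == 0:
                findings.append((f"{INET_KEY}\\{name}", value, "browser safeguard disabled"))
    return findings


def audit_reg_export(text):
    """Run both checks over an export; returns a list of (location, data, reason)."""
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    return (check_run_entries(keys.get(RUN_KEY.lower(), {}))
            + check_internet_settings(keys.get(INET_KEY.lower(), {})))


# Constructed sample export: one benign Run entry, one SpyEye-style entry, two tampered values.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"cleansweep.exe"="C:\\cleansweep.exe\\cleansweep.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"WarnonBadCertRecving"=dword:00000000
"EnableHttp1_1"=dword:00000000
'''

if __name__ == "__main__":
    for location, data, why in audit_reg_export(SAMPLE_EXPORT):
        print(f"{why}\n  {location} = {data!r}")
```

On the constructed sample the script reports the cleansweep.exe Run entry (both the self-named folder and the name-list match) and the two zeroed Internet Settings values, while the benign OneDrive entry and ProxyEnable are left alone. To use it on a real machine, export the two keys with `reg export` and pass the file's contents to `audit_reg_export`; a hit is a reason to run the full antivirus scan described below, not proof of infection on its own.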

How to remove SpyEye – SpyEye Removal

Run a full-system scan with an up-to-date antivirus and optionally an antimalware product to find and remove the infection.

Recommended free antivirus software:

Alternatively, an online malware scanner such as Trend Micro HouseCall or the Windows Live OneCare safety scanner may be used to scan your system for bot infection. More Online Anti-virus Scanners.

Recommended free antimalware software:

Related: Is your PC part of a Zombie Botnet? Check now!

Sources of Information
