The SpyEye banking trojan first appeared about a year ago as a competitor to what was until then known as the king of all bots, Zeus/Zbot. Security researchers believe that both bots have now joined hands to prey upon online banking users worldwide.
Similar to Zbot, the SpyEye trojan is created using a specialized builder or kit. The kit contains tools to customize, create and control individual bots and botnets.
The SpyEye trojan requires a C&C (command and control) server to which the bots (individual machines infected by the SpyEye trojan) connect to receive instructions from the botnet owner.
Abuse.ch, which runs the Zeus Tracker, also has a project called SpyEye Tracker for tracking and monitoring SpyEye command and control servers. At the time of this writing the tracker’s statistics are as follows:
- SpyEye C&C servers tracked: 230
- SpyEye C&C servers online: 61
- SpyEye C&C server with files online: 25
- Average SpyEye binary Antivirus detection: 29.72%
What is the danger of the SpyEye trojan?
Similar to the Zeus/Zbot trojan, SpyEye specializes in stealing valuable personal information from the victim’s computer. Some of the data it can be made to steal are:
- Online banking login username and passwords
- Credit card numbers, names and PIN numbers
- Social Security numbers
- FTP account names and passwords
- Complete identity profiles from your browser’s form auto-fill function
All of this data can be stolen even if you communicate with sensitive web sites over SSL (HTTPS) encrypted connections, because it is captured on the infected computer before the browser encrypts it.
How does a computer get infected with the SpyEye trojan?
This trojan does not spread on its own; it has to be installed on the victim’s machine, and this is achieved in several ways. The popular ones seem to be compromised web sites and downloads pushed by email spam. For example, the victim may be downloading an illegal file such as warez or crack files, or something that claims to be a free screensaver. Beware: this trojan can hitch a ride with one of those programs and silently install itself in the background on an unprotected computer.
Symptoms/Indications of SpyEye infection
The victim will not see any visual indication of its installation. The only indication that you have SpyEye on your system may be when antivirus software alerts you to its presence.
The SpyEye trojan dropper is detected as Win-Trojan/Spyeyes, Trojan.Siggen, TSPY_SPYEYE and BScope.Trojan-Dropper by different antivirus vendors.
The SpyEye trojan silently sits in the background until the victim visits a sensitive web site such as their bank’s site. It then captures valuable data using a keylogger. The trojan can be customized by its master to automatically steal and transfer money using the captured data, or to use it in other ways.
SpyEye Associated Files and Folders
It is difficult to manually identify its files and registry keys, as it hides them from the regular Windows Explorer, Task Manager and Registry Editor using rootkit techniques.
The name of the executable file can be customized to anything by the criminals; the default, cleansweep.exe, is the most commonly seen name. Typically, the SpyEye trojan installs itself and its encrypted configuration file, named config.bin, in a folder directly under C:\:
- C:\cleansweep.exe\cleansweep.exe
- C:\cleansweep.exe\config.bin
According to Microsoft, some of the file names seen are:
- cleansweep.exe
- windowseep.exe
- systemhost.exe
- mssetupers.exe
- msixxxxxxx.exe
- systemrxxt.exe
- malacuxatx.exe
- windowsxxx.exe
- portwexexe.exe
- bofabotxxx.exe
- cxlacuxatx.exe
- googlemaps.exe
- windowsdvd.exe
- ciaxxxxxxx.exe
- onweretetr.exe
- moneyxmexx.exe
- wlcwlcwlcw.exe
- shitspykid.exe
- rundllxxxx.exe
- jdsfjsdijf.exe
- usxxxxxxxx.exe
- inetserver.exe
- intelcored.exe
- bbbxxxxxxx.exe
- defenderxx.exe
- bootstartx.exe
- mdnsrespon.exe
- winstackxx.exe
SpyEye Associated Registry Values and Keys
A hidden registry key is created so that the malware runs at every system restart:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cleansweep.exe=C:\cleansweep.exe\cleansweep.exe
It tampers with the system’s Internet settings by modifying these keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1=0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1=0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect=0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet=0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1409
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1406
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 1406
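The following Python script is an added example, not code from the original post or from any antivirus vendor: it parses a Windows registry export (the `.reg` text format written by Registry Editor or `reg export`) and reports Run entries that launch one of the file names in the list above, together with the Internet Settings values just listed when they are set to 0. The registry export embedded in it is constructed. The "executable-named folder" check is my own heuristic inferred from the post’s C:\cleansweep.exe\ path, not something the post states.

```python
"""Added example (not from the original post): scan a Windows .reg export for the
SpyEye file names and registry artifacts listed above. The export text is constructed."""
import re
from pathlib import PureWindowsPath

# Executable names the post attributes to Microsoft's SpyEye description (lower-case).
SPYEYE_FILE_NAMES = {
    "cleansweep.exe", "windowseep.exe", "systemhost.exe", "mssetupers.exe",
    "msixxxxxxx.exe", "systemrxxt.exe", "malacuxatx.exe", "windowsxxx.exe",
    "portwexexe.exe", "bofabotxxx.exe", "cxlacuxatx.exe", "googlemaps.exe",
    "windowsdvd.exe", "ciaxxxxxxx.exe", "onweretetr.exe", "moneyxmexx.exe",
    "wlcwlcwlcw.exe", "shitspykid.exe", "rundllxxxx.exe", "jdsfjsdijf.exe",
    "usxxxxxxxx.exe", "inetserver.exe", "intelcored.exe", "bbbxxxxxxx.exe",
    "defenderxx.exe", "bootstartx.exe", "mdnsrespon.exe", "winstackxx.exe",
}

# Internet Settings values the post says SpyEye sets to 0 (compared case-insensitively).
TAMPERED_INTERNET_SETTINGS = {
    "enablehttp1_1", "proxyhttp1.1", "warnonbadcertrecving",
    "warnonpostredirect", "warnonintranet",
}

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
INET_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [key] headers, quoted string
    values and dword values. Keys are lower-cased because the registry is case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        data = m.group("data")
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and double quotes with a backslash.
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = data  # hex:... / hex(2):... data is kept raw; not needed here
        keys[current][m.group("name")] = value
    return keys


def executable_path(command):
    """Program path from a Run command line: a quoted path, or else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]  # unquoted paths containing spaces are not handled


def find_spyeye_artifacts(reg_text):
    """Return (category, value name, detail) tuples for artifacts matching the post's indicators."""
    findings = []
    keys = parse_reg_export(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        if not isinstance(data, str):
            continue
        path = PureWindowsPath(executable_path(data))
        exe = path.name.lower()
        if exe in SPYEYE_FILE_NAMES or name.lower() in SPYEYE_FILE_NAMES:
            findings.append(("run_key", name, exe))
        elif path.parent.name.lower().endswith(".exe"):
            # Heuristic (my assumption, from the post's C:\cleansweep.exe\ folder):
            # a program launched from a directory that is itself named *.exe.
            findings.append(("run_key_exe_folder", name, str(path)))
    for name, data in keys.get(INET_KEY, {}).items():
        if name.lower() in TAMPERED_INTERNET_SETTINGS and data == 0:
            findings.append(("internet_settings", name, data))
    return findings


# Constructed sample export: one benign Run entry, one matching the post's default
# path, and two of the listed Internet Settings values zeroed.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"cleansweep.exe"="C:\\cleansweep.exe\\cleansweep.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"WarnonBadCertRecving"=dword:00000000
"WarnOnPostRedirect"=dword:00000000
"EnableHttp1_1"=dword:00000001
"""

if __name__ == "__main__":
    for finding in find_spyeye_artifacts(SAMPLE_EXPORT):
        print(finding)
```

To run it against a real machine, export the two keys (for example with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and read the file with `encoding="utf-16"`, which is how Registry Editor and reg.exe write it. Two caveats follow from the post itself: the trojan hides its keys from the live registry tools, so an export taken on a running infected system may simply not contain them, and an export from an offline copy of the NTUSER.DAT hive is more trustworthy; and the Zones values 1406, 1409 and 1609 exist in a clean profile too, so the script does not flag them on presence alone, since the post does not say what data SpyEye writes to them.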
How to remove SpyEye – SpyEye Removal
Run a full-system scan with an up-to-date antivirus and, optionally, an antimalware product to find and remove the Zeus (Zbot) infection.
Recommended free antivirus software:
- Avira AntiVir Personal – FREE Antivirus
- AVG Anti-Virus Free Edition
- avast! antivirus Home Edition
- Microsoft Security Essentials
Alternatively, an online malware scanner such as Trend Micro HouseCall or the Windows Live OneCare safety scanner can also be used to scan your system for bot infections. More online antivirus scanners.
Recommended free antimalware software:
- Malwarebytes’ Anti-Malware – Direct Download
- SuperAntiSpyware
Related: Is your PC part of a Zombie Botnet? Check now!