SCCyberworld

Tuesday, September 20, 2011

SpyEye Operation Steals US$3.2 Million from Victims

Goh Chee Hoh, MD SEA Region Trend Micro Inc

Trend Micro researchers recently uncovered a cybercriminal operation involving a specific SpyEye botnet controlled by a criminal who went by the handle Soldier.

According to Trend Micro researchers, "Soldier" uses various criminal toolkits, including SpyEye and ZeuS as crimeware, together with exploit kits and blackhat search engine optimization (SEO) to spread SpyEye/ZeuS binaries.

SpyEye is a commercially available DIY botnet toolkit. Using the SpyEye toolkit, money mules and an accomplice believed to reside in Hollywood, USA, "Soldier" stole over US$3.2 million over a six-month period starting in January 2011. "Soldier" was able to compromise several US businesses, including banks, airports and research institutions, and even US military and government systems.

Soldier's SpyEye botnet was able to compromise more than 25,000 systems between April 19, 2011 and June 29, 2011. Nearly all of the victims are located in the United States; however, there are a handful of victims spread across another 90 countries, including countries like India, Thailand, and Saudi Arabia.

How Does SpyEye Work?

Since its inception, SpyEye has exhibited routines similar to those of ZeuS, particularly its information, financial and identity theft routines. ZeuS is primarily a crimeware kit designed to steal users' online banking login credentials. It is the handiwork of Eastern European organized criminals and has entered the underground cybercriminal market as a commodity. ZeuS is also known by the name ZBOT because of its botnet capabilities.

Like ZeuS, SpyEye makes use of a configuration file to further its criminal agenda. The configuration file lists the banking and other target sites to monitor; data stolen from those sites is sent to a remote server maintained by the bot master. SpyEye also uses rootkit techniques to hide its files and processes from affected users and avoid detection.

What Happens in this SpyEye Operation?

Trend Micro detects the SpyEye variant as TSPY_SPYEYE.EXEI. Once installed, TSPY_SPYEYE.EXEI downloads a configuration file, which contains a list of its monitored websites. Once users visit any of these sites, it performs web injection and logs keystrokes to steal information from users.

Cybercriminals use web injection techniques to insert additional fields, such as requests for social security numbers and other questions that a bank does not normally display, into banking login pages. This SpyEye variant is also capable of stealing other personal credentials. Trend Micro discovered that it also stole credentials for other well-known services, including Facebook, Twitter, Yahoo!, Google, eBay and Amazon.
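To make the web injection routine concrete, here is an added example (not code from the Trend Micro report or from SpyEye itself) that parses a rule in the ZeuS-style webinjects.txt syntax, which SpyEye also uses, and applies it to a constructed bank login page the way the bot rewrites the page in the browser's HTTP stream. The host bank.example.com, the page layout and the injected "Social Security Number" field are assumptions for illustration. The last function shows the check a bank can run on the rendered page: compare the form fields the browser shows against the ones the server actually sent.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample config in the ZeuS/SpyEye "webinjects.txt" syntax.
# The host, the page layout and the injected field are assumptions for
# illustration; they are not taken from Trend Micro's report.
SAMPLE_WEBINJECTS = """\
set_url https://bank.example.com/login* GP
data_before
<input type="password" name="pass"*>
data_end
data_inject
<br>Social Security Number: <input type="text" name="ssn">
data_end
data_after
data_end
"""

# Constructed stand-in for the page the bank actually serves.
SAMPLE_LOGIN_PAGE = """\
<html><body>
<form method="post" action="/login">
User ID: <input type="text" name="user">
<br>Password: <input type="password" name="pass">
<br><input type="submit" value="Sign in">
</form>
</body></html>
"""

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Parse webinjects.txt-style rules into dicts.

    Each rule carries the URL mask from set_url, its flags (G/P = act on
    GET/POST responses, L = log only) and the three data blocks; '*' in
    data_before/data_after acts as a wildcard.
    """
    rules, current, section = [], None, None
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1],
                       "flags": parts[2] if len(parts) > 2 else "",
                       **{s: [] for s in SECTIONS}}
            rules.append(current)
        elif line in SECTIONS:
            section = line
        elif line == "data_end":
            section = None
        elif section and current is not None:
            current[section].append(line)
    for rule in rules:
        for s in SECTIONS:
            rule[s] = "\n".join(rule[s])
    return rules


def _mask_to_regex(mask):
    """Turn a data_before/data_after mask with '*' wildcards into a regex."""
    return re.compile(".*?".join(re.escape(p) for p in mask.split("*")), re.S)


def apply_webinjects(url, html, rules):
    """Rewrite the HTML the way the bot does: the text between data_before
    and data_after is replaced by data_inject (with an empty data_after the
    inject is simply inserted after data_before). L-flagged rules only log
    and are skipped here."""
    for rule in rules:
        if "L" in rule["flags"] or not fnmatchcase(url, rule["url"]):
            continue
        before = _mask_to_regex(rule["data_before"]).search(html)
        if not before:
            continue
        start = end = before.end()
        if rule["data_after"]:
            after = _mask_to_regex(rule["data_after"]).search(html, end)
            if not after:
                continue
            end = after.start()
        html = html[:start] + rule["data_inject"] + html[end:]
    return html


def form_field_names(html):
    """Names of <input> fields in a page: what a bank can compare against
    its own template to spot a field it never served."""
    return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_WEBINJECTS)
    tampered = apply_webinjects("https://bank.example.com/login?lang=en",
                                SAMPLE_LOGIN_PAGE, rules)
    print(tampered)
    print("fields added by the inject:",
          form_field_names(tampered) - form_field_names(SAMPLE_LOGIN_PAGE))
```

Because the injection happens inside the browser process after TLS is stripped, the padlock and the genuine bank URL remain intact; only a comparison between the served template and the rendered form (or out-of-band confirmation of the transaction) reveals the extra field.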

One of the features of the SpyEye toolkit is its ability to capture screenshots from infected systems. This lets the bot master see what the user is doing on the computer and also defeats authentication mechanisms that do not rely on the keyboard, such as on-screen keypads. If a SpyEye Trojan cannot steal a user's login credentials by keylogging, it can still capture them via screenshots.

Trend Micro researchers were able to determine which networks the victims' IP addresses were assigned to, based on the victim IP addresses recorded by Soldier's SpyEye C&C server. However, Trend Micro believes that these organizations were not the intended targets; they were affected because individual end users' systems were compromised.

Implications of Successful Compromises

SpyEye is known for targeting consumers as well as small to large organizations, since businesses make highly profitable targets. As an information-stealing malware family, SpyEye is designed to steal user credentials for unauthorized transactions, such as online fund transfers. Through its web injection routine, users unwittingly give out sensitive information, which is then sold in the underground market.

SpyEye continues to be used in criminal activities. This attack signals a new wave of online criminal business enterprises in which different parties cooperate to perpetrate outright online theft and fraud. Along with ZeuS, SpyEye remains one of the most notorious security threats to Internet users, especially with regard to online financial dealings. Users' reputations are also at risk when their systems are compromised, because cybercriminals can use stolen credentials for identity theft and fraud on social networking and online shopping sites.

Safety Measures

The threats that SpyEye poses have a global reach. As such, Trend Micro recommends a multi-layered approach to ensure optimal protection. For businesses, this means perimeter-based security (firewall, gateway security) combined with messaging, network, server, endpoint and mobile security. Users are also advised to keep their security solutions up to date. Trend Micro product users are already protected from this threat via the Trend Micro™ Smart Protection Network™, which blocks access to related malicious sites and domains and detects and deletes SpyEye binaries and other components used in criminal campaigns.