On April 16, we found a Pastebin entry selling the latest version of the infamous SpyEye botnet (Version 1.3.48) for a much lower price than we’ve seen elsewhere. (This botnet is mainly used to steal banking information.) The quote was just US$150 including three months hosting, after that it’s $15 per month. This version was first seen in October 2011, according to the XyliBox blog. The Pastebin seller of this SpyEye release included all the information about the software, injection types, and plug-ins supported–along with the MSN ID “blackhatsale@live.com.” Here is the screenshot from Pastebin:
Further research shows from multiple freelancing project websites shows price quotes of up to $1,500. Here are a couple of project entries found on those websites:
The source code for SpyEye Version 1.3.45 had already been leaked, and a lot of technical information about this botnet is available on the web. Fortunately, we obtained a live sample (with an active control server) created by the latest release (the version ID is hard-coded in the build and sent to the control server along with other information). We proceeded to reverse engineer the latest version to look for any differences.
After unpacking and reversing the latest sample, we found it behaved similarly to the description in the Prevx blog (so we will skip the full details). The only difference we found is the XOR key used to decrypt the config.bin file from the resource section. For this binary, the XOR key used is 0x4C. Here is the snippet of the decryption algorithm to decrypt config.bin:
Note the slight difference between the keys used by the sample we analyzed and the sample analyzed by the Prevx blog. (Was this intentional by the SpyEye author?) The decrypted config.bin file is nothing but a password-protected ZIP file whose password is stored in the C3 resource section in plain text. Here is the screenshot of the unzipped contents:
The unpacking/decryption routine of the ZIP files and the infection method of this bot are the same as in the prior version. We next searched network activity to look for variations. The binary, as expected, sends an HTTP POST request with encrypted data shown below:
As mentioned in a screenshot from the XyliBox blog, this version of SpyEye can be identified by the network capture. The packet can be decoded using a Base64-decoded string and the simple XOR key 0xDB. The sample PHP encoder/decoder created by XyliBox can be found here. Here is the converted sample Perl code to decode the traffic:
sub decode_spyeye
{
$encry_data = shift;
$decodeBase64 = decode_base64($encry_data);
$decodeBase64 =~ s/\+//g;
@charArray = split(“”, $decodeBase64);
$len = @charArray;
$decrypted = ”;
for($i = 0; $i < $len; $i++)
{
$num = ord($charArray[$i]);
if( $num != 219) #Key 0xDB = 219
{
$decrypted .= chr($num ^ 219);
}
}
return $decrypted;
}
$str = decode_spyeye($data);
The decoded string using the preceding routine is:
“guid=5.1.2600!XP-HOST01!D04EF662&ver=10348&ie=6.0.2900.2180&os=5.1.2600&ut=Admin
&ccrc=63B05A00&md5=25d37d161d0bc546429dc98185eca8c4&plg=ccgrabber;customconnecto
r;ffcertgrabber;ftpbc;Plugin_USBSpread;rdp;socks5&plgstat=0;0;0;0;0;0;0&wake=60&
stat=online”
The version information can be found in the preceding decoded string. The bot collects information about the infected machine and sends it to the control server. We have seen such traffic in plain HTTP GET requests in older versions of this botnet. The response is also decoded using the same routine, which was nothing but control commands to execute. Thus we find no major changes in encoding/decoding routines in the latest version.
SpyEye has definitely been buzzing on the Internet for the last few years and remains the top (in stealing money) banking botnet. Bad guys or script kiddies are willing to pay a lot of money for this popular botnet. With people selling this botnet for such low prices and with the availability of leaked code, we may see a rise in this botnet’s activities and control servers.