Win32/EyeStye is a family of trojans that attempts to steal sensitive data, such as login credentials, and sends it to a remote attacker. In order to perform this payload it utilizes a method known as "form grabbing". Win32/EyeStye may also download and execute arbitary files, such as updates of its components and may utilize a rootkit component in order to hide its malicious activity from the affected user.
Installation
This malware may be installed by TrojanDropper:Win32/EyeStye. When run, the trojan creates one of the following mutex names to ensure only one instance of the malware executes:
- __SPYNET__
- __CLEANSWEEP__
In the wild, we have observed the trojan dropping files in the directory in which it is executed. It may create a hidden top-level directory, using the following format:
- \<file name>\<file name>.exe
Where <file name> may be, but is not limited to, the following:
- cleansweep.exe
- windowseep.exe
For example, cleansweep\cleansweep.exe.
The registry is modified to run the malware at each Windows start.
In subkey:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunSets value: "
<Win32/EyeStye file name>" (for example "
syscheckrt.exe")
With data: "<path and file name of
Win32/EyeStye>" (for example "
c:\syscheckrt\syscheckrt.exe")
or
In subkey:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunSets value: "
<random key>"
With data: "<path and file name of
Win32/EyeStye>" (for example "
c:\syscheckrt\syscheckrt.exe")
The trojan also creates an encrypted configuration data file named "config.bin" in the malware folder. The configuration file contains the following files:
- collectors.txt - contains the IP address of the remote server used to collect captured data
- webinjects.txt - contains rules on how web traffic should be filtered
The configuration data file may also contain various "plugins" that are utilized to make up the malware's payload. This may include, the following:
- Backdoor functionality (either through RDP or a Socks5 proxy) allowing unauthorized access and control of the affected computer
- Jabber notification to the malware author of new infections
- Specific connections to use for transmission of stolen information to a remote attacker
- The ability to grab certificates from Firefox
- FTP functionality
Win32/EyeStye injects its payload into all currently running processes while avoiding the following processes:
- smss.exe
- csrss.exe
- services.exe
- System
- <Win32/EyeStye process>
Payload
Lowers browser security zone settings
The malware modifies registry data that lowers browser security for Internet Explorer:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "EnableHttp1_1"
With data: "1"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1409"
With data: "3"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
Sets value: "1406"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
Sets value: "1406"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
Sets value: "1406"
With data: "0"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "EnabledV8"
With data: "0"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Recovery
Sets value: "ClearBrowsingHistoryOnExit"
With data: "0"
Modifies Mozilla Firefox settings
The malware modifies the following settings for the web browser Mozilla Firefox:
- Disables safe browsing
- Disables malware blacklist check for downloads
- Disables alerts
- Disables clearing cookies and sessions
Uses stealth
Win32/EyeStye hooks the following APIs to prevent affected users from seeing malware files or system modifications with Windows Explorer, within a command prompt, or within the registry:
- NtEnumerateValueKey
- ZwEnumerateValueKey
- NtQueryDirectoryFile
- ZwQueryDirectoryFile
- NtVdmControl
- ZwVdmControl
Exports imported certificates
The malware hooks the "crypt32.dll" API "PFXImportCertStore" to make all imported certificates exportable.
Captures sensitive information
Win32/EyeStye hooks the following Windows APIs to steal authentication information and alter web content presented to the user:
- HttpAddRequestHeadersA
- HttpOpenRequestA
- HttpSendRequestW
- HttpQueryInfoA
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- InternetCloseHandle
- InternetQueryOptionA
- InternetWriteFile
The following Firefox APIs are also hooked for the same purpose:
- PR_Read
- PR_Write
- PR_Close
- PR_OpenTCPSocket
- PR_GetSocketOption
- PR_SetSocketOption
- PR_GetError
- PR_SetError
It hooks the following APIs to take screenshots of the affected computer:
- GdipSaveImageToStream
- GdipSaveImageToFile
- GdipCreateBitmapFromHBITMAP
- GdiplusShutdown
- GdiplusStartup
Bypasses SSL
Win32/EyeStye hooks the API "CryptEncrypt" to intercept SSL traffic. If the security program Trusteer Rapport is running, the malware returns an error "NTE_NO_MEMORY" so that plain authentication is used.
Sends captured data to a remote server
The trojan attempts to send captured data via HTTP post to a remote server. In the wild, we have observed this trojan connecting to the following remote servers:
- microsoft-windows-security.com (not a Microsoft.com domain)
- vinodelam.net
- overclock.osa.pl
- qualitaetvorun.org
- svetodioduk.net
- rtjhteyjtyjtyj.orge.pl
- airiston.net
- superboy999.ru
- vertime.ru
- bettasbreed.co.cc
- nusofttechnologies.info
- svetodioduk2.com
- fieldsoflove.cc
- fightforce.cc
- totalhidden.cc
- feldmar.ru
- lyambosok.ru
- picomarkets.ru
- primedyl.com
- domain391.org
- securegateonline.com
- reg.kygalu.ru
- domain191.org
- black-hosting.ru
- hfhfhfhfee.com
While sending captured data, it may include the following additional information:
- "Bot guid" - unique identifier associated with the trojan
- User name
- Computer name
- Volume serial number
- Process name associated with captured data
- Name of hooked API function (for example PR_Write)
- Captured raw data
- Keys, logged keystrokes
- Other information specific to computer locale such as:
- Local time
- Time zone
- Operating system version
- Language
