Archive for the ‘EyeStye’ Category

We’ve got our eye on Eyestye

July 20th, 2012

Back in October 2011, we began to remove Eyestye variants using the Malicious Software Removal Tool (MSRT) in an effort to prevent the proliferation of this botnet. Today, we published a detailed MMPC Threat Report on this family. The report provides an in-depth analysis of how Win32/EyeStye works and the telemetry we have on its activity in 2011 and early 2012.

Win32/EyeStye is a family of trojans that attempt to steal sensitive data, such as logon credentials, from banking websites and other online properties. EyeStye does not spread on its own by default; instead, it is typically distributed using spam email messages and social engineering. In its effort to steal data, EyeStye lowers your browser’s security settings, making it possible for the trojan to obtain online banking user names and passwords, credit card numbers, social security numbers, and other data. It then sends all of the gathered information back to the operator.

The report examines the functionality of the bot: how it’s created, what it does to an infected computer, how it steals users’ data, and so on. It also discusses where this botnet has been the most prevalent, that is, what countries are most affected according to our data.

Download the report here. You can also read what our TWC friend Tim Rains has to say over here.

Happy reading!

-Jaime Wong

Categories: EyeStye, malware, MMPC, threat report

MSRT October ’11: EyeStye

October 13th, 2011

This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison.

EyeStye (aka ‘SpyEye’) is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs is called “form grabbing”, which involves intercepting web form data submitted to the host through the client’s browser. By intercepting this data, authentication information can be stolen, and the web content presented to the user can be altered to the malware author’s preference. In one recent EyeStye variant we came across (for example, SHA1 e36287d81770d583679be28d9a229f8363ab4cde), we observed that the following browsers were targeted, indicating that the malware authors are leaving few stones unturned: Internet Explorer, Mozilla, Chrome and Opera.

The malware file contains obfuscated code, while the payload is injected into running processes. It also employs user-mode rootkit protection in an effort to prevent itself from being seen via Windows Explorer or the Command Prompt. This may be intended to make detection and remediation challenging for antivirus engines. As this bot is kit-based, the file names and mutexes it creates are variable, which makes identification (based on these factors) difficult.

Towards the end of 2010, the release of EyeStye kit 1.3.X included a feature to avoid detection by Trusteer’s Rapport, a feature also offered by Zeus (Zbot). This release also removed a feature to kill Zeus if it was detected running on the affected machine, leading some to suggest that the two bots were being merged. However, by that time the Zeus code was already publicly available, which led us to believe that those rumors were speculative in nature. We continue to monitor both of these bots for evidence of such a merger.

As with much of the malware we see today, EyeStye is often spammed out to users or posted on open forums to entice users to click on a link, employing one of the increasingly common social engineering techniques. An example of such a spam email can be seen below. This spam mail was posted in an open BSD forum; clicking on the link leads to the download of a file named “VIEW_EVENT_DOC.PIF”, which we detect as Win32/EyeStye (SHA1 df8a8483515dd0db3494d796ede33fddb369df10).


For more information on this malware family, please refer to Win32/EyeStye.


— Jaime Wong, MMPC