Archive for the ‘form grabbing’ Category

MSRT October ’11: EyeStye

October 13th, 2011 No comments

This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison.

EyeStye (aka ‘SpyEye’) is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs is called “form grabbing” which involves the interception of webform data submitted to the host through the client’s browser. By intercepting this data, authentication information can be stolen, and web content presented to the user can be altered to the malware author’s preference. In one recent EyeStye variant (for example SHA1 e36287d81770d583679be28d9a229f8363ab4cde) we came across, we observed that the following browsers were targeted, indicating that the malware authors are leaving few stones unturned: Internet Explorer, Mozilla, Chrome and Opera.

The malware file contains obfuscated code, while the payload is injected into running processes. It also employs user-mode rootkit protection in an effort to prevent itself from being seen via Windows Explorer or the Command Prompt. This may be intended to make detection and remediation challenging for antivirus engines. As this bot is kit-based, the file names and mutexes it creates are variable, which makes identification (based on these factors) difficult.

Towards the end of 2010, the release of EyeStye kit 1.3.X included a feature to avoid detection by Trusteer’s Rapport, a feature also offered by Zeus (Zbot). This release also removed a feature to kill Zeus if it was detected running on the affected machine, leading some to suggest that the two bots were being merged. However, by that time the Zeus code was already publicly available, which lead us to believe that those rumors were speculative in nature. We continue to monitor both of these bots for evidence of such a merger.

As with much of the malware we see today, EyeStye is often spammed out to users or posted on open forums enticing users to click on a link, employing one of the increasingly common social engineering techniques. An example of such a spam email can be seen below: This spam mail was being posted in an open BSD forum; clicking on the link leads to a download of a file named “VIEW_EVENT_DOC.PIF”, which we detect as Win32/EyeStye (SHA1 df8a8483515dd0db3494d796ede33fddb369df10).


For more information on this malware family, please refer to Win32/EyeStye.


— Jaime Wong, MMPC