Computers continue to be plagued by SpyEye banking malware all over the globe. In addition, this malware infection is proving to be very difficult to detect and remove when residing in computers with infected Windows operating systems. This is according to two prominent researchers from the security division of EMC’s RSA, Uri Rivner and Jason Rader. [1]
Uri Rivner is currently the head of the new technologies division for consumer identity protection. Jason Rader is the chief security strategist. At the RSA security conference in London last week, both put on white lab coats for their technical review and break-down of SpyEye. They also adopted mock titles for the event: Rader became the head of research for the US CDC (Centers for Disease Control and Prevention) malware epidemic division, and Rivner became a member of the RSA General Hospital’s dangerous malware department.
SpyEye is considered the successor of the Zeus banking malware and has been in existence for over a year. The author of the Zeus banking malware (screen name “Slavik”) had stopped developing Zeus. However, the project was taken over by another individual known as “Harderman”, and this was when SpyEye emerged. At this time, SpyEye is sold to online criminals in kit form. The kit itself is easy to use, but carrying out an attack with it still requires a high level of technical skill.
In this case, an identity theft cybercriminal can purchase the kit and then use its graphical user interface to set up a “drop zone”, the location where stolen banking information and credentials are received. The SpyEye kit also has provisions for attacking most banking websites. As an example, an extra field may be inserted into a bank’s web page. This field then asks for personal information beyond login IDs and passwords, such as PINs and the corresponding credit card numbers.
These fake bank fields are seamlessly integrated with the legitimate bank website. However, the data is sent directly to the cybercriminal by way of the drop zone.
One of the things that Rivner pointed out is that most people are quite unlikely to realize that their system has been infected. In addition, he noted that getting an infection is not difficult at all; as a matter of fact, it can be very easy.
One of the ways that a system can become infected is merely by visiting a website that has been compromised by hackers. A compromised site will carry a tiny 1×1 pixel element that pulls JavaScript from another server, which then tests whether the victim’s computer is running software that has not been patched. To illustrate how insidious this can be, note that last year the US Treasury’s website was infected and began delivering the Zeus Trojan.
There are a number of “tricks” that SpyEye can use in order to remain hidden. For example, it can place itself inside legitimate dynamic link libraries (DLLs), the normal code libraries used by many applications. In addition, SpyEye has the capability to delete its own installation files. Thus, as Rader noted, it can be very persistent.
Microsoft has stated (October 12) that it will be updating the Microsoft Malicious Software Removal Tool in order to seek out SpyEye family malware.
While this is certainly good news for consumers and users, it is more than possible that the removal tool will have a difficult time. Rader noted that new variants of SpyEye are often missed by full-featured antivirus security suites; on average, it has taken 45 days for these security programs to detect new variants. Additionally, the removal tool can only detect SpyEye once it is running, and cannot prevent an infection.