OWASP Anti-Malware - Knowledge Base

SpyEye
SpyEye is considered the successor of ZeuS and is widely regarded as the most advanced banking malware kit currently in use.

The kit was designed as a botnet that is easy to manage through a web-based control panel.

SpyEye relies on MiTB (Man in the Browser) attacks to accomplish its task. It uses a custom encrypted configuration file that contains:

 * Plugins
 * Web injection code
 * Collectors list - where stolen data is sent

SpyEye is capable of HTML code injection in the following browsers:

 * Firefox
 * Internet Explorer
 * Chrome
 * Opera

List of commonly used plugins:

 * ccgrabber - collects credit card numbers by analyzing POST requests.
 * ffcertgrabber - steals certificates stored in Firefox.
 * ftpbc - provides reverse FTP connections to the bot.
 * socks5 - allows reverse connections via a proxy server.
 * billinghammer - charges credit cards using the stolen card data.
 * ddos - launches DDoS attacks against a specified target.
 * bugreport - sends crash reports to the bot master.
 * SpySpread - spreads the bot via USB drives and instant messages.
 * rdp - remote desktop capability.

The SpyEye kit has currently reached version 1.3.48.

In the second half of 2011 a mobile edition of SpyEye, called SpitMo, appeared; it was specifically designed to steal mTAN (mobile TAN) authentication codes.

More recently (January 2012) a SpyEye campaign appeared that is able to hide its fraud footprint, a technique also called a Post-Transaction Attack.

Resources:

 * A Guide to SpyEye C&C Messages
 * New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3
 * DDOS plugin for SpyEye
 * SpyEye steals your data. Even in a limited account
 * The SpyEye Interface, Part 1: CN 1
 * The SpyEye Interface Part 2: SYN 1
 * SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 1)
 * SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)

Zeus
ZeuS is a banking trojan first identified in 2007, designed as an HTTP-based botnet specifically crafted to steal online banking credentials.

Although the ZeuS kit is no longer developed, the infection statistics available at ZeuS Statistics clearly show that this trojan remains widespread.

The ZeuS kit's functionality is based on MiTB attacks; an encrypted configuration file contains the URL triggers and the HTML code to be injected.

In the past year a mobile version of ZeuS called ZitMo also appeared, developed to bypass the mTAN authentication system; more information can be found here:

 * The ZitMo Trojan Bypasses Online Banking Security
 * Zitmo Trojan for Android defeats two-factor authentication

2011 was also the year of the ZeuS source code leak, which led to a number of new ZeuS variants; the most significant are:

 * ICE IX
 * ZeuS P2P Edition

The most interesting variant is the P2P edition, in which ZeuS gained P2P botnet and DGA (Domain Generation Algorithm) capabilities; these allow an infected host to interact with other victims (nodes) and to obtain updated binaries and configurations from them.

ZeuS P2P references:

 * ZeuS Gets More Sophisticated Using P2P Techniques
 * ZeuS – P2P+DGA variant – mapping out and understanding the threat

Other references:

 * ZeuS Tracker
 * Ice IX – Or Just ZeuS?
 * JaZeus: when Zeus meets Java
 * Zeus Malware Analysis by SophosLabs
 * ZeuS Banking Trojan Report
 * Abstract Memory Analysis: Zeus Encryption Keys

Carberp
After ZeuS and SpyEye, the third advanced banking trojan is Carberp, which during its evolution reached a high level of complexity by combining effective evasion and stealth techniques with the ability to steal online banking credentials through browser code injection.

Summary of Carberp functionality:

 * Ability to run as a non-administrator
 * Ability to infect Windows XP, Windows Vista and Windows 7
 * Makes no changes to the registry (in-memory modifications only)
 * Browser hooking
 * Stolen data is transmitted in real time to the C&C server
 * Kills antivirus software
 * Screenshot capture
 * Form grabber
 * Backconnect

Carberp uses encrypted configuration files that contain plugins and web injection code:

 * miniav.psd - kills competing botnets (SpyEye, ZeuS)
 * vnc.psd - remote VNC session capability
 * passw.psd - password grabber for FTP, VNC, e-mail clients and stored browser passwords

References:

 * www.malwareint.com/docs/inside-carberp-botnet-en.pdf
 * Carberp + BlackHole growing fraud incidents
 * Bootkit Evolution of Win32Carberp: going deeper
 * Decrypting Carberp C&C communication

Tatanga
Tatanga appeared in the first half of 2011 as a MiTB-based trojan designed to steal online banking credentials and to spoof the victim's real account balance (a Post-Transaction Attack).

Like the trojans described above, Tatanga uses encrypted configuration files (3DES) to store plugins and web injection code.

Additionally, Tatanga is able to:

 * Grab e-mail addresses
 * Remove competing botnets
 * Infect files to increase malware spread
 * Kill antivirus software

References:

 * 2011 Tatanga: a new banking trojan with MitB functions
 * More on the Tatanga Banking Trojan