www.thevigilant.com Copyright 2009, Vigilant LLC. Spy VS Spy: Countering SpyEye with SpyEye. Lance James, Director of Intelligence, Vigilant, LLC. March 21st, 2011.

www.thevigilant.com Copyright 2009, Vigilant LLC

Spy VS Spy Countering SpyEye with SpyEye

Lance James

Director of Intelligence

Vigilant, LLC

March 21st, 2011

securing and enabling dynamic business

Apr 18, 2023 2

Lance James

• Lance James
  – Director of Intelligence, Vigilant, LLC
  – Founder of Secure Science Corporation

• Brief Bio:
  – Infosec over a decade: development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight
  – Author of “Phishing Exposed”
  – Co-Author of “Emerging Threat Analysis”
  – 3rd book on its way (counter-intelligence)
  – Loves Karaoke
  – Very Hyper (but I am getting old)


• Research
  – SpyEye
    • Web Panel based C&C
    • DIY Builder Kits
    • Merging with Zeus
    • $1000-$3000 WMZ
  – Law
    • Title 18 USC 1030
    • Color of Right
    • Expectation of Privacy


SpyEye


Components of SpyEye

• Trojan
  – Build it yourself
  – Data interception
  – Formgrabs
  – Credit Cards
  – Software Collection
  – Process hooking
  – Kills Zeus/Zeus Merger
  – UPX Packed (most cases)


Components of SpyEye

• Web-based Panel
  – SYN 1 (Blind Drop)
    • Formgrabber/Data Manager
    • FTP Theft
    • Bank of America
    • Theft Stats
  – CN 1 (Command & Control)
    • Binary Updates
    • Configuration Updates
    • Statistic collection
    • Plugins
    • Backconnect (SOCKS5/FTP)


Builder


Web Panel (SYN 1)


Web Panel (CN 1)


What we know

• Web Panel Investigation
  – Build Inference (directories and files)
    • Debug.log (general traffic)
    • Error.log (possible leaked IPs and other info)
    • Tasks.log (what it’s doing)
    • Backup.sh (SQL dump and passwords)
    • Config.ini (settings)
  – Understand the code
  – AJAX driven
    • AJAX queries and refreshes for data


Debug.log


Case Study

CnC Host: 91.211.117.25/sp/admin (currently down)
History: specific URI discovered publicly 09/07/2010; prior attacks from this IP discovered 07/26/2010 (same operator)
ASN: 48587 (known for malicious activity)
Location: Ukraine (UA)
AS Name: Private Entrepreneur Zharkov Mukola Mukolayovuch
Malware Life-cycle: Monday 08/30/10 – Friday 09/24/10 (25 days)
Unique computers infected: 28,590
Unique binaries distributed: 2,325
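As an added defender-side example (not from the talk), a triage script that runs over constructed web-proxy log lines and flags internal clients that contacted the case-study C&C host or requested the panel's world-readable files under a /sp/admin path, summarising unique clients and first/last seen per host; the log format, the sample lines and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic). Assumed format:
# "<ISO timestamp> <client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2010-09-07T10:02:11 10.1.4.23 POST http://91.211.117.25/sp/admin/frm_grab.php 200
2010-09-07T10:02:15 10.1.4.23 GET http://www.example.com/index.html 200
2010-09-07T10:05:40 10.1.7.8 GET http://91.211.117.25/sp/admin/config.ini 200
2010-09-08T09:12:03 10.1.4.23 POST http://91.211.117.25/sp/admin/frm_grab.php 200
2010-09-08T11:30:59 10.1.9.100 GET http://91.211.117.25/sp/ 200
2010-09-08T12:00:00 10.1.2.2 GET http://intranet.example.com/backup.sh 200
"""

# Indicators taken from the slides: the case-study C&C host and the
# panel's world-readable files that sit under its /sp/admin directory.
KNOWN_CNC_HOSTS = {"91.211.117.25"}
PANEL_ARTIFACTS = ("frm_grab.php", "debug.log", "error.log",
                   "tasks.log", "backup.sh", "config.ini")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")

def is_suspicious(url):
    """True for a known C&C host, or a panel artifact under a /sp/admin/ path."""
    m = URL_RE.match(url)
    if not m:
        return False
    host, path = m.group(1), m.group(2) or "/"
    if host in KNOWN_CNC_HOSTS:
        return True
    # A bare artifact name (e.g. an intranet backup.sh) is too noisy on its own.
    return "/sp/admin/" in path and path.endswith(PANEL_ARTIFACTS)

def triage(log_text):
    """Per flagged host: sorted unique clients, hit count, first and last seen."""
    acc = defaultdict(lambda: {"clients": set(), "hits": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        ts, client, _method, url, _status = m.groups()
        if not is_suspicious(url):
            continue
        host, when = URL_RE.match(url).group(1), datetime.fromisoformat(ts)
        rec = acc[host]
        rec["clients"].add(client)
        rec["hits"] += 1
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
    return {h: {"clients": sorted(r["clients"]), "hits": r["hits"],
                "first": r["first"].isoformat(), "last": r["last"].isoformat()}
            for h, r in acc.items()}

if __name__ == "__main__":
    for host, rec in triage(SAMPLE_PROXY_LOG).items():
        print(host, rec)
```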


C&C Activity


Botnet Infections


C&C Advancement & Law

• C&C has many world readable files
• Including Frm_grab.php
  – Doesn’t work without AJAX environment
  – Same concept as requesting 1 world readable file
    • Many requests at once
    • Very useful intelligence
  – Very complicated legally
    • Explain what we did to a jury or judge
    • Explain it to attorney
    • DOJ conservative to risk


How it works

• C&C Target (SYN 1) main page password protected (illegal in US to log in)


Eating Dog Food

• Log in to local C&C setup

Fire up Proxy, Set Servers to Stun!


Kibbles & Bits

Proxy Setup – either with Burp or netsed

Header Modification

Browser proxy configuration


Target Acquired

When this changes we know we are connected


Results

• All data compromised in real time
• Bot GUIDs per data compromise
• Dates of compromises
• Bonus points!
  – Bad guy activity
  – The day before 0
  – Settings
  – We can update the botnets (Not Approved)


Spy Wars

Adversary is quick, no boundaries
Jedi tools
Jedi Council
Disciplined Philosophy
Jedi skill
Limited by Law


Be the Smart Jedi

• May the Force Be With Us
  – We’re gonna need it

• Do or Do Not!
  – There is no try

• Yoda is awesome


Contact

Thank You!

Lance James

Director of Intelligence

[email protected]

http://www.thevigilant.com