Shifting yourself to space

May 31, 2011

The case of the spying eyes: blizzard stubs

Filed under: Uncategorized — shift32 @ 11:17 pm
Tags: , , , , ,

So I finally managed to unpack SpyEye this Saturday, and only today (Thursday) had the time to start actually exploring what it does,
I’ve heard and read from friends and the net that SpyEye got some several interesting modules
also it’s module load – use – unload technique seemed interesting. I’ve also heard that it steals money and performs different kind of phising attacks, all of this seemed quite interesting to research.

I’ve hooked up olly and opened the unpacked version of spyeye, opened the names bar and looked for interesting function to set breakpoints on, I’ve also searched for all intermodular calls and found some (even more) interesting functions

As it seems, SpyEye doesn’t import all the function it’s using in it’s IAT, as when inspecting it with PEiD or anything else you see not many functions

To my humble guess it’s using a simple (yet, known), “trick” of dynamic libary loading, I have first seen it in uninformed and the technique is quite nice (originally by lsd-pl folks)

As olly shown in the “show all intermodular calls” window, it seems

However, be mistaken not – the calls repeat themselves, what really caught my eye was the unresolved call here, I’ve set bp on every possible call outside and started my static analysis journey

I started stepping the code, not running it, to see if there are any interesting things and it seems that the start of the code had some nice spots

The first thing which caught my eye was that SpyEye looks for kernel32.dll by first getting it’s address from the PEB, by walking through it’s linked list, this method is quite known as i mentioned earlier by uninformed ,however, spyeye doesn’t use a loop to look for kernel32.dll it
goes through two values and hopes for the best – if someone put kernel32.dll in a different place in the linked list – SpyEye is a bit doomed (;

The other thing which caught my eye was that SpyEye accesses its .rsrsrc section (resource), it gets a handle to them, changes their permissions and continues onward – this is something which might be pretty interesting

the find.resource calls are to find the specified resource with GetModuleFilenameA function
and the rsrsrc.alter.perm are to alternate the permissions the resource has probably to FFFFF, or something like it, it is still unknown what their purpose is, so I don’t know what to look for

One of the resources starts with a string “!EYE” which hints for some propriatery struct for SpyEye (or perhaps something different ? we don’t know yet)

There’re basically three resource section I got my eye on – C1 C2 and C3, but I didn’t find any usage with/of them for now, so we’ll leave them for now.

Also I found several strings which got my eye glitchy

Remember “algonic” from the previous posts ? this is the name of the child process that our malware creates, as for config.bin – well the name answers for everything, it seems to be some sort of configuration SpyEye has, perhaps it contains C&C IPs and passwords to communicate with our big brother

After stepping more code I’ve found some small jackpot, I remember when I was unpacking SpyEye I got really frustrated when I didn’t know which functions SpyEye was using in order to allocate space for itself, and once I’ve found them – everything went alot easier,
So after stepping some code I found that SpyEye calls NtAllocateVirtualMemory to allocate space for something…something big, as of writing now I have a few clues of what it might be, but I still can’t be sure,
however my guesses go from
1. a huge decryption stub to decrypt the configuration and other resource section
2. a huge decompression/compression stub to de/compress something else
3. something else I have no clue yet (always leave room for the unexpected, hehe)

Why am I not thinking about hooking processes ? because as it seems SpyEye is only going through the tasklist at later stages of the code, I’ve seen a few calls to GetCurrentProcessId, and you are right if you said that it doesn’t prove anything, this is only a guess…I’m writing this while still disassembling everything..
However in order to prove more that I’m right I’ve scrolled down with olly a bit more and found this little interesting (yet, exciting) block :

See the comments olly adds on the side ? see smss.exe, csrss.exe, services.exe, etc ? does this look to you like something that would’ve done after we hook things up ? This looks like a prologue to something…something interesting (:

I kept stepping the code until I reached the copy of a resource section, however, the rest seems to be like a topic for another post,
To be continued(:


1 Comment »

  1. […] Shifting yourself to space Short bytes of life Skip to content HomeAbout ← The case of the spying eyes: blizzard stubs […]

    Pingback by Spyeye: Father `n Son | Shifting yourself to space — June 5, 2011 @ 1:45 pm | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at