Shifting yourself to space

June 5, 2011

Spyeye: Father `n Son

Filed under: Uncategorized — shift32 @ 1:45 pm
Tags: , , , , ,

I do not work much on SpyEye, I only get a chance to view it on my days off nowadays, hence the slow progress, but here’s my latest progress with SpyEye.

Also, a short tip before I start digging a bit – I found that the collaboration of IDA and OllyDBG together (if you got two screen [ I don’t have two screen though 😦 ] ) is quite great, how is this possible some of you might ask ?
Well, you can use OllySync + IDA-Sync plugins in order to share comments etc
The plugin is a bit outdated and I plan to rewrite it a bit (though Pedram has done great work)
When trying to set function names in OllySync the IDA-Sync server fails to interpret it well, but comments are amazing and IDA’s analysis adds quite alot of information.

It seems that I was mistaken in my previous post , the function which I stepped into was not the decryption stub of anything, it was only an initial check of the system and grabbing some basic info about what’s what and where
basically, the function consisted of fetching the computer’s name, the windows version, and some other details which are not that interesting for us.

It seems that SpyEye’s resource section play an important role in it’s infection process, section C2 and C3 are the sections which SpyEye holds the compressed configuration and sections SC1 and SC2 (I might be mistaken here with the exact names, but they do reside under the “SC” dir in the resources) hold the parasite code

After gathering all the information SpyEye needs from the basic initialization function, SpyEye creates a mutex and constantly checks for the Volume:\algonic\ directory existence, the reason for that is because that’s where SpyEye creates it’s reboot-killer executable named algonic.exe, it also contains the config.bin which has all the juicy information and plugins one wants to obtain once SpyEye reversed.

SpyEye frequently calls RtlAdjustPrivilege in order to get max privileges and infect processes with it’s parasite (inside the resource dir).
Also – a small hint to those who fear the “600 functions spyeye contains” – the reason SpyEye holds so “many” functions is quite simple – SpyEye doesn’t import/export all the functions it uses, if the author would’ve been smarter, he would’ve used only GetProcAddress and used the PEB to get the kernel32.dll base address
SpyEye uses some sort of “special” macro which uses a classical technique to walk through the dll the function resides in and find it, it has a hardcoded value of the hash it’s looking for and whenever someone wants to call any function it just wraps it around some wrapper function
This could be easily evaded by writing some sort of pattern matching function
Since the function which finds the dll and walks through it is the same, and the push order is always the same to find the function – a simple pattern matching procedure could name all those functions by simple instrumentation

Another thing I wanted to discuss is the infection process, which I found a bit nice,
SpyEye calls CreateToolhelp32Snapshot to get a list of all running processes and walks through them using Process32Next, each time it finds a process which isn’t csrss, smss, or System (which are critical system processes :/) it injects itself into, the parasite injection process is as follows:

1. Spyeye Calls OpenProcess(CREATE_THREAD | VM_READ | VM_WRITE | QUERY_INFORMATION,FALSE,1144 /* explorer.exe */);
2. Called NtAllocateVirtualMemory in the remote process at address 0F60000 (RWE)
3. I started debugging explorer.exe and found the page spyeye is going to inject itself into and set a memory on access breakpoint
4. Spyeye Calls NtWriteProcessMemory
5. Called CreateRemoteThread to create a new thread for spyeye malicious parasite
6. Called WaitForSingleObject to figure out that the thread was injected correctly (?)
7. Called GetExitCodeThread to see if it was injected successfully

After that, the parasite SpyEye injected has finished executing or is executing at the moment, the parasite, from what I’ve seen so far does the following things:

1. open Volume:\algonic\
2. write Volume:\algonic\algonic.exe
3. execute Volume:\algonic\algonic.exe
4. delete the original malware executable using DeleteFileA
5. sleep
6. call ExitThread

I might be missing the whole hooking part, as while I’m writing this document seems to be part I’m currently debugging
As I’ve written previously – SpyEye has a loop which walks through all the processes and injects itself into them, somewhere inside it it performs the hooking process

I hope you’ve enjoyed this although it lacked assembly information, I’ll however try to edit the post and add some assembly code too.


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at