Following the news that Virgin Media has warned 1,500 customers about a malicious virus called SpyEye, SecureWorks made the following comments about this latest threat.
“In January 2010, an individual announced the development and sale of a new toolkit known as SpyEye. It was heavily targeted in online criminal web forums as a low-cost, “ZeuS Killer” alternative and aimed to combine the best features of ZeuS and SpyEye into a “best-of-breed” crimeware toolkit.
While it's a relative newcomer to the marketplace, the SpyEye Trojan has quickly grown into one of the most popular toolkits available. Since then there have been various developments, including rumours of the sale of ZeuS source code to the author of SpyEye; possibly of more interest is that there has been a significant uptick in the use of SpyEye for online banking fraud.
“SpyEye provides a standard set of capabilities that have been commonly found in malware over the past few years and it is able to:
* Modify web content – on-the-fly – without user knowledge
* Steal data entered into HTML forms, such as online banking account credentials, eBay login details – in fact any user-submitted information
* Take screenshots of the web browser when a user navigates to a targeted website
* Instrument additional processes to attempt to steal additional account credentials (e.g. FTP (File Transfer Protocol) and POP3 (Post Office Protocol 3)) from network communications
“Current versions of SpyEye contain rootkit capabilities that attempt to hide the presence of its files from casual examination of an infected system.
In addition, the Trojan attempts to make several registry additions and modifications to Internet Explorer settings in an attempt to lower the security posture of the infected computer.
“The SpyEye Trojan continues to become an increasingly popular choice as a toolkit for criminals looking to profit from online financial fraud. This continuous evolution necessitates monitoring new versions of SpyEye, SpyEye configurations, and any new plugins that are incorporated by individual customers to obtain a full view of the threat landscape posed by SpyEye. As a result, comprehensive monitoring of networks 24/7 in real time, across multiple levels of security, is vital so that organisations have a clear picture of what’s going on both in and outside their networks. Having a true 360-degree view of your network increases the chances of combating sophisticated and targeted attacks at any security layer.”