Trojan:Win32/EyeStye.N
Source: Internet | Posted under: 微博相册图床源码 (Weibo album image-hosting source code) | Editor: 程序博客网 (Programmer Blog Network) | Time: 2024/05/29 10:11
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FEyeStye.N&ThreatID=-2147322129
Updated: Aug 08, 2011 | Published: Mar 09, 2011
Aliases
Not available
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Definition: 1.111.939.0
Released: Aug 28, 2011
Detection initially created:
Definition: 1.103.286.0
Released: Apr 22, 2011
Symptoms
System changes
- The presence of the following files:
c:\recycle.bin\recycle.bin.exe
c:\recycle.bin\config.bin
c:\rcss.bin\rcss.bin.exe
c:\rcss.bin\config.bin
c:\poooooooasi\<random name>.exe
c:\montes\montes.exe
c:\montes\config.bin
c:\system.bin\<random name>.exe
c:\system.bin\config.bin
c:\systemtools\<random name>.exe
C:\recycle.bin\<random name>.exe
- Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.
Technical Information (Analysis)
Installation
- settingstravell
- SystemBoot
- SystemSrv
- Global\__Recycle__
- Global\LateFix
- Global\LocksNA
- Global\Skype
- Global\SPYNET
- Global\SystemMo
- Global\SysMsg
- Global\system1
- Global\SystemService
- Global\TaskExp
- Global\WindowsServices
- zXeRY3a_PtW|00000000
- c:\recycle.bin\recycle.bin.exe
- c:\recycle.bin\config.bin
- c:\rcss.bin\rcss.bin.exe
- c:\rcss.bin\config.bin
- c:\poooooooasi\<random name>.exe
- c:\montes\montes.exe
- c:\montes\config.bin
- c:\system.bin\<random name>.exe
- c:\system.bin\config.bin
- c:\systemtools\<random name>.exe
- C:\recycle.bin\<random name>.exe
- cmd.exe
- DRWEB32.EXE
- explorer.exe
- lsass.exe
- svchost.exe
- winlogon.exe
- wmiprvse.exe
Payload
Uses stealth techniques
Win32/EyeStye employs a user-mode rootkit that hooks the following low-level APIs to hide its malicious files, directories and registry data:
NtQueryDirectoryFile
NtVdmControl
NtEnumerateValueKey
NtSetInformationFile
Steals login credentials
When a user visits certain Internet banking sites and enters login credentials, Trojan:Win32/EyeStye.N captures the credentials using a technique known as "form grabbing". The trojan hooks several system APIs to capture login information, such as online banking credentials, web form data and keystrokes. Win32/EyeStye.N hooks the following APIs:
TranslateMessage
NtResumeThread
LdrLoadDll
InternetCloseHandle
HttpSendRequestA
HttpSendRequestW
PR_Write
send
CryptEncrypt
PFXImportCertStore
InternetQueryOptionA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpQueryInfoA
InternetReadFile
InternetQueryDataAvailable
InternetWriteFile
InternetReadFileExA
By hooking the APIs mentioned above, the trojan can also inject malicious code into existing and new processes. This behavior lets the trojan monitor the loading of DLLs and manipulate the information sent and received through the Internet. The trojan attempts to send captured data via HTTP POST to a remote server for collection by an attacker for financial gain. In the wild, we have observed this trojan connecting to one of the following remote servers:
- totdisseny.net
- burgermannnn7719.biz
- 188.72.201.213
- 195.88.191.44
- 212.150.164.200
- 213.155.31.136
- 46.166.131.160
- 46.4.73.27
- 74.50.98.160
- 80.91.191.228
- 95.168.178.220
- adbuleoncacc.info
- alunionylogen.ru
- analservice.eu
- aniani.info/cp
- bannedcellebs.biz
- bezdarniki.com
- californication.co.cc
- domonisteriosters.info
- frandiss.ru
- fullfreepoker.eu
- gallopusik.ru
- globallaty.ru
- gone4awalk.co.cc
- heartmusicjojo.co.cc
- host-checkker.net
- lenuki.ru/forum
- musictherealsouldx.ru
- nowtorrent.ru
- raz7pi7zop.com
- strflproject.com
- webawoke.com
- wefwef34.cz.cc
- eyesecurr657444.net
- youarelucky.ru
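As an added defender-side example (not code from the Microsoft entry), the following PowerShell checks a Windows host's DNS client cache and current TCP connection table against the servers listed above. The two entries that carried a path on the page (aniani.info/cp, lenuki.ru/forum) are reduced to their host names for DNS matching; the cmdlets Get-DnsClientCache and Get-NetTCPConnection assume Windows 8 / Server 2012 or later. The indicators date from the 2011 analysis, so the reusable part is the pattern: keep the list in one place and tie every connection hit to its owning process.

```powershell
# Added example, not code from the Microsoft encyclopedia entry.
# Correlates the C2 servers listed in the entry with this host's DNS cache
# and TCP connection table. Requires the DnsClient and NetTCPIP modules
# (Windows 8 / Server 2012 and later).

$EyeStyeDomains = @(
    'totdisseny.net', 'burgermannnn7719.biz', 'adbuleoncacc.info',
    'alunionylogen.ru', 'analservice.eu', 'aniani.info', 'bannedcellebs.biz',
    'bezdarniki.com', 'californication.co.cc', 'domonisteriosters.info',
    'frandiss.ru', 'fullfreepoker.eu', 'gallopusik.ru', 'globallaty.ru',
    'gone4awalk.co.cc', 'heartmusicjojo.co.cc', 'host-checkker.net',
    'lenuki.ru', 'musictherealsouldx.ru', 'nowtorrent.ru', 'raz7pi7zop.com',
    'strflproject.com', 'webawoke.com', 'wefwef34.cz.cc',
    'eyesecurr657444.net', 'youarelucky.ru'
)
$EyeStyeAddresses = @(
    '188.72.201.213', '195.88.191.44', '212.150.164.200', '213.155.31.136',
    '46.166.131.160', '46.4.73.27', '74.50.98.160', '80.91.191.228',
    '95.168.178.220'
)

function Find-EyeStyeNetworkIndicators {
    [CmdletBinding()]
    param()

    $hits = New-Object System.Collections.Generic.List[object]

    # 1. DNS client cache: a cached record for a listed domain, or any
    #    subdomain of it, means something on this host resolved it recently.
    foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
        $name = $entry.Entry.TrimEnd('.').ToLowerInvariant()
        foreach ($domain in $EyeStyeDomains) {
            if ($name -eq $domain -or $name.EndsWith(".$domain")) {
                $hits.Add([pscustomobject]@{
                    Type      = 'DnsCache'
                    Indicator = $domain
                    Detail    = "$name -> $($entry.Data)"
                })
            }
        }
    }

    # 2. Live TCP connections to a listed address, with the owning process.
    #    The entry says the trojan injects into explorer.exe, svchost.exe and
    #    others, so the process name alone is not a clean/dirty signal; the
    #    remote address is.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $EyeStyeAddresses -contains $_.RemoteAddress }
    foreach ($conn in $conns) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $hits.Add([pscustomobject]@{
            Type      = 'TcpConnection'
            Indicator = $conn.RemoteAddress
            Detail    = ('{0}:{1} state={2} pid={3} ({4})' -f $conn.RemoteAddress,
                         $conn.RemotePort, $conn.State, $conn.OwningProcess,
                         $proc.ProcessName)
        })
    }

    return $hits
}

# Usage: run in an elevated PowerShell session on the host under investigation.
Find-EyeStyeNetworkIndicators | Format-Table -AutoSize
```

A DNS cache hit shows that a name was resolved, not that a session was completed; a TCP hit with the owning PID is the stronger signal, and the process it points at is a candidate for memory acquisition rather than a conclusion, given the injection the entry describes.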
The trojan also accesses the login pages of popular websites such as "facebook.com" to capture the passwords of users of infected systems. When sending captured data, it may include the following additional information:
- Bot guid - unique identifier associated with the trojan
- Trojan:Win32/EyeStye.N version
- User name and privilege
- Computer name
- Volume serial number
- Process name associated with captured data
- Name of hooked API function (for example PR_Write)
- Captured raw data
- Keys logged (keystrokes)
- Other information specific to computer locale such as:
- Local time and time zone
- Operating system language, version and service pack
- Web browser(s) used and version
The trojan modifies registry data that lowers security settings in Internet Explorer Internet Zones and also allows the browser to access data sources across domains.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
With data: "0"
With data: "0"
With data: "0"
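A host-side sweep for the file, mutex and registry indicators given under Symptoms, Installation and the registry list above, written here as an added PowerShell example (it is not from the Microsoft entry). The <random name> files are matched with a wildcard. The names listed under Installation are treated as mutexes; the entry does not say which kind of named object they are, so that is an assumption. The entry names no registry value under the zone keys, so the script checks IE zone action 1406 ("Access data sources across domains"), which is my assumption about the setting the entry describes; in these keys 0 means Enable, 1 Prompt, 3 Disable. Because the trojan hooks NtQueryDirectoryFile and NtEnumerateValueKey in processes it has injected into, a file or registry check run from an infected session can come back clean; a result from a clean boot or an offline-mounted disk is the one to trust.

```powershell
# Added example, not code from the Microsoft encyclopedia entry.
# Sweeps a Windows host for the file, mutex and registry indicators the entry
# lists. Run elevated. An infected session may hide results from this script
# (the rootkit hooks directory and registry enumeration), so prefer a clean boot.

$EyeStyeFilePatterns = @(
    'C:\recycle.bin\recycle.bin.exe', 'C:\recycle.bin\config.bin', 'C:\recycle.bin\*.exe',
    'C:\rcss.bin\rcss.bin.exe',       'C:\rcss.bin\config.bin',
    'C:\poooooooasi\*.exe',
    'C:\montes\montes.exe',           'C:\montes\config.bin',
    'C:\system.bin\*.exe',            'C:\system.bin\config.bin',
    'C:\systemtools\*.exe'
)

# Assumed to be mutex names (the entry lists them under Installation without
# saying which kind of named object they are).
$EyeStyeMutexNames = @(
    'settingstravell', 'SystemBoot', 'SystemSrv', 'Global\__Recycle__',
    'Global\LateFix', 'Global\LocksNA', 'Global\Skype', 'Global\SPYNET',
    'Global\SystemMo', 'Global\SysMsg', 'Global\system1', 'Global\SystemService',
    'Global\TaskExp', 'Global\WindowsServices', 'zXeRY3a_PtW|00000000'
)

$IeSettings = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$EyeStyeZoneKeys = @(
    "$IeSettings\Zones\0", "$IeSettings\Zones\1", "$IeSettings\Zones\2",
    "$IeSettings\Zones\3", "$IeSettings\Zones\4",
    "$IeSettings\Lockdown_Zones\1", "$IeSettings\Lockdown_Zones\3",
    "$IeSettings\Lockdown_Zones\4"
)
# Assumption: the "access data sources across domains" setting the entry
# mentions is IE zone action 1406. 0 = Enable, 1 = Prompt, 3 = Disable.
$CrossDomainDataAction = '1406'

function Test-EyeStyeFiles {
    foreach ($pattern in $EyeStyeFilePatterns) {
        # -Force includes hidden and system files.
        Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Type = 'File'; Indicator = $pattern; Detail = $_.FullName }
            }
    }
}

function Test-EyeStyeMutexes {
    foreach ($name in $EyeStyeMutexNames) {
        try {
            # Opening an existing mutex succeeds only if some process created it.
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            [pscustomobject]@{ Type = 'Mutex'; Indicator = $name; Detail = 'present' }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present: the expected result on a clean host.
        } catch [System.UnauthorizedAccessException] {
            # Exists but this session may not open it; still worth reporting.
            [pscustomobject]@{ Type = 'Mutex'; Indicator = $name; Detail = 'present (access denied)' }
        }
    }
}

function Test-EyeStyeZoneSettings {
    foreach ($key in $EyeStyeZoneKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $value = $props.$CrossDomainDataAction
        if ($null -ne $value -and [int]$value -eq 0) {
            [pscustomobject]@{ Type = 'Registry'; Indicator = $key; Detail = "$CrossDomainDataAction = 0 (Enable)" }
        }
    }
}

function Invoke-EyeStyeHostSweep {
    @(Test-EyeStyeFiles) + @(Test-EyeStyeMutexes) + @(Test-EyeStyeZoneSettings)
}

Invoke-EyeStyeHostSweep | Format-Table -AutoSize
```

The mutex check is the one part of the sweep the rootkit's listed hooks do not interfere with, since it asks the object manager directly rather than enumerating files or registry values; on a live system it is therefore the most dependable of the three, while the file and registry results should be repeated from outside the infected session before being treated as negative.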
Trojan:Win32/EyeStye.N attempts to connect to one of the servers previously mentioned and awaits commands from a remote attacker. Commands could include instructing the trojan to download arbitrary files, which can include updates of the trojan. Successfully downloaded executable files are saved as the following and then run:
Analysis by Tim Liu and Zarestel Ferrer