Trojan SpyEye (alias Pincav)

Forum for analysis and discussion about malware.

Re: Trojan SpyEye (alias Pincav)

Postby EP_X0FF » Tue Mar 30, 2010 1:40 pm

Thanks for the samples :)

Seems to be it. It was reviewed by me here.

It is using payload DLL memory injection into running processes. When injecting, the trojan uses a simple loader, so antirootkits will not flag it as hidden, because the Windows loader wasn't used.
The rootkit performs hooking of these functions (if the appropriate DLL is loaded):
ntdll.dll-->NtEnumerateValueKey
ntdll.dll-->NtQueryDirectoryFile
ntdll.dll-->NtResumeThread
ntdll.dll-->NtVdmControl
ntdll.dll-->LdrLoadDll
user32.dll-->TranslateMessage
wininet.dll-->InternetCloseHandle
wininet.dll-->HttpSendRequestA
wininet.dll-->HttpSendRequestW
ws2_32.dll-->send
Ring0 - the source of inspiration
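The hook list above is the kind of thing a defender checks for by comparing each export's first bytes on disk with the bytes seen in a live process. The following is an added example (not code from this thread or from any tool mentioned in it) of that comparison: it flags exports whose in-memory prologue differs from the on-disk copy and decodes the two most common inline-hook stubs (a `jmp rel32` and a `push imm32 / ret`). All prologue bytes and addresses below are constructed for illustration; they are not taken from ntdll, user32, wininet or ws2_32.

```python
"""Added example: detect inline (prologue-patching) user-mode hooks by diffing
on-disk and in-memory prologues of the exports listed in the post above.

All byte strings and addresses here are CONSTRUCTED sample data."""
import struct

JMP_REL32 = 0xE9   # E9 <rel32>
PUSH_IMM32 = 0x68  # 68 <imm32>
RET = 0xC3         # C3


def decode_hook(prologue: bytes, address: int):
    """Return (kind, target) if `prologue` starts with a common inline-hook
    stub, else None.  `address` is the virtual address the prologue lives at,
    needed to resolve a relative jump (target = next_instruction + rel32)."""
    if len(prologue) >= 5 and prologue[0] == JMP_REL32:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return ("jmp_rel32", (address + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[0] == PUSH_IMM32 and prologue[5] == RET:
        return ("push_ret", struct.unpack_from("<I", prologue, 1)[0])
    return None


def check_exports(disk: dict, memory: dict, addresses: dict):
    """disk/memory map 'module!export' -> first bytes of the function as read
    from the file on disk / from the live process.  Returns a list of
    (name, kind, target) for every export whose live bytes differ; kind is
    'modified' with target None when the patch is not a recognised stub."""
    findings = []
    for name, clean in disk.items():
        live = memory.get(name)
        if live is None or live == clean:
            continue                      # unhooked (or not loaded)
        hook = decode_hook(live, addresses[name])
        kind, target = hook if hook else ("modified", None)
        findings.append((name, kind, target))
    return findings


# --- constructed sample data (not real module bytes) -----------------------
CLEAN = b"\x8b\xff\x55\x8b\xec\x83\xec\x0c"          # a typical 8-byte prologue
EXPORT_ADDRESSES = {                                 # hypothetical VAs
    "ntdll.dll!NtResumeThread": 0x7C90D9D0,
    "wininet.dll!HttpSendRequestA": 0x771B1A10,
    "user32.dll!TranslateMessage": 0x7E418BF6,
    "ws2_32.dll!send": 0x71AB4C27,
}
DISK_PROLOGUES = {name: CLEAN for name in EXPORT_ADDRESSES}

HOOK_TARGET_A = 0x00401000   # hypothetical address inside an injected payload
HOOK_TARGET_B = 0x00402000
MEMORY_PROLOGUES = {
    # jmp rel32 to the payload
    "ntdll.dll!NtResumeThread":
        b"\xe9" + struct.pack("<i", HOOK_TARGET_A - (EXPORT_ADDRESSES["ntdll.dll!NtResumeThread"] + 5)) + CLEAN[5:],
    # push imm32 / ret trampoline
    "wininet.dll!HttpSendRequestA":
        b"\x68" + struct.pack("<I", HOOK_TARGET_B) + b"\xc3" + CLEAN[6:],
    # patched with something the decoder does not recognise
    "user32.dll!TranslateMessage": b"\x90\x90\x90\x90\x90\x90\x90\x90",
    # untouched
    "ws2_32.dll!send": CLEAN,
}


def demo():
    """Run the comparison over the constructed data and return the findings."""
    return check_exports(DISK_PROLOGUES, MEMORY_PROLOGUES, EXPORT_ADDRESSES)


if __name__ == "__main__":
    for name, kind, target in demo():
        print(f"{name}: {kind}" + (f" -> 0x{target:08X}" if target is not None else ""))
```

On a real system the `disk` side comes from mapping the module file and resolving its export table, and the `memory` side from reading the same export addresses out of the target process; relocation-adjusted bytes (for example absolute addresses inside the prologue) must be normalised before the comparison or they will show up as false positives.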

Re: Trojan SpyEye (alias Pincav)

Postby vCatcher » Fri Apr 02, 2010 3:05 pm

Hello
Here is a very simple cleaner I wrote. I have tested it with the samples posted in this thread.
I'm not sure which version of the trojan it is, but the cleaner should work on all versions.
I would be thankful for samples when the Trojan changes its file paths or adds self-protection
so I could update the cleaner.

output:
SpyEyeCleaner version v1.00
SpyEye Infection detected,cleaning ...
Removing "C:\cleansweep.exe\cleansweep.exe": OK
Removing "C:\cleansweep.exe\config.bin": OK
Removing "C:\cleansweep.exe": OK
Removing SpyEye autostart key: OK
All SpyEye components removed from system
Now restart system to complete cleaning

link: http://rapidshare.com/files/371173568/S ... r.rar.html
md5 of binary: A99BEB87ECDBA9B6D81113FBB1B5E659

Re: Trojan SpyEye (alias Pincav)

Postby EP_X0FF » Fri Apr 02, 2010 5:47 pm

Hello,

Thank you for your tool and time; perhaps it will be helpful for somebody.

vCatcher wrote: I would be thankful for samples when the Trojan changes its file paths or adds self-protection
so I could update the cleaner.

Sure, of course. If this malware is updated, it will be posted here.

Regards.

Re: Trojan SpyEye (alias Pincav)

Postby cjbi » Sat Apr 03, 2010 2:40 pm

Mutex name is changed to "__SPYNET__".

VirusTotal result

http://www.virustotal.com/analisis/e724 ... 1270298386

Re: Trojan SpyEye (alias Pincav)

Postby EP_X0FF » Mon Jul 05, 2010 5:10 am

Some new info about SpyEye :)

Crapware author name is Gribodemon.

http://www.wasm.ru/forum/viewtopic.php?id=35855 (author has some troubles with NtDeleteFile)
hxxp://forum.zloy.bz/showthread.php?p=4810658
hxxp://damagelab.org/lofiversion/index.php?t=18763&st=30

The links include v1.2 info.

+ some sample from May 2010.

http://www.virustotal.com/analisis/e310f0433fcb9d6ebd49a34e03987ec049d0975db1906800cbc63a97ee79d491-1278309507

Re: Trojan SpyEye (alias Pincav)

Postby EP_X0FF » Mon Jul 05, 2010 6:07 am

vCatcher wrote:Hello
Here is very simple cleaner i wrote.I have tested it with samples posted in this thread.

link: http://rapidshare.com/files/371173568/S ... r.rar.html
md5 of binary:A99BEB87ECDBA9B6D81113FBB1B5E659


The link is dead, so I can't test your tool against the current version I have:
This file is neither allocated to a Premium Account, or a Collector's Account, and can therefore only be downloaded 10 times.
This limit is reached.

Re: Trojan SpyEye (alias Pincav)

Postby PX5 » Tue Jul 06, 2010 2:50 pm

nerukabbcompany.com/fgdhfgvcryegf/bin/build.exe.crypted.exe was first release

nerukabbcompany.com/fgdhfgvcryegf/bin/build.exe is current

nerukabbcompany.com/fgdhfgvcryegf/bin/ is an open directory :lol:
Arrogance led me to my Ignorance

Re: Trojan SpyEye (alias Pincav)

Postby EP_X0FF » Tue Jul 06, 2010 3:09 pm

Thanks :)

The unpacked trojan seems to belong to the newest SpyEye variants, 1.2.4 (with screenshots feature).

The SpyEye executable is now randomly named and placed in a randomly named directory.

Example from an infected machine:
C:\xgukxzrvux.exe\xgukxzrvux.exe

In the attachment you will find SpyEye's config data recovered by me from the bot posted above (archive recovered, SpyEye password removed).

Enjoy.
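vCatcher's cleaner output earlier in the thread shows the fixed layout `C:\cleansweep.exe\cleansweep.exe` plus `config.bin`, and this post shows the same layout under a random name (`C:\xgukxzrvux.exe\xgukxzrvux.exe`). The common shape is a directory at the drive root whose name ends in `.exe` and which contains an executable of the same name. The following is an added example (not vCatcher's cleaner and not anything posted in this thread) of a read-only scanner for that shape. It checks a directory tree you point it at and reports hits without deleting anything; the demo tree it builds in a temporary directory is constructed for illustration, and the autostart key the cleaner removes is out of scope here because the thread does not name it.

```python
"""Added example: read-only scan for the <root>\<name>.exe\<name>.exe layout
described in this thread, with config.bin as a secondary indicator.

The demo tree built by build_demo_tree() is CONSTRUCTED sample data."""
import os
import tempfile


def looks_like_spyeye_dir(path: str) -> bool:
    """True if `path` is a directory whose name ends in .exe and which contains
    a file of exactly the same name (the layout reported in this thread)."""
    if not os.path.isdir(path):
        return False
    name = os.path.basename(path)
    if not name.lower().endswith(".exe"):
        return False
    return os.path.isfile(os.path.join(path, name))


def scan_root(root: str) -> list:
    """Scan the immediate children of `root` (think of it as the drive root)
    and return a list of {'dir': ..., 'config.bin': bool} for every hit."""
    hits = []
    for entry in sorted(os.listdir(root)):
        full = os.path.join(root, entry)
        if looks_like_spyeye_dir(full):
            hits.append({
                "dir": full,
                "config.bin": os.path.isfile(os.path.join(full, "config.bin")),
            })
    return hits


def _write(path: str, data: bytes = b"MZ-placeholder") -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo_tree() -> str:
    """Create a constructed directory tree in a temp dir and return its path.
    Two hits (fixed name from the cleaner output, random name from this post)
    and three benign entries that must not be reported."""
    root = tempfile.mkdtemp(prefix="spyeye_demo_")
    # hit 1: the fixed layout vCatcher's cleaner removed, with config.bin
    _write(os.path.join(root, "cleansweep.exe", "cleansweep.exe"))
    _write(os.path.join(root, "cleansweep.exe", "config.bin"), b"\x00" * 16)
    # hit 2: the random-name layout from this post, no config.bin present
    _write(os.path.join(root, "xgukxzrvux.exe", "xgukxzrvux.exe"))
    # benign: an ordinary directory, a plain .exe file at the root,
    # and a directory ending in .exe that lacks a same-named file
    os.makedirs(os.path.join(root, "Program Files"))
    _write(os.path.join(root, "setup.exe"))
    _write(os.path.join(root, "tools.exe", "readme.txt"), b"not a hit")
    return root


def demo_hit_names() -> list:
    """Scan the constructed tree and return the basenames of the hits."""
    return [os.path.basename(h["dir"]) for h in scan_root(build_demo_tree())]


if __name__ == "__main__":
    for hit in scan_root(build_demo_tree()):
        flag = "with config.bin" if hit["config.bin"] else "no config.bin"
        print(f"suspicious layout: {hit['dir']} ({flag})")
```

The check is deliberately narrow (root-level directory, `.exe` suffix, same-named file inside) so that it matches the two layouts the thread reports and nothing else; on a real machine run it against each drive root and treat a hit as something to triage, not as proof on its own.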

Re: Trojan SpyEye (alias Pincav)

Postby PX5 » Tue Jul 06, 2010 7:21 pm

I think it is this one; it seems very mean, steals my other malware and/or causes other running malware to bug out.

If not, this is the other version I see of cleansweep.exe with cleansweepudp.exe, I think.....think being the keyword here! ;)
