A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8627  by Xylitol
 Mon Sep 19, 2011 11:05 am
bullshit this exploit is for SpyEye 1.0, and ripped.
I would not be astonished if the guys who ripped it even don't know how to use.

ripped spl0it: http://pastebin.com/F46U8zwK
Original: http://pastebin.com/gZtcpYZm

More ripped stuff: http://pastebin.com/T0pUiEJp
Original: http://www.promon.no/spyeye.html

i've flamed this guys on twitter (@sanjar_satsura)
@sanjar_satsura:
hi. hmmm.... and о what are you guy? and what profit u search ? I only translate xploit and post it on RW. plz contact me icq : 553769102.
also i don't know if r00tw0rm.com is associated with 1337day/inj3ct0r team, but if yeah, 1337day are known for carding, cf Owned And Exposed Issue 2 exposed also on seclists http://seclists.org/pen-test/2009/Nov/16
 #8915  by kmd
 Sun Oct 02, 2011 8:28 am
how do you guys know which spyeye version it is?
i mean how to decide if this is 1.3.39 or 1.3.44?
 #8916  by EP_X0FF
 Sun Oct 02, 2011 8:34 am
kmd wrote:how do you guys know which spyeye version it is?
i mean how to decide if this is 1.3.39 or 1.3.44?
By analyzing network packets from the infected machine for example. SpyEye will tell version itself while initial call home. Get a packets sniffer for example Wireshark, setup it to capture packets. Run bot, stop capture. Filter packets by HTTP protocol. If there is no network activity usually spyeye "call home" request will be first in the list. Follow designated TCP stream and you will see something like on picture below.

Image

SpyEye "call home" is encrypted by xor base64 encoded string. IIRC earlier this was simple plain text.

1. decode it from base64 to str
2. i=0 for each i in str do str xor 0xDB

if everything is fine result will be something like this

guid=5.1.2600!LABQU39!00D0D8B3&ver=10348&ie=6.0.2900.5512&os=5.1.2600&ut=Admin&ccrc=4B503A40&md5=a49835fda8df29744efd6e7bf49dfa6e&plg=customconnector&wake=90&stat=online


bot version highlighted, SpyEye v1.3.48
Last edited by EP_X0FF on Sun Oct 02, 2011 8:39 am, edited 1 time in total. Reason: added screenshot
 #8918  by Xylitol
 Sun Oct 02, 2011 10:09 am
Here is my SpyEye Encoder/Decoder: http://xylithreats.free.fr/encodedecode.php

Also @EP, i've found a 'tinyurl generator' by brute forcing dirs:
Code: Select all
http://263rdasd.com/q/
Edit: found another dir 'sms spy'
Code: Select all
http://263rdasd.com/sms/
Edit2: found this Index Of/
Code: Select all
http://263rdasd.com/xyz/
jabber.php
ok.php
send.php
api.php
/banks/
/log/
/jaxl/
Edit3:
Code: Select all
http://263rdasd.com/icons/
Always no trace of formgrabber :(

Edit4:
Code: Select all
http://263rdasd.com/client/maincp/
Found the CN1, no trace of SYN1.

Edit5: SYN1 found.
Code: Select all
http://263rdasd.com/client/frmcp/
fuckyeah
Last edited by Xylitol on Sun Oct 02, 2011 2:32 pm, edited 5 times in total.
 #8919  by EP_X0FF
 Sun Oct 02, 2011 10:31 am
@Xylitol

that's funny :)

----------------------

SpyEye v1.3.4x

Pass for decrypted config: 807DB4B3E92FC376EAC861BB9D0E9307

All gates are down.
_ttp://alpha.supportman.su/stats.php;500
_ttp://beta.demand.su/stats.php;500
Plugins: customconnector

Original, decrypted + config in attach.
Attachments
pass: malware
(548.55 KiB) Downloaded 79 times
 #8945  by Xylitol
 Tue Oct 04, 2011 6:54 am
SpyEye 1.3.48 sample include support for FF7 and FF8.

In attach some old samples.

hackhound.exe: 37/43 >> 86.0%
http://www.virustotal.com/file-scan/rep ... 1317710622

principe.exe: 37/43 >> 86.0%
http://www.virustotal.com/file-scan/rep ... 1317710743

spyeye100.exe: 35/41 >> 85.4%
http://www.virustotal.com/file-scan/rep ... 1317710790

ambler.exe: 39/43 >> 90.7%
http://www.virustotal.com/file-scan/rep ... 1317710821
Attachments
pwd: xylibox
(394.47 KiB) Downloaded 60 times
 #8954  by sugipula
 Tue Oct 04, 2011 3:57 pm
I have a question maybe you can answer me.
I saw how you can send custom data to the gate using your encoder , then POST.

My question is , is it possible to do the same thing to collector?
If you have IP:PORT of collector , is it possible to submit fake data?
If yes , how?

PS : Also , where can I get more spyeye samples?
 #8955  by wacked
 Tue Oct 04, 2011 5:21 pm
It is perfectly possible but the collector uses a different protocol.
The only information (I could find) about it is here.
So you have the reverse-engineer the protocol yourself.

@Xylitol: As far as I see it there should be no reason why it shouldn't. There is no change in neither PR_Read, nor PR_Write.

Also, has anybody any information about the ActiveAZ plugin?
  • 1
  • 25
  • 26
  • 27
  • 28
  • 29
  • 42