A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12688  by rkhunter
 Fri Apr 13, 2012 2:09 pm
EP_X0FF wrote:SpyEye was much more widely spread on black market than for example TDL.
Oh, I know, and this is one of the reasons that the SpyEye guys were identified and are defendants in the ZBot botnet "taken down" story.
 #12957  by hx1997
 Mon Apr 30, 2012 8:27 am
kevinfisher wrote:Hi,

Anyone has a sample of this?
https://www.virustotal.com/file/99da9cc ... /analysis/
a) name: Artemis!D0BBB116666C
b) SHA256: 99da9ccef2a9d110a0059c56bb9c2a11cfe0c68c8ef00251befc27f6d26d56d7

Thanks!
Hi, 99da9ccef2a9d110a0059c56bb9c2a11cfe0c68c8ef00251befc27f6d26d56d7 in the attachment.
Attachments
infected
(169.71 KiB) Downloaded 79 times
 #13327  by Flamef
 Sun May 20, 2012 3:48 pm
Found a video on how to unpack SpyEye, and it seemed interesting: http://www.youtube.com/watch?v=ns7fQhSN ... tu.be&hd=1 .
It says that the config password can be found in Explorer.exe (where SpyEye injects its code). Is this possible? If yes, I guess you must be experienced in order to accomplish it.
I just read somewhere that SpyEye hooks several APIs, including HttpSendRequestA. It hooks HttpSendRequestA in order to monitor visited URLs and search engine queries, as well as to steal credentials for any websites the user logs into, right?
By the way, is there any effective way to determine the purpose of hooked APIs? For example, why does SpyEye hook InternetWriteFile etc.?
Any other way than debugging it?
 #13333  by EP_X0FF
 Sun May 20, 2012 5:46 pm
Flamef wrote:It says that the config password can be found in Explorer.exe (where SpyEye injects its code). Is this possible?
Yes.
Flamef wrote:If yes, I guess you must be experienced in order to accomplish it.
No.
Flamef wrote:I just read somewhere that SpyEye hooks several APIs, including HttpSendRequestA. It hooks HttpSendRequestA in order to monitor visited URLs and search engine queries, as well as to steal credentials for any websites the user logs into, right?
Yes.
Flamef wrote:By the way, is there any effective way to determine the purpose of hooked APIs?
RE + live analysis + network activity analysis. There are no easy ways.
Flamef wrote:For example, why does SpyEye hook InternetWriteFile etc.?
It grabs login info and cookies for websites to let SpyEye plugins modify request headers before sending the request. So before calling the real InternetWriteFile, the params of this routine are passed to SpyEye plugins that have a Callback_ChangePostRequest function. Of course the plugin must support this callback.
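Added example (not code from this thread, from SpyEye, or from any of the posters): the thread's answer to "how do I find out what a hooked API does" is RE plus live and network analysis, and the first step of that work is locating the hooks. The program below shows the standard detection check a defender runs against a process such as explorer.exe: diff the first bytes of each wininet export as mapped in the process against the pristine copy from the DLL on disk, and decode the common 32-bit trampoline forms (jmp rel32, push/ret, jmp [abs]) to find where the redirect lands, which is the address you then hand to the disassembler. It is portable C operating on captured byte snapshots, so the export names, virtual addresses, prologue bytes and hook targets in the table are all constructed for the example; on a real system the snapshots would come from ReadProcessMemory and a relocated copy of the file.

```c
/* Added example: classify wininet export prologues as clean or hooked by
 * diffing mapped bytes against the on-disk copy. Every address and byte
 * pattern below is constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,      /* mapped bytes match the on-disk copy */
    HOOK_JMP_REL32,     /* E9 rel32 written over the prologue */
    HOOK_PUSH_RET,      /* 68 imm32 C3 written over the prologue */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32: jmp dword ptr [disp32] */
    HOOK_UNKNOWN_PATCH  /* bytes differ, but not a trampoline we decode */
} HookKind;

typedef struct {
    HookKind kind;
    uint32_t target;     /* decoded redirect target (or pointer slot); 0 if none */
    size_t   first_diff; /* offset of the first differing byte */
} HookReport;

/* Little-endian 32-bit read, independent of host endianness. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Compare `len` prologue bytes of an export as mapped in the process (`mem`, at
 * virtual address `mem_va`) with the relocated on-disk copy (`disk`). */
HookKind classify_prologue(const uint8_t *disk, const uint8_t *mem, size_t len,
                           uint32_t mem_va, HookReport *out)
{
    size_t i = 0;
    memset(out, 0, sizeof *out);
    while (i < len && disk[i] == mem[i]) i++;
    if (i == len) return out->kind = HOOK_NONE;
    out->first_diff = i;
    if (i == 0 && len >= 5 && mem[0] == 0xE9) {                           /* jmp rel32 */
        out->kind = HOOK_JMP_REL32;
        out->target = mem_va + 5 + rd32(mem + 1);  /* unsigned wrap, like the CPU */
    } else if (i == 0 && len >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) { /* push imm32; ret */
        out->kind = HOOK_PUSH_RET;
        out->target = rd32(mem + 1);
    } else if (i == 0 && len >= 6 && mem[0] == 0xFF && mem[1] == 0x25) { /* jmp [disp32] */
        out->kind = HOOK_JMP_INDIRECT;
        out->target = rd32(mem + 2);               /* address of the pointer slot */
    } else {
        out->kind = HOOK_UNKNOWN_PATCH;
    }
    return out->kind;
}

#define PROLOGUE_LEN 8
typedef struct {
    const char *name;
    uint32_t    va;   /* hypothetical address of the export inside the process */
    uint8_t     disk[PROLOGUE_LEN];
    uint8_t     mem[PROLOGUE_LEN];
} ExportSnapshot;

/* Hotpatch-style "mov edi,edi; push ebp; mov ebp,esp" plus made-up filler. */
#define CLEAN_PROLOGUE { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 }

/* Constructed snapshots: two trampolines, one indirect jump, one clean export,
 * and one byte patched past the entry point. Targets 0x00A5xxxx stand in for
 * an injected region that is not backed by any module on disk. */
static const ExportSnapshot samples[] = {
    { "HttpSendRequestA",  0x771A2F10, CLEAN_PROLOGUE, { 0xE9, 0xEB, 0xE0, 0x8A, 0x89, 0x83, 0xEC, 0x10 } },
    { "InternetWriteFile", 0x771B4420, CLEAN_PROLOGUE, { 0x68, 0x00, 0x20, 0xA5, 0x00, 0xC3, 0xEC, 0x10 } },
    { "HttpOpenRequestA",  0x771A2C00, CLEAN_PROLOGUE, { 0xFF, 0x25, 0x10, 0x30, 0xA5, 0x00, 0xEC, 0x10 } },
    { "InternetReadFile",  0x771B4080, CLEAN_PROLOGUE, CLEAN_PROLOGUE },
    { "HttpSendRequestW",  0x771A3100, CLEAN_PROLOGUE, { 0x8B, 0xFF, 0x55, 0xCC, 0xEC, 0x83, 0xEC, 0x10 } },
};

size_t sample_count(void) { return sizeof samples / sizeof samples[0]; }

/* Classify one snapshot from the table and return the full report. */
HookReport sample_report(size_t i)
{
    HookReport r;
    classify_prologue(samples[i].disk, samples[i].mem, PROLOGUE_LEN, samples[i].va, &r);
    return r;
}

/* Number of table entries whose mapped prologue no longer matches disk. */
size_t hooked_sample_count(void)
{
    size_t i, hooked = 0;
    for (i = 0; i < sample_count(); i++)
        if (sample_report(i).kind != HOOK_NONE) hooked++;
    return hooked;
}

int main(void)
{
    static const char *kinds[] = { "clean", "jmp rel32", "push/ret", "jmp [abs]", "unknown patch" };
    size_t i;
    for (i = 0; i < sample_count(); i++) {
        HookReport r = sample_report(i);
        printf("%-18s %-14s target=0x%08X first_diff=%zu\n",
               samples[i].name, kinds[r.kind], r.target, r.first_diff);
    }
    printf("%zu of %zu exports hooked\n", hooked_sample_count(), sample_count());
    return 0;
}
```

The decoded target is what makes the report useful: a trampoline that lands in a region with no backing module on disk is the strongest signal, and the same comparison applied to InternetWriteFile and HttpSendRequestA is how an analyst confirms the hook set before moving on to the dynamic and network analysis the reply above recommends.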