Friday, June 29, 2012

Operation High Roller - How to block SpyEye and Zeus

Recently McAfee, together with Guardian Analytics, detected a massive online bank fraud. According to the analysis report (Dissecting Operation High Roller) published by McAfee, modified Zeus and SpyEye trojans were used to steal money (around 60M Euro) from corporate bank accounts. A list of MD5 hashes for samples used in the fraud can be found here.

Some key facts: 

  • SpyEye and Zeus have been known for years. Zeus first appeared in 2007, SpyEye in 2009. A lot of technical analyses exist which describe their internals.
  • Neither SpyEye nor Zeus uses any 0-day exploits to infect systems.
  • According to the McAfee report the modifications include new modules to bypass two-factor physical authentication, rootkits to prevent AV detection and a lot of server-side automation.
Some Joe Sandbox 6.0.0 analysis reports (cookbook: detect e-Banking trojan):

According to our analysis, the three samples listed above work successfully on XP, Vista, W7 and W7 x64.

One of the keys to identifying / detecting Zeus and SpyEye successfully is their process injection and hooking behavior. It starts with a code or PE file injection into explorer.exe:


Instead of creating a remote thread (which may lead to detection by a HIPS), a frequently called function (NtClose) is overwritten with a call stub which redirects execution to the previously injected payload:
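A user-mode check for the hooking step just described, added here as an example and not code from Joe Security or from the McAfee report: given the prologue bytes of a 32-bit ntdll Nt* stub read out of a process, it reports whether the stub still starts with the original syscall sequence or has been replaced by a redirection stub, and where that stub points. The byte sequences, the address STUB_VA and the set of stub shapes it recognizes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A clean 32-bit ntdll Nt* stub (NtClose included) begins with
 * "mov eax, <syscall number>" (B8 imm32). A stub redirected as described
 * above instead begins with a trampoline into the injected payload.
 * The shapes below are common trampolines, not a complete list. */
enum hook_kind {
    HOOK_NONE = 0,     /* B8 imm32: original syscall stub */
    HOOK_JMP_REL32,    /* E9 rel32 */
    HOOK_PUSH_RET,     /* 68 imm32 ; C3 */
    HOOK_MOV_JMP_EAX,  /* B8 imm32 ; FF E0 */
    HOOK_JMP_ABS,      /* FF 25 disp32: jmp dword ptr [addr] */
    HOOK_UNKNOWN       /* too short, or a shape this checker does not know */
};

/* Classify the first 'len' bytes of the stub located at 'stub_va' in the
 * inspected process. On a hook, *target receives the resolved destination
 * (for FF 25: the address of the pointer cell) so it can be compared with
 * memory regions that were written into the process from outside. */
enum hook_kind classify_nt_stub(const uint8_t *p, size_t len,
                                uint32_t stub_va, uint32_t *target)
{
    enum hook_kind kind = HOOK_UNKNOWN;
    uint32_t imm = 0, dest = 0;
    if (len >= 5) {
        memcpy(&imm, p + 1, 4);                 /* little-endian imm32/rel32 */
        if (p[0] == 0xE9) { kind = HOOK_JMP_REL32; dest = stub_va + 5 + imm; }
        else if (p[0] == 0x68 && len >= 6 && p[5] == 0xC3) { kind = HOOK_PUSH_RET; dest = imm; }
        else if (p[0] == 0xFF && len >= 6 && p[1] == 0x25) { kind = HOOK_JMP_ABS; memcpy(&dest, p + 2, 4); }
        else if (p[0] == 0xB8 && len >= 7 && p[5] == 0xFF && p[6] == 0xE0) { kind = HOOK_MOV_JMP_EAX; dest = imm; }
        else if (p[0] == 0xB8) kind = HOOK_NONE;
    }
    if (target) *target = dest;
    return kind;
}

/* Convenience wrapper returning only the resolved destination (0 if clean). */
uint32_t hook_target(const uint8_t *p, size_t len, uint32_t stub_va)
{
    uint32_t t = 0;
    classify_nt_stub(p, len, stub_va, &t);
    return t;
}

/* Constructed sample prologues at a constructed address (not bytes or
 * addresses captured from a High Roller sample). */
#define STUB_VA 0x77001000u
const uint8_t STUB_CLEAN[]   = {0xB8,0x19,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x04,0x00};
const uint8_t STUB_JMP[]     = {0xE9,0x56,0x34,0x12,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12};
const uint8_t STUB_PUSHRET[] = {0x68,0x00,0x00,0x40,0x02, 0xC3, 0xFE,0x7F,0xFF,0x12};
```

Legitimate software (debuggers, some security products) also patches ntdll stubs, so a hit is an indicator to correlate with the injection events, not a verdict on its own.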


Right after that, the payload starts from the trusted explorer.exe context and injects into other system processes using the same technique:


Once the victim starts browsing to do online banking, the trojan injects itself into the browser to finally execute its payload (redirecting money to a foreign bank account):


The described code injection attack is not new and has been in use for a long time. Therefore it is well detected by HIPS and AVs. It is all the more surprising that the trojan was that successful. Inside the report "Dissecting Operation High Roller" we could not find any information about installed AV, HIPS or other protection software on the victims' systems.

To demonstrate how easy it is to protect a system from being infected, we developed a simple device driver. Check out the following Joe Sandbox report to understand what the driver is doing:

Explorer Protect Report

The driver hooks NtWriteVirtualMemory. NtWriteVirtualMemory is called by WriteProcessMemory, which is used to inject code into a foreign process. The driver terminates every process that calls WriteProcessMemory with explorer.exe as the target:

The following report shows the execution of a High Roller sample right after the protection driver has been loaded:

High Roller Sample with Explorer Protect

The source code of the driver can be found here.