Acquiring, installing, configuring and using a sophisticated and powerful data-stealing banking Trojan toolkit like SpyEye may sound difficult and expensive, but it is not.
In fact, the toolkit used to infect and hijack computers into a botnet – collecting banking log-in credentials and other financial information – can now be acquired at little or no cost. It is also easy to set up and use.
At the Tel Aviv offices of the Online Threats Managed Services group of RSA, the security division of EMC, the head of the malware research lab, Etay Maor, demonstrates just how easy it is.
“These Trojans are popular with cyber criminals because they are super-easy to operate,” he told Computer Weekly.
Easy as 1-2-3
Maor, who heads up a team of mainly former Israeli intelligence officers dedicated to deep analysis of financial Trojans, said the malware has three basic elements: an infection point, command and control, and a drop point.
The first element is used to infect computer by tricking users into clicking the executable file in a variety of ways such as drive-by infections, malicious PDFs and infected USB sticks.
The second element enables the cyber criminal to issue instructions to the Trojan.
The third element is used for the collection of information harvested from victims.
The first step is acquiring the Trojan, which is simply a matter of downloading a package from the online malware marketplace.
How to configure the Trojan
Next, the Trojan needs to be configured.
First, simply type in a destination (URL) into the two text files contained in the package. One to tell the Trojan where to send the harvested data and the other where to find the Trojan’s command and control.
Second, tell the Trojan what to do. Again, this is extremely easy. The command and control module has a user interface (UI) that looks like just about any other application many people use on a daily basis. All the options are listed and can be activated by simply clicking in the appropriate checkbox.
With a few clicks, the Trojan can be configured to harvest, among other things, credit card numbers, user login credentials at online banking sites, and capture screenshots every time the mouse is clicked to capture any information entered using a keypad displayed on screen. The latest versions of SpyEye offer this option as a series of moving images, says Maor.
The UI even offers the facility to inject fields into legitimate online banking websites to trick victims into entering additional information to make it even easier for cyber criminals to commit fraud.
With configuration complete, all that remains is to open up the SpyEye builder module in the package, enter an encryption key of your choice to protect data communications with the command and control, and click the “get build” button. This builds the customised Trojan to create the file that can be used to infect victims’ computers, and in few seconds, the would-be cyber criminal is all set.
“The important thing to remember at this point is not to click on the newly created file because you don’t want to infect your own machine,” says Maor.
Demonstration of a Trojan at work
He demonstrates how easy it is to use the Trojan by infecting a test computer and using it to log in to an online banking website especially created for demonstration purposes.
The first thing to notice is that the log-in screen displays an additional field specified in the configuration process that asks for the user’s security code, but that does not appear when the site is viewed using a web browser on a clean machine.
The power of the Trojan is then demonstrated by opening up the log file in the command and control console to display all the details harvested. It is all there in an easily readable format: all the information associated with the test account, such as the account number and user log-in credentials. There is also a link that opens a file containing screenshots of the PIN code entered using on onscreen keypad.
Within minutes the would-be cyber criminal has all the information needed to commit fraud, but this stolen data can be converted into cash without going to any other trouble. There is really no need to do anything more because this information can be sold on for profit, says Maor. Cyber criminal chatrooms and forums are full of adverts offering such credentials for sale. Collecting that information really is as easy as 1-2-3.
In this way, online cyber criminal markets are putting very sophisticated attack tools into the hands of more low-level attackers, a trend that will only increase the number of sophisticated cyber threats faced by organisations around the world on a daily basis as almost anyone can join in. No expertise required.
This was first published in September 2012