The SpyEye banking malware continues to infect computers across the world and is proving increasingly difficult to detect and remove from infected Windows PCs, according to researchers from EMC’s RSA Security Division.
SpyEye has been around for over a year and is regarded as the successor to the Zeus banking malware. It emerged after the creator of Zeus, known as Slavik, stopped developing it; another person, known as Harderman, then took over the project, according to Uri Rivner of RSA.
SpyEye is a kit sold to other online criminals and is very easy to use: a buyer does not need much technical skill to conduct a successful attack. A would-be cybercriminal who purchases the kit can use its graphical interface to set up a “drop-zone”, a server designed to receive stolen online banking credentials. SpyEye also ships with configuration files tailored to most online banking websites.
The malware can inject extra fields into a bank’s web page that ask for information such as the user’s credit card number and PIN in addition to the username and password. Because the injection happens inside the victim’s browser, the extra fields appear seamlessly on the legitimate site (the address bar and TLS padlock still show the real bank), but they are fake, and whatever is typed into them is sent to the drop-zone server.
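The following is an added example, not SpyEye’s code and not taken from the article, that models the man-in-the-browser “web inject” described above and shows the page-side check a bank can run against it. The rule format (`data_before` / `data_inject` / `data_after`) is modelled on the publicly documented Zeus-style webinject rules, which is an assumption about SpyEye’s own configuration format; the login form, the inject rule and the host names are constructed for the example.

```javascript
// Added example: a minimal model of a man-in-the-browser web inject and a
// defender-side check for it. Not SpyEye's code. The rule format below is
// modelled on Zeus-style webinject rules (an assumption about SpyEye's
// own format); all HTML and names are constructed sample data.

// Constructed sample: what the bank's server really sends.
const ORIGINAL_LOGIN_HTML = `
<form id="login" action="/auth" method="post">
  <label>User ID <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Sign in</button>
</form>`;

// Constructed inject rule: "after the password field, insert two more
// fields". url_mask is a hypothetical target pattern.
const INJECT_RULE = {
  url_mask: "https://bank.example/login*",
  data_before: '<label>Password <input name="password" type="password"></label>',
  data_inject: `
  <label>Card number <input name="card_number"></label>
  <label>ATM PIN <input name="pin" type="password"></label>`,
  data_after: "<button",
};

// Apply a rule to the HTML the browser is about to render. The malware
// hooks the browser's network functions, so this runs on the client after
// TLS decryption: the address bar and padlock still show the real bank.
function applyInject(html, rule) {
  const start = html.indexOf(rule.data_before);
  if (start === -1) return html; // anchor text not on this page, rule does not fire
  const cursor = start + rule.data_before.length;
  const end = html.indexOf(rule.data_after, cursor);
  if (end === -1) return html;
  // Replace whatever sits between data_before and data_after with the payload.
  return html.slice(0, cursor) + rule.data_inject + html.slice(end);
}

// Pull input names out of the form. A regex is adequate for this
// constructed HTML; a real check would walk the DOM instead.
function inputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Defender-side check a bank can embed in its own page script: the server
// knows exactly which fields its login form contains, so any other input
// was added on the client. Report rather than block, so the telemetry
// reaches the bank's fraud team.
function unexpectedFields(html, expected) {
  const allow = new Set(expected);
  return inputNames(html).filter((n) => !allow.has(n));
}

const EXPECTED_LOGIN_FIELDS = ["username", "password"];
const tampered = applyInject(ORIGINAL_LOGIN_HTML, INJECT_RULE);

console.log("clean page  :", unexpectedFields(ORIGINAL_LOGIN_HTML, EXPECTED_LOGIN_FIELDS));
console.log("injected page:", unexpectedFields(tampered, EXPECTED_LOGIN_FIELDS));
```

The check only sees fields the inject added to the form markup; an inject that rewrites the page script itself can also disable the check, which is why banks that deployed this kind of field-count telemetry treated it as a detection signal rather than a control.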
People are also unlikely to notice that they have been infected by SpyEye. According to Rivner, “Getting infected is very, very easy.” One route is visiting a legitimate website that an attacker has tampered with: the site contains a 1×1-pixel iframe that pulls JavaScript from a different server, and that script probes the visitor’s computer for unpatched software to exploit. The United States Treasury website was modified in exactly this way last year to deliver the Zeus trojan.
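As an added example (not from the article or from RSA), here is a crude static check for the drive-by pattern just described: a hidden, effectively invisible iframe on a compromised page that loads content from a third-party host. The page HTML and host names are constructed for the example, and the first-party host name is a hypothetical value.

```javascript
// Added example: scan fetched HTML for tiny or hidden iframes that point
// off-site, the hallmark of the compromised-page drive-by described in
// the article. The sample page and host names are constructed.

const SITE_ORIGIN = "www.example-bank.test"; // hypothetical first-party host

const COMPROMISED_PAGE = `<html><body>
<h1>Welcome</h1>
<iframe src="https://cdn.evil-host.test/x.php" width="1" height="1" frameborder="0"></iframe>
<img src="/logo.png" width="120" height="40">
<iframe src="https://www.example-bank.test/help" width="600" height="400"></iframe>
</body></html>`;

// Read one attribute out of a tag string. Handles double-quoted,
// single-quoted and bare values; good enough for a triage script, not a
// substitute for a real HTML parser.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Resolve relative URLs against the site so "/frame.html" is first-party.
function hostOf(url) {
  try {
    return new URL(url, `https://${SITE_ORIGIN}/`).hostname;
  } catch (e) {
    return null;
  }
}

// Return iframes that are both hidden (1x1 or smaller, or hidden by
// inline style) and sourced from a host other than the page's own.
function suspiciousIframes(html, siteHost = SITE_ORIGIN) {
  const hits = [];
  const re = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[0];
    const src = attr(tag, "src");
    const wAttr = attr(tag, "width");
    const hAttr = attr(tag, "height");
    const w = parseInt(wAttr === null ? "0" : wAttr, 10);
    const h = parseInt(hAttr === null ? "0" : hAttr, 10);
    const style = attr(tag, "style") || "";
    const hiddenByStyle = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(style);
    const tiny = wAttr !== null && hAttr !== null && w <= 1 && h <= 1;
    const host = src ? hostOf(src) : null;
    if (host && host !== siteHost && (tiny || hiddenByStyle)) {
      hits.push({ src, host, width: w, height: h });
    }
  }
  return hits;
}

console.log(suspiciousIframes(COMPROMISED_PAGE));
```

Run it over HTML fetched from a site you operate (or from a proxy log) rather than in the browser: the point is to catch the injected tag in the served content, since the exploit script it loads will already be fingerprinting plugin and browser versions by the time a client-side check could run.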
SpyEye uses a number of tricks to stay concealed. It injects itself into legitimate DLLs and can delete its own installation files, leaving little on disk and making it very hard to find. Microsoft announced on Wednesday that it is updating its Malicious Software Removal Tool (MSRT) to detect malware in the SpyEye family.
While this is good news for users, the MSRT may struggle to keep up. According to RSA Chief Security Strategist Jason Rader, even full-featured antivirus suites often miss new SpyEye variants, taking an average of 45 days to add detection for a fresh one. The MSRT, moreover, only detects malware that is already running on the machine; it cannot prevent a Windows PC from being infected by SpyEye in the first place, something some antivirus suites may be able to do.
Source: Network World – SpyEye malware continues to plague computers