
Trojan:Win32/EyeStye.N


Trojan:Win32/EyeStye.N is a trojan that logs keystrokes, monitors Internet activity and steals certain logon credentials, then sends the captured data to a remote attacker for financial gain. The trojan may download additional malware, lower web browser security and use a rootkit to hide its malicious activity.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

This trojan attempts to steal sensitive and confidential information from affected users to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

Additional remediation instructions for Trojan:Win32/EyeStye.N

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

 

Threat behavior

Trojan:Win32/EyeStye.N is a trojan that logs keystrokes, monitors Internet activity and steals certain logon credentials, then sends the captured data to a remote attacker for financial gain. The trojan may download additional malware, lower web browser security and use a rootkit to hide its malicious activity.
Installation
The trojan may be installed by other malware such as TrojanDropper:Win32/EyeStye, TrojanDownloader:Win32/Bredolab, TrojanDownloader:Win32/Waledac and Backdoor:Win32/Kelihos. When run, the trojan creates a uniquely named mutex so that only one instance of itself executes. In the wild, we have observed the trojan using the following mutex names:
  • settingstravell
  • SystemBoot
  • SystemSrv
  • Global\__Recycle__
  • Global\LateFix
  • Global\LocksNA
  • Global\Skype
  • Global\SPYNET
  • Global\SystemMo
  • Global\SysMsg
  • Global\system1
  • Global\SystemService
  • Global\TaskExp
  • Global\WindowsServices
  • zXeRY3a_PtW|00000000
Trojan:Win32/EyeStye.N creates the following files on an affected computer:
 
  • c:\recycle.bin\recycle.bin.exe
  • c:\recycle.bin\config.bin
  • c:\rcss.bin\rcss.bin.exe
  • c:\rcss.bin\config.bin
  • c:\poooooooasi\<random name>.exe
  • c:\montes\montes.exe
  • c:\montes\config.bin
  • c:\system.bin\<random name>.exe
  • c:\system.bin\config.bin
  • c:\systemtools\<random name>.exe
  • C:\recycle.bin\<random name>.exe
 
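The mutex names and drop directories listed above can be swept for on a live host. The following PowerShell is an added example written for this write-up, not Microsoft tooling; it assumes an elevated session on the suspect machine, takes the fifteen mutex names verbatim from the list above, and treats the six directories under the system drive root as the file indicators (the <random name>.exe entries cannot be matched by name). Because the user-mode rootkit described under Payload hooks NtQueryDirectoryFile, a directory listing taken from a process the trojan has injected may not show the files, so a mutex hit is the more dependable live indicator and a clean file sweep does not clear the host.

```powershell
# Added example for this write-up (not Microsoft code). Sweeps a live host for the
# EyeStye.N mutex names and drop directories listed above. Assumes an elevated
# PowerShell session so that Global\ objects and the system drive root are readable.

$EyeStyeMutexes = @(
    'settingstravell', 'SystemBoot', 'SystemSrv',
    'Global\__Recycle__', 'Global\LateFix', 'Global\LocksNA', 'Global\Skype',
    'Global\SPYNET', 'Global\SystemMo', 'Global\SysMsg', 'Global\system1',
    'Global\SystemService', 'Global\TaskExp', 'Global\WindowsServices',
    'zXeRY3a_PtW|00000000'
)

# Directories the trojan creates under the system drive root. The <random name>.exe
# variants cannot be matched by name, so the directory itself is the indicator.
$EyeStyeDropDirs = @('recycle.bin', 'rcss.bin', 'poooooooasi', 'montes', 'system.bin', 'systemtools')

function Test-EyeStyeMutex {
    param([string[]]$Names = $EyeStyeMutexes)
    foreach ($name in $Names) {
        $existing = $null
        try {
            # TryOpenExisting only opens a mutex that is already present; it never
            # creates one, so the check leaves no artefact of its own on the host.
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$existing)) {
                $existing.Dispose()
                [pscustomobject]@{ Indicator = 'Mutex'; Value = $name; Note = 'present' }
            }
        } catch [System.UnauthorizedAccessException] {
            # The object exists but another security context owns it: still a hit.
            [pscustomobject]@{ Indicator = 'Mutex'; Value = $name; Note = 'present, access denied' }
        }
    }
}

function Test-EyeStyeDropDir {
    param([string]$Root = "$env:SystemDrive\")
    foreach ($dir in $EyeStyeDropDirs) {
        $path = Join-Path -Path $Root -ChildPath $dir
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # -Force includes hidden and system files.
        $files = Get-ChildItem -LiteralPath $path -Force -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -in @('.exe', '.bin') }
        [pscustomobject]@{ Indicator = 'Directory'; Value = $path; Note = "$(@($files).Count) exe/bin file(s)" }
        foreach ($f in $files) {
            [pscustomobject]@{ Indicator = 'File'; Value = $f.FullName; Note = "$($f.Length) bytes" }
        }
    }
}

# Usage: run both sweeps and keep the output as evidence before remediation.
$hits = @(Test-EyeStyeMutex) + @(Test-EyeStyeDropDir)
if ($hits) { $hits | Format-Table -AutoSize } else { 'No EyeStye.N mutex or drop-directory indicators found.' }
```

Names such as Global\Skype and SystemBoot were chosen to look benign, so confirm a single mutex hit against the drop directories and the registry changes described below before treating the host as infected.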
 
The malware uses code injection to hinder detection and removal. When Trojan:Win32/EyeStye.N executes, it may inject code into running processes, for example:

  • cmd.exe
  • DRWEB32.EXE
  • explorer.exe
  • lsass.exe
  • svchost.exe
  • winlogon.exe
  • wmiprvse.exe
Payload

Uses stealth techniques
Win32/EyeStye employs a user-mode rootkit that hooks the following low-level APIs to hide its files, directories and registry data:

  • NtQueryDirectoryFile
  • NtVdmControl
  • NtEnumerateValueKey
  • NtSetInformationFile

Steals login credentials
When a user visits certain Internet banking sites and enters logon credentials, Trojan:Win32/EyeStye.N captures the credentials using a technique known as "form grabbing". The trojan hooks several system APIs to capture logon information, such as online banking credentials, web form data and keystrokes. Because these hooks sit inside the browser process before the data is encrypted for transport (WinINet's HttpSendRequest for Internet Explorer, NSPR's PR_Write for Firefox), HTTPS does not protect the captured form fields. Win32/EyeStye.N hooks the following APIs:

  • TranslateMessage
  • NtResumeThread
  • LdrLoadDll
  • InternetCloseHandle
  • HttpSendRequestA
  • HttpSendRequestW
  • PR_Write
  • send
  • CryptEncrypt
  • PFXImportCertStore
  • InternetQueryOptionA
  • HttpOpenRequestA
  • HttpAddRequestHeadersA
  • HttpQueryInfoA
  • InternetReadFile
  • InternetQueryDataAvailable
  • InternetWriteFile
  • InternetReadFileExA 

Some of these hooks also serve injection: through them the trojan inserts its code into existing and newly created processes and monitors the DLLs they load, while the WinINet, NSPR and socket hooks let it read and alter data sent and received over the Internet. The trojan sends captured data via HTTP POST to a remote server, where the attacker collects it for financial gain. In the wild, we have observed this trojan connecting to one of the following remote servers:

  • 188.72.201.213
  • 195.88.191.44
  • 212.150.164.200
  • 213.155.31.136
  • 46.166.131.160
  • 46.4.73.27
  • 74.50.98.160
  • 80.91.191.228
  • 95.168.178.220
  • adbuleoncacc.info
  • alunionylogen.ru
  • analservice.eu
  • aniani.info/cp
  • bannedcellebs.biz
  • bezdarniki.com
  • burgermannnn7719.biz
  • californication.co.cc
  • domonisteriosters.info
  • eyesecurr657444.net
  • frandiss.ru
  • fullfreepoker.eu
  • gallopusik.ru
  • globallaty.ru
  • gone4awalk.co.cc
  • heartmusicjojo.co.cc
  • host-checkker.net
  • lenuki.ru/forum
  • musictherealsouldx.ru
  • nowtorrent.ru
  • raz7pi7zop.com
  • strflproject.com
  • totdisseny.net
  • webawoke.com
  • wefwef34.cz.cc
  • youarelucky.ru

The trojan also captures credentials entered on the logon pages of popular websites such as "facebook.com". Along with the captured data, it may send the following information:

  • Bot GUID - unique identifier associated with the trojan
  • Trojan:Win32/EyeStye.N version
  • User name and privilege
  • Computer name
  • Volume serial number
  • Process name associated with captured data
  • Name of hooked API function (for example PR_Write)
  • Captured raw data
  • Keys logged (keystrokes)
  • Other information specific to computer locale such as:
    • Local time and time zone
    • Operating system language, version and service pack
    • Web browser(s) used and version
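The remote server list above is usable as a network indicator set. The following PowerShell is an added example written for this write-up, not Microsoft tooling: it matches proxy log lines against the listed hosts and IP addresses, treating the two entries that carry a path ("aniani.info/cp", "lenuki.ru/forum") as host-only indicators and matching subdomains of the listed domains without the substring false positives a plain -match would give. The log format (time, client, method, URL, status) and the sample lines are constructed for the example; adapt the field split to your own proxy format.

```powershell
# Added example for this write-up (not Microsoft code). Flags proxy log lines whose
# destination is one of the EyeStye.N remote servers listed above. The log format and
# sample lines below are constructed; only the indicator values come from the write-up.

$EyeStyeC2 = @(
    '188.72.201.213', '195.88.191.44', '212.150.164.200', '213.155.31.136',
    '46.166.131.160', '46.4.73.27', '74.50.98.160', '80.91.191.228', '95.168.178.220',
    'adbuleoncacc.info', 'alunionylogen.ru', 'analservice.eu', 'aniani.info/cp',
    'bannedcellebs.biz', 'bezdarniki.com', 'burgermannnn7719.biz', 'californication.co.cc',
    'domonisteriosters.info', 'eyesecurr657444.net', 'frandiss.ru', 'fullfreepoker.eu',
    'gallopusik.ru', 'globallaty.ru', 'gone4awalk.co.cc', 'heartmusicjojo.co.cc',
    'host-checkker.net', 'lenuki.ru/forum', 'musictherealsouldx.ru', 'nowtorrent.ru',
    'raz7pi7zop.com', 'strflproject.com', 'totdisseny.net', 'webawoke.com',
    'wefwef34.cz.cc', 'youarelucky.ru'
)

# Reduce every indicator to its host part; the entries with a path are matched on host only.
$EyeStyeC2Hosts = $EyeStyeC2 | ForEach-Object { ($_ -split '/')[0].ToLowerInvariant() } | Sort-Object -Unique

function Test-EyeStyeC2Host {
    param([Parameter(Mandatory)][string]$HostName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($c2 in $EyeStyeC2Hosts) {
        # Exact host, or a subdomain of a listed domain. Anchoring on the dot avoids
        # flagging e.g. "notbezdarniki.com" as a substring match of "bezdarniki.com".
        if ($h -eq $c2 -or $h.EndsWith(".$c2")) { return $c2 }
    }
    return $null
}

function Find-EyeStyeC2Traffic {
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        # Constructed field order: time client method url status
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }
        $uri = $null
        if (-not [Uri]::TryCreate($f[3], [UriKind]::Absolute, [ref]$uri)) { continue }
        $hit = Test-EyeStyeC2Host -HostName $uri.Host
        if ($hit) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Method = $f[2]; Destination = $uri.Host; Indicator = $hit }
        }
    }
}

# Constructed sample lines (not real traffic): host hit, benign, IP hit, subdomain hit.
$SampleLog = @(
    '2011-04-22T10:15:03Z 10.0.0.5 POST http://aniani.info/cp 200',
    '2011-04-22T10:15:04Z 10.0.0.5 GET http://www.microsoft.com/ 200',
    '2011-04-22T10:15:09Z 10.0.0.7 POST http://188.72.201.213/ 200',
    '2011-04-22T10:16:40Z 10.0.0.9 GET http://www.youarelucky.ru/ 404'
)
Find-EyeStyeC2Traffic -LogLines $SampleLog | Format-Table -AutoSize
```

A POST to one of these hosts from a workstation is the exfiltration path described above. The list dates from 2011; the IP addresses in particular will have been reassigned since, so treat an IP-only hit on current traffic as a lead to corroborate with the host-based indicators rather than as confirmation on its own.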
Lowers browser security
The trojan modifies registry data that lowers the Internet Explorer security zone settings: it disables the cross-site scripting (XSS) filter in every zone (URL action 1409) and allows the browser to access data sources across domains in the lockdown zones (URL action 1406).
 
In the following subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1409"
To data: "3"
 
In the following subkeys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Sets value: "1406"
With data: "0"
 

Trojan:Win32/EyeStye.N makes the following change to the registry to disable the SmartScreen Filter in Internet Explorer:

In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "EnabledV8"
With data: "0"

The trojan modifies other registry data to ensure that Internet Explorer launches in online mode:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "GlobalUserOffline"
With data: "0"
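The registry changes above survive removal of the trojan, which is why the remediation section warns that detection alone does not restore the configuration. The following PowerShell is an added example written for this write-up, not Microsoft tooling. It audits the exact values listed above for the tampered data and, on request, sets them back. The "Expected" values are an assumption stated in the code: they are the security-conservative settings (XSS filter on, cross-domain data access in the lockdown zones off, SmartScreen on), not necessarily the per-zone defaults a fresh profile would carry. GlobalUserOffline is not repaired because 0 is the normal state of a connected machine. Run it as the affected user, since these are HKCU values, and only after the trojan has been removed, or an injected process may reapply them.

```powershell
# Added example for this write-up (not Microsoft code). Audits and optionally repairs
# the Internet Explorer registry values EyeStye.N tampers with. Run as the affected user
# after the trojan has been removed.
# Assumption: "Expected" is the security-conservative value, not the OEM per-zone default.

$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Checks = @()
foreach ($zone in 0..4) {
    # URL action 1409 = "Turn on Cross Site Scripting Filter": 0 enable, 3 disable
    $Checks += [pscustomobject]@{ Key = "$IS\Zones\$zone"; Name = '1409'; Tampered = 3; Expected = 0 }
}
foreach ($zone in 1..4) {
    # URL action 1406 = "Access data sources across domains": 0 enable, 3 disable
    $Checks += [pscustomobject]@{ Key = "$IS\Lockdown_Zones\$zone"; Name = '1406'; Tampered = 0; Expected = 3 }
}
# SmartScreen Filter in Internet Explorer 8 ("EnabledV8"): 0 off, 1 on
$Checks += [pscustomobject]@{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'EnabledV8'; Tampered = 0; Expected = 1 }

function Get-EyeStyeBrowserTamper {
    foreach ($c in $Checks) {
        # Missing key or value yields $null, which is not a tampered state.
        $current = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $current -and [int]$current -eq $c.Tampered) {
            [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Current = $current; Expected = $c.Expected }
        }
    }
}

function Repair-EyeStyeBrowserTamper {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($t in Get-EyeStyeBrowserTamper) {
        if ($PSCmdlet.ShouldProcess("$($t.Key)\$($t.Name)", "set $($t.Current) -> $($t.Expected)")) {
            if (-not (Test-Path -Path $t.Key)) { New-Item -Path $t.Key -Force | Out-Null }
            # Zone settings are REG_DWORD values.
            Set-ItemProperty -Path $t.Key -Name $t.Name -Value $t.Expected -Type DWord
        }
    }
}

# Usage: review first, then repair.
Get-EyeStyeBrowserTamper | Format-Table -AutoSize
# Repair-EyeStyeBrowserTamper -WhatIf   # preview; drop -WhatIf to apply
```

A tampered 1409 in zone 3 (Internet) is the most telling of these, since the XSS filter is on by default there; the other values are worth recording before repair because they date the change and corroborate the file and mutex indicators.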

Download updates and arbitrary files
Trojan:Win32/EyeStye.N attempts to connect to one of the servers previously mentioned and awaits commands from a remote attacker. Commands can instruct the trojan to download arbitrary files, including updates to itself. Successfully downloaded executable files are saved as the following and then run:

<Current directory>\<file name>.exe\<file name>upd.exe

Trojan:Win32/EyeStye.N may also update its configuration file, which is stored in ZIP archive format as the following:

<Current directory>\<file name>.exe\config.bin

The trojan signals its running instances through mutexes named "__<MUTEX NAME>_UNINSTALL__" and "__<MUTEX NAME>_RELOADCFG__", instructing the code already in memory to uninstall, reload the new configuration file, or perform other actions. Reloading the configuration is how the trojan and its associated components switch to a new remote server.

Analysis by Tim Liu and Zarestel Ferrer


Symptoms

System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    c:\recycle.bin\recycle.bin.exe
    c:\recycle.bin\config.bin
    c:\rcss.bin\rcss.bin.exe
    c:\rcss.bin\config.bin
    c:\poooooooasi\<random name>.exe
    c:\montes\montes.exe
    c:\montes\config.bin
    c:\system.bin\<random name>.exe
    c:\system.bin\config.bin
    c:\systemtools\<random name>.exe
    C:\recycle.bin\<random name>.exe

Prevention


Alert level: Severe
First detected by definition: 1.103.286.0
Latest detected by definition: 1.185.3495.0 and higher
First detected on: Apr 22, 2011
This entry was first published on: Mar 09, 2011
This entry was updated on: Nov 10, 2011

This threat is also detected as:
No known aliases