Saturday 30 October 2010

SpyEye Builder v1.1.39: Inside the Ressource file


Since i like SpyEye i've tryed to make a working unpacked version.
But i sucks for unpacking stuff, and more when i need to fix the code :'(
so, if someone is good... contact me :)


Like ZeuS, SpyEye is protected by VM Protect And seem compiled with Visual C++ 8.0 (Visual Studio 2005)
 So when unpacked (API's not fixed) i've played with the ressource file, here is the stuff:


DIALOG - 102
102 DIALOGEX 0, 0, 513, 362
STYLE DS_FIXEDSYS | DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_APPWINDOW
CAPTION "SpyEye Builder v1.0.6"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 8, "MS Shell Dlg"
{
}
The caption says "SpyEye Builder v1.0.6" but the version is v1.1.39, gribodemon (Author of SpyEye) seem a lazyyy guys.. :)

VERSION INFO - 1
1 VERSIONINFO
FILEVERSION 1,0,0,1
PRODUCTVERSION 1,0,0,1
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
BLOCK "040904e4"
{
VALUE "CompanyName", "SpyEye Corp."
VALUE "FileDescription", "Builder for SpyEye bot"
VALUE "FileVersion", "1.0.0.1"
VALUE "InternalName", "builder.exe"
VALUE "LegalCopyright", "(c) SpyEye Corp.. All rights reserved."
VALUE "OriginalFilename", "builder.exe"
VALUE "ProductName", "TODO: SpyEye"
VALUE "ProductVersion", "1.0.0.1"
}
}

BLOCK "VarFileInfo"
{
VALUE "Translation", 0x0409 0x04E4
}
}
So it's the version 1.0.0.1 now ? :)

Images file:

BCK.PNG:



INFECTED.PNG




LINE.GIF:



MEDIC.PNG:




SPYLOGO.PNG:







UP.PNG:




PNGFIX.JS:
/*
Correctly handle PNG transparency in Win IE 5.5 & 6.

http://homepage.ntlworld.com/bobosola. Updated 18-Jan-2006.

Use in <HEAD> with DEFER keyword wrapped in conditional comments:
<!--[if lt IE 7]>
<script defer type="text/javascript" src="pngfix.js"></script>
<![endif]-->

*/

var arVersion = navigator.appVersion.split("MSIE")
var version = parseFloat(arVersion[1])
if ((version >= 5.5) && (document.body.filters))
{
   for(var i=0; i<document.images.length; i++)
   {
      var img = document.images[i]
      var imgName = img.src.toUpperCase()
      if (imgName.substring(imgName.length-3, imgName.length) == "PNG")
      {
         var imgID = (img.id) ? "id='" + img.id + "' " : ""
         var imgClass = (img.className) ? "class='" + img.className + "' " : ""
         var imgTitle = (img.title) ? "title='" + img.title + "' " : "title='" + img.alt + "' "
         var imgStyle = "display:inline-block;" + img.style.cssText
         if (img.align == "left") imgStyle = "float:left;" + imgStyle
         if (img.align == "right") imgStyle = "float:right;" + imgStyle
         if (img.parentElement.href) imgStyle = "cursor:hand;" + imgStyle
         var strNewHTML = "<span " + imgID + imgClass + imgTitle
         + " style=\"" + "width:" + img.width + "px; height:" + img.height + "px;" + imgStyle + ";"
         + "filter:progid:DXImageTransform.Microsoft.AlphaImageLoader"
         + "(src=\'" + img.src + "\', sizingMethod='scale');\"></span>"
         img.outerHTML = strNewHTML
         i = i-1
      }
   }
}

STYLE.CSS:
a:link {
        color: rgb(0,64,192);
}
a:visited {
        color: rgb(128,128,128);
}
a:active {
        color: rgb(0,192,128);
}
body {
    font-family: Verdana;
    font-size: 10px;
    background-image: url('bck.png');
}
input, textarea {

    border: 1px;

    border-color: gray;

    border-style: solid;

    font-family: Verdana;

    font-size: 10px;

}

table {

        font-family: Verdana;
        color: rgb(102,102,102);
        font-size: 10px;
        border: 0;
}
h1 {
        font-family: Verdana;
        color: rgb(102,102,102);
        font-size: 24 px;
        margin: 0px, 0px, 0px, 0px;
        padding: 0px, 0px, 0px, 0px;
        font-weight: normal;
}
h2 {
        font-family: Verdana;
        color: rgb(102,102,102);
        font-size: 16 px;
        margin: 0px, 0px, 0px, 0px;
        padding: 0px, 0px, 0px, 0px;
        font-weight: normal;
}
h3 {
        font-family: Verdana;
        color: rgb(102,102,102);
        font-size: 12 px;
        margin: 0px, 0px, 0px, 0px;
        padding: 0px, 0px, 0px, 0px;
        font-weight: normal;
}
.comment {
        font-family: Verdana;
        color: rgb(128,128,128);
        font-size: 10px;
        margin: 0;
        padding: 0;
        font-weight: normal;
}
.error {
        font-family: Verdana;
        font-weight: bold;
        color: RGB(255, 0, 0);
        font-size: 10px;
}
.warning {
        font-family: Verdana;
        font-weight: bold;
        color: RGB(225, 225, 0);
        font-size: 10px;
}
.ok {
        font-family: Verdana;
        font-weight: bold;
        color: RGB(0, 225, 0);
        font-size: 10px;
}
.disabled {
    color: #BBBB33;
}
.div_main {
    background-color: #F7F7F7;
    width: 740px;
    border: solid 1px black;
    padding: 10px;
    margin: 0px;
}
.div_smmain {
    background-color: #F7F7F7;
    width: 500px;
    border: solid 1px black;
    padding: 10px;
    margin: 0px;
}
.div_beta {
    position: absolute;
    top: 0px;
    right: 0px;
}

104 (seem the interface):
<HTML>
<HEAD>
    <link href="style.css" type=text/css rel=stylesheet>
</HEAD>
<BODY ID=CbuilderDlg >
<center>
<div id="div_main" class="div_main">
    <img src="spylogo.png" width="474px" height="100px" alt="SpyEye logo" title="SpyEye logo" />
   
    <hr size='1' color='#CCC'>
   
    <table cellspacing="0" cellpadding="0" border="0" width='100%'>
        <tr>
        <td width="250px">Path to the main control panel:</td>
        <td><input id=tPathToMainControlPanel type=text style="width:450px" value="http://www.yourbotnet.cn/spyeye/main/gate.php" /></td>
        </tr>
        <tr>
        <tr>
        <td width="250px"><i>Alternative path to the main control panel</i>:</td>
        <td><input id=tPathToMainControlPanel2 type=text style="width:450px" value="http://www.yourbotnet2.cn/spyeye/main/gate.php" /></td>
        </tr>
        <tr>
        <td width="250px">Path to the <b>SpyEye Collector</b>:</td>
        <td><input id=tPathToFormgrabberControlPanel type=text style="width:450px" value="1.2.3.4:443" /></td>
        </tr>
        <tr>
        <td width="250px"><b>Encryption key</b>:</td>
        <td><input id=tEncryptionKey type=text style="width:300px" value="Your Enc. Key" /></td>
        </tr>
        <tr>
        <td width="250px">Connector interval <i>(sec)</i>:</td>
        <td><input id=tConnectorInterval type=text style="width:50px" value="300" /></td>
        </tr>
        <tr>
        <td width="250px">Compress build by <b>UPX v3.04w</b>:</td>
        <td><input id=cUPX type=checkbox style="border:0px" /></td>
        </tr>
        <tr>
        <td width="250px">Kill <b>Zeus</b>:</td>
        <td><input id=cKillZeus type=checkbox style="border:0px" /></td>
        </tr>
        <tr>
        <td width="250px">Clear cookies every startup <i>(IE, FF)</i>:</td>
        <td><input id=cClearCookies type=checkbox style="border:0px" /></td>
        </tr>
        <tr>
        <td width="250px"><b>WebInjects.txt</b> <i>(Zeus format)</i>:</td>
        <td><input type="file" id="tWebInjects" style="width:400px;"></td>
        </tr>
        <tr>
        <td colspan="2" align=center>...</td>
        </tr>
        <tr>
        <td width="250px"><b>Screenshots.txt</b>:</td>
        <td><input type="file" id="tScreenshots" style="width:400px;"></td>
        </tr>
        <tr>
        <td colspan="2" align=center>...</td>
        </tr>
        <tr>
        <td width="250px"><b>Plugin #1</b> <i>DLL</i:</td>
        <td><input type="file" id="tPlugin1" style="width:400px;"></td>
        </tr>
        <tr>
        <td width="250px"><b>Plugin #2</b> <i>DLL</i:</td>
        <td><input type="file" id="tPlugin2" style="width:400px;"></td>
        </tr>
        <tr>
        <td width="250px"><b>Plugin #3</b> <i>DLL</i:</td>
        <td><input type="file" id="tPlugin3" style="width:400px;"></td>
        </tr>
    </table>
    <br>
   
    <table cellspacing="0" cellpadding="0" border="0" width='100%'>
    <tr>
        <td><img id="bLoadConfig" src="up.png" alt="Load config" title="Load config from settings.ini" /></td>
        <td align=center><input type=button value="Make config & get build" id=bMakeBuild /></td>
    </tr>
    </table>
   
    <!--<br><div id=dBuildResult style="text-align:left" ></div>-->
    <br><div id=dBuildButton style="text-align:center" ></div>
   
    <hr size='1' color='#CCC'>
   
    <script language=javascript>
    function recheckInfected() {
        document.getElementById('bCheckInfected').click();
        alert('Check autorun by msconfig.exe or smth, and, remove files of bot manually (if you need it)');
    }
    </script>
    <input type=hidden onclick="setTimeout('recheckInfected();', 3000);" id=bRecheckInfected />
   
    <input type=button value="Are you infected by SpyEye?" id=bCheckInfected />
    <div id="dInfectedResult"></div>
</div>
</center>
</BODY>
</HTML>


Packed builder: 1,71 Mb (1 794 048 bytes)
Unpacked builder: 4,07 Mb (4 272 128 bytes)
--
Packed version (VT Result): 12/ 43 (27.9%) - Submission date: 2010-10-30
Detected by most of all by "Trojan"
Unpacked version(VT Result): 9/ 43 (20.9%) - Submission date: 2010-10-30
Detected by most of all by "Suspicious"

No comments:

Post a Comment