SpyEye rips off users and films them in the process
Security experts at Kaspersky have discovered a new version of the online banking trojan SpyEye which truly lives up to its name – it includes a plugin which observes victims using their own webcams.
A file called flashcamcontrol.dll modifies Flash Player settings on the infected system so that selected web sites are permitted to access the camera and microphone without requesting confirmation. According to Kaspersky, the web sites in question are German banking web sites.
When a user visits one of these web sites, SpyEye embeds a Flash applet in the HTML code. It then uses Real Time Messaging Protocol to send the recorded video, with audio, to a server controlled by the botnet herder. What purpose this serves is not clear; Kaspersky security expert Dmitry Tarakanov believes that it may be part of a more wide-ranging attack. It could, for example, allow the attacker to record telephone calls from the bank requesting the user to confirm his or her PIN.
Flash Player provides developers with an interface for accessing the camera and microphone. Normally, the first time a web site tries to use this functionality, Flash asks the user whether to permit this level of access. The SpyEye plugin modifies the Flash settings on the infected computer so that the user is no longer asked this question.
Kaspersky, which has been analysing SpyEye versions since the beginning of this year, has so far identified 35 plugins for the malware, which are used to add extra functionality on the fly. By contrast, actual bot development appears to have ceased – according to the report, there have been no further updates since version 1.3.48, released last autumn.
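For defenders, the traffic pattern described above (an RTMP stream that starts shortly after a visit to a targeted banking site) can be hunted for in flow data. The following Python code is an added example, not taken from Kaspersky's report or from The H; the record layouts, the watched-site list, the 120-second window and all sample data are assumptions constructed for illustration.

```python
# Hunt for outbound RTMP sessions that begin right after a client visits a
# watched banking site. All names, layouts and data here are constructed.

WATCHED_SITES = {"banking.example"}  # assumption: sites the defender monitors
WINDOW_SECONDS = 120                 # assumption: correlation window


def looks_like_rtmp(payload: bytes) -> bool:
    """Heuristic on the reassembled first client bytes of a TCP flow.

    An RTMP client opens with C0 (one version byte, 0x03) followed
    immediately by C1 (1536 bytes), so at least 1537 bytes are expected.
    """
    return len(payload) >= 1537 and payload[0] == 0x03


def suspicious_rtmp_flows(visits, flows, allowed_dsts=frozenset()):
    """visits: (ts, client, site); flows: (ts, client, dst, dport, payload).

    Returns (client, site, dst, dport) for each RTMP flow to a destination
    not in allowed_dsts that starts within WINDOW_SECONDS after the same
    client visited a watched site.
    """
    hits = []
    for f_ts, client, dst, dport, payload in flows:
        if dst in allowed_dsts or not looks_like_rtmp(payload):
            continue
        for v_ts, v_client, site in visits:
            if (v_client == client and site in WATCHED_SITES
                    and 0 <= f_ts - v_ts <= WINDOW_SECONDS):
                hits.append((client, site, dst, dport))
                break
    return hits


# Constructed sample data (documentation address ranges, fake payloads).
_C0C1 = b"\x03" + bytes(1536)         # shape of an RTMP client hello
_TLS = b"\x16\x03\x01" + bytes(200)   # shape of a TLS ClientHello record
VISITS = [(1000, "10.0.0.5", "banking.example"),
          (1000, "10.0.0.6", "news.example")]
FLOWS = [
    (1010, "10.0.0.5", "203.0.113.7", 1935, _C0C1),  # RTMP after bank visit
    (1015, "10.0.0.5", "198.51.100.9", 443, _TLS),   # ordinary TLS
    (1020, "10.0.0.6", "203.0.113.7", 1935, _C0C1),  # RTMP, no watched visit
    (5000, "10.0.0.5", "203.0.113.7", 1935, _C0C1),  # RTMP, outside window
]

if __name__ == "__main__":
    for hit in suspicious_rtmp_flows(VISITS, FLOWS):
        print("review:", hit)
```

The first-byte check is only a heuristic, so hits are leads for review; legitimate streaming destinations can be passed in `allowed_dsts`.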
See also:
- 23-year-old hacker accessed 200,000 PayPal accounts, a report from The H.
- Microsoft brings the fight to SpyEye, a report from The H.
(fab)