Saturday 6 August 2011

Decode/Encode data send to the gate (SpyEye 1.3.x)

In search of things to do this night, i've looked into how data's was recevied and decoded when SpyEye call the 'gate'
Finaly i've removed the useless shit for keep this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SpyEye 1.3.x Gate Decoder/Encoder</title>
</head>
<body>
<p>Structure example:<br />
  guid=5.1.2600!XYLITOL-F12F085!8065D52C&amp;ver=10345&amp;ie=6.0.2900.5512&amp;os=5.1.2600&amp;ut=Admin&amp;ccrc=615CDC86&amp;md5=598b42846ac8a301ea44a80b397e2056&amp;plg=ccgrabber;customconnector;ftpbc;socks5&amp;plgstat=0;0;0;0&amp;wake=90&amp;stat=online<br>
</p>
<table width="607" border="1">
  <tr>
    <td><form id="Decoder" name="Eye" method="POST" action="<?php basename($_SERVER['PHP_SELF']) ?>">
  <label for="datz">Data: </label>
  <input name="data" type="text" id="datz" value="" size="50" />
  <input type="submit" name="button" id="button" value="Decode" />
</form></td>
  </tr>
  <tr>
    <td>
<?php
error_reporting(E_ALL ^ E_NOTICE ^ E_DEPRECATED);

## decode data from bot
    function DeCode($content)
    {
        $res = '';
        for($i = 0; $i < strlen($content); $i++)
        {
            $num = ord($content[$i]);
            if( $num != 219) $res .= chr($num^219);
        }
        return $res;
    }

    if( !isset($_POST['data']) );
    else $DATA = str_replace(" ","+",$_POST['data']);
    $data = base64_decode($DATA);
    echo "<font color='red'>" . htmlentities(DeCode($data)) . "</font>";

?></td>
  </tr>
</table>
<br>
<table width="607" border="1">
  <tr>
    <td><form id="Encoder" name="Eye2" method="POST" action="<?php basename($_SERVER['PHP_SELF']) ?>">
  <label for="datz2">Data: </label>
  <input name="data2" type="text" id="datz2" value="" size="50" />
  <input type="submit" name="button" id="button" value="Encode" />
</form></td>
  </tr>
  <tr>
    <td>
<?php
## encode data from bot
  function encode($str2)
    {
        $string2 = '';
        for ($i2 = 0; $i2 < strlen($str2); $i2++)
        {
            $num2 = ord($str2[$i2]);
            if ($num2 != 219)
                $string2 .= chr($num2 ^ 219);
        }
        $string2 = str_replace('+', ' ', $string2);
        return base64_encode($string2);
    }

        if( !isset($_POST['data2']) );
    else
    $DATA2 = $_POST['data2'];
    echo "<font color='red'>" . htmlentities(encode($DATA2)) . "</font>";
?></td>
  </tr>
</table>
</body>
</html>

Tested with samples found in the wild and work like a charm


For don't make this post more useless, here is a 'guide' on the SpyEye gate and the data transmission to the C&C http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/

And hey, good guys use also IRC :þ

Sinus scroller & IDLE like in 1999 :þ



random pwnz panels ~





4 comments:

  1. really good stuff man, I hope you have more nights like this :p

    ReplyDelete
  2. Can you post a link for the Spy Eye 1.3 webpanel files? Can't find them anywhere and I wanted to take a look at them. Thanks in advance if you can.

    ReplyDelete
  3. Please contact whith me jabber - darkerwik@jabber.no

    ReplyDelete