The SpyEye exploit kit has been developed using PHP and MySQL and is easy to deploy. All that is required is a working domain and a PHP/MySQL environment. The toolkit contains the database structure, which may be imported. Deployment takes very few steps, which makes it usable by a person with very little programming knowledge but a lot of malicious intentions. The SpyEye exploit kit is a very good example of how creating malware for financial loss is becoming easier day by day for attackers.

The SpyEye bot keeps track of the web pages visited by the user on the infected system and sends this information to the location where SpyEye's web panel has been deployed. Similarly, it sends the data grabbed from web forms. For the purpose of this write-up, the SpyEye exploit kit was successfully deployed and analyzed in a controlled environment.

Following is the screenshot of the bot builder. Here a bot may be created with a malicious domain address (usually the address of the domain where the SpyEye exploit kit has been deployed by the attacker and which acts as the C&C), an encryption key, the Zeus-killing feature, etc.

Following is the screenshot of the main module of the exploit kit. It shows statistics about the bot-infected systems: how many bots are online, and it allows banning a bot system. Through this web panel a bot may also be instructed to perform a task by defining it in the "Create task for loader" section.
Following is the screenshot of the form-grabbing module, where stats and data may be seen about the web pages visited from the infected system.
Insight into the functioning of the SpyEye bot is required to understand the whole working of the exploit kit. A bot was created with the lab domain name and executed in the controlled environment. Upon execution the bot started communicating with the C&C using HTTP. The following system changes were observed on the system:

File system changes:
C:\cleansweep.exe
C:\cleansweep.exe\cleansweep.exe
C:\cleansweep.exe\config.bin

Note: the SpyEye bot has rootkit functionality, so these files are neither seen as running processes nor found as open handles.

Registry changes: it creates the following registry entry to start itself at every system startup:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"
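As an added example (not part of the original write-up), the following Python script turns the host artefacts listed above, together with the _CLEANSWEEP_ mutex described in the next paragraph and the _SPYNET_ mutex of the wild sample discussed later, into a check an incident responder can run against a suspect machine. The indicator values come from the write-up; the HostSnapshot structure, the constructed INFECTED_SAMPLE snapshot and the Windows-only collection helper are assumptions of this example, and mutex names have to be supplied from a handle-listing tool because Python cannot enumerate them portably.

```python
"""Host-artifact check for the SpyEye persistence indicators in the write-up.

Added example, not part of the original write-up. The indicator values
(file paths, Run-key value, mutex names) are the ones the write-up reports;
the collection helper and the constructed sample snapshot are assumptions.
"""
import os
import sys
from dataclasses import dataclass, field

# Indicators taken from the write-up (lab sample and the wild sample).
SPYEYE_FILES = [
    r"C:\cleansweep.exe",                  # a directory with an .exe-looking name
    r"C:\cleansweep.exe\cleansweep.exe",
    r"C:\cleansweep.exe\config.bin",
]
SPYEYE_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SPYEYE_RUN_VALUE = ("cleansweep.exe", r"C:\cleansweep.exe\cleansweep.exe")
SPYEYE_MUTEXES = {"_CLEANSWEEP_", "_SPYNET_"}


@dataclass
class HostSnapshot:
    """What a collector gathered from one machine (assumed structure)."""
    existing_files: set = field(default_factory=set)   # paths that exist
    run_entries: dict = field(default_factory=dict)    # value name -> command
    mutexes: set = field(default_factory=set)          # names from a handle listing


def collect_live_snapshot(mutex_names):
    """Collect file and HKCU Run-key data from the running host (Windows only).

    Mutex names are passed in by the caller, e.g. from a handle-listing tool's
    output, because the standard library has no portable mutex enumeration.
    """
    snap = HostSnapshot(mutexes=set(mutex_names))
    snap.existing_files = {p for p in SPYEYE_FILES if os.path.exists(p)}
    if sys.platform == "win32":
        import winreg  # only importable on Windows
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, SPYEYE_RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:        # no more values under the key
                    break
                snap.run_entries[name] = value
                index += 1
    return snap


def check_snapshot(snap):
    """Return a list of (indicator_type, detail) findings for SpyEye artefacts."""
    findings = []
    present = {p.lower() for p in snap.existing_files}  # NTFS is case-insensitive
    for path in SPYEYE_FILES:
        if path.lower() in present:
            findings.append(("file", path))
    name, cmd = SPYEYE_RUN_VALUE
    # Autostart commands are often stored quoted; compare the bare path.
    if snap.run_entries.get(name, "").strip('"').lower() == cmd.lower():
        findings.append(("run_key", f"HKCU\\{SPYEYE_RUN_KEY}\\{name}"))
    for mutex in sorted(snap.mutexes & SPYEYE_MUTEXES):
        findings.append(("mutex", mutex))
    return findings


# Constructed snapshot mimicking the infected lab machine (not real collector output).
INFECTED_SAMPLE = HostSnapshot(
    existing_files=set(SPYEYE_FILES),
    run_entries={"cleansweep.exe": r'"C:\cleansweep.exe\cleansweep.exe"'},
    mutexes={"_CLEANSWEEP_", "SomeUnrelatedMutex"},
)

if __name__ == "__main__":
    for kind, detail in check_snapshot(INFECTED_SAMPLE):
        print(f"[{kind}] {detail}")
```

check_snapshot() is kept separate from collection so the same matching runs over a live host, over values exported from a forensic image's registry hive, or over a constructed test snapshot; because the bot hides its files with rootkit functionality, a clean result from the live helper is weaker evidence than one from an offline image.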
It creates the mutex _CLEANSWEEP_ to ensure that only one instance of the malware is running on the system. This mutex is found in the process space of explorer.exe and svchost.exe. Upon infection the malware communicates with the C&C and sends information about the infected system in the form of an HTTP GET request. It sends the user name, computer name, status of the bot, etc. to the C&C. This information is used by the C&C to create stats, track bots and issue commands. Following is the screenshot showing such a GET request from the infected machine in the controlled environment:

Following is the screenshot of grabbed data from web forms being sent from the infected machine to the C&C.

Following is the snapshot of the bank web page information being sent to the C&C; it has been highlighted.

Apart from the SpyEye bot sample created in the lab, many samples are seen in the wild. Following is the activity of one such sample, with MD5 sum 6b09c3f5fb0b101eed283116e7b3cfcb, which was analyzed in the lab. It was communicating with the C&C web panel on undefined.datagroup.ua. The activities of this malware were found to be similar to those of the sample created in the lab, but this sample created the mutex with the name _SPYNET_. It was meant to communicate with 93.183.203.75, for which it sent a DNS query for microsoft-spynet.com, a malicious domain created by the C&C owner and not a Microsoft-owned domain. A reverse lookup of the IP 93.183.203.75 shows the domain as undefined.datagroup.ua.
Apart from the above-mentioned activities, the bot communicates with the C&C by regularly pinging 93.183.203.75 on port 9090.
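As an added example (not from the original write-up), the following Python detector applies the network indicators reported for the wild sample (the DNS query for microsoft-spynet.com, traffic to the C&C panel on undefined.datagroup.ua and the repeated connections to 93.183.203.75 on port 9090) to sensor logs, and summarises the periodic port-9090 connections as a beacon per source host. The key=value log layout and the SAMPLE_LOG lines are constructed for the example, the MIN_BEACONS threshold is an assumption, and a real deployment would adapt parse_line() to the sensor's actual format.

```python
"""Network-indicator detection for the SpyEye C&C traffic in the write-up.

Added example, not part of the original write-up. The C&C domains, IP and
port are the write-up's values; the log format and the sample lines are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Indicators from the write-up.
C2_DOMAINS = {"microsoft-spynet.com", "undefined.datagroup.ua"}
C2_IPS = {"93.183.203.75"}
C2_BEACON_PORT = 9090
MIN_BEACONS = 3   # assumption: how many repeats count as "regular pinging"

# Constructed sample log lines (not captured traffic) in a simple key=value layout:
# "<timestamp> <record type> key=value ...".
SAMPLE_LOG = """\
2011-03-01T10:00:01 dns src=10.0.0.5 query=microsoft-spynet.com
2011-03-01T10:00:02 http src=10.0.0.5 method=GET host=undefined.datagroup.ua path=/
2011-03-01T10:00:03 dns src=10.0.0.7 query=www.example.com
2011-03-01T10:01:00 conn src=10.0.0.5 dst=93.183.203.75 dport=9090 proto=tcp
2011-03-01T10:02:00 conn src=10.0.0.5 dst=93.183.203.75 dport=9090 proto=tcp
2011-03-01T10:03:00 conn src=10.0.0.5 dst=93.183.203.75 dport=9090 proto=tcp
2011-03-01T10:03:30 conn src=10.0.0.7 dst=93.184.216.34 dport=443 proto=tcp
"""


def parse_line(line):
    """Split '<timestamp> <type> k=v k=v ...' into (datetime, type, dict)."""
    ts, kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), kind, fields


def detect(log_text):
    """Return (alerts, beacons).

    alerts:  one (timestamp, src, record type, detail) tuple per indicator hit.
    beacons: src -> {"count", "mean_gap_s"} for hosts with repeated
             connections to the C&C IP on the beacon port.
    """
    alerts = []
    beacon_times = defaultdict(list)  # src -> timestamps of port-9090 C&C connections
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, kind, f = parse_line(raw)
        if kind == "dns" and f.get("query", "").lower() in C2_DOMAINS:
            alerts.append((ts, f["src"], "dns", f["query"]))
        elif kind == "http" and (f.get("host", "").lower() in C2_DOMAINS
                                 or f.get("host") in C2_IPS):
            alerts.append((ts, f["src"], "http", f"{f.get('method')} {f['host']}"))
        elif kind == "conn" and f.get("dst") in C2_IPS:
            alerts.append((ts, f["src"], "conn", f"{f['dst']}:{f['dport']}"))
            if int(f.get("dport", 0)) == C2_BEACON_PORT:
                beacon_times[f["src"]].append(ts)

    beacons = {}
    for src, times in beacon_times.items():
        if len(times) >= MIN_BEACONS:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            beacons[src] = {"count": len(times), "mean_gap_s": sum(gaps) / len(gaps)}
    return alerts, beacons


if __name__ == "__main__":
    found_alerts, found_beacons = detect(SAMPLE_LOG)
    for ts, src, kind, detail in found_alerts:
        print(f"{ts.isoformat()} {src} {kind}: {detail}")
    for src, info in found_beacons.items():
        print(f"beacon from {src}: {info['count']} connections, "
              f"mean gap {info['mean_gap_s']:.0f}s")
```

The DNS rule fires before any connection is made, which is why the resolver log is the earliest place this sample shows up; the beacon summary is what distinguishes a host that merely touched the IP once from one that is checking in on a schedule, and the mean gap gives a responder the interval to compare against other hosts.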