Back in October 2011, we began removing Win32/EyeStye variants with the Malicious Software Removal Tool (MSRT) in an effort to curb the growth of this botnet. Today, we published a detailed MMPC Threat Report on this family. The report provides an in-depth analysis of how Win32/EyeStye works and the telemetry we have on its activity in 2011 and early 2012.
Win32/EyeStye is a family of trojans that attempts to steal sensitive data, such as logon credentials, from banking websites and other online properties. EyeStye does not spread on its own by default; instead, it is typically distributed through spam email messages and social engineering. To steal data, EyeStye lowers the browser's security settings, which lets it capture online banking user names and passwords, credit card numbers, social security numbers, and other data entered by the user. It then sends all of the gathered information back to the operator.
The report examines the functionality of the bot: how it is created, what it does to an infected computer, how it steals users' data, and so on. It also discusses where this botnet has been most prevalent, that is, which countries are most affected according to our data.