Since our previous blog post, we continued to investigate whether or not SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we realized that the included documentation doesn’t say much about ZeuS. It only compared the behaviors of several options/configurations of the two malware families.
At present, we have only been able to identify three different versions in the wild:
As you can see, these versions are minor releases. Our underground research tells us that some minor bug fixes have been made in these versions though these are typically the same. If you are wondering if the SpyEye Toolkit comes with three control panels (two SpyEye control panels [CN1 and SYN1] and one ZeuS control panel), I can confirm that it does not do so. It only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and are still so. As such, a modification of the ZeuS panel is needed so both can share a single database. ZeuS and SpyEye malware are thus not registering themselves to the same control-and-command (C&C) server in the same way.