
This entry is a follow-up to my blog post last week, in which I noted some significant changes made to SpyEye 1.3.4.x. Further observation revealed other modifications that make me think we are getting closer to a merger of the SpyEye and ZeuS botnets.

This SpyEye version comes with a Gate, a CN1, and a SYN1 installer.

The installer page creates the gate.php file used for the POST requests between the bots and the CN1 control panel. Through it, the bots report details about the infected system, such as its IP address, location, and OS, to the CN1 panel. The gate.php code works much as it did in previous versions, though certain improvements are easy to spot. In this version, gate.php can access the database by itself; in previous versions it had to rely on config.php to retrieve the necessary information (e.g., domain/IP address, user name, and password) from the database. The new gate.php does not depend on any external file: everything it needs is either defined in the file itself or obtained through its own functions.
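The bot-to-gate exchange described above gives defenders something concrete to look for in web proxy logs: repeated POST requests from an internal host to a script named gate.php on an external server. The following Python is an added example, not code from this post or from SpyEye itself. It parses a handful of constructed Apache combined-format proxy log lines (the hosts, addresses, paths and timestamps are made up), groups POST requests whose URL path ends in gate.php by internal source host, and computes the spacing between consecutive requests so that a regular beacon stands out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log in Apache combined format. None of these
# addresses, paths or timestamps come from real traffic.
SAMPLE_LOG = """\
10.0.0.21 - - [14/Mar/2011:10:01:02 +0000] "POST http://198.51.100.7/sp/gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.21 - - [14/Mar/2011:10:03:02 +0000] "POST http://198.51.100.7/sp/gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.35 - - [14/Mar/2011:10:03:40 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.21 - - [14/Mar/2011:10:05:02 +0000] "POST http://198.51.100.7/sp/gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.42 - - [14/Mar/2011:10:06:11 +0000] "GET http://198.51.100.7/sp/gate.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.50 - - [14/Mar/2011:10:07:30 +0000] "POST http://203.0.113.9/GATE.PHP?x=1 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
"""

# Source host, timestamp, method, URL, status and size of one combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_gate_posts(log_text, gate_name="gate.php"):
    """Group POST requests whose URL path ends in gate_name by internal source host.

    Only POSTs count: the bots report to the gate with POST, so a stray GET
    (e.g. a scanner or a curious analyst) is not treated as a bot check-in.
    The query string is stripped and the comparison is case-insensitive.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["url"].split("?", 1)[0]
        if path.lower().endswith("/" + gate_name):
            hits[rec["src"]].append(rec)
    return dict(hits)


def beacon_intervals(recs):
    """Seconds between consecutive requests from one host.

    Evenly spaced intervals suggest an automated check-in rather than a person.
    """
    times = sorted(datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z") for r in recs)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def summarize(hits):
    """Per source host: number of gate POSTs and the first gate URL seen."""
    return {src: (len(recs), recs[0]["url"]) for src, recs in hits.items()}


if __name__ == "__main__":
    gate_hits = find_gate_posts(SAMPLE_LOG)
    for src, (count, url) in summarize(gate_hits).items():
        print(f"{src}: {count} POST(s) to {url}, intervals {beacon_intervals(gate_hits[src])}s")
```

A filename match is a weak indicator on its own, since the operator can rename the script; treat it as a pivot and let the regular spacing of the POSTs, the small fixed response size, and the reuse of one destination host carry the weight.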

Look at the following comparison of code snippets from versions 1.3.0.5 and 1.3.4.x of the gate.php file:

I also noticed that SpyEye 1.3.4.x has a Jabber Notifier like the one in earlier ZeuS builders, which lets bot masters pick up stolen banking credentials more efficiently than by waiting for the data to pass through a control panel. This is an improvement, as previous SpyEye versions exposed the data only through the control panel.

Let us take a look at the jabberclass.php file of ZeuS 2.0.8.9:

Do you see the same thing? The code looks as if it was simply copied and pasted from ZeuS into SpyEye's Jabber Notifier. I can assure you that I did not use the same screenshots for the figures.

The only difference between the two is that the gate.php code of ZeuS 2.0.8.9 calls jabberclass.php while that of SpyEye does not. SpyEye's gate.php already contains the equivalent of jabberclass.php, so a separate file just for Jabber notifications is unnecessary. SpyEye also references a plug-in called jabbernotifier.dll in its config file.

As previously stated, the ZeuS-SpyEye merger indeed seems to be on its way.

• Dino

  Then SpyEye and ZeuS are sending the captured info through Jabber without any encryption? Has anybody verified this?

• anonymous

  the ZeuS-SpyEye merger indeed seems to be on its way <= This is a stupid idea… You and other blogs are selling this idea, and SpyEye is only updating his stuff…

© Copyright 2013 Trend Micro Inc. All rights reserved.