10:57 pm (UTC-7) | by Loucif Kharouni (Senior Threat Researcher)
This entry is a follow-up to my blog post last week in which I noted some significant changes that have been made to SpyEye 1.3.4.x. Further observation revealed other modifications that made me think we are getting closer to the merger of the SpyEye and ZeuS botnets.
This SpyEye version comes with a Gate, a CN1 and a SYN1 installer.
This installer page creates the gate.php used for POST requests between the bots and the CN1 control panel. These bots send specific information about the infected system, such as IP address, location, and OS, to the CN1 panel. The gate.php code functions similarly to that of previous versions, though one can easily see certain improvements. In this version, the gate.php file can now access the database by itself. In previous versions, doing so required config.php to retrieve the necessary information (e.g., domain/IP address, user name, and password) from the database. The new gate.php file does not require data from external files: everything it needs is already defined within the file itself, either as values or as functions.
Look at the following comparison of code snippets from versions 1.3.0.5 and 1.3.4.x of the gate.php file:
I also noticed that SpyEye 1.3.4.x has a Jabber Notifier like previous ZeuS builders, which allows bot masters to steal banking credentials more efficiently than by waiting for the data to come in through a control panel. This is an improvement, as previous SpyEye versions only allowed access to stolen data via the control panel.
Let us take a look at the jabberclass.php file of ZeuS 184.108.40.206:
Do you see the same thing? The said code looks like it was simply cut and pasted onto SpyEye’s Jabber Notifier from that of ZeuS. I can assure you that I did not use the same screenshots for the figures.
The only difference between the two is that the gate.php code of ZeuS 220.127.116.11 calls jabberclass.php while that of SpyEye does not. SpyEye already has the equivalent of the jabberclass.php file included in its gate.php code, making it unnecessary to include a separate file just for Jabber notifications. SpyEye also references a plug-in called jabbernotifier.dll in its config file.
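The two structural differences described above (a gate.php that carries its own database settings instead of loading config.php, and a Jabber notifier embedded in the gate rather than pulled in from jabberclass.php) are the kind of traits an analyst can fingerprint when triaging a captured panel. The following Python helper is an added example, not code from the original post or from either kit; the three PHP snippets it inspects are constructed to mimic the layouts the post describes and are not real panel source, and the file names and the `Jabber` class name are assumptions.

```python
"""
Triage helper for captured SpyEye/ZeuS-style panel source.

Added example, not Trend Micro's or the author's code. It reports whether a
gate.php pulls its database settings from config.php or carries them inline,
and whether a Jabber/XMPP notifier is embedded in the gate or loaded from a
separate jabberclass.php. All PHP samples below are constructed for
illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample mimicking the older layout: the gate relies on config.php
OLD_STYLE_GATE = r'''<?php
require_once("config.php");
$link = mysql_connect($config['db_host'], $config['db_user'], $config['db_pass']);
mysql_select_db($config['db_name'], $link);
$bot_ip = $_SERVER['REMOTE_ADDR'];
'''

# Constructed sample mimicking the newer layout: self-contained gate with an
# embedded Jabber client (credentials below are placeholders)
NEW_STYLE_GATE = r'''<?php
$db_host = "localhost"; $db_user = "panel"; $db_pass = "placeholder"; $db_name = "cn1";
$link = mysql_connect($db_host, $db_user, $db_pass);
mysql_select_db($db_name, $link);
class Jabber {
    function connect($server, $port = 5222) { $this->sock = fsockopen($server, $port); }
    function sendMessage($to, $body) { fwrite($this->sock, "<message to='$to'><body>$body</body></message>"); }
}
'''

# Constructed sample mimicking a gate that loads the notifier from a separate file
SEPARATE_JABBER_GATE = r'''<?php
require_once("config.php");
require_once("jabberclass.php");
'''


@dataclass
class GateProfile:
    includes_config: bool          # loads config.php for its settings
    inline_db_credentials: bool    # connects to the DB with literals defined in-file
    includes_jabberclass: bool     # pulls the notifier in from jabberclass.php
    embedded_jabber: bool          # carries XMPP client code itself


# PHP include/require statements and the file they reference
INCLUDE_RE = re.compile(r'\b(?:require|include)(?:_once)?\s*\(?\s*["\']([^"\']+)["\']')
# Common PHP database connection calls
DB_CONNECT_RE = re.compile(r'\b(?:mysql_connect|mysqli_connect|new\s+mysqli|new\s+PDO)\b')
# Database settings assigned as string literals inside the file
DB_LITERAL_RE = re.compile(r'\$db_(?:host|user|pass|name)\s*=\s*["\']')
# Traces of an in-file XMPP client: a Jabber class, a socket to 5222, or stanza markup
JABBER_RE = re.compile(r'\bclass\s+Jabber\b|fsockopen\([^)]*5222|<message\b', re.IGNORECASE)


def profile_gate(src: str) -> GateProfile:
    """Extract the structural traits of a gate.php source string."""
    includes = {m.group(1).lower() for m in INCLUDE_RE.finditer(src)}
    return GateProfile(
        includes_config="config.php" in includes,
        inline_db_credentials=bool(DB_CONNECT_RE.search(src)) and bool(DB_LITERAL_RE.search(src)),
        includes_jabberclass="jabberclass.php" in includes,
        embedded_jabber=bool(JABBER_RE.search(src)),
    )


def classify(src: str) -> str:
    """Summarise the layout in the terms the post uses to contrast the versions."""
    p = profile_gate(src)
    if p.inline_db_credentials and not p.includes_config:
        layout = "self-contained gate (credentials inline)"
    elif p.includes_config:
        layout = "gate depends on config.php"
    else:
        layout = "gate layout unknown"
    if p.embedded_jabber:
        notifier = "Jabber notifier embedded in gate"
    elif p.includes_jabberclass:
        notifier = "Jabber notifier loaded from jabberclass.php"
    else:
        notifier = "no Jabber notifier found"
    return f"{layout}; {notifier}"


if __name__ == "__main__":
    for name, sample in [("old", OLD_STYLE_GATE), ("new", NEW_STYLE_GATE), ("separate", SEPARATE_JABBER_GATE)]:
        print(f"{name}: {classify(sample)}")
```

Run against real seized files, the profile gives a quick, version-independent way to tell an older config.php-dependent gate from the self-contained 1.3.4.x-style layout, and to tell a gate that embeds its notifier from one that includes jabberclass.php; the regexes are deliberately narrow, so a sample that obfuscates its includes or connection calls falls into the "unknown" bucket rather than being mislabelled.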
As previously stated, the ZeuS-SpyEye merger indeed seems to be on its way.