Tuesday, February 8, 2011

New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3

Via RSA Blog -

The RSA Research Lab has analyzed one of the most recent SpyEye v1.3 variants and has determined beyond doubt that the new hybrid Trojan is in fact already active in the wild. RSA’s researchers were able to reverse engineer the code and assert that it does indeed contain an exact code piece that has long been part of the Zeus Trojan’s sophisticated HTML injection mechanism.

Ever since the initial release of the SpyEye Trojan in December 2009, its coder, who goes by two aliases, “Harderman” and “Gribodemon”, has been working incessantly on upgrading his Trojan, harvesting the fruits of his labor by selling it to fraudsters. Harderman has already released numerous SpyEye versions, often adding unique features that no earlier Trojan code had used.


Looking back to late October 2010, one can appreciate the surprise factor that marked one of the most significant events recorded in cybercrime history to date: a code merger between the most popular commercially sold Trojan kits – Zeus, and its biggest competitor – SpyEye.

Immediately after the news washed through underground forums and security blogs, fraudsters and security professionals alike turned their attention to Harderman’s announcements. The new owner of both Trojans posted information about his upcoming creation, which he dubbed “one super Trojan”: a merged code uniting both Trojans, along with his promise of new features to make it bigger and better than ever.


New Remote Process Injection Method Makes SpyEye Harder to Detect

The SpyEye hybrid now has a new injection mechanism; instead of injecting itself into a target process (for example, into an IE process), SpyEye will inject the embedded EXE into a completely different process, using that process’ memory space and resources. SpyEye loads its embedded (core) executable into that “borrowed” process’ memory space, and then creates a remote thread that will actually execute the loaded code from that location.
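The injection technique above leaves a characteristic trace on the host: one process creates a thread inside another process, and the thread starts at an address that no module loaded from disk accounts for. The following is an added example, not code from the RSA post, showing how a defender can surface that pattern from Sysmon-style Event ID 8 (CreateRemoteThread) records. The field names (SourceImage, TargetImage, StartAddress, StartModule, StartFunction) are the ones Sysmon emits for that event; the log lines, the process names in them and the source allowlist are constructed for the example.

```python
"""Flag remote-thread creation from Sysmon-style Event ID 8 records.

Added example: the event lines below are constructed, not real telemetry,
and the allowlist of expected source processes is a hypothetical starting
point that would be tuned per environment.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Browser processes that banking Trojans hook for HTML injection.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

# Source images from which a remote thread into a browser is expected
# (hypothetical allowlist for the example).
EXPECTED_SOURCES = {r"c:\windows\system32\csrss.exe"}

REASON_UNBACKED = "thread start address not backed by any loaded module"
REASON_BROWSER = "unexpected process created a thread inside a browser"

# Constructed sample records (one event per line, Key=Value pairs).
SAMPLE_EVENTS = [
    r"EventID=8 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\explorer.exe NewThreadId=3104 StartAddress=0x00A31000 StartModule= StartFunction=",
    r"EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Program Files\Internet Explorer\iexplore.exe NewThreadId=2212 StartAddress=0x77A10F10 StartModule=C:\Windows\System32\ntdll.dll StartFunction=RtlUserThreadStart",
    r"EventID=8 SourceImage=C:\Users\victim\AppData\Roaming\update.exe TargetImage=C:\Program Files\Internet Explorer\iexplore.exe NewThreadId=2260 StartAddress=0x7C801D7B StartModule=C:\Windows\System32\kernel32.dll StartFunction=LoadLibraryA",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]


@dataclass
class Alert:
    source: str
    target: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse a one-line 'Key=Value Key=Value' record.

    Values may contain spaces (e.g. 'Program Files'), so each value runs
    lazily until the next ' Key=' boundary or the end of the line.
    """
    fields: Dict[str, str] = {}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line):
        fields[m.group(1)] = m.group(2).strip()
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Alert]:
    """Apply two detection rules to a single parsed event."""
    if event.get("EventID") != "8":
        return []
    src = event.get("SourceImage", "")
    tgt = event.get("TargetImage", "")

    # Rule 1: the new thread starts at an address no loaded module backs.
    # Code was written directly into the target's memory rather than loaded
    # from a DLL on disk, which matches the borrowed-process injection above.
    if not event.get("StartModule"):
        return [Alert(src, tgt, REASON_UNBACKED)]

    # Rule 2: a thread was created inside a browser by a process that is not
    # expected to do so (classic LoadLibrary-style injection still shows a
    # backing module, so rule 1 alone would miss it).
    if basename(tgt) in BROWSERS and src.lower() not in EXPECTED_SOURCES:
        return [Alert(src, tgt, REASON_BROWSER)]
    return []


def scan(lines: List[str]) -> List[Alert]:
    """Run both rules over a sequence of raw event lines."""
    alerts: List[Alert] = []
    for line in lines:
        alerts.extend(evaluate(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT: {a.source} -> {a.target}: {a.reason}")
```

Rule 1 is the one that maps most directly to the technique described in the post: an executable mapped by hand into another process has no module on disk for the thread start address to resolve to. Rule 2 is broader and will need an allowlist in practice, since accessibility tools and some security products legitimately create threads inside browsers.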



And so the perpetual Trojan arms race continues. It appears that the more security features are put in place to protect online banking environments, the further Trojan developers will go in their attempts to infiltrate the systems, compromise security, and better hide their activities within infected computers.

Although one may assume that the new SpyEye hybrid, or super-Trojan if you will, is going to be Harderman’s (and cybercrime’s) main focus going forward, security researchers hold different forecasts concerning the subsequent Zeus and SpyEye versions to come. RSA believes that the Zeus Trojan may gradually become a relic of the past. Although the old Zeus may still be the subject of new underground upgrades, it will most likely begin fading away as fraudsters turn to SpyEye – a Trojan code offering both technical support and future upgrades.
