SpyEye and Zeus are used for stealing information such as banking credentials, login details, etc. once a user is infected.

A look at SpyEye

Sample Name: us1 (packed with UPX; I unpacked the executable with UPX so I don't have to do it manually :)

A quick look at the disassembly shows some interesting names: smss.exe, csrss.exe, services.exe, usxxxxxxx.exe

I placed breakpoints on the functions I wanted to see:

- CreateFile

- WriteFile (the malware will also create an encrypted config file, used for contacting the bot controller)

- WriteProcessMemory

- VirtualAlloc (allocating memory in the process)

- DeleteFile (used for deleting the original sample)

The malware creates a new exe in a hidden folder (“uxxxxx”)

The original malware copies itself to that folder, for persistence reasons maybe..?

Deleting the original sample

Creating the config file

Opening the config file in Notepad (visible strings: knocker.dll, sock5.dll, config.dat, webinjects.txt, maincps.txt, collectors.txt)

Call to CreateProcess to launch the exe

A quick look in IDA shows it's the same binary. At the beginning of the program, the string “usxxxx” (the name of our second payload) is pushed on the stack, and a function with a series of memsets is called. String compares are also used to check certain offsets of the binary. I think SpyEye does this so the second exe can run differently.

VirtualAllocEx and WriteProcessMemory were called to allocate memory in the new process and write to it. Moving straight to the connection initiation, we see SpyEye requesting DNS for the domains below.

ZEUS

Zeus uses the same techniques as SpyEye:

- Dropping a copied exe into a random folder and deleting the original exe

- Injecting into other processes

- Creating a config file for the command-and-control server

- Attempting connections to the C&C

Past samples of SpyEye used to delete Zeus on compromised PCs, but I didn't see that in this sample; it would have been cool to see it.
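The behaviour listed for both SpyEye (drop a copy, delete the original, write a config file, launch the copy, VirtualAllocEx/WriteProcessMemory into another process, DNS for the controller) and Zeus is exactly the kind of sequence a sandbox or host monitor can score. The script below is an added example, not code from the original write-up: it reads a constructed API-call trace in an assumed `pid,api,arg1,arg2` CSV format (what you might log from the breakpoints listed above) and flags each process that shows part of that pattern. Every path, pid, handle and hostname in the sample trace is made up for the example.

```python
"""Behavioural triage over an API-call trace.

Added example (not from the original write-up). It assumes a CSV trace of
the form pid,api,arg1,arg2, the kind of log you would collect from the
breakpoints listed in the post, and flags the drop/delete/inject/config/C&C
pattern described for SpyEye and Zeus. Every path, pid, handle and hostname
below is constructed for the example.
"""
import csv
import io
import ntpath  # Windows path handling, regardless of the host OS
from collections import defaultdict

# Constructed sample trace; not captured from a real sample.
SAMPLE_TRACE = r"""pid,api,arg1,arg2
1000,CreateFile,C:\Windows\us1.exe,READ
1000,CreateFile,C:\uxxxxx\usxxxxxxx.exe,WRITE
1000,WriteFile,C:\uxxxxx\usxxxxxxx.exe,118784
1000,CreateFile,C:\uxxxxx\config.bin,WRITE
1000,WriteFile,C:\uxxxxx\config.bin,4096
1000,DeleteFile,C:\Windows\us1.exe,
1000,CreateProcess,C:\uxxxxx\usxxxxxxx.exe,
1001,VirtualAllocEx,0x2a4,PAGE_EXECUTE_READWRITE
1001,WriteProcessMemory,0x2a4,4096
1001,getaddrinfo,c2.example.invalid,
2000,CreateFile,C:\Users\me\notes.txt,WRITE
2000,WriteFile,C:\Users\me\notes.txt,120
"""

# Name-resolution APIs worth flagging when seen next to the dropper pattern.
DNS_APIS = {"getaddrinfo", "gethostbyname", "DnsQuery_A", "DnsQuery_W"}


def parse_trace(text):
    """Parse the CSV trace into a list of dict rows (one per API call)."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Return {pid: [flags]} for every process showing part of the pattern.

    Flags, in the order they are checked:
      drop_copy_and_delete_original     - writes an .exe and deletes some file
      launch_dropped_exe                - CreateProcess on an .exe it wrote
      config_written_beside_dropped_exe - non-exe file written in the drop dir
      remote_memory_write               - VirtualAllocEx then WriteProcessMemory
                                          on the same target handle
      dns_lookup                        - any name-resolution call
    """
    by_pid = defaultdict(list)
    for row in rows:
        by_pid[int(row["pid"])].append(row)

    findings = {}
    for pid, calls in by_pid.items():
        flags = []
        written = {r["arg1"] for r in calls if r["api"] == "WriteFile"}
        exes = {p for p in written if p.lower().endswith(".exe")}
        deleted = {r["arg1"] for r in calls if r["api"] == "DeleteFile"}
        launched = {r["arg1"] for r in calls if r["api"] == "CreateProcess"}

        if exes and deleted:
            flags.append("drop_copy_and_delete_original")
        if exes & launched:
            flags.append("launch_dropped_exe")
        drop_dirs = {ntpath.dirname(p).lower() for p in exes}
        if any(ntpath.dirname(p).lower() in drop_dirs for p in written - exes):
            flags.append("config_written_beside_dropped_exe")

        # Injection primitive: memory allocated in a remote process and then
        # written to, matched on the target process handle carried in arg1.
        alloc_targets = set()
        for r in calls:
            if r["api"] == "VirtualAllocEx":
                alloc_targets.add(r["arg1"])
            elif r["api"] == "WriteProcessMemory" and r["arg1"] in alloc_targets:
                flags.append("remote_memory_write")
                break

        if any(r["api"] in DNS_APIS for r in calls):
            flags.append("dns_lookup")

        if flags:
            findings[pid] = flags
    return findings


if __name__ == "__main__":
    for pid, flags in triage(parse_trace(SAMPLE_TRACE)).items():
        print(pid, ", ".join(flags))
```

Run as-is it reports the dropper process (1000) with the drop/delete/launch/config flags and the injected process (1001) with the remote-write and DNS flags, while the ordinary editor process (2000) stays silent. Matching on the handle passed to VirtualAllocEx and WriteProcessMemory is what keeps the injection flag from firing on a process that merely calls one of the two.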