Everyone is talking about the SpyEye Trojan, the info stealer malware that gained all the attention after the author of ZeuS left the underground market and sold ZeuS sources to the SpyEye team
. We already wrote about SpyEye last year
, when we focused on the threat claiming that it could potentially become one of the top password stealing threats. Now that the SpyEye authors have access to all of ZeuS source code, SpyEye is becoming the main kit available for sale in the underground with even more efficient coding with some additional ZeuS based technologies
Let's have a closer look at the new variants of SpyEye.
The SpyEye dropper comes in a UPX packed executable. After unpacking the first layer, we are lucky as we could already get to the SpyEye code. Actually, we have some samples which make use of highly-obfuscated decryption code, used for a second stage decryption loop
. This second stage decryption loop make uses of its own routine able to get function addresses by parsing library export tables. The function is using name hashes instead of plain-text names. The hash is calculated by an ADD/ROL loop.