Feb 9, 2011 18:09 GMT

Security researchers from RSA have confirmed that the SpyEye author is working on a "super trojan" by merging features from ZeuS into his own creation, sometimes by copying entire chunks of code.

When rumors first appeared last year that SpyEye and ZeuS would be merged, after Slavik handed his source code to Harderman, aka Gribodemon, security researchers were skeptical.

This is because at the time SpyEye was ZeuS' biggest competitor on the underground market and even featured a "kill ZeuS" option.

However, starting with version 1.3 development builds, the malware began to show signs that the rumors were true and ZeuS features were slowly being ported to SpyEye.

The most important addition from ZeuS so far is the HTML injection engine for Internet Explorer, which is a core component in such banking trojans.

Harderman acknowledged that ZeuS's mechanism was practically copied in its entirety, without any major modifications.

According to the RSA researchers, the main reason why ZeuS' injection component was better is its handling of cached pages.

The old SpyEye mechanism was only capable of injecting code into HTML pages as they were being downloaded from the Internet; on repeated visits, however, the browser loads the page from its cache.

Because of this, SpyEye deleted the cache after every injection to make sure that the page is always downloaded from the server. Meanwhile, ZeuS is capable of injecting rogue code in cached pages, making its mechanism more reliable.

Other features sported by the SpyEye 1.3 version include a new encryption method for the configuration file, an encapsulated executable modular architecture, PE resources and remote process injection.

"RSA believes that the Zeus Trojan may gradually become a relic of the past. Although the old Zeus may still be the subject of new underground upgrades, it will most likely begin fading away as fraudsters turn to SpyEye – a Trojan code offering both technical support and future upgrades," the researchers write.