WHITEPAPER | July 1, 2012

Reversal and Analysis of the Zeus and SpyEye Banking Trojans

Although the core functionality of SpyEye is similar to its main rival Zeus, SpyEye incorporates many advanced tricks to hide its presence on the local system. This document includes a deep technical analysis of the bot’s advanced hooking and injection mechanisms, as well as its core functionality used to hijack and steal user information.

Zeus is an advanced piece of malware, so getting it to a reversible state was not a trivial exercise since it incorporates multiple layers of custom, portable, executable encryption. IOActive reverse engineers stripped each encryption layer and rebuilt the executable to allow for proper disassembly. Once Zeus was in an unpacked state, consultants identified additional roadblocks including non-existent import address tables, obfuscated string tables, and relocated code. Zeus included many methods to hinder reverse engineering.Launch PDF