A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7998  by EP_X0FF
 Sun Aug 14, 2011 1:05 pm
Brookit wrote: I do not understand why they say it was leaked? Xylitol, have you hacked yourself? :)
They mean the builder loader source code, so skids can now apply it to their purposes with small modifications.

btw Xylitol, you are an "infamous French security researcher" :D

And I do not understand the Damballa author - there is actually a big difference between the Zeus source code leak and the SpyEye builder loader "leak".
 #8000  by rkhunter
 Sun Aug 14, 2011 1:17 pm
EP_X0FF wrote:
Brookit wrote: I do not understand why they say it was leaked? Xylitol, have you hacked yourself? :)
They mean the builder loader source code, so skids can now apply it to their purposes with small modifications.

btw Xylitol, you are an "infamous French security researcher" :D

And I do not understand the Damballa author - there is actually a big difference between the Zeus source code leak and the SpyEye builder loader "leak".
Actually, a SpyEye builder patch source code leak :)
Virus Bulletin made a mistake and wrote on Twitter that "After Zeus, now the source code of the SpyEye malware kit has leaked too".
 #8003  by Xylitol
 Sun Aug 14, 2011 1:44 pm
I have been cracking SpyEye since version 1.1.39, and I have had version 1.3.45 cracked for months now.
http://xylibox.blogspot.com/2011/06/spyeye-1345.html

It's a lot of noise for just a lame WriteProcessMemory (and the released loader deliberately doesn't cover all the bytes).
btw yes, Damballa made a lot of mistakes in the article.

I always make the SpyEye guys shit bricks ~
Virtest hacked: http://xylibox.blogspot.com/2011/08/tra ... alevo.html
cracking SpyEye 1.3.x (generic) http://xylibox.blogspot.com/2011/08/cra ... e-13x.html
Decode data sent to the gate (SpyEye 1.3.x): http://xylibox.blogspot.com/2011/08/dec ... e-13x.html
SpyEye 1.3.41: http://xylibox.blogspot.com/2011/06/spy ... -mine.html
SpyEye 1.3.39: http://xylibox.blogspot.com/2011/05/har ... crash.html
etc...
 #8054  by pigindrin
 Tue Aug 16, 2011 1:52 pm
I've got a sample of SpyEye 1.3.x. I could identify the C&C but it was difficult to decode it. If anyone can try it, I attached the sample.
Attachments
pass: infected
 #8055  by EP_X0FF
 Tue Aug 16, 2011 2:05 pm
pigindrin wrote: I've got a sample of SpyEye 1.3.x. I could identify the C&C but it was difficult to decode it. If anyone can try it, I attached the sample.
Equal to this.
 #8166  by EP_X0FF
 Sat Aug 20, 2011 2:24 pm
SpyEye v1.3.45

Pass for decrypted config: 25BE418641B337625A12F568DBD3B5A5

Gates:
hxxp://makemeflgood.com/_cp/gate.php;90
hxxp://bkstrdljs.com/_cp/gate.php;90
hxxp://fastslider.com/_cp/gate.php;90
Plugins: customconnector, jazz0_2

Original, unpacked and decrypted config in attach.

Original: 15/42 (35.7%)
http://www.virustotal.com/file-scan/rep ... 1313849148

Unpacked: 27/43 (62.8%)
http://www.virustotal.com/file-scan/rep ... 1313849321

It's the main payload of this BlackHole (176.28.0.129/index.php?tp=c3fb51075a61edff) btw.
Attachments
pass: malware
 #8227  by EP_X0FF
 Tue Aug 23, 2011 9:41 am
SpyEye v1.3.45

Pass for decrypted config: 2AE7FB8E0DFC11730CAF57C47FC18DFF

Gates:
hxxp://hhotelst555.ru/apache.php;300
hxxp://eewtoopqq.ru/wwww.php;300
hxxp://eeopqogagjqoqq.ru/vvvvvv.php;300
Plugins: customconnector, ccgrabber

Original, unpacked and decrypted config in attach.

Payload of the Blackhole exploit kit (terwertyss.in/forum.php?tp=927253722888a42f)

Original: 2/44 (4.5%)
http://www.virustotal.com/file-scan/rep ... 1314092185

Unpacked: 28/44 (63.6%)
http://www.virustotal.com/file-scan/rep ... 1314092032
Attachments
pass: malware
 #8249  by pigindrin
 Tue Aug 23, 2011 5:29 pm
Hello EP_X0FF, according to your response (page 24), I've checked it and the SpyEye version (.exe) is the same. But I've re-analyzed the sample and it seems the webinject is not the same. Could that be possible?
The C&C the malware connects to is "263rdasd.com/hfgf/gate.php". Could you give me a hand in order to get the webinject? Thanks!