With the once-pricey malware kit now available cheaply, or even free, to cyber-criminals, experts predict an explosion in SpyEye variants.
The source code for the SpyEye Trojan has been released, raising the possibility that one of the most prevalent Trojans in the wild could become an even bigger threat.
The leak was the work of a French researcher called Xyliton, part of the RED (Reverse Engineers Dream) Crew, who released a tutorial to crack a copy of SpyEye builder 1.3.45, Sean Bodmer, a senior threat intelligence analyst at Damballa, wrote Aug. 11 on The Day Before Zero blog. The "leak" is important because it illustrates the coding techniques used by the authors of SpyEye, the Gribo-Demon's team, Bodmer said.
SpyEye was first detected in late 2009, right about when the Zeus banking Trojan was dominating the malware landscape. Both malware families targeted account credentials and other sensitive data to steal money from user bank accounts. SpyEye and Zeus were also both available on underground markets as software builders, or toolkits, that other, less-savvy criminals could use to launch new attack campaigns. SpyEye builder kits were sold on the black market for as much as $10,000, according to
"SpyEye has been on everyone's priority list of threat discussions for quite some time, and is now going to become an even more pervasive threat," Bodmer said.
Zeus functionality and code started appearing in the SpyEye malware kit in early 2011, prompting security experts to speculate that the developers had combined efforts and that new development for Zeus would cease. That has not turned out to be the case, as there has been some work on Zeus since the code merger. The Zeus source code was leaked in March, making it possible for anyone to modify it and create even more powerful Zeus variants.
"Damballa labs has been tracking dozens of new Zeus bot operators since the leak earlier this year, and now that SpyEye has been outed, it is only a matter of time before this becomes a much larger malware threat than any we have seen to date," Bodmer said.
SpyEye activity has been growing in recent months, with 60 percent of SpyEye bots targeting banks in the United States and 53 percent targeting financial institutions in the United Kingdom, according to a recent report from Trusteer.
The RED Crew tutorial provided instructions on how to crack the hardware-identification scheme on SpyEye builder 1.3.45, which locks the software to a specific hardware device. People who bought the toolkit could use it only on one machine, according to Bodmer, who said the tutorial made it possible to crack the VMProtect tool used on the builder in less than 15 minutes.
With VMProtect broken, the builder could be traded freely among criminals and not be limited to only one machine per purchased copy. SpyEye variants created by using the cracked toolkit would be missing an attribution field in the code. Damballa has already identified new builders with the eliminated field selling for as low as $95 on the black market.
"Reverse Engineering is nothing new, but putting in the hands of babes one of the most powerful cyber-threats today, 'for free', is something that will mean even more sleepless nights for security administrators," Bodmer said, calling the tutorial a "silver platter" for cyber-criminals.
SpyEye developers have already released version 1.3.48 of the builder, and newer versions are in the works, Bodmer said. The tutorial is not expected to work on later versions, and the team behind the malware toolkit will be building in more protections to make it harder to crack, according to Bodmer. However, considering how expensive the builder is, many criminals will continue using the older and cheaper version of the toolkit to develop their campaigns, Bodmer predicted.
There is some good news for security researchers, too, as they can now begin hunting for security vulnerabilities in SpyEye, in the same manner that cyber-criminals look for bugs in legitimate software to exploit. Security vendors will also be able to create signatures to detect SpyEye variants, Bodmer said. There are also sites that identify command-and-control servers used by the Trojan that companies can download to blacklist