SpyEye Trojan Code Leak Likely to Promote Rapid Proliferation

With the once-pricey malware kit now available cheap-or even free-to cyber-criminals, experts predict an explosion in SpyEye variants

The source code for the SpyEye Trojan has been released, raising the possibility that one of the most prevalent Trojans in the wild could become an even bigger threat.

The leak was the work of a French researcher called Xyliton, part of the RED (Reverse Engineers Dream) Crew, who released a tutorial to crack a copy of SpyEye builder 1.3.45, Sean Bodmer, a senior threat intelligence analyst at Damballa, wrote Aug. 11 on The Day Before Zero blog. This "leak" is important because it illustrates the coding techniques used by the authors of SpyEye, the Gribo-Demon's team, Bodmer said.

SpyEye first was detected in late 2009, right about when the Zeus banking Trojan was dominating the malware landscape. Both malware families targeted account credentials and other sensitive data to steal money from user bank accounts. SpyEye and Zeus were also both available on underground markets as software builders, or toolkits, that other less-savvy cyber-criminals could use to launch new attack campaigns. SpyEye builder kits were sold on the black market for as much as $10,000, according to researchers.

"SpyEye has been on everyone's priority list of threat discussions for quite some time, and is now going to become an even more pervasive threat," Bodmer said.

Zeus functionality and code started appearing in the SpyEye malware kit in early 2011, prompting security experts to speculate the developers had combined efforts and that new development for Zeus would cease. That has not turned out to be the case as there's been some work on Zeus since the code merger. Zeus source code was leaked in March, making it possible for anyone to modify the source code and create even more powerful Zeus variants.

"Damballa labs has been tracking dozens of new Zeus bot operators since the leak earlier this year, and now that SpyEye has been outed, it is only a matter of time before this becomes a much larger malware threat than any we have seen to date," Bodmer said.

SpyEye activity has been growing in recent months, with 60 percent of SpyEye bots targeting banks in the United States and 53 percent targeting financial institutions in the United Kingdom, according to a recent report from Trusteer.

The RED Crew tutorial provided instructions on how to crack the hardware identification scheme on SpyEye builder 1.3.45 to lock the software to a specific hardware device. People who bought the toolkit could use it only on one machine, according to Bodmer, who said it was possible to crack the VMProtect tool used on the builder in less than 15 minutes with the tutorial.

With VMProtect broken, the builder could be traded freely among criminals and not be limited to only one machine per purchased copy. SpyEye variants created by using the cracked toolkit would be missing an attribution field in the code. Damballa has already identified new builders with the eliminated field selling for as low as $95 on the black market.

"Reverse Engineering is nothing new, but putting in the hands of babes one of the most powerful cyber-threats today, 'for free', is something that will mean even more sleepless nights for security administrators," Bodmer said, calling the tutorial a "silver platter" for cyber-criminals.

SpyEye developers have already released version 1.3.48 of the builder and newer versions are in the works, Bodmer said. The tutorial is not expected to work on later versions and the team behind the malware toolkit will be building in more protections to make it harder to crack, according to Bodmer. However, considering how expensive the builder is, many criminals will continue using the older and cheaper version of the toolkit to develop their campaigns, Bodmer predicted.

There's some good news for security researchers, too, as they can now begin hunting for security vulnerabilities in SpyEye, in the same manner that cyber-criminals look for bugs in legitimate software to exploit. Security vendors will also be able to create signatures to detect SpyEye variants, Bodmer said. There are also sites that identify command-and-control servers used by the Trojan that companies can download to blacklist SpyEye traffic.