SpyEye Bot Kit Takes on Zeus

By Matthew Hines  |  Posted 2010-02-09 Print this article Print

The malware toolkit behind the Zeus botnet has become one of the most successful iterations of such a package yet discovered, but that doesn't mean that competitors aren't always on the rise.

According to researchers at Symantec, the newer, more expensive SpyEye botnet kit is starting to grow in popularity as attackers seek out a new platform for more easily and effectively building their zombie armies.

While recognizing that the Zeus bot kit is still "the most established" crimeware kit on the underground economy, SpyEye, which was first observed in Dec. 2009 and retails for roughly $500 on many Russian underground forums, appears to be gaining a bigger audience, said Symantec expert Peter Coogan in a recent blog post.

SpyEye remains nascent and is not yet widely in use, but it has all the hallmarks of an attack that could become a much bigger fish in relatively short order, he said.

"Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits," Coogan said.

Much like Zeus, the SpyEye kit offers aspiring attackers a "builder module" for creating a Trojan executable and a Web-based front end panel for running a command and control center once a botnet has been effectively assembled.

Among the other features that purveyors of the kit are also marketing to potential buyers are key logger capability, an "auto fill" system for credit card modules, daily e-mail backup, and encryption functions. The toolkit even goes so far at to offer custom infection modes for going after machines in different countries.

However, in a nod to the success of Zeus and its massive army of infected machines, the SpyEye kit also offers a "Zeus killer" feature that is meant to allow attackers to steal infected devices away from the prolific botnet.

The feature has yet to be proven effective, but the SpyEye Zeus hijack goes after the same Wininet API used by Zeus for communications and then attempts to intercept requests sent by the zombie machines back to their C&C servers. The tool is also marketed as having the ability to delete Zeus off of infected machines, the expert said.

With updates from its creators arriving on a frequent basis and the anti-Zeus bent to its delivery, the rise of SpyEye could signal the beginning of another significant botnet war, such as those previously waged between Beagle, Netsky and MyDoom, Coogan contends.

"If the use of SpyEye takes off, it could dent Zeus bot herds and lead to retaliation from the creators of the Zeus crimeware toolkit," Coogan said. "This, in turn, could lead to another bot war such as we have seen in the past."

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel