Security researchers are finding more clues of an emerging battle being carried out between the long-running Zeus botnet and newcomer SpyEye, which has been engineered specifically to take over machines that were previously infected by Zeus.
After first noting the growing prevalence of botnet attacks being created with the emerging SpyEye (or EyeBot) kit last week, researchers with AV giant Trend Micro’s TrendLabs group are now comparing the growing tussle for zombie-fied computers to other notable malware throwdowns, including the “worm wars” once waged between the Netsky and MyDoom attacks.
Specifically, the researchers noted that much as in that battle, the aggressor in SpyEye-Zeus is a new attack that actually features many of the same features of the threat that it is seeking to push aside.
As first noted by TrendLabs, the toolkit being used to create SpyEye attacks offers a “Zeus killer” feature that is meant to allow attackers to steal infected devices away from the prolific botnet.
Using the feature, the SpyEye’s Zeus hijack goes after the same Wininet API used by Zeus for communications and then attempts to intercept requests sent by the zombie machines back to their C&C servers. The tool is also marketed as having the ability to delete Zeus off of infected machines.
And while SpyEye/EyeBot, borne of Russian creators, is just starting to spread and encroach on Zeus’ territory, the real battle will ensue when and if the minds behind Zeus (or ZBot) decide to start fighting back, TrendLabs Threat Response Engineer Roland Dela Paz said in a recent blog post.
“EyeBot is still just a ‘newbie,’ but should the ZBot criminal minds choose to respond, there is some potential for a bot war to ensue. However, at this stage, we cannot be certain what if any response, the ZBot criminals are likely to make,” he said. “On the other hand, both EyeBot and ZBot use rootkit technology even though the former behaves more like a backdoor.”
Comparing other similarities, Dela Paz noted that EyeBot’s spyware element exhibits routines similar to Zeus variants, which the expert concedes to be some of the most dangerous keystroke-logging malware seen in recent years in relation to theft of financial and personal data.
The newer botnet also drops a configuration file similar to those Zeus attacks use to monitor for use of e-banking sites.
“EyeBot likewise utilizes rootkit technology to hide its malicious files and processes from affected users, which helps it avoid detection and consequent removal,” he said.
One major difference between the two threats is that EyeBot acts as a server to a graphical user interface (GUI)-based client, which Zeus/Zbot does not. This means that while Zeus variants are typically standalone programs, EyeBot needs to receive commands from a remote attacker to carry out its nefarious tasks.
“What further sets [EyeBot] apart from its more experienced counterpart, however, is its capability to terminate ZBot-instigated processes,” said Dela Paz.
Unless the same people running Zeus are behind EyeBot, and even if they are, something tells me that with the sheer number of Zbot infected devices still out there and people counting on those to help them make money, we may soon have a fight on our hands.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
