Feeds

Bastard child of SpyEye/ZeuS merger appears online

Malware lovechild monst(e)r/demon

Security for virtualized datacentres

Updated Security researchers have got their hands on the first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits.

Posts on Russian underground forums last year suggested that Slavik/Monstr, the author of ZeuS, was "retiring"1 from cybercrime and handing over the ZeuS source code to Gribodemon/Harderman, the creator of SpyEye. ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition to the scene. Both Zeus and SpyEye are sold commercially as a means to create customised Trojans, typically designed to steal banking login credentials from compromised PCs.

The first fruits of the merged code, SpyEye builder version 1.3.05, illustrates the sophistication of these cybercrime toolkits, Trend Micro reports. The malware-building tool includes options to build-in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transactions security software, a security application offered to customers of many banks as a defence against banking Trojans.

The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Trusteer, which is yet to receive and examine samples of newest version of the SpyEye, issued a statement on Tuesday stating it was confident its defenses would hold firm.

We ran a complete test of Rapport against thousands of recent SpyEye and Zeus samples, including a few which were pointed out as possibly related to the SpyEye-Zeus merger. They all behaved just like standard SpyEye samples, all were handled properly by Rapport, and none adversely affected Rapport.

Rapport has several mechanism capable of reporting targeted attacks against its files. We haven't seen any newly suspicious activity from these mechanisms.

Optional plug-ins to the new version of SpyEye include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users. "The basic SpyEye package only steals certificates from the cryptographic storage of Windows," writes Loucif Kharouni, a senior threat researcher at Trend Micro. "However, Firefox uses its own certificate storage folder, from which the ffcertgrabber plug-in grabs certificates."

The cybercrime toolkit also includes improved credit-card grabbing functionality, which works by "analysing the POST requests made by the user and checking these against the Luhn algorithm," Trend explains.

The CC grabber plug-ins and anti-rapport option are the main additions to this new and more polished version of SpyEye, which has already entered production. Trend Micro reports that two live servers are using the new version of the malware. ®

1 Several new versions of ZeuS have been released since Slavik supposedly quit last October, some of which have included new functionality. It is unclear who developed the improved code, but one possibility is that the code was put in place by Slavik who, far from having retired, is simply keeping a lower profile. Misdirection and misinformation, after all, are among the main tools of the cybercrime trade.

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.