Feeds

Bastard child of SpyEye/ZeuS merger appears online

Malware lovechild monst(e)r/demon

Protecting against web application threats using SSL

Updated Security researchers have got their hands on the first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits.

Posts on Russian underground forums last year suggested that Slavik/Monstr, the author of ZeuS, was "retiring"1 from cybercrime and handing over the ZeuS source code to Gribodemon/Harderman, the creator of SpyEye. ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition to the scene. Both Zeus and SpyEye are sold commercially as a means to create customised Trojans, typically designed to steal banking login credentials from compromised PCs.

The first fruits of the merged code, SpyEye builder version 1.3.05, illustrates the sophistication of these cybercrime toolkits, Trend Micro reports. The malware-building tool includes options to build-in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transactions security software, a security application offered to customers of many banks as a defence against banking Trojans.

The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Trusteer, which is yet to receive and examine samples of newest version of the SpyEye, issued a statement on Tuesday stating it was confident its defenses would hold firm.

We ran a complete test of Rapport against thousands of recent SpyEye and Zeus samples, including a few which were pointed out as possibly related to the SpyEye-Zeus merger. They all behaved just like standard SpyEye samples, all were handled properly by Rapport, and none adversely affected Rapport.

Rapport has several mechanism capable of reporting targeted attacks against its files. We haven't seen any newly suspicious activity from these mechanisms.

Optional plug-ins to the new version of SpyEye include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users. "The basic SpyEye package only steals certificates from the cryptographic storage of Windows," writes Loucif Kharouni, a senior threat researcher at Trend Micro. "However, Firefox uses its own certificate storage folder, from which the ffcertgrabber plug-in grabs certificates."

The cybercrime toolkit also includes improved credit-card grabbing functionality, which works by "analysing the POST requests made by the user and checking these against the Luhn algorithm," Trend explains.

The CC grabber plug-ins and anti-rapport option are the main additions to this new and more polished version of SpyEye, which has already entered production. Trend Micro reports that two live servers are using the new version of the malware. ®

1 Several new versions of ZeuS have been released since Slavik supposedly quit last October, some of which have included new functionality. It is unclear who developed the improved code, but one possibility is that the code was put in place by Slavik who, far from having retired, is simply keeping a lower profile. Misdirection and misinformation, after all, are among the main tools of the cybercrime trade.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.