Feeds

Bastard child of SpyEye/ZeuS merger appears online

Malware lovechild monst(e)r/demon

Next gen security for virtualised datacentres

Updated Security researchers have got their hands on the first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits.

Posts on Russian underground forums last year suggested that Slavik/Monstr, the author of ZeuS, was "retiring"1 from cybercrime and handing over the ZeuS source code to Gribodemon/Harderman, the creator of SpyEye. ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition to the scene. Both Zeus and SpyEye are sold commercially as a means to create customised Trojans, typically designed to steal banking login credentials from compromised PCs.

The first fruits of the merged code, SpyEye builder version 1.3.05, illustrates the sophistication of these cybercrime toolkits, Trend Micro reports. The malware-building tool includes options to build-in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transactions security software, a security application offered to customers of many banks as a defence against banking Trojans.

The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Trusteer, which is yet to receive and examine samples of newest version of the SpyEye, issued a statement on Tuesday stating it was confident its defenses would hold firm.

We ran a complete test of Rapport against thousands of recent SpyEye and Zeus samples, including a few which were pointed out as possibly related to the SpyEye-Zeus merger. They all behaved just like standard SpyEye samples, all were handled properly by Rapport, and none adversely affected Rapport.

Rapport has several mechanism capable of reporting targeted attacks against its files. We haven't seen any newly suspicious activity from these mechanisms.

Optional plug-ins to the new version of SpyEye include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users. "The basic SpyEye package only steals certificates from the cryptographic storage of Windows," writes Loucif Kharouni, a senior threat researcher at Trend Micro. "However, Firefox uses its own certificate storage folder, from which the ffcertgrabber plug-in grabs certificates."

The cybercrime toolkit also includes improved credit-card grabbing functionality, which works by "analysing the POST requests made by the user and checking these against the Luhn algorithm," Trend explains.

The CC grabber plug-ins and anti-rapport option are the main additions to this new and more polished version of SpyEye, which has already entered production. Trend Micro reports that two live servers are using the new version of the malware. ®

1 Several new versions of ZeuS have been released since Slavik supposedly quit last October, some of which have included new functionality. It is unclear who developed the improved code, but one possibility is that the code was put in place by Slavik who, far from having retired, is simply keeping a lower profile. Misdirection and misinformation, after all, are among the main tools of the cybercrime trade.

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.