Feeds

Bastard child of SpyEye/ZeuS merger appears online

Malware lovechild monst(e)r/demon

Using blade systems to cut costs and sharpen efficiencies

Updated Security researchers have got their hands on the first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits.

Posts on Russian underground forums last year suggested that Slavik/Monstr, the author of ZeuS, was "retiring"1 from cybercrime and handing over the ZeuS source code to Gribodemon/Harderman, the creator of SpyEye. ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition to the scene. Both Zeus and SpyEye are sold commercially as a means to create customised Trojans, typically designed to steal banking login credentials from compromised PCs.

The first fruits of the merged code, SpyEye builder version 1.3.05, illustrates the sophistication of these cybercrime toolkits, Trend Micro reports. The malware-building tool includes options to build-in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transactions security software, a security application offered to customers of many banks as a defence against banking Trojans.

The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Trusteer, which is yet to receive and examine samples of newest version of the SpyEye, issued a statement on Tuesday stating it was confident its defenses would hold firm.

We ran a complete test of Rapport against thousands of recent SpyEye and Zeus samples, including a few which were pointed out as possibly related to the SpyEye-Zeus merger. They all behaved just like standard SpyEye samples, all were handled properly by Rapport, and none adversely affected Rapport.

Rapport has several mechanism capable of reporting targeted attacks against its files. We haven't seen any newly suspicious activity from these mechanisms.

Optional plug-ins to the new version of SpyEye include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users. "The basic SpyEye package only steals certificates from the cryptographic storage of Windows," writes Loucif Kharouni, a senior threat researcher at Trend Micro. "However, Firefox uses its own certificate storage folder, from which the ffcertgrabber plug-in grabs certificates."

The cybercrime toolkit also includes improved credit-card grabbing functionality, which works by "analysing the POST requests made by the user and checking these against the Luhn algorithm," Trend explains.

The CC grabber plug-ins and anti-rapport option are the main additions to this new and more polished version of SpyEye, which has already entered production. Trend Micro reports that two live servers are using the new version of the malware. ®

1 Several new versions of ZeuS have been released since Slavik supposedly quit last October, some of which have included new functionality. It is unclear who developed the improved code, but one possibility is that the code was put in place by Slavik who, far from having retired, is simply keeping a lower profile. Misdirection and misinformation, after all, are among the main tools of the cybercrime trade.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.