Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests. The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook.
Underground forums are abuzz with rumors that the ZeuS author — a Russian hacker variously known by the monikers “Slavik” and “Monstr” — is no longer planning to maintain the original commercial crimeware kit.
According to numerous hacker forums, the source code for ZeuS recently was transferred to the developer of the SpyEye Trojan, a rival malware maker who drew attention to himself by dubbing his creation the “ZeuS Killer.” The upstart banking Trojan author constantly claimed that his bot creation kit bested ZeuS in functionality and form (SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself).
In an era when it has become a truism to say that malicious hackers seek riches over renown, the SpyEye author — a coder known as either “Harderman” or “Gribodemon” on different forums — appears to have sought both, boasting on numerous forums about the greatness of his malware, using flashy logos to promote it (see below), and granting an interview with security researchers about the riches it will bring him. Although the ZeuS author chose to license his botnet creation kit to private groups through multiple intermediaries, the SpyEye creator has peddled his kit directly to buyers via online forums and instant messages.
But — very recently — the public rivalry died down, and forum members on different sites where Harderman maintained a presence began complaining that they could no longer reach him for support issues. In an Oct. 11 message to one of the UnderWeb’s most exclusive hacker forums, Harderman can be seen breaking the news to fellow forum members. A screen shot of that message is below, followed by a translated version of it:
I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.
He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.
All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.
Thanks to everyone for [your] attention!
In another conversation, Harderman says existing ZeuS clients will get a 30 percent discount on SpyEye, and that the two malware families will soon be “merged into one powerful Trojan.”
At the same time, Harderman has been busy changing his nicknames and contact information, and asking various online crime forum administrators to remove many of his previous posts about SpyEye, such as the deletions seen in the screen shots to the right and below, taken from two different hacker forums.
Experts say all this commotion about ZeuS is natural and unsurprising, and that even criminal economies have market corrections — usually aimed at distancing the herd from threats that manage to make front page headlines. The planned assimilation of ZeuS coincides with a massive international law enforcement push to arrest a number of individuals responsible for using Zeus in hundreds of high-dollar e-banking heists from U.S. and U.K. businesses. The FBI says the password-stealing ZeuS Trojan played a central role in enabling the theft of more than $70 million from nearly 400 organizations in the United States over the last several years.
Steve Santorelli, director of global outreach for Team Cymru, an organization that monitors underground economy activity, said his group has been predicting this change for months now.
“Each time you have a group or piece of malware that starts to get near the level of heat or public attention that ZeuS has gotten over the past year, it’s inevitable that the bad guys are going to transition to something that’s not on everyone’s radar,” Santorelli said.
Security firm Trusteer has warned that the recent industry focus on Zeus is making it easier for other Trojans, like Bugat, SpyEye, and Carberp, which are less widespread but equally sophisticated, to avoid detection.
“We are in an arms race with criminals,” said Trusteer CEO Mickey Boodaei. “Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the internet.”
In response to urging from other members on the exclusive forum who apparently want fewer hackers to be able to afford the kit, Harderman acknowledges that he may have to dramatically increase — perhaps even double — the price of SpyEye, to several thousand dollars per license.
In exchange, the malware developer says he will overhaul the kit to include the best of both ZeuS and SpyEye. Specifically, Harderman says he wants to turn the guts of the Trojan into a rootkit, and to build additional functionality on top, in the form of modular plug-ins. “We have a bunch of work on the way!” he promises in one online posting.
Interested buyers can probably expect the amalgamated software to contain some undocumented features. One of the more fascinating threads that survived the recent Harderman posting purge on the web forums comes from the Russian language board “DamageLab.org”, which chronicles an incident earlier this year in which fellow hackers managed to “crack” the technology the author uses to prevent SpyEye buyers from making unauthorized copies of the software.
Using the handle Gribodemon here, the software developer scoffed, saying he had secretly built in a backdoor that would allow him to seize remote control over PCs infected with his bot. “Ah, yes. I forgot to mention that in the ‘leaked’ version there is still a backdoor which I have now activated,” Gribodemon wrote. “Thank you, rogue, for the completion of my botnet.”