<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; SANS Institute</title>
	<atom:link href="http://krebsonsecurity.com/tag/sans-institute/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Keeping an Eye on the SpyEye Trojan</title>
		<link>http://krebsonsecurity.com/2010/11/keeping-an-eye-on-the-spyeye-trojan/</link>
		<comments>http://krebsonsecurity.com/2010/11/keeping-an-eye-on-the-spyeye-trojan/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 05:27:01 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Damballa]]></category>
		<category><![CDATA[Roman Hüssy]]></category>
		<category><![CDATA[SANS Institute]]></category>
		<category><![CDATA[spyeye]]></category>
		<category><![CDATA[SpyEye Tracker]]></category>
		<category><![CDATA[trend micro]]></category>
		<category><![CDATA[ZeuS Trojan]]></category>
		<category><![CDATA[Zeustracker]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6366</guid>
		<description><![CDATA[Last month, I published evidence suggesting that future development of the ZeuS banking Trojan was being merged with that of the up-and-coming SpyEye Trojan. Since then, a flood of new research and resources has been published about SpyEye, including a new site that helps network owners track the location of SpyEye control networks worldwide.]]></description>
			<content:encoded><![CDATA[
<p>Last month, I <a href="http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/" target="_blank">published evidence</a> suggesting that future development of the <strong>ZeuS banking Trojan</strong> was being merged with that of the up-and-coming <strong>SpyEye Trojan</strong>. Since then, a flood of new research has been published about SpyEye, including a new Web site that helps track the location of SpyEye control networks worldwide.</p>
<p><strong><a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/set.jpg"><img class="alignright size-full wp-image-6368" title="set" src="http://krebsonsecurity.com/wp-content/uploads/2010/11/set.jpg" alt="" width="250" height="72" /></a>Roman Hüssy</strong>, the curator of <a href="https://zeustracker.abuse.ch" target="_blank">Zeustracker</a> &#8212; a site that has spotlighted ZeuS activity around the globe since early 2009 &#8212; late last week launched <a href="https://spyeyetracker.abuse.ch/" target="_blank">SpyEye Tracker</a>, a sister service designed to help Internet service providers keep tabs on miscreants using SpyEye (take care with the IP address links listed at this service, because they can lead to live, malicious files).</p>
<p>Hüssy said he&#8217;s not convinced that the SpyEye crimeware kit will usurp the mighty ZeuS. &#8220;Why should they give up something which works and pay for a new tool?&#8221; he said in an online chat with KrebsOnSecurity.com. Instead, Hüssy said he&#8217;s launching the new tracking service to help prevent that shift.</p>
<p><span id="more-6366"></span></p>
<p>&#8220;To stay on the secure side I’ve decided to do some effort that SpyEye will not get [to be] the next ‘ZeuS’ Trojan,&#8221; he said. &#8220;My goal is to put SpyEye into the spotlight before it becomes a ‘big’ threat like ZeuS was in the past.&#8221;</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/11/spyeyecountry.jpg"><img class="alignleft size-medium wp-image-6367" title="spyeyecountry" src="http://krebsonsecurity.com/wp-content/uploads/2010/11/spyeyecountry-300x152.jpg" alt="" width="300" height="152" /></a>For the moment, ZeuS still far outnumbers SpyEye: Hüssy&#8217;s new tracker is following about <a href="https://spyeyetracker.abuse.ch/monitor.php?filter=filesonline" target="_blank">25 distinct botnets</a> created with SpyEye, versus <a href="https://zeustracker.abuse.ch/monitor.php?filter=filesonline" target="_blank">roughly 100 ZeuS-related botnets</a> with resources online.</p>
<p>Security researchers at anti-bot company <strong>Damballa</strong> last week published an <a href="http://blog.damballa.com/?m=201011" target="_blank">in-depth look</a> at the worldwide distribution of SpyEye, noting that if there were a SpyEye Olympics, ISPs in Ukraine easily would take home the gold for hosting malicious control networks.</p>
<p>In addition, the <strong>SANS Institute</strong> has published a <a href="http://www.sans.org/reading_room/whitepapers/malicious/clash-titans-zeus-spyeye_33393" target="_blank">lengthy white paper</a> detailing some of the code similarities and interaction between ZeuS and SpyEye. Also, <strong>Trend Micro</strong> last month released the <a href="http://blog.trendmicro.com/the-spyeye-interface-part-2-syn-1/" target="_blank">second half</a> of a two-part analysis on how computer crooks use the SpyEye Web interface.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/11/keeping-an-eye-on-the-spyeye-trojan/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Cybersecurity Policy Roundup</title>
		<link>http://krebsonsecurity.com/2010/03/cybersecurity-policy-roundup/</link>
		<comments>http://krebsonsecurity.com/2010/03/cybersecurity-policy-roundup/#comments</comments>
		<pubDate>Wed, 24 Mar 2010 17:47:02 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Alan Paller]]></category>
		<category><![CDATA[Gene Spafford]]></category>
		<category><![CDATA[International Cybercrime Reporting and Cooperation Act]]></category>
		<category><![CDATA[SANS Institute]]></category>
		<category><![CDATA[Sen Kirsten Gillibrand]]></category>
		<category><![CDATA[Sen. Jay Rockefeller]]></category>
		<category><![CDATA[Sen. Olympia Snowe]]></category>
		<category><![CDATA[Sen. Orrin Hatch]]></category>
		<category><![CDATA[The Cybersecurity Act]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1975</guid>
		<description><![CDATA[There are several cybersecurity policy issues on Capitol Hill and elsewhere worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cyber security professionals.]]></description>
			<content:encoded><![CDATA[
<p>There are several cybersecurity policy issues on Capitol Hill that are worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cyber security professionals.</p>
<p>As reported by <em>The Hill</em> newspaper, <strong>Senators Orrin Hatch</strong> (R-Utah) and <strong>Kirsten Gillibrand</strong> (D-NY) have introduced <a href="http://hatch.senate.gov/public/index.cfm?FuseAction=PressReleases.Detail&amp;PressRelease_id=8bcbfb97-1b78-be3e-e0e3-58aed09a749a&amp;Month=3&amp;Year=2010" target="_blank">The International Cybercrime Reporting and Cooperation Act</a>, a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders.</p>
<p><span id="more-1975"></span></p>
<p>According to The Hill, the measure would:</p>
<blockquote><p>&#8220;…charge the White House with the responsibility of identifying countries that pose cyber threats, which the president would have to present to Congress in an annual report. Those states would then have to develop plans of action to combat cybercrimes or risk cuts to their U.S. export dollars, foreign-direct investment funds and trade assistance grants, the lawmakers explained.&#8221;</p></blockquote>
<p>More <a href="http://thehill.com/blogs/hillicon-valley/technology/88555-new-cybercrime-bill-would-penalize-safe-havens-for-hackers" target="_blank">here</a>.</p>
<p>This is a nice – if hard to measure and enforce – idea. I have <a href="http://voices.washingtonpost.com/securityfix/2008/08/qa_with_fbis_cyber_crime_chief.html" target="_blank">often argued</a> that it is remarkable that the United States includes measures to cut down on software piracy in its trade policies with other nations, and yet it does nothing to mandate more action on cybercrime. I applaud this effort, but if lawmakers are really serious about cracking down on places that appear overly tolerant of cybercrime activity, perhaps they should start by looking <a href="http://www.krebsonsecurity.com/2010/03/naming-and-shaming-bad-isps/" target="_blank">a little closer to home</a>.</p>
<p>In other news, one of the world&#8217;s largest and oldest educational and scientific computing groups says it is &#8220;deeply troubled&#8221; by mandatory training provisions included in <a href="http://www.opencongress.org/bill/111-s773/show" target="_blank">The Cybersecurity Act</a>, a bill proposed by <strong>Senators Jay Rockefeller</strong> (D-W.Va.) and <strong>Olympia Snowe</strong> (R-Maine). The bill is aimed at protecting critical U.S. network infrastructure against  cybersecurity threats, but it includes language making it illegal for anyone to offer cybersecurity services to any federal agency or system without being certified and licensed as such under a program to be determined by the Commerce Department.</p>
<p>In <a href="http://usacm.acm.org/usacm/weblog/index.php?p=785" target="_blank">a letter</a> sent to the lawmakers this week, the <strong>U.S. Association for Computing Machinery</strong> and the <strong>Computing Research Association</strong> said the measure emphasizes training in narrow techniques rather than an education in holistic systems design. The group charged that, as written, the bill would&#8230;</p>
<blockquote><p>&#8220;&#8230;require a complex, untested, and mandatory certification regime for public and private employers almost immediately after a National Academies study is conducted to determine &#8212; and it has not yet been determined &#8212; whether such a program would even be feasible. It is premature to mandate the creation of a massive new certification program without the benefit of a careful, deliberate Academies study that examines both the feasibility and side effects of any such program.&#8221;</p></blockquote>
<p><strong>Gene Spafford</strong>, a professor of computer science at <strong>Purdue University</strong> and one of the signatories to the letter, said the certification requirements as spelled out in the bill would have far-reaching implications for the way colleges and universities teach security across the country.</p>
<p>&#8220;Microsoft has invested more than a billion dollars in producing much better security, look at how often they find flaws in their stuff. Google is known for hiring the brightest people and being very concerned about security, and look at what happened in China,&#8221; Spafford told Krebs on Security. &#8220;So, setting a regime to require that everybody be certified in something we don’t know how to do and is changing almost monthly is a dangerous approach. It’s not only costly, but it’s dangerous in the sense that you will have groups setting certification standards based on what they teach, not on what is likely good practice.&#8221;</p>
<p>Spafford said the requirements would undoubtedly be a boon to companies that offer training courses, but that his organization has seen no evidence that a group of people with any particular certification produce better computer code.</p>
<p>&#8220;Given that a lot of code in use right now is produced offshore, that’s where some of the international aspects come in,&#8221; he said. &#8220;So trying to require certifications, seems like a good idea on the surface, but we’ve discussed [this] in several ways for many years, and our conclusion is we’re just not ready yet.&#8221;</p>
<p><strong>Alan Paller</strong>, director of research for the <strong>SANS Institute</strong>, an organization that offers security training and certification, compared the market for today&#8217;s software and network engineers to the early 1900s, before physicians had to be licensed.</p>
<p>&#8220;The country didn’t like the fact that doctors could teach anything they wanted and that people had no idea what they were getting in a doctor,&#8221; Paller said. &#8220;In 1915, they set up a national board of medical examiners that said schools can teach anything they want but graduates have to show they can practice these methods in medicine, and the states said if you don’t have a medical degree you can&#8217;t practice medicine. It&#8217;s kind of the same situation with computers now: Most of the people who say they know security don’t have a clue. They don’t know the best practices, heck, they don&#8217;t even know what <a href="http://en.wikipedia.org/wiki/Transmission_Control_Protocol" target="_blank">TCP</a> is. Security experts need to have the skills it takes to harden systems and make them harder to break into, and to protect systems with monitoring and do system forensics, [Technicians need to] have to have the common basics, and then some specializations. It’s foolish for academics to claim that there is no standard, because that’s exactly what they said in medicine 100 years ago, and they killed a lot of people.&#8221;</p>
<p>Got strong opinions about these and/or other cybersecurity policy proceedings? Sound off in the comments below.</p>
<p><strong>Updated, Mar. 25, 9:25 a.m. ET, to include comment from Paller.</strong></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/cybersecurity-policy-roundup/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>Krebsonsecurity Author Twice Honored</title>
		<link>http://krebsonsecurity.com/2010/03/krebsonsecurity-author-twice-honored/</link>
		<comments>http://krebsonsecurity.com/2010/03/krebsonsecurity-author-twice-honored/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 16:42:55 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[SANS Institute]]></category>
		<category><![CDATA[Security Bloggers Awards]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1433</guid>
		<description><![CDATA[There is perhaps no greater compliment than to have your most esteemed peers recommend your work.  I am now blogging from the RSA Conference in San Francisco, and over the past two days krebsonsecurity.com has received two peer recognition awards, one from the SANS Institute &#8211; among the nation&#8217;s top security research and training groups [...]]]></description>
			<content:encoded><![CDATA[
<p>There is perhaps no greater compliment than to have your most esteemed peers recommend your work.  I am now blogging from the RSA Conference in San Francisco, and over the past two days krebsonsecurity.com has received two peer recognition awards, one from the <a href="http://www.sans.org/" target="_blank">SANS Institute</a> &#8211; among the nation&#8217;s top security research and training groups &#8211; and another from the <a href="http://www.securitybloggers.net/" target="_blank">Security Bloggers Network</a>, an organization that has sought to recognize blogs that provide valuable content on computer security issues.</p>
<p>The SANS Institute polled 75 cybersecurity journalists and asked them to rank the top peers in their field. True to form, I showed up late to the awards ceremony on Tuesday, and <strong>Alan Paller</strong>, director of research for SANS, called me up on stage and said I&#8217;d received twice as many votes as the next guy in the contest, <strong>Robert McMillan</strong>, a reporter whose work is almost certainly the most widely syndicated and quoted of virtually anyone in this industry. Likewise, I am proud to have shared this honor with reporters whose work I recommend and admire, including USA Today&#8217;s <strong>Byron Acohido,</strong> Wired.com&#8217;s <strong>Kim Zetter</strong>, as well as <strong>Dan Goodin</strong> from The Register.</p>
<p>In related news, the delegates who were party to the <a href="https://365.rsaconference.com/blogs/security-blogger-meetup" target="_blank">Security Bloggers Awards</a> at RSA this year picked krebsonsecurity.com as the top &#8220;non-technical security blog.&#8221; Somehow, I managed to show up late for this as well. Again, it was wonderful to have been nominated alongside security bloggers such as Taosecurity&#8217;s <strong>Richard Bejtlich</strong>, and security curmudgeon-in-chief <strong>Bruce Schneier</strong>.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/krebsonsecurity-author-twice-honored/feed/</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
	</channel>
</rss>

