April 1, 2010

It’s common for malware writers to taunt one another with petty insults nested within their respective creations. Competing crime groups also often seek to wrest infected machines from one another. A very public turf war between those responsible for maintaining the Netsky and Bagle worms back in 2005, for example, caused a substantial increase in the volume of threats generated by both gangs.

The latest rivalry appears to be budding between the authors of the Zeus Trojan — a crime kit used by a large number of cyber thieves — and “SpyEye,” a relatively new kit on the block that is taking every opportunity to jeer at, undercut and otherwise siphon market share from the mighty Zeus.

Symantec alluded to this in a February blog post that highlighted a key selling point of the SpyEye crimeware kit: If the malware created with SpyEye lands on a computer that is already infected with Zeus, it will hijack and/or remove the Zeus infection.

Now, just a few months later, the SpyEye author is releasing a new update (v. 1.1) that he claims includes the ability to inject content into Firefox and Internet Explorer browsers, just as Zeus does (this screen shot shows the result of a demo configuration file on the left, which instructs the malware to inject SpyEye and “Zeuskiller” banner ads into a live Bank of America Web site). It is precisely this injection ability that allows thieves using Zeus to defeat the security tokens that many banks require commercial customers to use for online banking.

The new version comes as the Zeus author is pushing out his own updates (v. 1.4), along with a hefty price tag hike. The old Zeus kit started at around $4,000, while the base price of the newer version is double that. According to research from Atlanta-based security firm SecureWorks, Zeus plug-ins that offer additional functionality raise the price even more. For example:

- Windows 7/Vista compatibility module – $2,000
- Backconnect module (lets criminals connect back to the victim and make bank transactions through that PC) – $1,500
- Firefox form grabbing (copies out any data entered into a form field, such as a user name and password) – $2,000
- Jabber notification (a form of instant message) – $500
- FTP clients saved credentials grabbing module – $2,000
- VNC module – $10,000 (like GoToMyPC for the bad guys, reportedly no longer being sold/supported)

The SpyEye author declined to be interviewed for this story. But it’s clear from his Flash banner ads reproduced here that he plans to keep up the public relations campaign against Zeus, with a focus on the relatively low price: SpyEye costs just $500 (although the new Firefox injection tool runs an extra $1,000).

SecureWorks has noted that the latest versions of Zeus include anti-piracy technology that uses a hardware-based licensing system that can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” SecureWorks wrote. “This is the first time we have seen this level of control for malware.”

Not to be outdone, the SpyEye author now claims his malware builder also includes a hardware lock, using VMProtect, a Russian commercial software protection package.

20 thoughts on “SpyEye vs. ZeuS Rivalry”

  1. AnonymousMike

    Great article as usual.

    Seems like Zeus may only be the tip of the iceberg, in terms of modern malware. I would think these spin-off malware kits are only going to make detection through AV products even worse as well. Sounds like a very appropriate time for some new guidance for financial institutions from the FFIEC… not to be a pessimist, but this problem only seems like it’s going to get worse.

  2. M Henri Day

    All the more reason to do one’s banking errands from a Live CD (or equivalent) which is used exclusively for that purpose. The problem lies in making certain that the ISO files which have been burned to the CD are genuine, and haven’t been compromised by malware purveyors. In the event that using Live CDs for banking errands becomes widespread, I suspect these purveyors will devote ever more effort to hacking the websites of Linux distros like Ubuntu, etc, in order to poison the well at its source…


  3. JCitizen

    Prevx makes claims that look like they are capable of controlling the input/output portion of the browser at a kernel level. Supposedly limiting it only to user control.

    I encourage anyone with a high understanding of this to look at the PDF on their web-site and critique their claims.

    So far Prevx can even block me from making screen shots, I have to give the system permission to capture my screen. However I can’t prove whether there is a true bubble around the browser yet.

    I see no other product making claims with this capability; if any of you know of one, I encourage you to respond to this thread.

    I do not work for any company or person; I just hate malware, and criminal cracker gangs to pieces!! X-(

    1. Rob

      I have been told over and over that Rapport by Trusteer “protects” users from man in the browser attacks but I have never been given a good explanation of how it works. The claims seem similar.

      1. JCitizen

        Very interesting! Seems like it has even better reviews than Prevx, at CNET!

        The folks that don’t like Prevx report that removing the malware is what resulted in disaster. I simply don’t use it to remove malware! Mostly it blocks it in the first place.

  4. PhantomTramp

    “The new version comes as the Zeus author is pushing out his own updates (v. 1.4), along with a hefty price tag hike.”

    I thought competition was supposed to help lower prices! It appears that Mr. Zeus is using Microsoft’s business model.

    But, after thinking about it, I guess it did not turn out too badly for Microsoft…

    The Tramp

  5. Phoenix

    Now if they would just start shooting each other…

  6. Patrick

    “-VNC module — $10,000 (like GoToMyPC for the bad guys, reportedly no longer being sold/supported)”

    VNC is a remote desktop protocol that is used by a number of open source remote control products. There are a number of supported GPL-licensed tools that support VNC, including TightVNC, RealVNC, and UltraVNC.

    It’s not strictly used by bad guys – I use it heavily inside my company to remotely access all sorts of systems that don’t support the proprietary GotoMyPC or Remote Desktop programs.

    1. JCitizen

      TightVNC isn’t tight enough for me and my clients. If I were good at configuring it, that would probably not be the case.

      I use LogMeIn for its simplicity and safety for my clients.

      I do not work for any certain person or company; I just hate criminal web activity, and I hate it to pieces!!

    2. Ben K

      No one said that VNC was strictly used for malicious purposes…

  7. afed

    “-VNC module — $10,000 (like GoToMyPC for the bad guys, reportedly no longer being sold/supported)”

    That could be read to mean that VNC is strictly used for malicious purposes.

    1. thewonder

      I work with VNC regularly for work. We only use it to access terminals locally. For remote access we use a gateway based product called netsupport. VNC does have configurable encryption – but not the easiest to set up for most end users. It also requires a forwarded port in the firewall to the destination machine (assuming there is a firewall.) Logmein, webex and other gateway based products (where the client machine initiates a connection to a gateway server and remote users would access the clients through this server) are the best IMO as they have built in encryption and no open ports in the firewall (as the connection is initiated from the target machine).

      I have noticed many antivirus programs will flag VNC because of its potential misuse. I think that’s a good thing – ’cause if the antivirus flags it and you don’t know what it is, it’s likely not doing you much good.

      1. JCitizen

        We used it, but more and more restrictively all the time. Finally we ended up with only the largest office technician having permission to run it. That was where the internet gateway was. This way we could VNC remote dialup offices and still keep it on a firewall DMZ of sorts. But as far as internal LAN remote control, only he could perform it.

        It got so bad even the help desk people in the state capitol couldn’t use it on the whole enterprise. Nobody had the skill to configure it to meet HIPAA regulations I suspect. Or at least that was the way our CIO interpreted it.

        I’d say we had a pretty smart CIO!

  8. muthii

    I prefer to use NX to remote into my network as it is more secure than VNC, and logmein for the windows machines.

    1. JCitizen

      I’d be interested in claims that it was more secure, from someone not connected to the FOSS people who developed it.

      I see roughly 27,000 downloads on it compared to 1,220,000 plus or minus on Logmein.

      I roll with experience, until I see technical proof otherwise.

      Also I got to wonder just how easy it is to deploy to totally incompetent users such as my clients. My solution needs little knowledge on the part of the deployment target.

  9. PhantomTramp

    I use UltraVNC SC (Single Click) for remote help desk type stuff. The small portable executable “backward connects” to me w/ the viewer in listening mode (on my PC). I do the port forwarding on my end and can even turn it off if I want.

    Servers, well, they are handled differently.

    The Tramp

  10. hackbridges

    I love the Zeus botnet. I have used it for 4 months now and it has earned me not less than $1500 each month. It is great for income generation, especially when you have big victims who have large amounts in their credit card. 😀 I am looking forward to targeting PayPal and Liberty Reserve users very soon. 😀

  11. ifinitymind aka k1ll3rTr0j4N

    Let me tell you what these crooks are hunting: they hunt banks which have the ability to make wire transfers without any phone confirmation. They hunt those bank accounts, or anything that doesn’t require any phone call confirmation and which is an instant payment. So I recommend to all you fellas, use a bank account which asks for your phone call confirmation, or bank accounts where you have that mini USB which generates a new key every 10-15 seconds for approving the transaction. You will be safe; at least you won’t lose any money from your bank account…

  12. ifinitymind aka k1ll3rTr0j4N

    Be careful what websites you’re visiting, because the Zeus hunters are attacking the big websites which have 10-50k and up daily visitors. So you visit the web, you get infected; just be careful and watch your step when surfing online, because you’re gonna get it badly and you will regret it from the Zeus/SpyEye hunters. By the way, the most hunted countries are USA/UK/Spain/Germany/France/Switzerland/Norway/Sweden/Denmark, countries which are addicted to the internet and financially well off…
