The source code of the notorious SpyEye toolkit has been leaked, fueling speculation that one of the largest criminal malware families could become an even bigger threat.
SpyEye, which surfaced in late 2009 and immediately began competing with the Zeus banking malware toolkit, targets account credentials and other sensitive data. Leaking the SpyEye source code gives security researchers valuable information about the malware and the techniques of its authors, but it also opens the door for other cybercriminals to create new variants and attack techniques.
It’s anyone’s guess how cybercriminals will respond to the leaked SpyEye code. Since the source code of the Zeus attack toolkit was leaked in March, researchers at Damballa Inc. have been tracking dozens of new Zeus bot operators, said Sean Bodmer, a senior threat intelligence analyst at Damballa. In addition, researchers have discovered merged code, showing malware variants with SpyEye and Zeus characteristics.
“Now that SpyEye has been ousted, it is only a matter of time before this becomes a much larger malware threat than any we have seen to date,” Bodmer wrote in the company blog. “For the next few months, please hold onto your seats people… this ride is about to get very interesting.”
The source of the leaked SpyEye code was a French researcher with a penchant for leaking information that illustrates coding techniques. Bodmer described the leak as a blow to the underground criminal ecosystem. SpyEye was bought and sold on the black market for as much as $10,000. A license allowed the toolkit to be used on only one machine, but buyers could also subscribe to software updates, keeping their attacks current.
Accompanying the source code is a tutorial, making it easier for anyone to use the toolkit. The cracked version removes the attribution field, making it more difficult for researchers to use an operator’s handle to trace new malware variants back to their command-and-control infrastructure, Bodmer said. Most toolkits embed such a handle within the malware agent. Damballa has already identified new SpyEye toolkits in use with the attribution field removed.
“In less than 12 hours … cybercriminals are utilizing the silver platter they have been handed,” he said.
Bodmer added that the tutorial allowed him to remove any attribution to the SpyEye builder itself in less than 15 minutes.
The authors of the SpyEye toolkit have been in a running battle with researchers. In March, the owners of SpyEye directed their toolkits to target a white hat website using a distributed denial-of-service (DDoS) plug-in. The targeted website, abuse.ch, provides free feeds of known Zeus and SpyEye command-and-control servers and IP addresses. The lists feed blacklists that block communication with those malicious IP addresses, crippling the bots.
A number of security vendors have documented an increase in SpyEye activity in the last six months. It’s estimated that 60% of the SpyEye bots are targeting banks in the United States and 53% are targeting U.K. financial institutions, according to a recent report issued by security vendor Trusteer Inc.