Malware merger shows cyber crime business model

30 Nov 2010

News that two malware families have decided to pool their resources shows how much of an organised business cyber crime has become, Trend Micro has said.

The deal involves two of the most notorious botnet kits, ZeuS and SpyEye, which the security firm reckons are responsible for the majority of all stolen information online. ZeuS has been linked to several cases of online banking fraud.

Last month, reports emerged that the author of ZeuS, who goes by the online names of Slavik or Monstr, had gone underground and had given his toolkit’s source code to the SpyEye author (known as Gribodemon or Harderman).

Ironically, there was also some animosity between the creators of both. SpyEye’s creator claimed his code was better than ZeuS’ and in some cases, SpyEye would search to overwrite a malware infection that had been created with the ZeuS toolkit (as reported by Brian Krebs).

Security analysts have speculated that the deal could lead to a new breed of super-botnet kit. “What’s more disconcerting is that this deal shows how much of a business this is. You’re not dealing with amateurs. These two kits are responsible, I would say, for the majority of stolen information online,” said Robert McArdle, manager of Trend Micro’s EMEA threat research team.

McArdle recently investigated one of the many kits built using SpyEye and found it contained more than 28Gb of stolen data, including credit card details and banking passwords.

Cost of SpyEye

SpyEye was at the lower end of the market and could be bought for between US$100 and $200. According to McArdle, prices for ZeuS in some cases reached up to US$10,000.

He said the ZeuS developer would most likely concentrate on writing highly customised malware, which would make it much more difficult to detect by antivirus software. “In my opinion, the Zeus author wanted to stay with his high-paying clients, so he essentially sold off his code to the SpyEye author. Maybe money changed hands between them, though we’ll never know,” McArdle told Siliconrepublic.

There are thousands of botnets that have been developed using either SpyEye or ZeuS, McArdle said. Once built, they’re successful at sitting in the background and stealing banking information or even Facebook login details. “They don’t just use traditional keylogging; they intercept information by sitting in the browser and waiting for you to log on, then hijack the entire session.”

Cyber crime gangs that steal money from banks tend to be different to those targeting social networks, which are mainly looking for ways to spread malware, McArdle said.

With social networking scams, they send emails with malicious links to the victim’s friends. Because it comes from a trusted source, the person receiving the email is much more likely to open it, which in fact directs them to a site hosting malware which then infects their machine. “People are more tuned in to being suspicious about links sent by email, but it’s easier to use social engineering on sites like Facebook,” said McArdle.

Gordon Smith was a contributor to Silicon Republic