[real-eyes] Re: SpyEye vs. ZeuS Rivalry
- From: "Reginald George" <sgeorge@xxxxxxxxx>
- To: <real-eyes@xxxxxxxxxxxxx>
- Date: Thu, 1 Apr 2010 18:13:24 -0500
Can't someone send these idiots straight to prison where they belong? I
guess not yet.
----- Original Message -----
From: "Steve" <kcpadfoot@xxxxxxxxx>
To: <real-eyes@xxxxxxxxxxxxx>
Sent: Thursday, April 01, 2010 1:13 PM
Subject: [real-eyes] SpyEye vs. ZeuS Rivalry
I think some will find this interesting. It shows two different malware
authors fighting against each other and competing against each other in
the market for malware sales.
Steve
The following is from:
Krebs On Security
http://www.krebsonsecurity.com/
SpyEye vs. ZeuS Rivalry
It’s common for malware writers to taunt one another with petty insults
nested within
their respective creations. Competing crime groups also often seek to
wrest infected
machines from one another. A very public turf war between those
responsible for maintaining
the
Netsky
and
Bagle
worms back in 2005, for example, caused a substantial increase in the
volume of
threats generated by both gangs.
The latest rivalry appears to be budding between the authors of the
Zeus Trojan
— a crime kit used by a large number of cyber thieves — and “SpyEye,” a
relatively
new kit on the block that is taking every opportunity to jeer at,
undercut and otherwise
siphon market share from the mighty Zeus.
Symantec alluded to this in
a February blog post
that highlighted a key selling point of the SpyEye crimeware kit: If the
malware
created with SpyEye lands on a computer that is already infected with
Zeus, it will
hijack and/or remove the Zeus infection.
spyeyeshot
Now, just a few months later, the SpyEye author is releasing a new
update (v. 1.1)
that he claims includes the ability to inject content into
Firefox and
Internet Explorer
browsers, just as Zeus does (this screen shot shows the result of a demo
configuration
file on the left, which instructs the malware to inject SpyEye and
“Zeuskiller”
banner ads into a live Bank of America Web site). It is precisely this
injection
ability that allows thieves using Zeus to
defeat
the
security tokens
that many banks require commercial customers to use for online banking.
The new version comes as the Zeus author is pushing out his own updates
(v. 1.4),
along with a hefty price tag hike. The old Zeus kit started at around
$4,000, while
the base price of the newer version is double that. According to
research
from Atlanta-based security firm
SecureWorks
, Zeus plug-ins that offer additional functionality raise the price even
more. For
example:
-Windows7/Vista compatibility module – $2,000
-Backconnect module (lets criminals connect back to victim and make bank
transactions
through that PC) – $1,500
-Firefox form grabbing (copies out any data entered into a form field,
such as a
user name and password) – $2,000
-Jabber notification (a form of instant message) – $500
-FTP clients saved credentials grabbing module – $2,000
-VNC module — $10,000 (like GoToMyPC for the bad guys, reportedly no
longer being
sold/supported)
The SpyEye author declined to be interviewed for this story. But it’s
clear from
his Flash banner ads reproduced here that he plans to keep up the public
relations
campaign against Zeus, with a focus on the relatively low price: SpyEye
costs just
$500 (although the new Firefox injection tool runs an extra $1,000).
SecureWorks has noted that the latest versions of Zeus include
anti-piracy technology
that uses a hardware-based licensing system that can only be run on one
computer.
“Once you run it, you get a code from the specific computer, and then
the author
gives you a key just for that computer,” SecureWorks wrote. “This is the
first time
we have seen this level of control for malware.”
Not to be outdone, the SpyEye author now claims his malware builder also
includes
a hardware lock, using
VMProtect
, a Russian commercial software protection package.
This entry was posted on Thursday, April 1st, 2010 at 10:17 am
To subscribe or to leave the list, or to set other subscription options, go
to www.freelists.org/list/real-eyes
To subscribe or to leave the list, or to set other subscription options, go to
www.freelists.org/list/real-eyes
Other related posts:
