Following ZeuS, SpyEye Source Code is Leaked to the Public

The SpyEye malware kit has long been both the bane of unsuspecting victims and a boon for cyber-criminals. Now, according to security firm Damballa, the situation may have taken a turn for the worse.

According to Damballa, SpyEye Builder patch source code for release 1.3.45 was leaked by the Reverse Engineers Dream Crew (RED Crew) last week after a crew member was able to locate a copy of SpyEye Builder 1.3.45 and create a tutorial that enables a reader with SpyEye Builder to crack the hardware identification.

For researchers, this represents a double-edged sword, Damballa’s Sean Bodmer explained. While it means security researchers can use the crack for the SpyEye builder tool, which generates the SpyEye malware, to start hunting for bugs, it also means the malware’s authors will be forced to step their game up.

“It is beneficial to researchers for this exact version 1.3.45, but this will only make newer versions harder to crack with enhanced security mechanisms,” Bodmer, a senior threat intelligence analyst at Damballa, told SecurityWeek. “To top it off, the SpyEye author team has already released 1.3.48 and has newer versions in-development.”

The leak also means the tool is widely available to script kiddies, and is now being sold online for as little as $95 “for those not seasoned enough” to compile the code, he added. In a blog post, Bodmer noted the leak throws a monkey-wrench into the operations of the Gribo-Demon crew behind SpyEye. It is now much cheaper, he blogged, for aspiring criminals to find a leaked version of the builder and use the RED Crew tutorial to break its embedded security and launch their own version of SpyEye.

“The ability to identify the builder teams by name which has been located in the SpyEye malware itself since 1.3.x,” he told SecurityWeek. “Now that the crack is out, paid customers or other cyber-criminals can now strip out that attribution of the handle in the malware (that runs on the host). This increases difficulty of attribution to the operator or campaign group. This is going to make SpyEye 1.3.x more widely used as this version leverages the best of Zeus and SpyEye combined... completely free if you know what you're doing and at most $95 now if you want to buy a 'potentially backdoored' pre-compiled builder.”

The fact that SpyEye has plagued victims around the world is not in doubt. In April, police in the U.K. arrested a handful of people in connection with a bank fraud operation that used SpyEye to steal money and banking information. Three months later, security vendor Trusteer analyzed SpyEye command and control centers and reported that 60 percent of SpyEye bots target financial institutions in the US. Additionally, 53 percent were observed targeting banks in the U.K., while 31 percent painted a bull’s-eye on banks in Canada.

Related Resource: Summer 2011 Device Developers' Security Report

Related Reading: Advanced Fraud Threats in Mobile Environments

“Over the last 18 months, SpyEye has made a lot of headlines, especially when it was revealed that the development team behind the malware was effectively merging it with that of the older Zeus code,” Trusteer CEO Mickey Boodaei blogged July 26. “Right from the very beginning, SpyEye has been a highly aggressive Trojan - it is also interesting to note that early versions of the malware included a feature to remove Zeus from an infected host machine…The ability to react fast to SpyEye's changes in pattern is, we believe, key to an effective fraud prevention architecture against this dangerous toolkit.”

Related: Zeus Source Code Leaked: Is This Really a Game Changer?