In late October of this year, it was reported that the “rivalry” between the ZeuS and SpyEye malware families was ending with a merger of the two. According to those reports, ZeuS author Slavik (also known as Monstr) has gone underground and has handed his toolkit’s source code to SpyEye author Gribodemon (also known as Harderman).
This has prompted a lot of speculation about what will come next. Many researchers are waiting for a new malware family that will combine the features of SpyEye and ZeuS.
Based on our underground research, we discovered that SpyEye’s development has ground to a halt. One SpyEye feature, however, will carry over into future versions of ZeuS: the plug-in model used to add capabilities that are not part of the toolkit’s “core” functionality (e.g., more sophisticated information theft routines). SpyEye uses plug-ins that can be added after the main toolkit has been purchased. In contrast, ZeuS previously used modules that had to be included at the time the toolkit was sold. Newer ZeuS versions will use plug-ins, much like SpyEye currently does. A cybercriminal who wants to add a new feature to an existing SpyEye toolkit, or to a future ZeuS version, only has to purchase a new plug-in; ZeuS users previously had to purchase an entirely new version.
For now, however, SpyEye and ZeuS remain separate malware families. Whether or not the merger pushes through, SpyEye is still growing as a threat. According to information gathered by the Trend Micro™ Smart Protection Network™, the number of SpyEye infections has grown as much as 20-fold since July of this year.
What about ZeuS’ author? We have heard rumors that he is not really retiring. He will instead create new malware (either ZeuS or entirely new families) that he will then primarily sell to high-value clients. When we do see these variants, will they be more targeted in terms of infection routine? And what are the chances that we will be able to determine that they actually came from the ZeuS author? Only time will tell.
Since news of this “merger” first came out, many security analysts rushed to gather intelligence on SpyEye. In anticipation, Gribodemon went through many underground forums and deleted his posts to cover up what he has been doing.
Trend Micro and the rest of the security industry are ready to respond to this threat. One of the more public signs of this is Roman Hüssy, the administrator of the respected ZeuS Tracker, who has opened the SpyEye Tracker, which fulfills the same function for SpyEye. This will aid both law enforcement agencies and security companies in taking down and investigating SpyEye command-and-control (C&C) servers. We at Trend Micro are also proactively monitoring the SpyEye threat and will continuously work hard to protect our product users.