Source code for SpyEye trojan leaked onto forums and filesharing services

According to Sean Bodmer, a senior threat researcher with Damballa, one of the most dangerous Swiss Army knives in malware is now available to billions.

Bodmer says that the SpyEye builder patch source code (release 1.3.45) was leaked by French security researcher Xyliton, who are part of the RED - Reverse Engineers Dream - coding crew.

The source code, he says in his latest security posting, allows a savvy coder to crack the hardware identification system seen on SpyEye that normally locks it to a specific computer.

“ This leak is important as it illustrates the coding techniques of Gribo-Demon’s team (the authors of SpyEye) and also deals another blow to the underground criminal ecosystem”, he says, adding that it is also something of double-edged sword.

This is due, he asserts, to the fact that security researchers can now begin bug hunting for vulnerabilities in main code of SpyEye, which is a good things, he says, if you have the SpyEye software development kit and know which application programming interfaces are available and capable of being accessed/exploited for defensive purposes.

This approach, he notes, also helps IT security firms better understand the techniques and methods behind the latest release of SpyEye.

The patching/cracking process, meanwhile, says Bodmer, also ‘zeros out’ the operator’s name, as well as making the attribution of the coder that builds the malware – a process that organisations such as Gribo-Demon – for less experienced cybercriminals.

The big question, the Dambala senior threat researcher asks, is what premium features will the author of SpyEye offer commercial customers in order to get them coming back for newer and better versions of the malware.

“With this leak and the leak of the Zeus source in March 2011 - leaked apparently by Slavik himself, the original steward of Zeus - this now puts one of the world’s largest botnet criminal enterprises at risk to all sorts of horizontal and vertical attacks by world governments, law enforcement, security vendors, and even other criminals desiring to increase their monetary footprint across the internet”, he says.

SpyEye, he notes has been on everyone’s priority list of threat discussions for quite some time, and is now going to become an even more pervasive threat.

“The same thing happened when the Zeus kit source code was released in March 2011. Damballa labs has been tracking dozens of new Zeus bot operators since the leak earlier this year, and now that SpyEye has been ousted it is only a matter of time before this becomes a much larger malware threat than any we have seen to date”, he says.

“So for the next few months, please hold onto your seats people… this ride is about to get very interesting.”

What’s Hot on Infosecurity Magazine?