SpyEye first appeared in December, according to Coogan, but new iterations have appeared regularly since then. It displays many similarities to Zeus, including a builder module for creating trojan malware, and a web control panel for controlling the botnet. Version 1.0.7 contains a module called 'Kill Zeus'.
Although Symantec has yet to verify the activity of the module, it appears to use the same Windows Internet (Wininet) application programming interface that Zeus uses to communicate with its command-and-control server. Wininet is a standard API offered by Microsoft for FTP and HTTP communications.
"The new Kill Zeus feature is optional during the trojan build process, but it supposedly goes as far as allowing you to delete Zeus from an infected system – meaning only SpyEye should remain running on the compromised system," Coogan said.
In 2007, the Srizbi worm was found to uninstall competing spam malware spread by rival malware that distributed the Storm botnet. The Netsky worm also tried to uninstall rival bots Bagle and MyDoom, while the author of the Bagle malware included text inside the malware's source code in 2004. "Hey,Netsky, f**k off you b*tch, don't ruine our bussiness, wanna start a war?" [sic], it said.
Such messages, and the apparent evolution of anti-malware code within botnet clients to the point where it now takes the form of optional, chargeable modules, indicate the level of commercial sophistication adopted by the blackhat underground that creates this code.
SpyEye activity is minimal at present, according to Coogan, who adds that it might grow in the future if it takes more share away from Zeus.
Zeus, which can be used to control a victim's computer in many different ways, was recently controlled via a command-and-control server located on Amazon's Elastic Compute Cloud (EC2).