SpyEye Trojan Source Code Leaked
wiredmikey writes "The SpyEye malware kit has long been both the bane of unsuspecting victims and a boon for cyber-criminals. Now, according to security researchers, the situation may have taken a turn for the worse. The SpyEye Builder patch source code for release 1.3.45 was leaked by the Reverse Engineers Dream Crew (RED Crew) recently after a crew member was able to locate a copy of SpyEye Builder 1.3.45 and create a tutorial that enables a reader with SpyEye Builder to crack the hardware identification."
Re: (Score:1)
It means it's now available to script kiddies.
Re: (Score:1)
According to the article, the code was only available for purchase before.
Re: (Score:2)
What's wrong with that? With the source code to this malware now publicly-available, then it should be trivial for any systems vulnerable to it to be patched quickly, as it'll be obvious exactly what attack vectors it uses.
This sounds like good news, not bad news.
Re: (Score:2)
Please explain exactly how "human stupidity" leads to malware infections. I'm sure I can come up with a simple technical solution for every one.
Re: (Score:3)
User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.
Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)
Re: (Score:2)
User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.
Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)
I can think of one method: a blacklist. The OS should have a standardized method for software installation (like apt-get or yum). When installing something, the installer checks with the OS vendor's site to get the most updated
Re: (Score:2)
I can think of one method: a blacklist.
You mean an antivirus program?
Re: (Score:2)
Sort of, but it has to be tied into the OS so that you can't easily install software without going through this check. Since this would seem to require a standardized way of installing software (instead of individual programs just doing whatever they want, which seems to be the norm on one popular OS), it would work a lot better if it were done by the OS vendor itself, rather than being added on by some 3rd-party vendor.
To me, the whole idea of a 3rd-party antivirus program seems wrong. If there's a need
Re: (Score:2)
Blacklists are trivial to get around. There's all sorts of things you can do to avoid signature matching. Look up a polymorphic virus, it's the same idea.
Re: (Score:2)
It's easy:
Blah blah blah administrator blah blah would you like blah blah... .
*Clicks No*
Or:
Yadda yadda type password...
Sure, whatever...
*types password*
And bish bash bosh, you've got the electronic clap [wikipedia.org].
Re: (Score:2)
Sorry, you're not making much sense here. For some window to come up asking for your password, some software (i.e. malware) has to already have been installed on your system. How'd that get there?
Re: (Score:2)
You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.
If you have some kind of specific instance you can describe in detail, let's hear it, but let's dispense with this vagueness.
Re: (Score:1)
You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.
You and I know that. Now ask yourself, does a clueless user know that?
Re: (Score:3)
Just throwing this out there, but don't OS X and Linux both require a password when installing software from a downloaded package? As does Windows when running as a non-admin user?
And we all run as non-admin users, right?
I think you doubt the "want it now" factor.
I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.
Re: (Score:2)
Do you use Windows (newer than XP)? UAC satisfies his first prompt. Do you use any modern Linux distro that uses a graphical sudo frontend? Then you just satisfied the second.
Those are common ways for things in userspace (e.g. DancingPigs.exe or .sh) to ask for privilege escalation. Which the user will most likely provide, because they want their Dancing Pigs.
Re: (Score:2)
I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.
Ok, and how exactly does that work? Some kind of malicious Javascript or something? That seems like it'd be a pretty easy thing to prevent on the browser side.
Re: (Score:3)
It's called the dancing bunnies problem
http://www.google.com/search?q=dancing+bunnies+problem [google.com]
Re: (Score:3)
Hello? This was FOR script kiddies, it was DESIGNED for script kiddies. Script kiddies have had it all along.
Now Joe Schmoe script kiddie that does not have any money at all because he blows it all on Monster and Twizzlers in his mom's basement can now have
Re:WTF (Score:5, Informative)
...does any of this mean? Can we get summaries that aren't the first paragraph of TFA? Can we get an explanation of what the hell TFA is talking about and why we should care?
Sheesh.
Spy Eye is a pretty well known and powerful RAT/Bot tool on level with the venerable Zeus. The real non-backdoored copies are (generally) all for-pay.
.001% real coder and 99.999% script kiddie and leach. This makes powerful tools available to many more people than before.
This is a licensed for-pay malware/crimeware toolkit. The source code is leaked and there is a CRACK for the builder. This is key. Now it's easier for the freeloaders and skiddies to get at and CUSTOMIZE this high level malware tool, making it harder to detect.
This means things are going to get more interesting (re: worse) before they get better.
The 'hacker' scene is like
Re: (Score:2)
That's the power of open source.
The department? (Score:1)
from the without-the-consent-of-major-league-baseball dept.
really? that's the best phrase you came up with?
Re: (Score:2, Informative)
It's from the Simpsons episode "Brother's Little Helper."
*TWELVE YEAR OLD SPOILER WARNING*
Major League Baseball is found to be spying on Americans with spy satellites.
More info (Score:3, Informative)
From ComputerWorld [computerworld.com]: "SpyEye is a particularly nasty piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second."
The malware kit is normally sold to criminals, with each sold copy protected by an encryption scheme of some kind. This encryption scheme was cracked and the source code also released, so anyone can now freely compile the software. The malware also uses a botnet to perform transactions using compromised banking credentials. It's not clear if the hack also enables one to setup or control the botnet aspect. However, one could presumably make use of the capability to directly initiate transactions on the victim's computer.
And to think I just got all my online accounts linked together to make my life easier!
Re: (Score:2)
I'd run it in a VM or sandboxed or on a "disposable" computer. You are playing with fire, watch out so you don't get burned. 50-50 odds you get owned by DLing someone ELSE'S deployment of SpyEye. lol.
To truly deploy this is actually sorta involved, I know for Zeus you hafta run a web server to gather all the data and do C+C. A simple RAT with a few dozen bots
Re: (Score:2)
Because we don't have enough script kiddies in anonymous and lulz-sec running around breaking stuff as fast as they can already. Just awesome.
I think lulzsec got arrested a week or two ago, not that your point is any less valid.
Re: (Score:2)
No, they think they arrested the spokesman but they arrested some dude who was framed by the spokesman. But the real spokesman (Topiary) has since had all his personal info released online so he's probably hiding in the woods right now.
on the good side (Score:4, Insightful)
With the source code out, it should be easy to plug the security holes that the spyware uses, and it should be easy to generate hashes and heuristics for virus scanners to detect the spyware on infected computers. In theory, anyway.
Re: (Score:3)
... Or make variants of the spyware which avoid said heuristics.
Sir, I'd like you to meet my friend, the double-edged sword...
Re: (Score:1)
"No shit, everything is a double-edged sword. Even a single-edged sword is a double-edged sword. Because on the one hand it's sharp but on the other hand it's dull....a single-edged sword is a double-edged sword."
--Louis C. K.
Re: (Score:1)
It's not even that... the source code for a tool that patches the tool that BUILDS SpyEye trojans has been *released*.
It's amazing how the internet resembles that children's whispering game, considering we're dealing with text that supposedly doesn't change. I feel like I could write "I bought ice cream on Craigslist" on my blog and eventually see it posted to Slashdot as "Foreign terrorist creams Craig Ferguson." -- and yes, neither of these are news for nerds (well, maybe the first one).
This is a good thing (Score:1)
They should do this more often. ...
It is not that they will get sued for copyright infringement or revealing trade secrets
If all malware were put freely on the internet, wouldn't that dry up some of the revenue streams for the authors? Sure, you will briefly see a spike in derivatives, but I believe the way to combat covert actions is not by covert counter-actions, but by bringing it all in the open.
When you consider this to be a battle, there are a number of things which would make sense:
1) Choose your ba