Slashdot Mirror


SpyEye Trojan Source Code Leaked

wiredmikey writes "The SpyEye malware kit has long been both the bane of unsuspecting victims and a boon for cyber-criminals. Now, according to security researchers, the situation may have taken a turn for the worse. The SpyEye Builder patch source code for release 1.3.45 was leaked by the Reverse Engineers Dream Crew (RED Crew) recently after a crew member was able to locate a copy of SpyEye Builder 1.3.45 and create a tutorial that enables a reader with SpyEye Builder to crack the hardware identification."

55 comments

  1. WTF by Anonymous Coward · · Score: 0, Troll

    ...does any of this mean? Can we get summaries that aren't the first paragraph of TFA? Can we get an explanation of what the hell TFA is talking about and why we should care?

    Sheesh.

    1. Re:WTF by AnotherScratchMonkey · · Score: 1

      It means it's now available to script kiddies.

    2. Re:WTF by kidgenius · · Score: 1

      as opposed to whom? Didn't these script kiddies have this script before as well?

    3. Re:WTF by Hsien-Ko · · Score: 1

      It means it's coming to Linux

    4. Re:WTF by Grishnakh · · Score: 1

      What's wrong with that? With the source code to this malware now publicly available, it should be trivial for any systems vulnerable to it to be patched quickly, as it'll be obvious exactly what attack vectors it uses.

      This sounds like good news, not bad news.

    5. Re:WTF by Lumpy · · Score: 2

      Hello? this was FOR script kiddies, it was DESIGNED for script kiddies. Script kiddies have had it all along.

      Now joe schmoe script kiddie that does not have any money at all because he blows it all on Monster and Twizzlers in his mom's basement can now have it.

      --
      Do not look at laser with remaining good eye.
    6. Re:WTF by flappinbooger · · Score: 4, Informative

      ...does any of this mean? Can we get summaries that aren't the first paragraph of TFA? Can we get an explanation of what the hell TFA is talking about and why we should care?

      Sheesh.

      Spy Eye is a pretty well known and powerful RAT/Bot tool on a level with the venerable Zeus. The real non-backdoored copies are (generally) all for-pay.

      This is a licensed for-pay malware/crimeware toolkit. The source code is leaked and there is a CRACK for the builder. This is key. Now it's easier for the freeloaders and skiddies to get at and CUSTOMIZE this high level malware tool, making it harder to detect.

      This means things are going to get more interesting (re: worse) before they get better.

      The "hacker" scene is like .001% real coder and 99.999% script kiddie and leech. This makes powerful tools available to many more people than before.

      --
      Flappinbooger isn't my real name
    7. Re:WTF by AnotherScratchMonkey · · Score: 1

      According to the article, the code was only available for purchase before.

    8. Re:WTF by cm017510 · · Score: 1

      Thanks for that.

    9. Re:WTF by zget · · Score: 2

      Yes, it's really trivial to patch human stupidity, which nowadays leads to most malware infections.

    10. Re:WTF by Grishnakh · · Score: 1

      Please explain exactly how "human stupidity" leads to malware infections. I'm sure I can come up with a simple technical solution for every one.

    11. Re:WTF by dgatwood · · Score: 2

      Please explain exactly how "human stupidity" leads to malware infections.

      User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.

      I'm sure I can come up with a simple technical solution for every one.

      Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    12. Re:WTF by newcastlejon · · Score: 1

      It's easy:

      Blah blah blah administrator blah blah would you like blah blah... .
      *Clicks No*

      Or:

      Yadda yadda type password...
      Sure, whatever...
      *types password*

      And bish bash bosh, you've got the electronic clap.

      --
      If God forks the Universe every time you roll a die, he'd better have a damned good memory.
    13. Re:WTF by Riceballsan · · Score: 1

      Now it's available to 13 year old script kiddies living in their mother's basement; before, it was only available to script kiddies with thousands of dollars to invest.

    14. Re:WTF by Hatta · · Score: 1

      That's the power of open source.

      --
      Give me Classic Slashdot or give me death!
    15. Re:WTF by flappinbooger · · Score: 1

      That is true, having SpyEye wide open like this will help security researchers and white hats just as much as the skiddies and black hats. TFA mentions as such.

      --
      Flappinbooger isn't my real name
    16. Re:WTF by Grishnakh · · Score: 1

      User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.
      Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)

      I can think of one method: a blacklist. The OS should have a standardized method for software installation (like apt-get or yum). When installing something, the installer checks with the OS vendor's site to get the most updated blacklist, and checks that the software being installed isn't on it. For better security, this check should use some kind of signature so simply renaming files or whatever doesn't get around it. Obviously, this is a reactive approach rather than proactive, but it would still make it fairly pointless to go to the trouble of setting up a website and making fake antivirus (or other) software, as they'd get put on the blacklist quickly and wouldn't get very many successful infections before they needed to change things enough to get around the blacklist, until the blacklist is updated again. These malware purveyors need a large number of infections for their work to be profitable, and if the reward is too little for the amount of effort needed, they won't bother.

      Obviously, a whitelist would be more secure, but that's basically the same thing as a "walled garden" as you mentioned, and has a lot of other problems (namely, it'd create a monetary barrier of entry to anyone trying to distribute software, whether free or not, as the OS vendor would undoubtedly charge to get on the whitelist; it'd also make it a pain to create your own software, custom in-house software, etc.).

      So what other methods these days lead to malware infections, or is that pretty much the only one left? This one really isn't that bad, as it requires a fair amount of effort for the user to get himself infected: he has to go to a new website, click on something to download a file, and then click on something allowing it to be run. I haven't used IE lately, but haven't they made it so you can't just run executables when you download them (i.e., you must first download them someplace, and then go execute them from a file manager)? That's a pretty far cry from simply clicking on something that you don't even know will install software on your system, which is what used to happen years and years ago.
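The install-time blacklist described in the comment above, as an added example that is not part of the original thread or of any real package manager. It assumes a vendor-published list of package content hashes with an integrity tag over the list (an HMAC with a constructed key stands in for the vendor's public-key signature so the script runs with only the standard library), and that the installer decides on the package's SHA-256 rather than its file name, which is what makes renaming useless. It also shows the two caveats a practitioner would want: a tampered list is rejected outright, and a pure hash list misses a variant that differs by a single byte, which is the reactive weakness the thread goes on to raise.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the OS vendor's signing key. A real deployment would
# use a public-key signature so that only the vendor can produce a valid tag;
# an HMAC is used here only so the example runs with the standard library.
VENDOR_KEY = b"constructed-vendor-key-for-demo"


def sha256_hex(data):
    """A package's identity is its content hash, never its file name."""
    return hashlib.sha256(data).hexdigest()


def sign_blacklist(bad_hashes, key=VENDOR_KEY):
    """Vendor side: publish the blacklist with an integrity tag over its body."""
    body = json.dumps(sorted(bad_hashes))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_blacklist(signed, key=VENDOR_KEY):
    """Client side: refuse any blacklist whose tag does not verify."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("blacklist tag mismatch; refusing to trust it")
    return set(json.loads(signed["body"]))


def install_allowed(filename, package_bytes, blacklist):
    """Installer hook: the decision uses the content hash only; the file name
    is accepted for logging and deliberately ignored."""
    return sha256_hex(package_bytes) not in blacklist


# Constructed sample packages (these bytes stand in for real installer files).
FAKE_AV = b"constructed fake antivirus installer payload"
BENIGN = b"constructed benign text editor installer"


def demo():
    signed = sign_blacklist([sha256_hex(FAKE_AV)])
    blacklist = load_blacklist(signed)
    results = {
        # Same bytes under any file name hash the same, so renaming does not evade.
        "fake_av": install_allowed("AntiVirus2011.exe", FAKE_AV, blacklist),
        "fake_av_renamed": install_allowed("setup.exe", FAKE_AV, blacklist),
        "benign": install_allowed("editor.msi", BENIGN, blacklist),
        # Limitation of a hash-only list: one changed byte is a new hash, so the
        # list is only as good as how fast the vendor refreshes it.
        "fake_av_one_byte_variant": install_allowed(
            "setup.exe", FAKE_AV + b"\x00", blacklist
        ),
    }
    # A list whose body was altered (entry removed) but still carries the old
    # tag must be rejected, otherwise anyone on the path could blank the list.
    tampered = {"body": json.dumps([]), "tag": signed["tag"]}
    try:
        load_blacklist(tampered)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`demo()` returns `True` where the installer would allow the package and `False` where it would block; the `fake_av_one_byte_variant` entry coming back `True` is the point the later replies make about blacklists being easy to step around, and is the reason such a check is a supplement to, not a substitute for, least privilege and signed packages.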

    17. Re:WTF by Grishnakh · · Score: 1

      Sorry, you're not making much sense here. For some window to come up asking for your password, some software (i.e. malware) has to already have been installed on your system. How'd that get there?

    18. Re:WTF by dissy · · Score: 1

      I can think of one method: a blacklist.

      You mean an antivirus program?

    19. Re:WTF by Anonymous Coward · · Score: 0

      Sorry, you're not making much sense here. For some window to come up asking for your password, some software (i.e. malware) has to already have been installed on your system. How'd that get there?

      They call that a "web browser" or, in some cases, an "operating system".
      FYI those things tend to come pre-installed on computers these days.

    20. Re:WTF by geekprime · · Score: 2

      It's called the dancing bunnies problem

      http://www.google.com/search?q=dancing+bunnies+problem

    21. Re:WTF by Grishnakh · · Score: 1

      Sort of, but it has to be tied into the OS so that you can't easily install software without going through this check. Since this would seem to require a standardized way of installing software (instead of individual programs just doing whatever they want, which seems to be the norm on one popular OS), it would work a lot better if it were done by the OS vendor itself, rather than being added on by some 3rd-party vendor.

      To me, the whole idea of a 3rd-party antivirus program seems wrong. If there's a need for security add-ons to prevent programs from misbehaving, that seems to be the job of the OS, and if a 3rd party product needs to be added on to fix a basic problem with the OS, there's something seriously wrong. This doesn't mean that add-ons aren't useful sometimes; several Linux distros include AppArmor, for instance, which helps to prevent pre-existing vulnerabilities in installed software from being exploited by limiting what that software is allowed to do on the system. But AppArmor (while made by a different team) is packaged and included as part of the OS by the distro so that it's properly integrated; it's not installed after-the-fact by users.

    22. Re:WTF by Grishnakh · · Score: 1

      You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.

      If you have some kind of specific instance you can describe in detail, let's hear it, but let's dispense with this vagueness.

    23. Re:WTF by CSMoran · · Score: 1

      You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.

      You and I know that. Now ask yourself, does a clueless user know that?

      --
      Every end has half a stick.
    24. Re:WTF by Anonymous Coward · · Score: 0

      When does a web browser pop up a window asking for your root password?

      I dunno, it's always popping all this annoying shit up in my face any time I want to do anything. I just click on shit until it goes away. Password? Hell I see it asking for that all the time. If you could tell me how to just turn that thing off entirely I'd be happy.

    25. Re:WTF by X0563511 · · Score: 1

      Blacklists are trivial to get around. There's all sorts of things you can do to avoid signature matching. Look up a polymorphic virus, it's the same idea.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    26. Re:WTF by BosstonesOwn · · Score: 2

      Just throwing this out there, but don't OS X and Linux both require a password when installing software from a downloaded package? As well as Windows when running as a non-admin user?

      And we all run as non admin users right ?

      I think you doubt the "want it now" factor.

      I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.

      --
      This package Does Not Contain a Winner
    27. Re:WTF by X0563511 · · Score: 1

      Do you use Windows (newer than XP)? UAC satisfies his first prompt. Do you use any modern Linux distro that uses a graphical sudo frontend? Then you just satisfied the second.

      Those are common ways for things in userspace (e.g. DancingPigs.exe or .sh) to ask for privilege escalation. Which the user will most likely provide, because they want their Dancing Pigs.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    28. Re:WTF by Grishnakh · · Score: 1

      I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.

      Ok, and how exactly does that work? Some kind of malicious Javascript or something? That seems like it'd be a pretty easy thing to prevent on the browser side.

  2. The department? by Anonymous Coward · · Score: 1

    from the without-the-consent-of-major-league-baseball dept.

    really? that's the best phrase you came up with?

    1. Re:The department? by Anonymous Coward · · Score: 2, Informative

      It's from the Simpsons episode "Brother's Little Helper."

      *TWELVE YEAR OLD SPOILER WARNING*

      Major League Baseball is found to be spying on Americans with spy satellites.

    2. Re:The department? by kmoser · · Score: 2

      Believe it or not, the phrase was around long before the Simpsons parodied it.

  3. That's ok - because SpyEye's kept up on AND by Anonymous Coward · · Score: 0

    It's quite blockable in HOSTS files &/or Firewalls (software OR hardware router types) -> https://spyeyetracker.abuse.ch/monitor.php

    APK

    P.S.=> They create variants? Those will be tracked as well as to their botnet C&C servers... simple!

    ... apk

  4. Ah...no by Anonymous Coward · · Score: 0

    The author of the original blog post that laid out the hardware ID crack completely refuted Damballa's post. If you read his original post, it's very clear that he didn't post the source code or anything close to it. He just showed how to crack the HWID. Not the same thing by a long shot.

  5. More info by Anonymous Coward · · Score: 3, Informative

    From ComputerWorld: "SpyEye is a particularly nasty piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second."

    The malware kit is normally sold to criminals, with each sold copy protected by an encryption scheme of some kind. This encryption scheme was cracked and the source code also released, so anyone can now freely compile the software. The malware also uses a botnet to perform transactions using compromised banking credentials. It's not clear if the hack also enables one to setup or control the botnet aspect. However, one could presumably make use of the capability to directly initiate transactions on the victim's computer.

    And to think I just got all my online accounts linked together to make my life easier!

    1. Re:More info by Anonymous Coward · · Score: 0

      "And to think I just got all my online accounts linked together to make my life easier!"

      I wonder how many people are thinking that very thought...

      Coincidence?

      *hoorya for drunk post!*

  6. Derp by Anonymous Coward · · Score: 0

    Download is here

    http://forum.potsec.net/showthread.php?3-SpyEye-Source-Code-is-Leaked

    1. Re:Derp by Anonymous Coward · · Score: 0

      how do you compile it?

    2. Re:Derp by flappinbooger · · Score: 1

      maybe start looking for the builder on hacker forums like HF and opensc. There are many, and this is such big news it shouldn't take you long to find it.

      I'd run it in a VM or sandboxed or on a "disposable" computer. You are playing with fire, watch out so you don't get burned. 50-50 odds you get owned by DLing someone ELSE'S deployment of SpyEye. lol.

      To truly deploy this is actually sorta involved, I know for Zeus you hafta run a web server to gather all the data and do C+C. A simple RAT with a few dozen bots is easy peasy, that's just messing with noIP and opening some ports, these crimeware tools are a CAMPAIGN. With Zeus and SE you are intending on stealing people's money on a large scale.

      Remember kids, don't hack from your own IP address, your dad will get pissed when the FBI comes.

      --
      Flappinbooger isn't my real name
    3. Re:Derp by Anonymous Coward · · Score: 0

      If you are going to teach a wannabe script kiddie how to be a script kiddie, please try to use proper spelling. Your post hurt my brain...

      Besides, if it's good, running it in a VM or chrooted (if Windows supports that yet) won't help in the slightest. Maybe if you set up a small network with a bunch of computers, make sure it's disconnected from any external network (for your sake and others'), play around with it, and then wipe all computers used. That way, you can re-use the HDDs for the next piece of software you want to use, and you become more familiar with setting up a good testing environment too.

      And if you have to tell someone "you don't hack across the state lines, you'll get nailed by the FBI" (the movie Hackers), they deserve to be caught. Seriously...

    4. Re:Derp by logjon · · Score: 0

      Besides, if it's good, running it in a VM or chrooted (if windows supports that yet) won't help the slightest.

      Stupidest thing I've read on slashdot in months.

      --
      The stories and info posted here are artistic works of fiction and falsehood.
      Only fools would take it as fact.
  7. Wonderful by zerox030366 · · Score: 0

    Because we don't have enough script kiddies in anonymous and lulz-sec running around breaking stuff as fast as they can already. Just awesome.

    1. Re:Wonderful by kelemvor4 · · Score: 1

      Because we don't have enough script kiddies in anonymous and lulz-sec running around breaking stuff as fast as they can already. Just awesome.

      I think lulzsec got arrested a week or two ago, not that your point is any less valid.

    2. Re:Wonderful by GameboyRMH · · Score: 1

      No, they think they arrested the spokesman but they arrested some dude who was framed by the spokesman. But the real spokesman (Topiary) has since had all his personal info released online so he's probably hiding in the woods right now.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. Why was my post "modded down"? by Anonymous Coward · · Score: 0

    It was meant for the "general good". I'd like a technical justification offered @ least on WHY it was 'downward modded' (thanks).

    * The "general good" being information on stopping this SpyEye botnet from infesting you in the 1st place, by blocking it @ the HOSTS file OR firewall level (preferably both local to your own system, & hopefully @ DNS server layers/levels too @ ISP/BSP's also via DNSBL's on THEIR parts, like Norton DNS does for example - which IS what makes IT, outstanding!)

    APK

    P.S.=> Of course, there are those who don't WANT others to KNOW about that site (the makers of this botnet mainly), & I've also made my share of enemies out there online as well (dolts I've floored on technical issues & they're obviously still "stinging" from the "bitter taste of defeat" @ having to eat their own erroneous words flavored with it, lol, @ MY hands)!

    However? Well, so far here?? That's just speculation (but, IF I don't get a SOLID explain on the downmod? Then, I can only assume I am 100% correct on my "speculations" above))...

    ... apk
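The HOSTS-file and firewall blocking that the two APK posts above describe, as an added example that is not part of the original thread and not a tool from the tracker site they link. The feed lines are constructed, and the feed format is an assumption (one C&C hostname or IP per line, `#` comments) because the page does not show the tracker's export format. The script turns the feed into a HOSTS block and separates out IP-literal entries, which is the check a practitioner needs: a HOSTS file only affects name resolution, so a C&C reached by bare IP has to be blocked at the firewall instead, and junk or `localhost` lines must never be sinkholed.

```python
import ipaddress
import re

# Hostname syntax check (RFC 1123-style labels); rejects junk lines from the feed.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample feed. The real tracker's export format is not shown on the
# page, so this assumes one C&C hostname or IP per line with '#' comments.
SAMPLE_FEED = """\
# constructed sample, not real tracker output
cnc-one.example.invalid        # hostname entry
203.0.113.7                    # IP-literal entry (documentation range)
CNC-Two.Example.Invalid        # mixed case, normalised below
cnc-one.example.invalid        # duplicate, dropped
localhost                      # must never be sinkholed
not a hostname!                # junk, rejected
"""


def parse_feed(text):
    """Split a feed into (hostnames, ip_literals, rejected), deduplicated."""
    hosts, ips, rejected = [], [], []
    seen = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry or entry in seen:
            continue
        seen.add(entry)
        try:
            ipaddress.ip_address(entry)
            ips.append(entry)  # HOSTS cannot block these; the firewall must
            continue
        except ValueError:
            pass
        if entry == "localhost" or not HOSTNAME_RE.match(entry):
            rejected.append(entry)
            continue
        hosts.append(entry)
    return hosts, ips, rejected


def hosts_block(hosts, sink="0.0.0.0"):
    """Render HOSTS lines between markers so the block can be replaced on refresh.
    0.0.0.0 is used rather than 127.0.0.1 so blocked names do not hit local services."""
    lines = ["# BEGIN spyeye-sinkhole (generated)"]
    lines += [f"{sink} {h}" for h in hosts]
    lines.append("# END spyeye-sinkhole")
    return "\n".join(lines) + "\n"


def build(text):
    """Produce the HOSTS text plus the IP list that has to go to firewall rules."""
    hosts, ips, rejected = parse_feed(text)
    return {"hosts_file": hosts_block(hosts), "firewall_ips": ips, "rejected": rejected}


if __name__ == "__main__":
    out = build(SAMPLE_FEED)
    print(out["hosts_file"])
    print("block at the firewall (not coverable by HOSTS):", out["firewall_ips"])
    print("rejected feed lines:", out["rejected"])
```

Refreshing the feed means replacing everything between the two marker comments, so the rest of the HOSTS file is left alone; the `firewall_ips` list is what you would feed to whatever host or router firewall you run, since those entries never pass through name resolution.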

    1. Re:Why was my post "modded down"? by Anonymous Coward · · Score: 0

      You are 100% correct on your speculations, you don't need to wait for anyone to confirm that. Try not be so weird all the time.

  9. on the good side by kwikrick · · Score: 3, Insightful

    With the source code out, it should be easy to plug the security holes that the spyware uses, and it should be easy to generate hashes and heuristics for virus scanners to detect spyware on infected computers. In theory anyway.

    --
    assignment != equality != identity
    1. Re:on the good side by NotQuiteInsane · · Score: 2

      ... Or make variants of the spyware which avoid said heuristics.

      Sir, I'd like you to meet my friend, the double-edged sword...

    2. Re:on the good side by Anonymous Coward · · Score: 1

      "No shit, everything is a double-edged sword. Even a single-edged sword is a double-edged sword. Because on the one hand it's sharp but on the other hand it's dull....a single-edged sword is a double-edged sword."
      --Louis C. K.

    3. Re:on the good side by Anonymous Coward · · Score: 0

      I for one am glad the source code is out in the open. At least we know what we're facing, even if it allows for people (who probably already know how to write trojans) to write more trojans.

  10. Disprove what I wrote by Anonymous Coward · · Score: 0

    In my init. post then here -> http://it.slashdot.org/comments.pl?sid=2380830&cid=37100334 because there is NOTHING "weird" about that, only facts & useful ones @ that!

    (And, the fact is, IS that it lists the botnet C&C servers that SpyEye uses, which CAN BE BLOCKED @ the HOSTS file OR Firewall level (in software &/or hardware router firewall levels)).

    * That's USEFUL INFORMATION others here can gain by... period!

    "You are 100% correct on your speculations, you don't need to wait for anyone to confirm that." - by Anonymous Coward OBVIOUSLY A BOTNET MASTER HIMSELF on Tuesday August 16, @01:23AM (#37103512)

    Thank you then for confirming my speculations then for me... now, go away you TROLLING botnet master... ok? Try to do something useful to the general human condition instead of being a scumbag...

    APK

    P.S.=> An application of... "ReVeRsE-PsYcHoLoGy" - 4 off-topic trolls like you (who clearly demonstrate ALL THEY HAVE, is effete down-moderations in retaliation vs. myself):

    ".emit eht lla driew os eb ton yrT" - by Anonymous Coward ANOTHER "ne'er-do-well" /. OFF-TOPIC TROLL on Sunday July 10, @06:32AM (#36710070)

    "???"

    Uhm... Could we get a translation of that off-topic "troll-speak/trolllanguage" of yours, please?

    ---

    * And, you're an off-topic troll - no questions asked...SEE MY SUBJECT LINE ABOVE!

    ("ReVeRsE-PsYcHoLoGy", for trolls - Courtesy of this code by "yours truly" in less than 1 second flat):

    ---

    #TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)

    def reverse(s):
        # Build the reversed string by prepending each character in turn.
        trollstring = ""
        try:
            for apksays in s:
                trollstring = apksays + trollstring
        except Exception:
            print("error/abend in reverse function")
        return trollstring

    s = ""
    print(reverse(s))

    try:
        s = "Insert whatever 'trollspeak/trolllanguage' gibberish occurs here..."
        s = reverse(s)
        print(s)
    except Exception as e:
        print(e)

    ---

    ... apk

  11. No, SpyEye Trojan Source Code *NOT* Leaked by Anonymous Coward · · Score: 0

    *picard-facepalm.jpg*

    Holy fuck, I do not believe how many people have commented on and reblogged this story while failing basic Reading Comprehension 101.

    The source code for the SpyEye trojan has NOT been leaked.

    The source code for a tool that patches the binary executable of the SpyEye trojan has been leaked.

  12. Good Job by k4f · · Score: 0

    “Over the last 18 months, SpyEye has made a lot of headlines, especially when it was revealed that the development team behind the malware was effectively merging it with that of the older Zeus code,”

  13. Re:No, SpyEye Trojan Source Code *NOT* Leaked by Em+Adespoton · · Score: 1

    It's not even that... the source code for a tool that patches the tool that BUILDS SpyEye trojans has been *released*.

    It's amazing how the internet resembles that children's whispering game, considering we're dealing with text that supposedly doesn't change. I feel like I could write "I bought ice cream on Craigslist" on my blog and eventually see it posted to Slashdot as "Foreign terrorist creams Craig Ferguson." -- and yes, neither of these are news for nerds (well, maybe the first one).

  14. This is a good thing by Candyban · · Score: 1

    They should do this more often.
    It is not that they will get sued for copyright infringement or revealing trade secrets ...

    If all malware were put freely on the internet, wouldn't that dry up some of the revenue streams for the authors? Sure, you will briefly see a spike in derivatives, but I believe the way to combat covert actions is not by covert counter-actions, but by bringing it all in the open.

    When you consider this to be a battle, there are a number of things which would make sense:

    1) Choose your battleground where you have a tactical advantage. Draw them in the open as "we" are more numerous and have more firepower.

    2) Disrupt their supply lines by removing incentives to start writing malware. When they are selling their malware, buy one copy and provide it for free. This will remove a lot of their demand as they will have to start charging more and increase their exposure (larger money transactions will stand out more) or drive them deeper underground which makes them harder to find and buy from.

    3) Increase your defences by making genuine software more secure and harder to exploit. "We" are making progress in this area.

    4) Decrease their firepower by implementing more control on the ISP level. This may be dangerous as there might be "civilian casualties" but spam zombies are easily identified. Remove zombie hosts from the network. Remove ISPs who do not take action on the zombies from the network. Reduce bandwidth from countries who do not take action on the ISPs. This will have an added bonus that it will also disrupt some of their revenue streams. What is the point of raising a botnet army when you cannot do anything with it?

    5) Demoralise their troops by taking legal action. Seize their spoils of war (assets) and their freedom (PoW).

    6) Moralise your own troops by increasing incentives to write good code and identify problems. Have them rated like their financial health and increase/decrease tax rates accordingly as would interest rates. This will give incentives to write secure code rather than rush something out the door. When problems arise, security holes are patched as quickly as they are discovered and it allows companies to pay security researchers for their effort. It may even convince some of the black hatters (mercenaries) to switch sides as it becomes more profitable.