Slashdot Mirror


SpyEye Trojan Source Code Leaked

wiredmikey writes "The SpyEye malware kit has long been both the bane of unsuspecting victims and a boon for cyber-criminals. Now, according to security researchers, the situation may have taken a turn for the worse. The SpyEye Builder patch source code for release 1.3.45 was leaked by the Reverse Engineers Dream Crew (RED Crew) recently after a crew member was able to locate a copy of SpyEye Builder 1.3.45 and create a tutorial that enables a reader with SpyEye Builder to crack the hardware identification."

38 of 55 comments

  1. The department? by Anonymous Coward · · Score: 1

    from the without-the-consent-of-major-league-baseball dept.

    really? that's the best phrase you came up with?

    1. Re:The department? by Anonymous Coward · · Score: 2, Informative

      It's from the Simpsons episode "Brother's Little Helper."

      *TWELVE YEAR OLD SPOILER WARNING*

      Major League Baseball is found to be spying on Americans with spy satellites.

    2. Re:The department? by kmoser · · Score: 2

      Believe it or not, the phrase was around long before the Simpsons parodied it.

  2. Re:WTF by AnotherScratchMonkey · · Score: 1

    It means it's now available to script kiddies.

  3. Re:WTF by kidgenius · · Score: 1

    as opposed to whom? Didn't these script kiddies have this script before as well?

  4. Re:WTF by Hsien-Ko · · Score: 1

    It means it's coming to Linux

  5. Re:WTF by Grishnakh · · Score: 1

    What's wrong with that? With the source code to this malware now publicly-available, then it should be trivial for any systems vulnerable to it to be patched quickly, as it'll be obvious exactly what attack vectors it uses.

    This sounds like good news, not bad news.

  6. Re:WTF by Lumpy · · Score: 2

    Hello? this was FOR script kiddies, it was DESIGNED for script kiddies. Script kiddies have had it all along.
    Now joe schmoe script kiddie that does not have any money at all because he blows it all on Monster and Twizzlers in his mom's basement can now have it.

    --
    Do not look at laser with remaining good eye.
  7. Re:WTF by flappinbooger · · Score: 4, Informative

    ...does any of this mean? Can we get summaries that aren't the first paragraph of TFA? Can we get an explanation of what the hell TFA is talking about and why we should care?

    Sheesh.

    Spy Eye is a pretty well known and powerful RAT/Bot tool on a level with the venerable Zeus. The real non-backdoored copies are (generally) all for-pay.

    This is a licensed for-pay malware/crimeware toolkit. The source code is leaked and there is a CRACK for the builder. This is key. Now it's easier for the freeloaders and skiddies to get at and CUSTOMIZE this high level malware tool, making it harder to detect.

    This means things are going to get more interesting (re: worse) before they get better.

    The 'hacker' scene is like .001% real coder and 99.999% script kiddie and leech. This makes powerful tools available to many more people than before.

    --
    Flappinbooger isn't my real name
  8. Re:WTF by AnotherScratchMonkey · · Score: 1

    According to the article, the code was only available for purchase before.

  9. More info by Anonymous Coward · · Score: 3, Informative

    From ComputerWorld: "SpyEye is a particularly nasty piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second."

    The malware kit is normally sold to criminals, with each sold copy protected by an encryption scheme of some kind. This encryption scheme was cracked and the source code also released, so anyone can now freely compile the software. The malware also uses a botnet to perform transactions using compromised banking credentials. It's not clear if the hack also enables one to setup or control the botnet aspect. However, one could presumably make use of the capability to directly initiate transactions on the victim's computer.

    And to think I just got all my online accounts linked together to make my life easier!

  10. Re:WTF by cm017510 · · Score: 1

    Thanks for that.

  11. Re:WTF by zget · · Score: 2

    Yes, it's really trivial to patch human stupidity, which nowadays leads to most malware infections.

  12. Re:WTF by Grishnakh · · Score: 1

    Please explain exactly how "human stupidity" leads to malware infections. I'm sure I can come up with a simple technical solution for every one.

  13. Re:WTF by dgatwood · · Score: 2

    Please explain exactly how "human stupidity" leads to malware infections.

    User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.

    I'm sure I can come up with a simple technical solution for every one.

    Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  14. Re:WTF by newcastlejon · · Score: 1

    It's easy:

    Blah blah blah administrator blah blah would you like blah blah... .
    *Clicks No*

    Or:

    Yadda yadda type password...
    Sure, whatever...
    *types password*

    And bish bash bosh, you've got the electronic clap.

    --
    If God forks the Universe every time you roll a die, he'd better have a damned good memory.
  15. Re:WTF by Riceballsan · · Score: 1

    Now it's available to 13 year old script kiddies living in their mother's basement, before it was only available to script kiddies with thousands of dollars to invest.

  16. Re:WTF by Hatta · · Score: 1

    That's the power of open source.

    --
    Give me Classic Slashdot or give me death!
  17. Re:Derp by flappinbooger · · Score: 1

    maybe start looking for the builder on hacker forums like HF and opensc. There are many, and this is such big news it shouldn't take you long to find it.

    I'd run it in a VM or sandboxed or on a "disposable" computer. You are playing with fire, watch out so you don't get burned. 50-50 odds you get owned by DLing someone ELSE'S deployment of SpyEye. lol.

    To truly deploy this is actually sorta involved, I know for Zeus you hafta run a web server to gather all the data and do C+C. A simple RAT with a few dozen bots is easy peasy, that's just messing with noIP and opening some ports, these crimeware tools are a CAMPAIGN. With Zeus and SE you are intending on stealing people's money on a large scale.

    Remember kids, don't hack from your own IP address, your dad will get pissed when the FBI comes.

    --
    Flappinbooger isn't my real name
  18. Re:WTF by flappinbooger · · Score: 1

    That is true, having SpyEye wide open like this will help security researchers and white hats just as much as the skiddies and black hats. TFA mentions as such.

    --
    Flappinbooger isn't my real name
  19. Re:WTF by Grishnakh · · Score: 1

    User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.
    Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)

    I can think of one method: a blacklist. The OS should have a standardized method for software installation (like apt-get or yum). When installing something, the installer checks with the OS vendor's site to get the most updated blacklist, and checks that the software being installed isn't on it. For better security, this check should use some kind of signature so simply renaming files or whatever doesn't get around it. Obviously, this is a reactive approach rather than proactive, but it would still make it fairly pointless to go to the trouble of setting up a website and making fake antivirus (or other) software, as they'd get put on the blacklist quickly and wouldn't get very many successful infections before they needed to change things enough to get around the blacklist, until the blacklist is updated again. These malware purveyors need a large number of infections for their work to be profitable, and if the reward is too little for the amount of effort needed, they won't bother.

    Obviously, a whitelist would be more secure, but that's basically the same thing as a "walled garden" as you mentioned, and has a lot of other problems (namely, it'd create a monetary barrier of entry to anyone trying to distribute software, whether free or not, as the OS vendor would undoubtedly charge to get on the whitelist; it'd also make it a pain to create your own software, custom in-house software, etc.).

    So what other methods these days lead to malware infections, or is that pretty much the only one left? This one really isn't that bad, as it requires a fair amount of effort for the user to get himself infected: he has to go to a new website, click on something to download a file, and then click on something allowing it to be run. I haven't used IE lately, but haven't they made it so you can't just run executables when you download them (i.e., you must first download them someplace, and then go execute them from a file manager)? That's a pretty far cry from simply clicking on something that you don't even know will install software on your system, which is what used to happen years and years ago.

  20. Re:WTF by Grishnakh · · Score: 1

    Sorry, you're not making much sense here. For some window to come up asking for your password, some software (i.e. malware) has to already have been installed on your system. How'd that get there?

  21. Re:WTF by dissy · · Score: 1

    I can think of one method: a blacklist.

    You mean an antivirus program?

  22. Re:WTF by geekprime · · Score: 2

    It's called the dancing bunnies problem

    http://www.google.com/search?q=dancing+bunnies+problem

  23. Re:WTF by Grishnakh · · Score: 1

    Sort of, but it has to be tied into the OS so that you can't easily install software without going through this check. Since this would seem to require a standardized way of installing software (instead of individual programs just doing whatever they want, which seems to be the norm on one popular OS), it would work a lot better if it were done by the OS vendor itself, rather than being added on by some 3rd-party vendor.

    To me, the whole idea of a 3rd-party antivirus program seems wrong. If there's a need for security add-ons to prevent programs from misbehaving, that seems to be the job of the OS, and if a 3rd party product needs to be added on to fix a basic problem with the OS, there's something seriously wrong. This doesn't mean that add-ons aren't useful sometimes; several Linux distros include AppArmor, for instance, which helps to prevent pre-existing vulnerabilities in installed software from being exploited by limiting what that software is allowed to do on the system. But AppArmor (while made by a different team) is packaged and included as part of the OS by the distro so that it's properly integrated; it's not installed after-the-fact by users.

  24. Re:WTF by Grishnakh · · Score: 1

    You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.

    If you have some kind of specific instance you can describe in detail, let's hear it, but let's dispense with this vagueness.

  25. Re:Wonderful by kelemvor4 · · Score: 1

    Because we don't have enough script kiddies in anonymous and lulz-sec running around breaking stuff as fast as they can already. Just awesome.

    I think lulzsec got arrested a week or two ago, not that your point is any less valid.

  26. on the good side by kwikrick · · Score: 3, Insightful

    with the source code out, it should be easy to plug the security holes that the spyware uses, and it should be easy to generate hashes and heuristics for virus scanners to detect spyware on infected computers. In theory anyway.

    --
    assignment != equality != identity
    1. Re:on the good side by NotQuiteInsane · · Score: 2

      ... Or make variants of the spyware which avoid said heuristics.

      Sir, I'd like you to meet my friend, the double-edged sword...

    2. Re:on the good side by Anonymous Coward · · Score: 1

      "No shit, everything is a double-edged sword. Even a single-edged sword is a double-edged sword. Because on the one hand it's sharp but on the other hand it's dull....a single-edged sword is a double-edged sword."
      --Louis C. K.

  27. Re:WTF by CSMoran · · Score: 1

    You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.

    You and I know that. Now ask yourself, does a clueless user know that?

    --
    Every end has half a stick.
  28. Re:WTF by X0563511 · · Score: 1

    Blacklists are trivial to get around. There's all sorts of things you can do to avoid signature matching. Look up a polymorphic virus, it's the same idea.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
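The OS-level blacklist check described in comment 19, together with the limits raised in comments 26 and 28 (exact hashes need heuristics alongside them, and a trivially modified variant gets a new hash), as an added Python example that is not from the thread or from any of its posters. The sample "packages", the blacklist, and the heuristic marker are all constructed here and stand in for nothing real.

```python
"""Content-hash install blacklist as described in the thread, plus its known limits.

Every payload, hash and marker below is constructed for illustration; none of it
is a real SpyEye or fake-AV artifact.
"""
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    """Content hash used as the blacklist key: it depends on the bytes, not the file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a package the (hypothetical) OS vendor has already flagged.
FLAGGED_PACKAGE = b"SAMPLE-FAKE-AV-INSTALLER: constructed bytes, not real malware\n"
# Constructed benign package.
BENIGN_PACKAGE = b"SAMPLE-HELLO-WORLD-INSTALLER: constructed bytes\n"

# Hypothetical vendor blacklist: a set of content hashes, as comment 19 proposes.
VENDOR_BLACKLIST: Set[str] = {sha256_hex(FLAGGED_PACKAGE)}


def installer_check(filename: str, contents: bytes, blacklist: Set[str]) -> Dict[str, object]:
    """The installer-side check: hash the bytes being installed and refuse if listed."""
    digest = sha256_hex(contents)
    return {"file": filename, "sha256": digest, "blocked": digest in blacklist}


# A minimal heuristic rule of the kind comment 26 alludes to: a substring a scanner can
# pair with exact hashes so that small edits do not defeat it. Constructed marker.
HEURISTIC_MARKERS: List[bytes] = [b"FAKE-AV-INSTALLER"]


def heuristic_check(contents: bytes, markers: List[bytes]) -> bool:
    """True when any heuristic marker appears in the package contents."""
    return any(marker in contents for marker in markers)


def run_scenarios() -> Dict[str, bool]:
    """Exercise the three cases the thread argues about and report each as a boolean."""
    # Renaming the file does not change its hash, so the copy is still blocked.
    renamed = installer_check("Totally_Legit_AV.exe", FLAGGED_PACKAGE, VENDOR_BLACKLIST)
    # A package that is not on the list installs normally.
    benign = installer_check("hello.exe", BENIGN_PACKAGE, VENDOR_BLACKLIST)
    # Comment 28's caveat: a variant that differs by a single byte has a new hash,
    # so an exact-hash blacklist alone misses it.
    variant = FLAGGED_PACKAGE + b"\x00"
    variant_check = installer_check("Totally_Legit_AV.exe", variant, VENDOR_BLACKLIST)
    return {
        "renamed_copy_blocked": bool(renamed["blocked"]),
        "benign_allowed": not benign["blocked"],
        "variant_evades_hash_list": not variant_check["blocked"],
        "variant_caught_by_heuristic": heuristic_check(variant, HEURISTIC_MARKERS),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the two checks make together is the one the thread circles: a hash keyed on content defeats renaming (comment 19's requirement), but a real scanner has to add heuristic or behavioural rules (comment 26) because every edited variant starts with a clean hash (comment 28).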
  29. Re:WTF by BosstonesOwn · · Score: 2

    Just throwing this out there, but don't OS X and Linux both require a password when installing software from a downloaded package? As well as Windows when running as a non-admin user?

    And we all run as non admin users right ?

    I think you doubt the "want it now" factor.

    I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.

    --
    This package Does Not Contain a Winner
  30. Re:WTF by X0563511 · · Score: 1

    Do you use Windows (newer than XP)? UAC satisfies his first prompt. Do you use any modern Linux distro that uses a graphical sudo frontend? Then you just satisfied the second.

    Those are common ways for things in userspace (eg DancingPigs.exe or .sh) to ask for privilege escalation. Which the user will most likely provide, because they want their Dancing Pigs.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  31. Re:Wonderful by GameboyRMH · · Score: 1

    No, they think they arrested the spokesman but they arrested some dude who was framed by the spokesman. But the real spokesman (Topiary) has since had all his personal info released online so he's probably hiding in the woods right now.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  32. Re:No, SpyEye Trojan Source Code *NOT* Leaked by Em Adespoton · · Score: 1

    It's not even that... the source code for a tool that patches the tool that BUILDS SpyEye trojans has been *released*.

    It's amazing how the internet resembles that children's whispering game, considering we're dealing with text that supposedly doesn't change. I feel like I could write "I bought ice cream on Craigslist" on my blog and eventually see it posted to Slashdot as "Foreign terrorist creams Craig Ferguson." -- and yes, neither of these are news for nerds (well, maybe the first one).

  33. Re:WTF by Grishnakh · · Score: 1

    I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.

    Ok, and how exactly does that work? Some kind of malicious Javascript or something? That seems like it'd be a pretty easy thing to prevent on the browser side.

  34. This is a good thing by Candyban · · Score: 1

    They should do this more often.
    It is not that they will get sued for copyright infringement or revealing trade secrets ...

    If all malware were put freely on the internet, wouldn't that dry up some of the revenue streams for the authors? Sure, you will briefly see a spike in derivatives, but I believe the way to combat covert actions is not by covert counter-actions, but by bringing it all in the open.

    When you consider this to be a battle, there are a number of things which would make sense:

    1) Choose your battleground where you have a tactical advantage. Draw them in the open as "we" are more numerous and have more firepower.

    2) Disrupt their supply lines by removing incentives to start writing malware. When they are selling their malware, buy one copy and provide it for free. This will remove a lot of their demand as they will have to start charging more and increase their exposure (larger money transactions will stand out more) or drive them deeper underground which makes them harder to find and buy from.

    3) Increase your defences by making genuine software more secure and harder to exploit. "We" are making progress in this area.

    4) Decrease their firepower by implementing more control on the ISP level. This may be dangerous as there might be "civilian casualties" but spam zombies are easily identified. Remove zombie hosts from the network. Remove ISPs who do not take action on the zombies from the network. Reduce bandwidth from countries who do not take action on the ISPs. This will have an added bonus that it will also disrupt some of their revenue streams. What is the point of raising a botnet army when you cannot do anything with it?

    5) Demoralise their troops by taking legal action. Seize their spoils of war (assets) and their freedom (PoW).

    6) Moralise your own troops by increasing incentives to write good code and identify problems. Have them rated like their financial health and increase/decrease tax rates accordingly as would interest rates. This will give incentives to write secure code rather than rush something out the door. When problems arise, security holes are patched as quickly as they are discovered and it allows companies to pay security researchers for their effort. It may even convince some of the black hatters (mercenaries) to switch sides as it becomes more profitable.