Professionalism in the Underground
It’s no secret to those who study illicit (shadow) economies that things change rapidly in order to meet supply and demand. Profit (regardless of how you define it) remains supreme; loss the enemy. This is true in all markets, legal or illegal, with cybercriminal markets being no exception. Take botnets for example. The market for botnets changes at an amazing rate. The purpose, style, functionality, models for acquisition (do I rent or do I own?), size, and effectiveness are dynamic and evolving. Often advanced marketing campaigns (some more formal than others) are employed which showcase the botnet (and author’s) vision and dedication to their products. Many times in the course of these marketing campaigns, information such as the following is provided:
- Service Level Agreements
- Technical Assistance Centers (TAC)
- Price guarantees
- Competitive Analysis Intelligence
Winds of Change: ZeuS and SpyEye
No better example of this comes to mind than that of the infamous ZeuS botnet also known as the Zeus banking Trojan (Zbot, PRG, Wsnpoem, Gorhax and Kneber). Not long ago what initially looked like a hostile takeover involving the authors of the SpyEye Trojan and the authors of the ZeuS banking Trojan was underway. The upstart authors of the SpyEye Trojan made international headlines in 2010 when it was discovered that the Trojan had the capability of automatically searching for and removing ZeuS from compromised hosts before installing itself. The team behind SpyEye (called the ‘ZeuS Killer’ by its author) also made sweeping allegations regarding the inefficiencies of their competitor while touting their strengths. Then something odd occurred. The underground forums rang like cathedral bells when it was made known that a Russian hacker known by the handles “Slavik” and “Monstr” had no future plans for maintaining the now ubiquitous crimeware kit. Instead, according to numerous hacker forums and IRC channels the author decided to transfer the original source code of his Trojan to the authors of the SpyEye Trojan.
Figure 1a: Spyeye Advertisement
Figure 1b: Spyeye Advertisement
Figure 1c: Spyeye Advertisement
Figure 1d: Spyeye Advertisement
A Possible New Variant of ZeuS?
That this sort of activity is occurring in the underground is not surprising, but it does make me wonder whether or not the authors of ZeuS sold to only one buyer. I believe that they did not, based on the following information gathered from open sources:
Figure 2: New ZeuS Variant
Figure 3: New ZeuS Variant
Figure 4: New ZeuS Variant
Figure 5: New ZeuS Variant
The advent of this new variant may partially explain the uptick in activity that we and our peers are seeing in our research. You’ll note in Figure 5, which is a data graph provided by abuse.ch Zeus Tracker, that there appears to be an uptick in ZeuS activity beginning right about the same time this latest variant was made public. In speaking with researchers in Latin America and Europe, this correlates with the data we at HP DVLabs have collected. You’ll note in Figures 6 and 7 respectively that the light green bar represents unique source IP addresses while the light blue represents unique destination IP addresses.
Figure 6: abuse.ch Zeus Tracker Statistics for February and March 2011
Figure 7: ZeuS Botnet Command and Control Phone Home Request
Figure 7 depicts a phone home attempt (indicative of a backdoor C&C model) made by a compromised host infected with the ZeuS Trojan (botnet). What is interesting to note is the valley that occurred between March 13 and 15, 2011, as that correlates with the alleged ‘transition’ period of ZeuS source code from ‘Slavik’ to ‘Harderman’, author of the SpyEye Trojan (botnet).
Figure 8: Spyeye Botnet Command and Control Phone Home Request
Similarly, Figure 8 depicts a phone home attempt (indicative of a backdoor C&C model) made by a compromised host infected with the SpyEye Trojan (botnet). Note the comparable uptick in activity that closely parallels that seen in our research and that of our peers. As mentioned earlier in this blog, SpyEye is a cleverly crafted mobilized Trojan that has the ability, among other things, to:
- Enumerate target hosts for the presence of ZeuS and remove it prior to installing itself
- Monitor keystrokes
- Record username / password combinations
- Harvest credit card numbers
- Upload all acquired data to remote servers for storage and collection once it has concluded harvesting
As it stands we will continue to monitor ZeuS’s evolution in concert with SpyEye and independent of it as our findings demonstrate that it remains alive and well. This latest variant of ZeuS is being offered for approximately $5500.00 USD payable via a number of means. We predict continued growth and the potential for expansion with respect to this botnet and will monitor its activity moving forward.