SpyEye, the most advanced and dangerous malware kit today, has been incorporating functionality of the Zeus malware builder kit since early 2011. Today, for the first time, SpyEye builder patch source code (for release 1.3.45) was leaked by an infamous French security researcher named Xylitol, part of the Reverse Engineers Dream Crew (RED Crew). He was able to locate a copy of SpyEye builder 1.3.45 and created a walkthrough/tutorial that enables the reader (once in possession of SpyEye builder) to crack the hardware identification (HWID) which has been secured using VMProtect (a licensing tool that locks an installation of software to a particular physical device). This leak is important as it illustrates the coding techniques of Gribo-Demon’s team (the authors of SpyEye) and also deals another blow to the underground criminal ecosystem.

But it is a double-edged sword.

1. Now that a patch/crack for the SpyEye builder (the tool that generates the SpyEye malware) has been released along with source for the HWID crack, security researchers can now begin bug hunting for vulnerabilities in the authors work. This is a good thing, especially if you have the SpyEye SDK and know which APIs are available and capable of being accessed/exploited for defensive purposes. This approach also helps security firms better understand the techniques and methods behind the latest release of SpyEye.

2. The patching/HWID cracking process also ‘zeros out’ the operator’s name. This makes attribution of the actual “smith” difficult (the author who builds the malware, aka ‘the black smith’) as well as any customers of Gribo-Demon, who builds binaries for lower rung criminals, like the three that were arrested earlier this year, http://www.eweek.com/c/a/Security/SpyEye-Arrests-Dont-Touch-HighLevel-Trojan-Developers-176886/

As you can see below, on the top left hand side of the window, there is the handle [harderman] which is where one would commonly find the handle of the customer of the author team. The crack released by Xyliton actually zero’s out the field to [] so there can be no attribution to the actual operator beyond following the bread-crumbs of the command-and-control (CnC) infrastructure and then pump-and-dumping the remote CnC server allowing for more formal attribution.

The source, and the ability to ‘zero out’ the builder’s name is already being seen in binaries as of today, 8/11/2011. So, in less than 12 hours, the world of cyber criminals are utilizing the silver platter they have been handed.

The steps for the walkthrough are listed here on a blog titled XyliBox – http://Xylibox.blogspot.com/2011/08/cracking-spyeye-13x.html. This does not link to the source, but illustrates the capability if you know where to look. The walkthrough is hard enough to keep newbs from getting into trouble, but just enough information for any seasoned security professional or criminal to get started – for good or for evil. As you can see in the below window, by using the walkthrough (which I have done for research purposes) it illustrates the ease (took me less than 15 minutes) in which a proficient coder can remove any attribution to the SpyEye builder itself, which typically embeds the handle, like [harderman], within the malware agent.

With the leak of the patch/crack and code, and a walkthrough that cracks Gribo-Demon’s primary income engine, what will he offer next as a way to get his current and future customers coming back for newer and better versions of his code? With this leak and the leak of the Zeus source in March 2011 (leaked apparently by Slavik himself, the original steward of Zeus), this now puts one of the world’s largest botnet criminal enterprises at risk to all sorts of horizontal and vertical attacks by world governments, law enforcement, security vendors, and even other criminals desiring to increase their monetary footprint across the Internet. The code itself is not anything unexpected as far as talent of the SpyEye author team, but this could mean a ‘monkey-wrench’ has been thrown into the Darkunderground (Gribo-Demon’s crew) and their business of selling SpyEye builders – now anyone can crack the latest version and begin releasing newer versions with newer features. At over $10,000 (USD or WMZ) for the bundle, it is now easier and cheaper for criminals to find a leaked version and use this walkthrough to break the embedded security of the builder and start their own enterprise.

The patch was written by the RED Crew (whose handles are seen below in a code sample), who worked diligently to disseminate the patch for anyone who has the actual builder. Once the builder is in hand, the aspiring criminal can begin tearing apart SpyEye. The RED Crew have their own SpyEye kit along with several other security groups who are working diligently to find holes in this threat. Reverse Engineering is nothing new, but putting in the hands of babes one of the most powerful cyber threats today, ‘for free’, is something that will mean even more sleepless nights for security administrators.

SpyEye has been on everyone’s priority list of threat discussions for quite some time, and is now going to become an even more pervasive threat. The same thing happened when the Zeus kit source code was released in March 2011. Damballa labs has been tracking dozens of new Zeus bot operators since the leak earlier this year, and now that SpyEye has been ousted it is only a matter of time before this becomes a much larger malware threat than any we have seen to date. So for the next few months, please hold onto your seats people… this ride is about to get very interesting.

— Sean Bodmer, Senior Threat Intelligence Analyst

Tags: Command-and-Control, malware, malware analysis, spyeye, Zeus

This entry was posted on Thursday, August 11th, 2011 at 4:37 pm and is filed under Industry Commentary, Threat Research. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.