Surge of SpyEye attacks begins, as free, cheap hacking toolkits circulate

By Byron Acohido, USA TODAY 22Aug2011, p1B

SEATTLE — The odds that a cybergang will stealthily turn your PC into a bot this summer and use it to carry out all manner of cyberattacks just notched notably higher.

That’s the upshot of a premier hacker’s toolkit, called SpyEye, recently being made accessible to cybercriminals of all stripes.

Security analysts anticipate a surge in SpyEye attacks the rest of this year.

“Every level of criminal, from the lowest to the highest rungs, can now use one of the deadliest Swiss Army knife hacking toolkits in the world,” says Sean Bodmer, senior threat intelligence analyst at network security firm Damballa.


It’s been about a week since the keys to accessing SpyEye were publicly disclosed. So far 14 cyber rings have taken advantage, using SpyEye to send commands to tens of thousands of infected PCs in the U.S. and Europe, according to Damballa research findings.

In the first six months of the year, SpyEye was being used by 29 elite gangs that collectively commanded at least 2.2 million infected PCs worldwide. SpyEye normally sells for up to $10,000. But as of last week the latest, most potent version of SpyEye could be acquired for just $95, says Bodmer.

Advances in cyber larceny

How this sudden discounting came to be — and the resultant security implications — highlight how complex and dynamic larceny on the Web has become over the past few years.

SpyEye surfaced in late 2009 as a bigger, badder rival to ZeuS, then the premier hacker’s toolkit. SpyEye quickly surpassed ZeuS. By the end of 2010, it had evolved into a pricey, user-friendly software program, sold, updated and copyrighted, much like any legit business application.


For a base price of $6,000, SpyEye put a sophisticated Internet-based management tool into the hands of the buyer. Optional plug-in programs pushed the price to $10,000.

Using SpyEye, a criminal can issue commands to networks of thousands of bots. SpyEye-run botnets have proven very difficult to dismantle. Criminals use them to deliver spam scams pitching fake drugs or worthless antivirus programs, conduct hacktivist-style attacks and booby-trap legit websites with infections that create more bots.

What’s more, SpyEye may be best known for enabling thieves to orchestrate the systematic siphoning of cash from the online banking accounts of consumers and small organizations. Transaction security firm Trusteer has documented SpyEye-orchestrated banking account heists in action. Running inside the victim’s browser, SpyEye:

  • Waits for the account holder to log into his or her online banking account.
  • Collects the user’s balance figure and determines whether the account is ripe for theft.
  • Initiates money transfers invisibly; the victim sees nothing.
  • Transfers funds into a mule account, set up and controlled by the thief to receive cash transfers.
  • Erases any evidence of the fraudulent transfer from the pages the victim sees.
  • Adds the stolen amount back to the balance displayed in the victim’s browser, as if nothing is amiss.
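The last two steps are what make the theft invisible. The following is an added illustration, not code from SpyEye, Trusteer or this article: a toy model of that man-in-the-browser rewrite, applied to an in-memory object standing in for the banking page (a real web inject rewrites the HTML the browser renders). The account figures and the mule payee name are constructed for the example. The point it shows is that the tampered statement still adds up internally, so only a comparison against a balance obtained out of band reveals the discrepancy.

```javascript
// Added example (not SpyEye's or the article's code). Models the "erase the
// evidence, add the amount back" rewrite on a plain object instead of the DOM.

const MULE_ACCOUNT = "J. Mule"; // assumed name of the attacker-controlled payee

// Constructed sample: what the bank's server actually sends after the theft.
const serverPage = {
  openingBalance: 3370.0,
  transactions: [
    { id: "T1", payee: "Electric Co.", amount: -120.0 },
    { id: "T2", payee: "Payroll Inc.", amount: 2500.0 },
    { id: "T3", payee: MULE_ACCOUNT, amount: -1500.0 }, // the fraudulent transfer
  ],
  balance: 4250.0, // true balance: 3370 - 120 + 2500 - 1500
};

// The rewrite the victim's browser would perform under the malware's control:
// drop every transaction to the mule and add the stolen total back to the
// displayed balance. Returns a new object; the server's copy is untouched.
function webInject(page, mule) {
  const stolen = page.transactions
    .filter((t) => t.payee === mule)
    .reduce((sum, t) => sum - t.amount, 0); // amounts are negative debits
  return {
    openingBalance: page.openingBalance,
    transactions: page.transactions.filter((t) => t.payee !== mule),
    balance: page.balance + stolen,
  };
}

// A check using only what the browser shows: opening balance plus the listed
// transactions should equal the displayed balance. The rewrite is crafted so
// that this still passes on the tampered page.
function statementIsSelfConsistent(page) {
  const sum = page.transactions.reduce((s, t) => s + t.amount, 0);
  return Math.abs(page.openingBalance + sum - page.balance) < 0.005;
}

// The check that actually catches it: compare the displayed balance with one
// obtained from an untampered channel (a phone call to the bank, another
// device, a mailed statement).
function matchesOutOfBand(displayed, trustedBalance) {
  return Math.abs(displayed.balance - trustedBalance) < 0.005;
}

// Stand-alone run: the victim sees 5750 while the bank holds 4250.
const victimView = webInject(serverPage, MULE_ACCOUNT);
console.log("displayed:", victimView.balance, "actual:", serverPage.balance,
  "self-consistent:", statementIsSelfConsistent(victimView),
  "matches out-of-band:", matchesOutOfBand(victimView, serverPage.balance));
```

The inject keeps the displayed statement arithmetically consistent, which is why the victim has no reason to suspect anything until a balance from a source the malware cannot touch is compared against it.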

“SpyEye is very dynamic and versatile,” says Amit Klein, Trusteer’s chief technical officer. “We see it pushing new builds to the field on a weekly basis. These frequent updates enable SpyEye to be more elusive and less detectable.”

Perpetual arms race

In early August, a French researcher, using the online handle Xyliton and said to be part of the Red (Reverse Engineers Dream) Crew, discovered how to crack SpyEye’s licensing key, which unlocks the software for full use, and wrote up the method as a tutorial. In cracking SpyEye’s key, Xyliton disabled a feature that requires licensed users to assign a name to their copy of the toolkit in an attribution field. Good-guy researchers use this attribution field to keep track of which crime rings are actively using SpyEye. Xyliton then published his findings on the Internet.

Skilled hackers quickly created simple programs to access full versions of SpyEye and began selling them for around $100, says Damballa’s Bodmer.

Because of how the crack was carried out, the free and discounted versions of SpyEye recently put to use in attacks are much harder to tell apart, says Bodmer. “Not only is the toolkit now free or very cheap, but attributing usage to a specific criminal operator has become significantly more difficult,” he says.

A debate in tech security circles has ensued as to whether Xyliton’s disclosure did more harm than good. Some experts argue that tech security companies now have more detail about how cutting-edge hacking tools work, which should help with detection and filtering.


“White hats may now gain insight into the workings of (SpyEye), but this will not be the end of the perpetual arms race,” says Etay Maor, cybercrime specialist at RSA, The Security Division of EMC.

Maor predicts that SpyEye’s creators will fix the cracked licensing key, improve the core toolkit and push out new advancements.

Others worry that botnets have been widely used this summer to conduct intensive Google searches — known as Google hacking or Google dorking — as part of campaigns to locate, then mass infect, more than 8 million web pages published by smaller online merchants and professional firms. Anyone who navigates to one of these infected small-business pages with an unpatched browser or plug-in risks having his or her PC turned into a bot.

“Google hacking is often the first step to perform reconnaissance,” says Rob Rachwald, strategy director at security firm Imperva. “It’s very likely that SpyEye will be used for Google hacking, and leveraging SpyEye is imminent.”

A hint of SpyEye’s coming surge pattern can be gleaned from the similar public disclosure of ZeuS source code last May, which drew the tech security community’s attention. RSA recorded a 66% increase in ZeuS usage in the ensuing months.

“It is very likely we will see yet another spike following SpyEye’s leak,” says Maor. “We also have to keep in mind that more Trojan attacks are launched because fraudsters can now buy Trojans priced per variant, without purchasing the whole kit, accounting for an increasing number of ‘small-timers’.”
