An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.
Security researchers say the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.
The feature, called “Kill Zeus,” apparently removes the Zeus software from the victim’s PC, giving Spy Eye exclusive access to usernames and passwords.
Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own “botnet” — networks of password-stealing programs.
Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules — residents with bank accounts — who then move the cash out of the country.
Sensing an opportunity, a number of similar Trojans have emerged recently, including Filon, Clod and [Bugat], which was discovered just last month.
Spy Eye popped up in Russian cybercrime forums in December, according to Symantec Senior Research Manager Ben Greenbaum.
With its “Kill Zeus” option, Spy Eye is the most aggressive crimeware, however. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks.
“This author knows that Zeus has a pretty good market, and he’s looking to cut in,” he said.
Turf wars are nothing new to cybercriminals.
Two years ago a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi.
And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.
Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. To date, it has not been spotted on many PCs, however.
Still, the Trojan is being developed quickly and has a growing list of features, Greenbaum said. It can, for example, steal cached password information that is automatically filled in by the browser, and back itself up via e-mail.
“This is interesting in its potential, but it’s not currently a widespread threat at all,” he said.
Bot blitz on the horizon
Meanwhile experts a sharp rise in the volume of spam transmitted by bot infected computers is on the card.
The brief global we experienced since the shutdown of Internet Service Provider (ISP) McColo last November is over – and new and more resilient botnets are filling the void.
When hosting providers agreed to cut off McColo, that severed the Srizbi command centre from its legion of zombies (or infected computers) — and this immediately cut in half the volume of e-mail spam flowing across the Internet.
But spam levels are back to 74.6 per cent of all e-mails sent in January, which is about 90 per cent of the spam levels in November, according to a report from security vendor MessageLabs.
“We always knew that when the McColo shutdown happened it wasn’t the end of spam,” says Matt Sergeant, senior anti-spam technologist at MessageLabs, now part of Cupertino, Calif.-based Symantec Corp. “The people making money from this aren’t going to just lie down and stop.”
The security research community won a minor victory when McColo was shutdown.
The Srizbi botnet suffered a technical problem that meant it couldn’t move to another host to talk to its zombies. But now those same spammers have created new botnets, and other existing botnets have become more active.
“The shutdown of McColo was really just a temporary setback for spammers,” says Jim Lippard, director of information security at Global Crossing, a Hamilton, Bermuda-based global telecommunications provider.
“I doubt that anyone is going to rely on a single Web host for their command and control host anymore.”
New botnets won’t be as easily shutdown as Srizbi. Spammers are using new techniques to regain connection with zombies even if their hosting service is shut down.
The recent nasty Windows worm Downadup demonstrated such an ability, though the malware hasn’t been used as a botnet, Lippard says.
It is able to generate domain names that appear random, but are set to match the date the worm lost contact with its host server. That way, controllers of the malware can set up another domain that will talk to the same infected PCs again.
“This way, they’re not relying on a single host or a single domain,” he says. “Things have been made a bit more difficult.”
Botnet rogues gallery
In the wake of the McColo shutdown, the new botnet landscape is currently dominated by a single main player and several botnets that could potentially explode, according to MessageLabs.
The top spammer is now the Mega-D or Ozdok botnet. With 660,000 zombies at its disposal, it is sending out an average of more than 26.5 million spam messages a minute. That makes it the most efficient spamming network around.
Mega-D was somewhat disrupted when its host was shutdown before McColo, Sergeant says. But now it’s back and stronger than before.
“They’ve expanded their botnet even further and they’ve acquired the customers that were using Srizbi,” he says.
Meanwhile, the Srizbi botnet masters are likely behind a new botnet dubbed Xarvester, Sergeant adds. “You can tell because of the way the e-mail headers are constructed, and some other similar patterns in the e-mails being sent.”
Despite being new, Xarvester is already the fourth most-spamming botnet. It has infected 260,000 computers had sends out an average of 3 million messages per minute. It could be a competitor with the Mega-D network if it continues to grow.
With new and tougher botnets looking to recruit an army of zombie computers, it may be up to end users and businesses to be vigilant about keeping their computers clean of infection.
The security research community worked for years before McColo was shut down. Now shutting down an ISP might not even make a dent in spam messages.
Businesses can take some simple steps to ensure they aren’t part of the problem, Lippard says. “If you suddenly see a diverse number of sources on your network hit a URL that it hasn’t before, that should raise a red flag,” he says.
Web filtering services can help weed out Web addresses known to be malicious or unwanted. Many companies use these services to police their corporate network, and they are becoming more important as botnets use Web ports for communication, as opposed to the IRC ports used in the past.
Another port that organizations should be blocking is port 25, Sergeant says. Used for e-mail communications, botnets will be trying to access it directly to send out spam. Legitimate e-mail can be let in through SMTP and exchange servers, or exceptions to the filter.
“Every single e-mail goes out over port 25, so by blocking it, you’re blocking out all botnets,” he says.
Blocking the port is a good piece of advice, Lippard agrees. But it’s not foolproof. Spammers have sometimes adapted by sending out mail on the accepted servers in order to bypass the filter.
“It’s a never ending arms race. For every vulnerability they exploit, there’s a counter-measure, and then another way around the counter-measure,” he says.