In association with heise online

10 February 2010, 14:57

Spy versus spy

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Symantec Logo Botnet toolkit ZeuS, popular among criminal elements, is facing competition from 'SpyEye'. According to analysis by Symantec, the latest version of SpyEye, thought to originate in Russia, even includes an option to eliminate any ZeuS bots encountered from infected PCs The toolkit allows users to individualise their bots – prior to running the build process the user can select a key for encrypted communications and a path to a command and control server.

Symantec's analysis makes clear just how easy it now is for criminals to spy on other users. SpyEye includes a form grabber for reading web form content, including user names and passwords entered automatically by browsers on some web pages. SpyEye can also read POP3 email traffic, FTP traffic and website login data.

The bot is distributed to victims by several techniques, such as email. The command and control server allows data to be collected from, and additional files containing malware to be uploaded to, the bots via a user-friendly interface. Although modern toolkits may make it easy for less technically accomplished criminals, there are still some pitfalls. In mid 2009, one 100,000-bot ZeuS botnet destroyed itself, possibly as the result of an operating error.

SpyEye, which is available from underground forums, also competes with ZeuS on price. ZeuS sells for between $400 and $700, SpyEye can be picked up for $500. Malware authors have long competed for control of Windows systems. Whilst worms first started to fight it out in 2004, a struggle for the largest botnet, involving a number of malware authors, was first observed in 2007. Recently bot herders running Srizbi, Mega-D, Rustock, Pushdo and the storm worm have been fighting over the largest slice of the spam pie. ZeuS and SpyEye, by contrast, are pure data stealers with no native functionality for sending spam.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-926839
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit