Reports are emerging from the UK that authorities have arrested three individuals in connection with the SpyEye botnet. Unfortunately, these appear to be bit players rather than the brains behind the SpyEye malware platform, and will have virtually no impact on the threat of SpyEye in general.
Arresting these guys is a bit like making a drug bust of the thug selling dime bags on the corner while the real drug kingpin sips piña coladas in a villa on the beach in Costa Rica. The arrest might temporarily stop drugs from being sold on that particular block in that particular neighborhood, but have virtually no impact on drug trafficking as a whole. Another thug will be standing on that same corner selling the same dime bags tomorrow.
Fred Touchette, senior security analyst with AppRiver, agrees with the drug dealer / drug lord analogy, but adds that even relatively trivial arrests such as these send a message that law enforcement is not going to tolerate such activity, and that it has the skills and capabilities to track down the attackers.
AppRiver's Troy Gill concurs with Touchette's opinion that the arrests send a message. He points out that the arrests still disrupt criminal activity on some level, and let other would-be script kiddies know that there is risk involved with cybercrime. Gill also notes that information gathered from these low-level players might contribute to the greater goal of tracking down the SpyEye source.
Vikram Thakur, principal security response manager for Symantec, commented, "Perhaps a more accurate analogy would be the arrest of someone who uses a gun to commit a crime, while the source that individual obtained the gun from remains free," adding "Regardless of the analogy, these individuals were caught stealing money from multiple banks. My assumption is that this involved a substantial monetary loss, since it warranted an investigation by law enforcement officials that appears to have lasted more than three months."
Thakur notes that individuals who are directly affected by botnets or malware attacks are primarily interested in simply catching the perpetrators of their particular crime. They aren't necessarily concerned with the big picture of whether or not law enforcement manages to track down and prosecute the source of the tool that was used.
McAfee's Dave Marcus has a more ominous take on the big picture, though. Marcus agrees that the individuals arrested are essentially script kiddies, but says that even if authorities arrested the authors of the SpyEye malware toolkit it would have little impact on the overall threat of SpyEye. Marcus notes "The code is out there, and will continue to be developed."
Is it good news that UK authorities put a stop to the criminal activity of these three individuals? Absolutely. But, ultimately it means little in the grand scheme of malware attacks.