The source code for a patch that strips protection from the builder so the SpyEye malware development kit can be disassembled is now publicly available thanks to Xyliton and the Reverse Engineers Dream Crew (RED Crew). At face value, this is great news because it helps the security industry understand and combat SpyEye, but there is also a down side.
Opening the secrets of the software will help security researchers combat the threat, but it also exposes the source code to other malware developers who can now adapt and morph SpyEye into a new, more insidious threat. Just as the security industry unveils and defangs SpyEye, new SpyEye variants will appear that continue to thwart efforts to block it.
A blog post from Damballa Labs declares, “SpyEye has been on everyone’s priority list of threat discussions for quite some time, and is now going to become an even more pervasive threat. The same thing happened when the Zeus kit source code was released in March 2011.”
Breaking into the source code is great news for the security research and anti-malware communities. The best way to develop effective defenses for SpyEye attacks is to understand the inner workings of the malware development kit itself, and be able to identify unique aspects of SpyEye threats so they can be blocked.
Unfortunately, because the crack for the patch to get to the SpyEye source code has been released to the public, its use is not limited to ethical security researchers. Purchasing the SpyEye malware development kit bundle costs about $10,000, but now would-be cyber criminals can keep their cash and set up shop for free by finding a leaked copy of the SpyEye malware kit and using this crack.
The Damballa blog post warns, “Reverse Engineering is nothing new, but putting in the hands of babes one of the most powerful cyber threats today, ‘for free’, is something that will mean even more sleepless nights for security administrators.”
Sean Bodmer, Senior Threat Intelligence Analyst for Damballa, explains, “Damballa labs has been tracking dozens of new Zeus bot operators since the leak earlier this year, and now that SpyEye has been outed it is only a matter of time before this becomes a much larger malware threat than any we have seen to date.”
Bodmer sums up, “So for the next few months, please hold onto your seats people… this ride is about to get very interesting.”