Everyone knows that the first year of marriage can be a tough one -around three percent of them end in the first 12 months. Looks like the same can be true of malware marriages, with the union of the Zeus and SpyEye Trojan now in question.
Just one year after news broke that the Zeus and SpyEye Trojan families had merged, virus experts say there’s reason to question whether the union is still intact.
Researchers at Microsoft and Kaspersky Lab told Threatpost that, although there’s clearly evidence that code was shared between the two malware families, the rumored merger of Zeus and SpyEye never took place. In fact, the two botnets continue as separate entities, with some researchers wondering if they are even controlled by the same individuals or criminal groups.
Zeus and SpyEye were the two main families of botnet software, with SpyEye playing the role of upstart competitor to the more established Zeus. For a while, the competition for online hosts was intense, with both malware families adding features to remove the other on systems they infected.
That rivalry seemed to end in October, 2010, when researchers observed what appeared to be a merger of the two crime kits, around the same time that the author of the Zeus botnet decided to release the malware code as an open source repository. Those reports were backed by online forum posts by the SpyEye author claiming that the Zeus source code had been turned over to him and that the two Trojans would soon be “merged into one powerful Trojan.”
By the end of 2010, an update to the SpyEye crimeware toolkit (1.3.X) included a feature, formerly unique to the Zeus crime kit, that targeted an anti-Trojan agent developed by the firm Trusteer. The new version of SpyEye also removed a feature to remove the Zeus malware if it was found running on the affected machine, Microsoft said.
Despite some early reports that a merged SpyEye/Zeus Trojan was circulating online, the promised merger never happened, beyond some basic cutting and pasting of code. In fact, subsequent reports suggested that the two malware families were continuing down separate tracks, with Zeus adding new features not seen in the other.
Now Microsoft says that reports of the merger may have been overblown. In a post Tuesday on the company’s Threat Research and Response Blog, researchers said that they considered reports of the union to be “speculative” and saw little evidence that Zeus and SpyEye were sharing code.
The company declined to discuss the specifics of its research, but stood by the statement in its blog post.
Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. “SpyEye could not intercept the cached html-code,” Tarakanov wrote in an e-mail. “So the author of Spyeye had seen that part of the code where Zeus replaces the cache as well and added that part of code into his own source code of SpyEye.”
But there’s little evidence of further consolidation of the two code bases after that, he said. “We can make a conclusion that author of SpyEye did not even try to concoct one bot squeezing all the best from two source codes,” he wrote.
Tarakanov said he believes the original author of Zeus was interested in washing his hands of the malware industry, especially with increased attention to the Zeus malware by law enforcement. In September, 2010, more than 60 individuals were charged in the U.S. and U.K. for crimes linked to the Zeus botnet. That may have chased the bot’s original author into hiding.
Human nature may explain the SpyEye author’s failure to carry out a grand union of the two botnets that was originally promised. “People tend not to change work,” Tarakanov wrote. In other words: ‘if it ain’t broke, don’t fix it,’ as the saying goes.
However, its harder to explain the subsequent modifications to the Zeus code, which Tarakanov said are “too serious and notable” to be the work of amateurs. While its possible that the SpyEye author would choose to keep the malware families separate, its harder to understand why new features added to Zeus weren’t also added to SpyEye. “A programmer really does not like to code one thing twice. So, it’s hard to believe that the author of SpyEye somehow developed new features (but different) for SpyEye and for Zeus,” he wrote.
One possibility is that both tools are being offered to cyber criminals simultaneously, rather than requiring any one set of customers to adapt abandon their platform of choice, or asking everyone to switch to a new, merged platform. Aviv Raff, the CTO of Seculert, said in June that his researchers had found evidence of back-end servers that are being used to host both the Zeus and SpyEye crimeware packs. Attackers who are interested in using one or the other can have their choice of which tool they’d like to use at any given time, said Raff, who expects greater convergence of crime kits like SpyEye and Zeus and Web exploit kits in the future.
Its also possible that main development of Zeus has been passed to a third party now that the malware source code is available online. “The situation is too muddy and there are too many conflicting arguments,” Tarakanov said.
