A recent merger of two major banking Trojans has led to new concerns about the capabilities of banking malware.
It has recently been claimed that the Zeus and SpyEye Trojans merged to create one major botnet. Along with the well-known Zeus Trojan, SpyEye was described by novirusthanks.org at the start of this year as 'a new fresh and sophisticated web-based bot' that could be the possible successor to Zeus 'due to its very interesting features, with the main objective to steal bank accounts, credit cards, ftp accounts and other sensitive data from the victim's computer'.
Kapil Raina, senior product manager at IronKey, said that he believed the cause of the merger was the Zeus author retiring, and that SpyEye would become the dominant malware of the two.
He said: “The significance of this will mean more brains between the owners and less competition and that is a real problem. It does not need more mules and I believe that the sophistication will increase. Zeus had such a focus from government that the creator had to get out of the game, I heard that it can make $2-3 million on average but with enough mules, it can make $4-5 million a week and that is a lot of incentive to keep it alive.”
Paul Wood, senior analyst at Symantec Hosted Services, claimed that the Zeus toolkit fell into the public domain some time ago and that this led to smaller but more dominant botnets 'with the same intention in mind', rather than one big botnet.
Talking to SC Magazine, Ed Rowley, product manager of M86 Security, said: “Was this created from a merger or acquisition? It is interesting how it mirrors the business world with an OEM partnership agreement. Did the cyber criminals get rights to it or did they just steal it? There is a saying that there is no honour among thieves.”
David Jevans, CEO of IronKey, said: “The demand is there for this malware as the codes get more sophisticated. They are now working on getting malware and the Trojan (SpyEye) is not as well seen as Zeus but anyone can change it, but I am not sure what will happen. At the end of the day people do not want the code to die and will give it away.”
David Holmes, software engineer at F5, said that while Zeus and SpyEye remain a threat, he warned of 'a new kid on the block' called Feodo, which he said has the ability to deliver a payload that attacks over a dozen different banking institutions. He also warned of URLZone, which he said was the scariest new threat because it does not just steal credentials: it transfers money out of an account and then manipulates the browser so that it keeps showing the user their old balance.
He said: “I could not sleep knowing that each time I touched my bank account I might be letting the bad guys take all my money. I eventually made an appointment with a neighbourhood broker and invested that money to keep it safe.
“The FBI says that Zeus, SpyEye and URLZone stole $100 million in 2008 and 2009. One would expect cyber crime gains to be even larger this year as Feodo makes the rounds. If you were to plot these two trends, rising cyber crime and increasing online banking, you would expect a rise in the number of victims.
“So what is to be done? The anti-virus companies think we need to deploy them into the cloud (big surprise). I am not sure that we will be safe until you absolutely cannot install unsigned binaries onto your system. I am not saying that would fix it for all cases, but it would leave an audit trail. Perhaps it could get traced and locked up and maybe money would be 'safe' in our accounts again.”