
SpyEye Trojan Source Code Leaked

Soulskill posted more than 3 years ago | from the without-the-consent-of-major-league-baseball dept.

Security 55

wiredmikey writes "The SpyEye malware kit has long been both the bane of unsuspecting victims and a boon for cyber-criminals. Now, according to security researchers, the situation may have taken a turn for the worse. The SpyEye Builder patch source code for release 1.3.45 was leaked by the Reverse Engineers Dream Crew (RED Crew) recently after a crew member was able to locate a copy of SpyEye Builder 1.3.45 and create a tutorial that enables a reader with SpyEye Builder to crack the hardware identification."


WTF (0, Troll)

Anonymous Coward | more than 3 years ago | (#37100222)

...does any of this mean? Can we get summaries that aren't the first paragraph of TFA? Can we get an explanation of what the hell TFA is talking about and why we should care?

Sheesh.

Re:WTF (1)

AnotherScratchMonkey (592037) | more than 3 years ago | (#37100496)

It means it's now available to script kiddies.

Re:WTF (1)

kidgenius (704962) | more than 3 years ago | (#37100586)

as opposed to whom? Didn't these script kiddies have this script before as well?

Re:WTF (1)

AnotherScratchMonkey (592037) | more than 3 years ago | (#37100670)

According to the article, the code was only available for purchase before.

Re:WTF (1)

Riceballsan (816702) | more than 3 years ago | (#37101320)

Now it's available to 13-year-old script kiddies living in their mother's basement; before, it was only available to script kiddies with thousands of dollars to invest.

Re:WTF (1)

Grishnakh (216268) | more than 3 years ago | (#37100608)

What's wrong with that? With the source code to this malware now publicly-available, then it should be trivial for any systems vulnerable to it to be patched quickly, as it'll be obvious exactly what attack vectors it uses.

This sounds like good news, not bad news.

Re:WTF (2)

zget (2395308) | more than 3 years ago | (#37100784)

Yes, it's really trivial to patch human stupidity, which nowadays leads to most malware infections.

Re:WTF (1)

Grishnakh (216268) | more than 3 years ago | (#37101012)

Please explain exactly how "human stupidity" leads to malware infections. I'm sure I can come up with a simple technical solution for every one.

Re:WTF (2)

dgatwood (11270) | more than 3 years ago | (#37101134)

Please explain exactly how "human stupidity" leads to malware infections.

User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.

I'm sure I can come up with a simple technical solution for every one.

Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)

Re:WTF (1)

Grishnakh (216268) | more than 3 years ago | (#37102080)

User is presented with a web site banner ad for a fake antivirus product. User downloads the antivirus product and installs it. User gets hosed.
Good luck with that. (BTW, solutions that bring with them a host of other problems, e.g. walled gardens, don't count, as they aren't simple.)

I can think of one method: a blacklist. The OS should have a standardized method for software installation (like apt-get or yum). When installing something, the installer checks with the OS vendor's site to get the most updated blacklist, and checks that the software being installed isn't on it. For better security, this check should use some kind of signature so simply renaming files or whatever doesn't get around it. Obviously, this is a reactive approach rather than proactive, but it would still make it fairly pointless to go to the trouble of setting up a website and making fake antivirus (or other) software, as they'd get put on the blacklist quickly and wouldn't get very many successful infections before they needed to change things enough to get around the blacklist, until the blacklist is updated again. These malware purveyors need a large number of infections for their work to be profitable, and if the reward is too little for the amount of effort needed, they won't bother.

Obviously, a whitelist would be more secure, but that's basically the same thing as a "walled garden" as you mentioned, and has a lot of other problems (namely, it'd create a monetary barrier of entry to anyone trying to distribute software, whether free or not, as the OS vendor would undoubtedly charge to get on the whitelist; it'd also make it a pain to create your own software, custom in-house software, etc.).

So what other methods these days lead to malware infections, or is that pretty much the only one left? This one really isn't that bad, as it requires a fair amount of effort for the user to get himself infected: he has to go to a new website, click on something to download a file, and then click on something allowing it to be run. I haven't used IE lately, but haven't they made it so you can't just run executables when you download them (i.e., you must first download them someplace, and then go execute them from a file manager)? That's a pretty far cry from simply clicking on something that you don't even know will install software on your system, which is what used to happen years and years ago.

Re:WTF (1)

dissy (172727) | more than 3 years ago | (#37102312)

I can think of one method: a blacklist.

You mean an antivirus program?

Re:WTF (1)

Grishnakh (216268) | more than 3 years ago | (#37102698)

Sort of, but it has to be tied into the OS so that you can't easily install software without going through this check. Since this would seem to require a standardized way of installing software (instead of individual programs just doing whatever they want, which seems to be the norm on one popular OS), it would work a lot better if it were done by the OS vendor itself, rather than being added on by some 3rd-party vendor.

To me, the whole idea of a 3rd-party antivirus program seems wrong. If there's a need for security add-ons to prevent programs from misbehaving, that seems to be the job of the OS, and if a 3rd party product needs to be added on to fix a basic problem with the OS, there's something seriously wrong. This doesn't mean that add-ons aren't useful sometimes; several Linux distros include AppArmor, for instance, which helps to prevent pre-existing vulnerabilities in installed software from being exploited by limiting what that software is allowed to do on the system. But AppArmor (while made by a different team) is packaged and included as part of the OS by the distro so that it's properly integrated; it's not installed after-the-fact by users.

Re:WTF (1)

X0563511 (793323) | more than 3 years ago | (#37106270)

Blacklists are trivial to get around. There's all sorts of things you can do to avoid signature matching. Look up a polymorphic virus, it's the same idea.

Re:WTF (1)

newcastlejon (1483695) | more than 3 years ago | (#37101148)

It's easy:

Blah blah blah administrator blah blah would you like blah blah... .
*Clicks No*

Or:

Yadda yadda type password...
Sure, whatever...
*types password*

And bish bash bosh, you've got the electronic clap [wikipedia.org] .

Re:WTF (1)

Grishnakh (216268) | more than 3 years ago | (#37102096)

Sorry, you're not making much sense here. For some window to come up asking for your password, some software (i.e. malware) has to already have been installed on your system. How'd that get there?

Re:WTF (0)

Anonymous Coward | more than 3 years ago | (#37102334)

Sorry, you're not making much sense here. For some window to come up asking for your password, some software (i.e. malware) has to already have been installed on your system. How'd that get there?

They call that a "web browser" or, in some cases, an "operating system".
FYI those things tend to come pre-installed on computers these days.

Re:WTF (1)

Grishnakh (216268) | more than 3 years ago | (#37102718)

You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.

If you have some kind of specific instance you can describe in detail, let's hear it, but let's dispense with this vagueness.

Re:WTF (1)

CSMoran (1577071) | more than 3 years ago | (#37104306)

You're still making no sense at all. When does a web browser pop up a window asking for your root password? Never. When does an OS do such a thing, prompted by some 3rd-party malware? Never.

You and I know that. Now ask yourself, does a clueless user know that?

Re:WTF (0)

Anonymous Coward | more than 3 years ago | (#37104576)

When does a web browser pop up a window asking for your root password?

I dunno, it's always popping all this annoying shit up in my face any time I want to do anything. I just click on shit until it goes away. Password? Hell I see it asking for that all the time. If you could tell me how to just turn that thing off entirely I'd be happy.

Re:WTF (2)

BosstonesOwn (794949) | more than 3 years ago | (#37106278)

Just throwing this out there, but don't OS X and Linux both require a password for installing software from a downloaded package? As well as Windows when running as a non-admin user?

And we all run as non admin users right ?

I think you doubt the "want it now" factor.

I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.

Re:WTF (1)

Grishnakh (216268) | more than 3 years ago | (#37110142)

I know quite a few occasions when a savvy user was faked into clicking the close button on a browser window and the browser launched an escalation attack and injected its own app and infected the system.

Ok, and how exactly does that work? Some kind of malicious Javascript or something? That seems like it'd be a pretty easy thing to prevent on the browser side.

Re:WTF (1)

X0563511 (793323) | more than 3 years ago | (#37106300)

Do you use Windows (newer than XP)? UAC satisfies his first prompt. Do you use any modern Linux distro that uses a graphical sudo frontend? Then you just satisfied the second.

Those are common ways for things in userspace (eg DancingPigs.exe or .sh) to ask for privilege escalation. Which the user will most likely provide, because they want their Dancing Pigs.

Re:WTF (2)

Lumpy (12016) | more than 3 years ago | (#37100620)

Hello? this was FOR script kiddies, it was DESIGNED for script kiddies. Script kiddies have had it all along.

Now joe schmoe script kiddie that does not have any money at all because he blows it all on Monster and Twizzlers in his mom's basement can now have it.

Re:WTF (1)

Hsien-Ko (1090623) | more than 3 years ago | (#37100600)

It means it's coming to Linux

Re:WTF (4, Informative)

flappinbooger (574405) | more than 3 years ago | (#37100668)

...does any of this mean? Can we get summaries that aren't the first paragraph of TFA? Can we get an explanation of what the hell TFA is talking about and why we should care?

Sheesh.

Spy Eye is a pretty well known and powerful RAT/Bot tool on level with the venerable Zeus. The real non-backdoored copies are (generally) all for-pay.

This is a licensed for-pay malware/crimeware toolkit. The source code is leaked and there is a CRACK for the builder. This is key. Now it's easier for the freeloaders and skiddies to get at and CUSTOMIZE this high level malware tool, making it harder to detect.

This means things are going to get more interesting (re: worse) before they get better.

The 'hacker' scene is like .001% real coder and 99.999% script kiddie and leech. This makes powerful tools available to many more people than before.

Re:WTF (1)

cm017510 (2400266) | more than 3 years ago | (#37100742)

Thanks for that.

Re:WTF (1)

Hatta (162192) | more than 3 years ago | (#37101570)

That's the power of open source.

Re:WTF (1)

flappinbooger (574405) | more than 3 years ago | (#37101664)

That is true, having SpyEye wide open like this will help security researchers and white hats just as much as the skiddies and black hats. TFA mentions as such.

The department? (1)

Anonymous Coward | more than 3 years ago | (#37100254)

from the without-the-consent-of-major-league-baseball dept.

really? that's the best phrase you came up with?

Re:The department? (2, Informative)

Anonymous Coward | more than 3 years ago | (#37100324)

It's from the Simpsons episode "Brother's Little Helper."

*TWELVE YEAR OLD SPOILER WARNING*

Major League Baseball is found to be spying on Americans with spy satellites.

Re:The department? (2)

kmoser (1469707) | more than 3 years ago | (#37105022)

Believe it or not, the phrase was around long before the Simpsons parodied it.

That's ok - because SpyEye's kept up on AND (0)

Anonymous Coward | more than 3 years ago | (#37100334)

It's quite blockable in HOSTS files &/or Firewalls (software OR hardware router types) -> https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]

APK

P.S.=> They create variants? Those will be tracked as well as to their botnet C&C servers... simple!

... apk

Why was my post "modded down"? (0)

Anonymous Coward | more than 3 years ago | (#37102430)

It was meant for the "general good". I'd like a technical justification offered @ least on WHY it was 'downward modded' (thanks).

* The "general good" being information on stopping this SpyEye botnet from infesting you in the 1st place, by blocking it @ the HOSTS file OR firewall level (preferably both local to your own system, & hopefully @ DNS server layers/levels too @ ISP/BSP's also via DNSBL's on THEIR parts, like Norton DNS does for example - which IS what makes IT, outstanding!)

APK

P.S.=> Of course, there are those who don't WANT others to KNOW about that site (the makers of this botnet mainly), & I've also made my share of enemies out there online as well (dolts I've floored on technical issues & they're obviously still "stinging" from the "bitter taste of defeat" @ having to eat their own erroneous words flavored with it, lol, @ MY hands)!

However? Well, so far here?? That's just speculation (but, IF I don't get a SOLID explain on the downmod? Then, I can only assume I am 100% correct on my "speculations" above))...

... apk
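The HOSTS-file and DNS-level blocking APK describes, as an added example (not APK's code and not the abuse.ch tracker's format). The C&C hostnames and the resolver log lines below are constructed, and the log format is an assumption loosely modelled on a BIND query log; a real list would come from a tracker export like the one linked above.

```python
import re

# Constructed sample of C&C hostnames, as a tracker export might list them.
CNC_DOMAINS = [
    "cnc-example-one.invalid",
    "updates.cnc-example-two.invalid",
    "CnC-Example-Three.INVALID",   # mixed case: matching must be case-insensitive
]

def normalize(host):
    """Lower-case and strip a trailing dot so 'Foo.Example.' == 'foo.example'."""
    return host.strip().rstrip(".").lower()

def hosts_entries(domains):
    """Render HOSTS-file lines that sink each name to 0.0.0.0 (unroutable),
    deduplicated and sorted so repeated tracker pulls give stable output."""
    names = sorted({normalize(d) for d in domains if d.strip()})
    return ["0.0.0.0 %s" % name for name in names]

def build_blocklist(domains):
    return {normalize(d) for d in domains if d.strip()}

def matches_blocklist(host, blocklist):
    """True if host or any parent domain is listed. A HOSTS entry only matches
    the exact name; a firewall/DNSBL-style check should also catch subdomains
    such as 'a.b.cnc-example-one.invalid' (suffix match, never prefix)."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

# Constructed resolver log lines (format assumed): "... client <ip>#<port>: query: <name> IN A +"
DNS_LOG = """\
16-Aug-2011 01:23:45.001 client 10.0.0.5#51234: query: www.example.com IN A +
16-Aug-2011 01:23:46.002 client 10.0.0.7#51235: query: cnc-example-one.invalid IN A +
16-Aug-2011 01:23:47.003 client 10.0.0.9#51236: query: x.updates.cnc-example-two.invalid. IN A +
16-Aug-2011 01:23:48.004 client 10.0.0.5#51237: query: cnc-example-one.invalid.evil.example IN A +
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")

def find_cnc_lookups(log_text, blocklist):
    """Return (client_ip, queried_name) for every log line whose name is blocked.
    The last sample line is NOT a hit: the listed name is only a prefix there."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_blocklist(m.group("name"), blocklist):
            hits.append((m.group("ip"), normalize(m.group("name"))))
    return hits

if __name__ == "__main__":
    print("\n".join(hosts_entries(CNC_DOMAINS)))
    for ip, name in find_cnc_lookups(DNS_LOG, build_blocklist(CNC_DOMAINS)):
        print("client %s looked up blocked name %s" % (ip, name))
```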

Re:Why was my post "modded down"? (0)

Anonymous Coward | more than 3 years ago | (#37103512)

You are 100% correct on your speculations, you don't need to wait for anyone to confirm that. Try not be so weird all the time.

Disprove what I wrote (0)

Anonymous Coward | more than 3 years ago | (#37104712)

In my init. post then here -> http://it.slashdot.org/comments.pl?sid=2380830&cid=37100334 [slashdot.org] because there is NOTHING "weird" about that, only facts & useful ones @ that!

(And, the fact is, IS that it lists the botnet C&C servers that SpyEye uses, which CAN BE BLOCKED @ the HOSTS file OR Firewall level (in software &/or hardware router firewall levels)).

* That's USEFUL INFORMATION others here can gain by... period!

"You are 100% correct on your speculations, you don't need to wait for anyone to confirm that." - by Anonymous Coward OBVIOUSLY A BOTNET MASTER HIMSELF on Tuesday August 16, @01:23AM (#37103512)

Thank you then for confirming my speculations then for me... now, go away you TROLLING botnet master... ok? Try to do something useful to the general human condition instead of being a scumbag...

APK

P.S.=> An application of... "ReVeRsE-PsYcHoLoGy" - 4 off-topic trolls like you (who clearly demonstrate ALL THEY HAVE, is effete down-moderations in retaliation vs. myself):

".emit eht lla driew os eb ton yrT" - by Anonymous Coward ANOTHER "ne'er-do-well" /. OFF-TOPIC TROLL on Sunday July 10, @06:32AM (#36710070)

"???"

Uhm... Could we get a translation of that off-topic "troll-speak/trolllanguage" of yours, please?

---

* And, you're an off-topic troll - no questions asked...SEE MY SUBJECT LINE ABOVE!

("ReVeRsE-PsYcHoLoGy", for trolls - Courtesy of this code by "yours truly" in less than 1 second flat):

---

#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)

def reverse(s):
    # Build the reversed string by prepending each character in turn
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))

try:
    s = "Insert whatever 'trollspeak/trolllanguage' gibberish occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)

---

... apk

Ah...no (0)

Anonymous Coward | more than 3 years ago | (#37100648)

The author of the original blog post that laid out the hardware ID crack completely refuted Damballa's post. If you read his original post, it's very clear that he didn't post the source code or anything close to it. He just showed how to crack the HWID. Not the same thing by a long shot.

More info (3, Informative)

Anonymous Coward | more than 3 years ago | (#37100726)

From ComputerWorld [computerworld.com] : "SpyEye is a particularly nasty piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second."

The malware kit is normally sold to criminals, with each sold copy protected by an encryption scheme of some kind. This encryption scheme was cracked and the source code also released, so anyone can now freely compile the software. The malware also uses a botnet to perform transactions using compromised banking credentials. It's not clear if the hack also enables one to set up or control the botnet aspect. However, one could presumably make use of the capability to directly initiate transactions on the victim's computer.

And to think I just got all my online accounts linked together to make my life easier!

Re:More info (0)

Anonymous Coward | more than 3 years ago | (#37101592)

"And to think I just got all my online accounts linked together to make my life easier!"

I wonder how many people are thinking that very thought...

Coincidence?

*hoorya for drunk post!*

Derp (0)

Anonymous Coward | more than 3 years ago | (#37100906)

Download is here

http://forum.potsec.net/showthread.php?3-SpyEye-Source-Code-is-Leaked

Re:Derp (0)

Anonymous Coward | more than 3 years ago | (#37101046)

how do you compile it?

Re:Derp (1)

flappinbooger (574405) | more than 3 years ago | (#37101612)

maybe start looking for the builder on hacker forums like HF and opensc. There are many, and this is such big news it shouldn't take you long to find it.

I'd run it in a VM or sandboxed or on a "disposable" computer. You are playing with fire, watch out so you don't get burned. 50-50 odds you get owned by DLing someone ELSE'S deployment of SpyEye. lol.

To truly deploy this is actually sorta involved, I know for Zeus you hafta run a web server to gather all the data and do C+C. A simple RAT with a few dozen bots is easy peasy, that's just messing with noIP and opening some ports, these crimeware tools are a CAMPAIGN. With Zeus and SE you are intending on stealing people's money on a large scale.

Remember kids, don't hack from your own IP address, your dad will get pissed when the FBI comes.

Re:Derp (0)

Anonymous Coward | more than 3 years ago | (#37102190)

If you are going to teach a wannabe script kiddie how to be a script kiddie, please try to use proper spelling. Your post hurt my brain...

Besides, if it's good, running it in a VM or chrooted (if Windows supports that yet) won't help in the slightest. Maybe if you set up a small network with a bunch of computers, make sure it's disconnected from any external network (for your sake and others'), play around with it, and then wipe all computers used. That way, you can re-use the HDDs for the next piece of software you want to use, and you become more familiar with setting up a good testing environment too.

And if you have to tell someone "you don't hack across the state lines, you'll get nailed by the FBI" (the movie Hackers), they deserve to be caught. Seriously...

Re:Derp (0)

logjon (1411219) | more than 3 years ago | (#37119550)

Besides, if it's good, running it in a VM or chrooted (if windows supports that yet) won't help the slightest.

Stupidest thing I've read on slashdot in months.

Wonderful (0)

zerox030366 (2430128) | more than 3 years ago | (#37102120)

Because we don't have enough script kiddies in anonymous and lulz-sec running around breaking stuff as fast as they can already. Just awesome.

Re:Wonderful (1)

kelemvor4 (1980226) | more than 3 years ago | (#37103322)

Because we don't have enough script kiddies in anonymous and lulz-sec running around breaking stuff as fast as they can already. Just awesome.

I think lulzsec got arrested a week or two ago, not that your point is any less valid.

Re:Wonderful (1)

GameboyRMH (1153867) | more than 3 years ago | (#37107212)

No, they think they arrested the spokesman but they arrested some dude who was framed by the spokesman. But the real spokesman (Topiary) has since had all his personal info released online so he's probably hiding in the woods right now.

on the good side (3, Insightful)

kwikrick (755625) | more than 3 years ago | (#37104120)

With the source code out, it should be easy to plug the security holes that the spyware uses, and it should be easy to generate hashes and heuristics for virus scanners to detect spyware on infected computers. In theory anyway.

Re:on the good side (2)

NotQuiteInsane (981960) | more than 3 years ago | (#37106602)

... Or make variants of the spyware which avoid said heuristics.

Sir, I'd like you to meet my friend, the double-edged sword...
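Both Grishnakh's signed install-time blacklist (earlier in the thread) and the kwikrick/NotQuiteInsane exchange about hashes versus variants come down to the same mechanism, so here is one added example that is not from the thread or any product: a vendor signs a list of SHA-256 hashes, the installer refuses a tampered list and refuses a listed package even under a new file name, and a one-byte variant slips straight past. The signing key, the list and the "packages" are all constructed stand-ins; an HMAC with a shared secret stands in for the vendor's public-key signature so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed vendor key (assumption). A real installer would verify a
# public-key signature; HMAC with a shared secret is used here only so the
# vendor and installer halves can both run in this one file.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def publish_blacklist(bad_packages):
    """Vendor side: list the SHA-256 of each known-bad package and sign the list."""
    body = json.dumps(sorted(sha256_hex(p) for p in bad_packages))
    sig = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def load_blacklist(signed):
    """Installer side: reject an unsigned or altered list before trusting it."""
    expected = hmac.new(VENDOR_KEY, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("blacklist signature invalid")
    return set(json.loads(signed["body"]))

def install_allowed(package_bytes, blacklist):
    """The check is on content, so renaming a file changes nothing;
    changing a single byte of content changes everything."""
    return sha256_hex(package_bytes) not in blacklist

# Constructed "packages": byte strings standing in for installer files.
FAKE_AV = b"FAKE-ANTIVIRUS-INSTALLER v1 payload..."
FAKE_AV_RENAMED = FAKE_AV            # same bytes, different file name on disk
FAKE_AV_VARIANT = FAKE_AV + b"\x00"  # one byte appended: a brand-new hash
LEGIT = b"some legitimate package"

def demo():
    """Returns whether each constructed package would be allowed to install."""
    bl = load_blacklist(publish_blacklist([FAKE_AV]))
    return {
        "legit": install_allowed(LEGIT, bl),
        "known_bad": install_allowed(FAKE_AV, bl),
        "renamed": install_allowed(FAKE_AV_RENAMED, bl),
        "variant": install_allowed(FAKE_AV_VARIANT, bl),   # the reactive gap
    }

def tampered_list_rejected():
    """An emptied list with the old signature must not be accepted."""
    signed = publish_blacklist([FAKE_AV])
    signed["body"] = json.dumps([])
    try:
        load_blacklist(signed)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(demo())
    print("tampered list rejected:", tampered_list_rejected())
```

The "variant" result is the whole double-edged-sword point: a hash list catches exact copies and renames, but every trivially rebuilt variant starts with a clean slate until the list is updated, which is why scanners layer heuristics on top of hashes.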

Re:on the good side (1)

Anonymous Coward | more than 3 years ago | (#37106790)

"No shit, everything is a double-edged sword. Even a single-edged sword is a double-edged sword. Because on the one hand it's sharp but on the other hand it's dull....a single-edged sword is a double-edged sword."
--Louis C. K.

Re:on the good side (0)

Anonymous Coward | more than 3 years ago | (#37106812)

I for one am glad the source code is out in the open. At least we know what we're facing, even if it allows for people (who probably already know how to write trojans) to write more trojans.

No, SpyEye Trojan Source Code *NOT* Leaked (0)

Anonymous Coward | more than 3 years ago | (#37105006)

*picard-facepalm.jpg*

Holy fuck, I do not believe how many people have commented on and reblogged this story while failing basic Reading Comprehension 101.

The source code for the SpyEye trojan has NOT been leaked.

The source code for a tool that patches the binary executable of the SpyEye trojan has been leaked.

Re:No, SpyEye Trojan Source Code *NOT* Leaked (1)

Em Adespoton (792954) | more than 3 years ago | (#37107998)

It's not even that... the source code for a tool that patches the tool that BUILDS SpyEye trojans has been *released*.

It's amazing how the internet resembles that children's whispering game, considering we're dealing with text that supposedly doesn't change. I feel like I could write "I bought ice cream on Craigslist" on my blog and eventually see it posted to Slashdot as "Foreign terrorist creams Craig Ferguson." -- and yes, neither of these are news for nerds (well, maybe the first one).

Good Job (1)

k4f (2433858) | more than 3 years ago | (#37105418)

“Over the last 18 months, SpyEye has made a lot of headlines [hyperlinkcode.com] , especially when it was revealed that the development team behind the malware was effectively merging it with that of the older Zeus code,”

This is a good thing (1)

Candyban (723804) | more than 3 years ago | (#37117408)

They should do this more often.
It is not that they will get sued for copyright infringement or revealing trade secrets ...

If all malware were put freely on the internet, wouldn't that dry up some of the revenue streams for the authors? Sure, you will briefly see a spike in derivatives, but I believe the way to combat covert actions is not by covert counter-actions, but by bringing it all in the open.

When you consider this to be a battle, there are a number of things which would make sense:

1) Choose your battleground where you have a tactical advantage. Draw them in the open as "we" are more numerous and have more firepower.

2) Disrupt their supply lines by removing incentives to start writing malware. When they are selling their malware, buy one copy and provide it for free. This will remove a lot of their demand as they will have to start charging more and increase their exposure (larger money transactions will stand out more) or drive them deeper underground which makes them harder to find and buy from.

3) Increase your defences by making genuine software more secure and harder to exploit. "We" are making progress in this area.

4) Decrease their firepower by implementing more control on the ISP level. This may be dangerous as there might be "civilian casualties" but spam zombies are easily identified. Remove zombie hosts from the network. Remove ISPs who do not take action on the zombies from the network. Reduce bandwidth from countries who do not take action on the ISPs. This will have an added bonus that it will also disrupt some of their revenue streams. What is the point of raising a botnet army when you cannot do anything with it?

5) Demoralise their troops by taking legal action. Seize their spoils of war (assets) and their freedom (PoW).

6) Moralise your own troops by increasing incentives to write good code and identify problems. Have them rated like their financial health and increase/decrease tax rates accordingly as would interest rates. This will give incentives to write secure code rather than rush something out the door. When problems arise, security holes are patched as quickly as they are discovered and it allows companies to pay security researchers for their effort. It may even convince some of the black hatters (mercenaries) to switch sides as it becomes more profitable.
