McAfee Labs

Quiet Merger, Gang Warfare, or Mere Deception?

0
By on Nov 15, 2010

Since 2006, the Zeus Trojan has grabbed and held our interest. The following table recaps most of the versions we have discovered. (Click on the image to enlarge it.)

Today, however, the situation appears to be changing. Not only has a rival–SpyEye–appeared, but security researchers are also speaking about a joint-venture agreement between the well-known Zeus industry and its major competitor. Among these experts, our friend Brian Krebs explains that Zeus’ author seems to have gone into online retirement. He has freely transferred the source code of his Trojan to SpyEye’s developer, according to the latter. The result could be a powerful new banking malware available for sale within a few months. The new threat will contain the best features of the two as well as some additional functions, SpyEye’s maker claims. For now, perhaps waiting for things to calm down after recent U.S. and U.K. law enforcement efforts, both products have been withdrawn from sale.

In his blog, Krebs speaks about a “quiet merger.” He quotes a post from SpyEye’s author dated October 13, 2010, in which “Harderman” claims the Zeus source code was given to him free of charge by its author, Slavik, who has chosen to quit the scene. I find this difficult to believe. I do not imagine someone making more than US$1 million per year (as mentioned by Harderman/Gribodemon when interviewed by Ben Koehl, Crimeware Researcher of Malware Intelligence) throwing in the sponge. I am also surprised at Slavik’s silence in not confirming the news.

Three days earlier (on October 10), just to confuse the issue, SpyEye’s author deleted his posts in the various forums he frequented. (Click to enlarge.)

Here is some data I was able to consolidate using various screenshots I collected. The last entry shows that, as happens in many industries, the merger will bring about a price increase for customers.

When the Zeus story started, rumors said the group UpLevel was behind it. But gradually the product appeared to have a single author. Since 2008, numerous blogs and documents have published various pseudonyms. The following timeline summarizes the most important. (Click to enlarge.)

As I wrote this blog, I was surprised by some similarities between two possible individuals. In 2009, one Zeus seller was known as magicz. As this character disappeared (banned from some underground forums, his ICQ supposedly hacked, etc.), the individual “magic” started promoting SpyEye. I cannot be certain we are dealing with the same person, but I do wonder about some similarities in language. The pictures associated with both of these profiles–a magician controlling luminous energy–also amazed me.

Instead of our observing a friendly agreement, I would not be surprised if some of Slavik’s friends created SpyEye and forced their former and now solo colleague to silence by eliminating him from the scene. I am worried about Slavik’s health.

Another possibility I cannot rule out is that Slavik’s retirement and Harderman’s forum cleaning are just deceptions. They and their friends may be restructuring the gang with new pseudonyms and contacts to put law enforcement off their trail. Recent arrests in their circles have made for worrisome times.

Regardless of what’s true, I really can’t believe that Zeus’ author has chosen voluntary retirement.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>