McAfee Labs

Combined Zeus/SpyEye Toolkit Announced

By on Jan 14, 2011

In our recent “2011 Threats Predictions” report, McAfee Labs foresaw that the recent merger of Zeus with SpyEye would produce more sophisticated bots, due to improvements in bypassing security mechanisms and law enforcement monitoring. Both Zeus and SpyEye were prevalent and dangerous malware separately; the combination of their functionality takes this threat to a new level.

It is only mid-January and it seems that the first version of this combined toolkit has arrived on the black market, which means we can soon expect to see the malware it produces. This toolkit version, 1.4.1, appears to have been published on January 11.

Functionality updates include:

  • Brute force password guessing
  • Jabber notification
  • VNC module
  • Auto-spreading
  • Auto-update
  • Unique stub generator for FUD and evasion
  • New screenshot system

US$300 without VNC and FF Inject
US$800 all inclusive.

Make sure your systems remain updated to stay protected against this threat! At McAfee Labs we will continue our diligence as this threat continues to develop.

Update on January 14:

I have already received many requests to share this newly discovered code with other researchers (eight requests within 15 minutes of posting this blog). I have to clarify that I have only discovered this offer in two underground forums known for sharing crimeware. McAfee does not have the source code of this announced version.

The seller of this new version used the nickname hardersell. A known nickname for the original SpyEye maker is harderman. I took this similarity as a possible indication of the veracity of the offer.

On the other hand, the price strikes me as rather low (only US$800). In November 2010, I came across a discussion between the SpyEye maker and a possible buyer. The developer said the next combined version should be “private” (not released in an open forum) and with a price near US$4,000. Could this announcement be a scam?

Of course, only when we discover a sample of this malware will we know for certain that it is now in the wild.