
Spyeye malware source code is leaked

New variants expected
Wed Aug 17 2011, 14:29

THE SOURCE CODE for a crack of the Spyeye toolkit's builder has been leaked, prompting concerns that it could be used to produce more malware and new variants of the threat.

The release was announced on security firm Damballa's blog, where it was described as a double-edged sword.

The Spyeye builder patch source code was leaked by French cracker Xyliton, said Damballa in its post, and was accompanied by a handy how-to guide.

"Xyliton, part of the Reverse Engineers Dream Crew (RED Crew) [was] able to locate a copy of SpyEye builder 1.3.45 and created a walkthrough/tutorial that enables the reader (once in possession of SpyEye builder) to crack the hardware identification (HWID) which has been secured using VMProtect (a licensing tool that locks an installation of software to a particular physical device)," wrote Sean Bodmer, senior threat intelligence analyst at Damballa.

"This leak is important as it illustrates the coding techniques of Gribo-Demon's team (the authors of SpyEye) and also deals another blow to the underground criminal ecosystem. But it is a double-edged sword."

The release is double-edged because, while security researchers can use it to understand more about the threat, cyber criminals can use it too, and worse, tailor it to their own emerging needs.

"Now that a patch/crack for the SpyEye builder (the tool that generates the SpyEye malware) has been released along with source for the HWID crack, security researchers can now begin bug hunting for vulnerabilities in the authors work. This is a good thing, especially if you have the SpyEye SDK and know which APIs are available and capable of being accessed/exploited for defensive purposes," added Bodmer.

"With this leak and the leak of the Zeus source in March 2011, this now puts one of the world's largest botnet criminal enterprises at risk to all sorts of horizontal and vertical attacks by world governments, law enforcement, security vendors, and even other criminals desiring to increase their monetary footprint across the Internet."

Cracked Spyeye kits are not new, and are already available in the underground. However, at around $10,000 their cost has been prohibitive for some. A free release with a handy walkthrough will have much more appeal than the paid-for alternatives, and as a result could see much more use.

"At over $10,000 (USD or WMZ) for the bundle, it is now easier and cheaper for criminals to find a leaked version and use this walkthrough to break the embedded security of the builder and start their own enterprise," said Bodmer.

"Putting in the hands of babes one of the most powerful cyber threats today, 'for free', is something that will mean even more sleepless nights for security administrators."


Comments
Spyeye malware source code is NOT leaked: worst-reported story ever.

The entire computer press (not just the Inq) appears to have had the most massive brain fart / reading comprehension fail ever in reporting this story. The source code that has been leaked is the source code for a tool that patches the binary executable of SpyEye; it is absolutely not the source code of SpyEye itself. You even said so yourself, when you wrote, correctly,

"The Spyeye builder patch source code was leaked by French cracker Xyliton,"

READ it. The source code is for the patcher, not SpyEye. You can download it from http://www.potsec.net/files/SpyEye_1.3.45_Loader.rar and see for yourself if you don't believe me.

Yet somehow, *every* journalist has unthinkingly copied each other's false headlines. The internet echo chamber is in full effect here. I'm astonished that not one professional journalist has noticed the blatant contradiction between the body text of their articles and the headlines they post them under, it really is shameful.

posted by: DaveK, 17 August 2011
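To make the distinction DaveK draws concrete (and to show what the HWID "crack" in the article amounts to at the byte level), here is a generic binary patcher of the kind a builder crack ships as. This is example code added for this page; it is not the leaked tool, not SpyEye and not VMProtect. The "executable" is a constructed byte blob, and the offset, the `3B C1 74 1C` opcode bytes read as `cmp eax, ecx ; jz licence_invalid`, and the second "build" are all invented for the demonstration.

```python
"""Generic binary patcher, in the style of a licence-check "crack".

A patch of this kind carries only a few byte-level differences plus
enough context (expected bytes, a hash of the target build) to refuse
to run against the wrong binary. It does not contain, and cannot
reproduce, the patched program's source code or even its binary.
Everything here is constructed for the example: the "executable" is a
made-up blob, not a real SpyEye builder or VMProtect-protected file.
"""
from __future__ import annotations

import hashlib

# Constructed stand-in for a licensed builder executable. The bytes
# 3B C1 74 1C are imagined as `cmp eax, ecx ; jz licence_invalid`, i.e.
# the conditional branch taken when the stored HWID does not match.
ORIGINAL_EXE = (
    b"MZ" + b"\x00" * 6
    + b"HWID-CHECK:" + b"\x3b\xc1" + b"\x74\x1c"
    + b"\x00" * 8
    + b"BUILDER-PAYLOAD" + b"\x00" * 16
)
ORIGINAL_SHA256 = hashlib.sha256(ORIGINAL_EXE).hexdigest()

# A constructed "next build": one extra header byte shifts every offset,
# which is why a crack is pinned to one version (like builder 1.3.45).
OTHER_BUILD = b"MZ" + b"\x00" * 7 + ORIGINAL_EXE[8:]


def make_patch(original: bytes, modified: bytes) -> list[dict]:
    """Diff two same-size images into runs of {offset, expect, replace}."""
    if len(original) != len(modified):
        raise ValueError("this patcher only handles in-place byte changes")
    patch, i = [], 0
    while i < len(original):
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < len(original) and original[i] != modified[i]:
            i += 1
        patch.append({"offset": start,
                      "expect": original[start:i],
                      "replace": modified[start:i]})
    return patch


def apply_patch(target: bytes, patch: list[dict],
                expected_sha256: str | None = None) -> bytes:
    """Apply a patch, refusing to touch a binary it was not made for."""
    if expected_sha256 is not None:
        if hashlib.sha256(target).hexdigest() != expected_sha256:
            raise ValueError("target hash mismatch: wrong build for this patch")
    out = bytearray(target)
    for p in patch:
        off, expect = p["offset"], p["expect"]
        if out[off:off + len(expect)] != expect:
            raise ValueError(
                f"bytes at 0x{off:x} are not the expected ones: "
                "wrong version, or already patched")
        out[off:off + len(expect)] = p["replace"]
    return bytes(out)


def patch_payload_size(patch: list[dict]) -> int:
    """Bytes the patch carries of/for the target (expect + replace)."""
    return sum(len(p["expect"]) + len(p["replace"]) for p in patch)


# Build the "cracked" image: NOP out the jz so the invalid-licence path
# is never taken, then derive the patch as the diff against the original.
CHECK_OFFSET = ORIGINAL_EXE.index(b"\x3b\xc1\x74\x1c") + 2
_cracked = bytearray(ORIGINAL_EXE)
_cracked[CHECK_OFFSET:CHECK_OFFSET + 2] = b"\x90\x90"   # nop ; nop
CRACKED_EXE = bytes(_cracked)
PATCH = make_patch(ORIGINAL_EXE, CRACKED_EXE)


def _refuses(target: bytes) -> bool:
    """True if the patcher rejects this target instead of writing it."""
    try:
        apply_patch(target, PATCH)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Exercise the patcher and report what happened."""
    return {
        "patch": PATCH,
        "payload_bytes": patch_payload_size(PATCH),
        "exe_bytes": len(ORIGINAL_EXE),
        "applies_to_original":
            apply_patch(ORIGINAL_EXE, PATCH, ORIGINAL_SHA256) == CRACKED_EXE,
        "refuses_other_build": _refuses(OTHER_BUILD),
        "refuses_already_patched": _refuses(CRACKED_EXE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The patch for this toy is four bytes of content against a 62-byte image; a real crack for a builder is the same shape, a handful of offsets and replacement bytes plus the expectation that the target is exactly the build it was made for. Anyone holding the patch source still has to obtain the builder binary separately, which is DaveK's point.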
Yeah, er...

But this isn't open-source software code, is it? Legally, somebody somewhere has the copyright on it? But someone else (I'm assuming) is publishing it...

...and getting the eyes of many potential bug-fixers on it...

posted by: Robert Carnegie, 17 August 2011