August 16, 2011, 12:11 PM — The source code for a powerful rootkit designed to attack banks, one that has been launched from private accounts on Amazon's cloud services twice so far this year, has been posted online by a hacker group that claims to have reverse-engineered version 1.3.45 of SpyEye.
According to security firm Damballa, the group, which calls itself the Reverse Engineers Dream Crew (RED Crew), also created a tutorial designed to teach even novices how to use the SpyEye Builder tool to modify and generate copies of the actual SpyEye malware.
According to a blog by Damballa threat analyst Sean Bodmer, the good news is that security companies like Damballa have more information to help recognize and squash outbreaks of SpyEye – one of the most successful of all recent new malware product families.
The bad news is that a newer version of SpyEye, with better security, has already been released and that the source code will make the still very effective older versions much more widely available.
British police arrested three men in April in connection with an attempted hack on a bank using SpyEye, and have arrested dozens of "money mule" associates of SpyEye users routing money through other people's personal bank accounts to scrub it.
They have not identified or reached the authors of the malware or directors of any of the networks using it.
Bodmer predicts that SpyEye, like its direct rival, Zeus, will morph more quickly, become more dangerous and be the key weapon in far more attacks in the next few months than even malware as prolifically used as SpyEye has been until now:
SpyEye has been on everyone’s priority list of threat discussions for quite some time, and is now going to become an even more pervasive threat. The same thing happened when the Zeus kit source code was released in March 2011. Damballa labs has been tracking dozens of new Zeus bot operators since the leak earlier this year, and now that SpyEye has been ousted it is only a matter of time before this becomes a much larger malware threat than any we have seen to date. So for the next few months, please hold onto your seats people… this ride is about to get very interesting. – Sean Bodmer, Damballa.