Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The making of a cybercrime market

Sean Martin | Aug. 12, 2014
How two underground entities surfaced, battled, aligned, and ultimately extracted billions from some of the world's largest financial institutions via unsuspecting, everyday banking client victims

I spy some competition
It took three years for a new version of the ZeuS botnet to surface. In 2009 ZeuS version 2 appeared, adding a tremendous amount of new functionality to the product. ZeuS v2 was more robust, capable of handling take-downs better, and included new features such as the ability to monitor network traffic, capture screen shots, record the victim's keystrokes, steal certificates, and even connect to other systems using the victim's IP address. New versions signaled success: A business had been born.

As with most businesses, the exposure and recognition of success spurs the introduction of new offerings from one or more competitors. While the business of cybercrime is neither legal nor moral, it happens to be no different from a legitimate business in this sense. So, as you can imagine, as Slavik created and established this new bot-based banking fraud market, at least one viable competitor would surface. And it did.

The first competing product, SpyEye, was authored by someone using the underground aliases Gribodemon and Harderman. While the first versions of this malware were laughably bad--meaning they often failed to run and would even blue-screen-of-death the host victim's computer--these kits only cost $400. This was a huge slash in price compared to the $8K charged by Slavik for his ZeuS malware kit.

With its aggressive pricing, the market took notice of SpyEye. The revenue generated by SpyEye was seemingly re-invested by Gribodemon to quickly improve the software, and the competing product soon started to gain market share--even after Gribodemon found he could successfully increase the price of his kit from $400 to $1K.

As its foothold solidified and the SpyEye software became more mature, its author began to get extremely aggressive in other areas of the business. Gribodemon went directly after the ZeuS market share, looking for complete domination. A fierce battle ensued.

One example of a traditional tactic used by SpyEye was a competitive takeout. Gribodemon's goal was not only to just win net new customers but also to replace existing ZeuS customers. Gribodemon built his SpyEye malware kit such that, upon successful injection of the botnet into the host browser, it would check for the existence of the ZeuS botnet and remove it, essentially taking over the system and all banking accounts previously compromised by ZeuS.

In true business form, Slavik responded in kind with updates to his Zeus kit. Another example of a traditional business tactic applied by SpyEye was one of a competitive migration. Gribodemon delivered a feature in SpyEye called "Spy Config" that extracts the configuration defined in the ZeuS malware kit, loads it into the SpyEye configuration, and provides additional documentation on how to leverage the ZeuS configurations.

 

Previous Page  1  2  3  4  5  6  7  Next Page 

Sign up for CIO Asia eNewsletters.