With the configuration mapping and education complete, SpyEye's users would know how to follow the ZeuS injector; they would also have a clear view into what ZeuS was up to and what to do with the system, connections, and accounts. Most everyone interested in the SpyEye kit knew how to read ZeuS malware configurations. This feature made it extremely easy for customers to switch from the ZeuS malware kit to the SpyEye malware kit.
Caution: Lanes merging
Having not seen any updates for quite some time, the market found the ZeuS malware kit sitting at v220.127.116.11 in October 2010. On the underground forums, announcements surfaced from both of these fierce competitors--Slavik and Gribodemon--claiming that further development of ZeuS and SpyEye would cease as individual offerings and that Slavik's ZeuS business was to be handed over and merged into Gribodemon's SpyEye business. This, as you could imagine, sent the market into a frenzy.
While the market still saw some unofficial versions of the kit surface and then disappear after October 2010, this was more likely a case of the ZeuS source code being used by some of Slavik's close friends--not the result of a successful partnership or business merger. The merger appears to have never really materialized--at least in a substantial, official way. It's safe to say, the SEC certainly didn't publicly sanction any merger.
In 2011, the entire set of ZeuS source code leaked, likely due to Slavik having handed the source to some of his not-so-careful customers/friends. This proved to be a very interesting period both in the cybercrime market and in the cybersecurity industry; now, anyone could develop their own MitB malware kit, modify the kit, and create nuances or even new families of the kit. Fox-IT saw open source MitB products become real solutions in their own right--Ice-IX and Citadel being two examples.
On the other side of the coin, some variants tried to improve upon the original ZeuS encryption methods but failed miserably. While all this was going on with ZeuS, SpyEye was still on the scene, though the development of the kit also started to falter. Eventually the market would see the introduction of SpyEye v18.104.22.168. This would be the last version of SpyEye to appear, and Gribodemon was never to be heard from again.
The researchers at Fox-IT kept following Slavik and discovered that he had in fact given his crown jewels to Gribodemon. But while it appeared on the surface that Slavik had given up on ZeuS and the business of cybercrime, this was far from the case. In fact, Slavik had some clever business plans up his sleeve.
Thanks for the gift horse
As it turns out, Slavik had been working on a new version of ZeuS all along, a version that would equate to a ZeuS v2.1. This new version, however, was never sold by Slavik as a kit. Nor was this new version ever delivered to Gribodemon. As he transitioned the source code to v2.1, Slavik re-defined the market, converting his perpetual license software and business model into one based on a subscription model delivered via the cloud. ZeuS v2.1, which became v3 in September 2011, became the first online banking malware to be offered as a service--the industry's first "malware as a service" (MaaS).