An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.
Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.
The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.
Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules -- U.S. residents with bank accounts -- who then move the cash out of the country.
Most of these "money mules" are people who take "work from home" jobs they find on the internet. From the stories I've read, they'll get an official-looking email from their "boss" stating that money will be wired into their bank account, they keep around 10%, and then are instructed to wire the remainder to another account outside of the country.
First, I find it odd that these criminals aren't swindled by their "employees." I'm surprised more people don't just keep the large sums of money deposited into their accounts.
Second, I have a hard time believing that these "employees" don't find it suspicious that their boss is telling them that large sums of money will be deposited into their account, and that they are then to wire most of it to another account. I'd certainly be questioning their methods and intentions. Any legitimate business that needed to move money around would have its own billing/accounting department to handle all of that, and my pay, for whatever work I performed, would be given to me in whole. I've never had a job where I'd be given 10 times my pay with the understanding that I'm to keep what I'm entitled to and then "give back" the rest.
With its "Kill Zeus" option, Spy Eye is the most aggressive crimeware, however. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks. "This author knows that Zeus has a pretty good market, and he's looking to cut in," he said.
I think this is the genius part of this new botnet. New botnets seem to spring up every couple of weeks at most; but this one is intelligent enough to not only gather its own data (via keyloggers, HTTP POSTs, etc.), but to also steal data already captured by a market-leading botnet. Let the others do all of the work collecting the data, and then just swipe the data as they report back to their C&C servers.
Turf wars are nothing new to cybercriminals. Two years ago a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi. And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.
Such behavior is definitely not new. I recall a worm that spread using the same vulnerability as SQL Slammer that would remove Slammer and download/install the patch for the vulnerability they both used to obtain access. Viruses have used similar tactics in the past, as well.
Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. To date, it has not been spotted on many PCs, however.
$500 - $2500 is a small investment considering the enormous potential it could buy you. If you only manage to obtain $250 per stolen bank account, it would only take you 10 compromised accounts to see a return on investment.