Ever since the public leaking of the 1.3.45 SpyEye builder and some accompanying cracks, a menagerie of “unauthorized” SpyEye resellers and distributors have flooded the hacker forums with cut-price copies of the malware construction tool. As would-be SpyEye sellers tout their latest extensions, fake updates and fixes, the SpyEye original authors have bunkered down – focusing their attention upon only their most trusted customers, and not actively seeking more. As distrust spreads within the cybercriminal fraternity, a number of notable criminal operators have been moving to a new competitor on the block – “Ice IX”.
Ice IX, like its competitors (SpyEye, Zeus, TDL, Hiloti, Carberp, etc.), offers the same core crimeware construction functionality – malware builders, an attack delivery platform, and a management console – and also makes extensive use of third-party developed Web Inject content to extract valuable data from its victims. What makes Ice IX so interesting to (former) SpyEye customers is that it’s being actively maintained and is proving to be a reliable attack platform against even newly patched victims – not to forget being much cheaper too.
Over the last few months Damballa Labs have been tracking a number of criminal operators as they replace their SpyEye installations and migrate to the new Ice IX platform. It is only a trickle at the moment, but we can probably expect more SpyEye operators to transition to other better-supported crimeware construction platforms throughout the year.
To understand why SpyEye is losing out to Ice IX, my colleague Sean Bodmer has pulled together a Research Note on the topic – where he details the cybercriminal migration between attack platforms and discusses the impact on some of the larger (former) SpyEye-based operators we’re tracking.
The Research Note – “SpyEye, being kicked to the curb by its customers?” can be found at http://www.damballa.com/downloads/r_pubs/RN_SpyEye-Kicked-to-Curb_Bodmer.pdf