Tuesday, February 14, 2012

Ice IX Rising Against SpyEye

As commercial crimeware construction tools go, SpyEye has been king of the hill for the last year or so – with dozens of cybercrime organizations adopting it as their attack platform of choice. But has its time come to an end already? In the competitive ecosystem of crimeware construction tools and attack delivery platforms, to maintain a lead, the engineers behind the tools have to continuously innovate and roll out new features to their subscriber-base. In the case of SpyEye, it looks like they’re falling behind and their customers are already switching platforms and providers.

Ever since the public leaking of the 1.3.45 SpyEye builder and some accompanying cracks, a menagerie of “unauthorized” SpyEye resellers and distributors have flooded the hacker forums with cut-price copies of the malware construction tool. As would-be SpyEye sellers tout their latest extensions, fake updates and fixes, the original SpyEye authors have bunkered down – focusing their attention upon only their most trusted customers, and not actively seeking more. As distrust spreads within the cybercriminal fraternity, a number of notable criminal operators have been moving to a new competitor on the block – “Ice IX”.

Ice IX, like its competitors (SpyEye, Zeus, TDL, Hiloti, Carberp, etc.), offers the same core crimeware construction functionality – malware builders, an attack delivery platform, and a management console – and also makes extensive use of third-party developed Web Inject content to extract valuable data from its victims. What makes Ice IX so interesting to (former) SpyEye customers is that it’s being actively maintained and is proving to be a reliable attack platform against even newly patched victims – not to forget being much cheaper too.

Over the last few months Damballa Labs have been tracking a number of criminal operators as they replace their SpyEye installations and migrate to the new Ice IX platform. It is only a trickle at the moment, but we can probably expect more SpyEye operators to transition to other better-supported crimeware construction platforms throughout the year.

To understand why SpyEye is losing out to Ice IX, my colleague Sean Bodmer has pulled together a Research Note on the topic – where he details the cybercriminal migration between attack platforms and discusses the impact on some of the larger (former) SpyEye-based operators we’re tracking.

The Research Note – “SpyEye, being kicked to the curb by its customers?” can be found at http://www.damballa.com/downloads/r_pubs/RN_SpyEye-Kicked-to-Curb_Bodmer.pdf
