Cracked SpyEye cheers, worries researchers

Free bot program undermines criminals and provides information to security firms, but will mean more attacks.

A hacking group has released a tool to remove the copy protection for a popular bot program, an event that is both good news and bad news for end users, a security researcher said Tuesday.

Last week, a group of hackers, known as the Reverse Engineer's Dream (RED) Team, released a program that can crack the licensing system around the SpyEye bot builder, allowing criminals to pirate -- and researchers to analyze -- the popular malicious program, said Sean Bodmer, senior threat intelligence analyst for network security firm Damballa. The crack, as such security breaks are called, has already led to cut-rate copies of the SpyEye software being sold for less than $100, down from a typical price of $6,000 to $10,000, he says.

"Once you have compiled that patch, you run it against an already acquired SpyEye builder. That builder is then cracked and the hardware ID system is bypassed," Bodmer says. "Therefore, anyone that has access to that specific version of the builder, which you can find online, can crack it."


The crack allows anyone to remove the license protections, run the builder on any of their own systems, or allow others to run the cracked version. The plummeting price is one nugget of good news, undercutting the sales of the original SpyEye group.

"It does hurt the bad guys' revenue stream, because why am I going to pay $10,000 when I can crack it myself for free?" Bodmer says.

In addition, security researchers will be able to easily decompile the program and analyze the code, possibly finding vulnerabilities that can be exploited by security software or attributes that will help antivirus programs to better detect a SpyEye-fueled attack.

"When you are able to strip out the (security), you are able to run the program through a disassembler now, and actually look at, step-by-step, what it's doing, how it's building," says Bodmer. "Everything is right there in front of you in assembly code."

However, bot operators will also benefit from the crack, he says. They can use the code to unregister unique information that remains in any bot created by the builder. Removing that information makes it harder for security researchers to track the spread of a particular group's bots. Normally, the builder and all bots created by the builder have an ID that allows researchers to group particular botnets into those created by a specific builder.


Now, that's no longer true, says Bodmer.

"This is really good for the bad guys," he says. "If you are a paid customer, you can strip out the attribution."
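The attribution problem Bodmer describes, as an added example that is not part of the article and not SpyEye's own code: researchers group bots by the builder ID embedded in each sample, and a cracked builder lets the operator strip that ID. The script below clusters constructed sample records by builder ID, flags samples whose ID has been blanked or zeroed, and falls back to grouping those by the C2 host they contact. The record fields, the "stripped" marker values and every name and host are assumptions made up for illustration; they do not describe the real SpyEye configuration format.

```python
"""
Cluster malware samples by embedded builder ID and detect stripped attribution.
Added example; the field names, marker values and sample records are constructed
for illustration and are not the real SpyEye configuration layout.
"""
from collections import defaultdict

# Values a stripped or unregistered builder ID is assumed to take (hypothetical).
STRIPPED_MARKERS = {"", None, "0", "00000000", "UNREGISTERED"}


def is_stripped(builder_id):
    """True when the attribution field carries no usable builder identity."""
    if builder_id is None:
        return True
    text = str(builder_id).strip()
    # Empty, a known placeholder, or nothing but zero digits.
    return text in STRIPPED_MARKERS or set(text) == {"0"}


def cluster_by_builder(samples):
    """Map builder_id -> sample names, for samples whose ID is intact."""
    clusters = defaultdict(list)
    for sample in samples:
        if not is_stripped(sample.get("builder_id")):
            clusters[sample["builder_id"]].append(sample["name"])
    return dict(clusters)


def stripped_samples(samples):
    """Names of samples whose builder ID has been removed or zeroed."""
    return [s["name"] for s in samples if is_stripped(s.get("builder_id"))]


def fallback_clusters(samples):
    """For stripped samples, group by the C2 host instead of the builder ID."""
    clusters = defaultdict(list)
    for sample in samples:
        if is_stripped(sample.get("builder_id")):
            clusters[sample["c2_host"]].append(sample["name"])
    return dict(clusters)


# Constructed sample records: placeholder names and hosts, not real indicators.
SAMPLES = [
    {"name": "sample-A", "builder_id": "BLD-1234", "c2_host": "c2-one.example"},
    {"name": "sample-B", "builder_id": "BLD-1234", "c2_host": "c2-one.example"},
    {"name": "sample-C", "builder_id": "BLD-9876", "c2_host": "c2-two.example"},
    {"name": "sample-D", "builder_id": "00000000", "c2_host": "c2-three.example"},
    {"name": "sample-E", "builder_id": "", "c2_host": "c2-three.example"},
    {"name": "sample-F", "builder_id": None, "c2_host": "c2-four.example"},
]


def report(samples=SAMPLES):
    """Full attribution report: intact clusters, stripped samples, fallback groups."""
    return {
        "by_builder": cluster_by_builder(samples),
        "stripped": stripped_samples(samples),
        "fallback": fallback_clusters(samples),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Samples A and B still cluster under one builder, while D, E and F carry no usable ID and can only be related through weaker indicators such as a shared C2 host, which is exactly the loss of visibility the article describes.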

Finally, the posting of low-cost -- and soon, free -- versions of SpyEye will likely boost the usage of the program. While the cracking code only works with a specific version of the program, anyone will be able to create bots using that version of the building program.

The group behind the development of the SpyEye builder has already committed to pushing out a more feature-rich version within two months, in reaction to the crack, says Bodmer.


Stories by Robert Lemos
