SpyEye source code made public

Security outfit Damballa has warned that source code for a patch to the SpyEye Builder malware kit, release 1.3.45, has been leaked by a hacking group calling itself the Reverse Engineers Dream Crew (RED Crew).

A crew member was able to locate a copy of SpyEye Builder 1.3.45 and wrote a tutorial that enables anyone holding a copy of the builder to crack its hardware identification check, the licensing mechanism that ties the builder to a specific machine.

The SpyEye builder tool is what generates the SpyEye malware itself, so the release of the patch source means that security researchers can use the crack to run the builder and start hunting for bugs in what it produces.

But as Damballa’s Sean Bodmer pointed out to Security Week, it also means the malware’s authors will be forced to step up their game.

He said that it will make newer versions harder to crack, with enhanced security mechanisms. The SpyEye author team has already released 1.3.48 and has newer versions in development, it appears.

But the leak also makes the tool widely available to script kiddies, and the cracked builder is now being sold online for as little as $95 “for those not seasoned enough” to compile the code themselves, he added.

Writing on his blog, Bodmer said that the leak throws a monkey-wrench into the business model of the Gribo-Demon crew behind SpyEye.

Aspiring cyber criminals can find a leaked copy of the builder, use the RED Crew tutorial to break its embedded licensing protection, and launch their own SpyEye campaigns without paying the authors.

Paying customers and other cyber criminals can now also strip out the licensee handle that the builder embeds in each binary it generates. That handle has served as an attribution marker, so removing it makes identifying the operator or campaign group behind a given sample considerably harder.

SpyEye has done rather well since the development team behind it merged the malware with the older Zeus code base. It can even remove a competing Zeus infection from a compromised host.