Cracked SpyEye cheers, worries researchers
Free bot program undermines criminals and provides information to security firms, but will mean more attacks.
By Robert Lemos
August 17, 2011 — CSO —
A hacking group has released a tool to remove the copy protection for a popular bot program, an event that is both good news and bad news for end users, a security researcher said Tuesday.
Last week, a group of hackers, known as the Reverse Engineer's Dream (RED) Team, released a program that can crack the licensing system around the SpyEye bot builder, allowing criminals to pirate -- and researchers to analyze -- the popular malicious program, said Sean Bodmer, senior threat intelligence analyst for network security firm Damballa. The crack, as such security breaks are called, has already led to cut-rate copies of the SpyEye software being sold for less than $100, down from a typical price of $6,000 to $10,000, he says.
"Once you have compiled that patch, you run it against an already acquired SpyEye builder. That builder is then cracked and the hardware ID system is bypassed," Bodmer says. "Therefore, anyone that has access to that specific version of the builder, which you can find online, can crack it."
The crack allows anyone to remove the license protections, run the builder on any of their own systems, or allow others to run the cracked version. The plummeting price is one nugget of good news, undercutting the sales of the original SpyEye group.
"It does hurt the bad guys' revenue stream, because why am I going to pay $10,000 when I can crack it myself for free?" Bodmer says.
In addition, security researchers will be able to easily decompile the program and analyze the code, possibly finding vulnerabilities that security software can exploit, or attributes that help antivirus programs better detect a SpyEye-fueled attack.
"When you are able to strip out the (security), you are able to run the program through a disassembler now, and actually look at, step-by-step, what it's doing, how it's building," says Bodmer. "Everything is right there in front of you in assembly code."
However, bot operators will also benefit from the crack, he says. They can use the code to remove the unique identifying information that remains in any bot created by the builder. Removing that information makes it harder for security researchers to track the spread of a particular group's bots. Normally, the builder and all bots created by it carry an ID that allows researchers to group particular botnets by the specific builder that created them.
Now, that's no longer true, says Bodmer.
"This is really good for the bad guys," he says. "If you are a paid customer, you can strip out the attribution."
Finally, the posting of low-cost -- and soon, free -- versions of SpyEye will likely boost usage of the program. While the cracking code only works with a specific version of the program, anyone will be able to create bots using that version of the builder.
The group behind the development of the SpyEye builder has already committed to pushing out a more feature-rich version within 2 months, in reaction to the breach, says Bodmer.