One proof point of the many findings that Fox-IT uncovered is the fact that SpyEye routinely referred to "sausages" and "sausage patterns" as part of the malware. When victims log in, SpyEye would steal little snippets of Web forms and URLs as a means to extract usernames and passwords. These bits of data were called sausages, and the regular expressions used to read them were called the sausage patterns. Tilon, or SpyEye v2, referred to the same exact elements.
Also of interest is that the first versions of Tilon include functionality to remove the SpyEye malware while not touching any other malware found on the system, including ZeuS. Some SpyEye customers were invited to switch to v2 (Tilon) with an auto-upgrade. While some customers were invited to switch, most weren't. Fox-IT suspects that if a lot of people had been invited, word would have gotten out that this new Trojan was in fact the next version of SpyEye.
Gribodemon also shared the same problems as Slavik in terms of customer support and therefore took this opportunity to leave "idiotic" customers behind. Both guys were there from the very beginning -- ZeuS and SpyEye were the two crimeware kits that started it all. Slavik kicked it off, Gribodemon entered as a worthy competitor to help establish it, and the rest of the players filled in the gaps to complete the creation of the market. However, after a long run by both, it seems that both Slavik's and Gribodemon's businesses have come to a halt.
There have been huge takedown operations for P2PZeuS. While Slavik has not been arrested, he has been identified by the FBI and is now on the FBI's most wanted list. According to Fox-IT, the FBI knows his address and that he has a boat somewhere on the Black Sea. He appears to be lying very low at the moment, doing nothing around banking malware. He must realize that he can't leave Russia without risking arrest.
Gribodemon went on holiday to the Dominican Republic. He was eventually arrested and extradited to the United States, where he awaits trial. The crime: Authoring the SpyEye malware kit. It's not certain if he will be convicted of SpyEye2 as well, but time will tell. Interestingly, Tilon (SpyEye2) went dark very soon after the arrest of Gribodemon. Both systems remain offline.
Select a viable alternative
It wasn't just these two businesses that were affected by the crackdown. Development on the Citadel code base also stopped, with the latest version seeing the light of day in late 2012. Fox-IT finds that the cyber criminals using Citadel are looking for a viable alternative, as the outdated Citadel browser hooking code no longer works on the latest versions of Firefox and Chrome, making it virtually impossible for the attacks to succeed at scale.
Fox-IT sees a lot of cyber criminals switching to KINS. Much like Citadel, KINS is based on the ZeuS source code. Often referred to as VMZeuS in the security world, the author first named his malware KINS, for Kaspersky Internet Non Security. Later, it was renamed to Kasper Internet Non Security, leaving a subtle reference to a friendly ghost.
Malware analysts are very interested in the KINS configuration, as it defines which financial institutions get targeted. To shield the configuration from deep-probing malware analysts, KINS won't actually start or load if it recognizes that it is being run by a researcher.
KINS has also implemented a virtual machine that hosts its configuration information in encrypted form and uses additional measures to determine if it has been compromised before decrypting and presenting the configuration. The use of the virtual machine is what gives this malware its alternative VMZeuS moniker. These are just a few of the most recognizable options available on the market. Fox-IT is tracking many more.
(Cyber) business lessons learned
It would be difficult to determine whether or not these cyber criminals purposefully followed any documented business best practices, but they did employ some as described below:
Follow the leader: Gribodemon saw the success of the ZeuS malware kit and introduced a competitive product that at first didn't have the best quality. However, it worked well enough to get people to consider his product and pay him money. It also enabled him to iterate in order to establish a solid foothold in the market.
Price to gain market share: Gribodemon first grabbed the mindshare of the market due to his extremely competitive pricing. This afforded him the ability to gain net new customers and even steal some customers away from Slavik.
Embrace price elasticity: As his product quality improved, Gribodemon was able to increase the price of his wares -- more than double -- while remaining extremely competitive compared to Slavik's offering.
Conduct a competitive takeout: Gribodemon initiated the competitive takeout method as a means to make it easy for Slavik's customers to switch to SpyEye. In a bit of back-and-forth, Slavik employed the same method in response to Gribodemon's takeout campaign, making it easier for each other's customers to switch sides.
Conduct a competitive upgrade: To capitalize on the success of the actual ZeuS botnet functionality, Gribodemon took advantage of the ZeuS configuration, giving the new customer immediate access to all of the hooks, knowledge, and connections the ZeuS botnet had already gained through its host.
Tough market? Change it: Experiencing pain coming from two sides -- the competition and the customer -- Slavik saw there was a need to change the game. To do this, he handed the expensive and exhausting customer support over to Gribodemon and changed the delivery model of his product from a perpetual kit to software-as-a-service. This forced Gribodemon and the rest of the players to chase a new horse.
Keep your friends close and your enemies closer: With the market's two leaders now on the sidelines, it will be interesting to see how new business leaders, new businesses, and new technologies will surface, battle each other, align with each other, and ultimately drive each other to the legal edge. Until that story is written, I suggest the world's financial institutions continue to beef up their anti-fraud programs to protect their systems--and their money--from these bots.
Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with independent articles published globally covering security, cloud, mobile, networking, virtualization, risk, governance, and compliance--with a focus on specialized industries such as government, finance, healthcare, law, and the supply chain.
This story, "The Zeus botnet and the making of a cyber crime market" was originally published by CSO.