SpyEye Trojan country hit list

The number of financial institutions targeted by the SpyEye Trojan is growing, according to Trusteer. Its risk analysis teams have also observed an increase in the number of countries whose financial institutions are being targeted by fraudsters using SpyEye.

Analyzing the SpyEye command and control centers revealed that 60% of the SpyEye bots target financial institutions in the US. This is followed by the UK with 53%, Canada with 31%, Germany with 29%, and Australia with 20%. The figures add up to well over 100% because a single bot's configuration normally targets institutions in several countries at once, so each percentage is the share of bots whose target list includes that country.

Interestingly enough, the percentage of SpyEye bots targeting Canadian banks has more than doubled from 14% in May to 31% in June.

Other countries whose financial institutions appear in the target lists of more than 10% of SpyEye bots include: Italy, Ireland, UAE, Spain, Costa Rica, France, Turkey, India, Jordan, Russia, and Portugal.

In addition, SpyEye continues to expand its “hit list”.

In May, SpyEye added targets in the Middle East including Saudi Arabia, Bahrain and Oman. In June, financial institutions in Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru were attacked. Trusteer has also observed that Russia is a relatively new addition to the target list.

Mickey Boodaei, Trusteer’s CEO comments: “It is interesting to note that the fraud patterns used by SpyEye are somewhat different than Zeus – and other financial malware. Specifically, our risk analysis teams have observed new code being incorporated into SpyEye that is designed to evade transaction monitoring systems.”

Transaction monitoring systems analyze various aspects of the customer's session with the bank (the sequence and timing of actions, the transactions requested, and how they compare with the customer's normal behaviour) in order to detect abnormal activity that may be attributed to malware.

SpyEye's developers appear to have figured out how these defenses operate and are now constantly adjusting their code so that its activity flies under the radar of these detection systems.

SpyEye's developers seem to follow agile software development practices: the code is kept flexible and simple, and new configurations are rolled out as quickly as possible.

At certain times, Trusteer has even seen two new versions of the malware released every week. It’s important to note that there is a large difference between a new version and a simple variant of financial malware.

A new version means that the program code itself has been modified, while a new variant is just new packing around the same code. The distinction matters for defenders: a new variant changes the file on disk, and so defeats matching on file hashes, without changing the malware's behaviour, whereas a new version changes what the malware actually does.
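The following is an added illustration of the version-versus-variant distinction, not code from the article, from Trusteer, or from SpyEye. It uses a constructed toy "packer" (a magic prefix, one XOR key byte, and the XOR-encoded body) to stand in for a real packing layer: re-packing the same code with a new key changes the file hash, as a new variant does, while hashing the unpacked code still matches; a change to the code itself changes both, as a new version does. The code strings and the packer format are assumptions made for the example.

```python
import hashlib

# Constructed toy packer format, not SpyEye's real packing: a 2-byte magic,
# a 1-byte XOR key, then the XOR-encoded payload. Re-packing the same payload
# with a new key changes every byte after the magic.
MAGIC = b"PK"


def pack(payload: bytes, key: int) -> bytes:
    """Wrap payload in the toy packer format using the given XOR key."""
    if not 0 <= key <= 255:
        raise ValueError("key must fit in one byte")
    return MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> bytes:
    """Strip the toy packer layer and return the original code."""
    if len(sample) < 3 or sample[:2] != MAGIC:
        raise ValueError("not a sample in the toy packer format")
    key = sample[2]
    return bytes(b ^ key for b in sample[3:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(sample: bytes, known_code_hashes) -> str:
    """Classify a packed sample against hashes of already-analysed unpacked code.

    Same unpacked code as something already known -> 'variant' (new packing only).
    Unpacked code never seen before -> 'new version' (the code itself changed).
    """
    code_hash = sha256(unpack(sample))
    return "variant" if code_hash in known_code_hashes else "new version"


# Constructed stand-ins for malware code; real samples would be binaries.
CODE_V1 = b"inject(browser); hook(HttpSendRequest); grab(form_data)"
CODE_V2 = CODE_V1 + b"; evade(transaction_monitor)"


def demo() -> dict:
    """Hash the same code under two packings, and changed code under a third."""
    sample_a = pack(CODE_V1, 0x5A)   # original analysed sample
    sample_b = pack(CODE_V1, 0xC3)   # same code, new packing: a variant
    sample_c = pack(CODE_V2, 0x5A)   # changed code: a new version
    known = {sha256(unpack(sample_a))}
    return {
        # File-level hashes of a and b differ even though the code is identical.
        "file_hashes_differ_a_b": sha256(sample_a) != sha256(sample_b),
        # Hashing after unpacking sees through the new packing.
        "code_hashes_equal_a_b": sha256(unpack(sample_a)) == sha256(unpack(sample_b)),
        "class_b": classify(sample_b, known),
        "class_c": classify(sample_c, known),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The practical point is where a signature is taken: a signature on the packed file must be refreshed for every variant, while one taken on the unpacked code survives re-packing and only needs refreshing for a genuine new version.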

Some of the changes Trusteer's risk analysis teams are seeing include very significant improvements to the core SpyEye technology.

The authors' ability to react rapidly and improve the software should be a major concern to any institution already on SpyEye's target list, and to any that may be added to it.
