Three months after Zeus’ source code has been spotted being sold for small amounts on underground online markets, Xyliton – a French security researcher and member of the Reverse Engineers Dream Crew – has made public a step-by-step tutorial that can allow anyone to crack the protection that confines the SpyEye toolkit to one physical device.
The crack works for version 1.3.45 of the SpyEye builder, and this development is sure to make a dent in the finances of Gribo-Demon, the team developing and selling the toolkit.
Security researchers welcome the news, as it will allow them to analyze the coding techniques used by the team and find bugs that could allow them to counter the threat that the toolkit presents.
Alas, not all ramifications of Xyliton’s action are positive. The existence and a wide dissemination of the tutorial means that now every individual with a modicum of knowledge can fine a leaked version of the toolkit, crack it and begin using it for its own criminal purposes. And some of them did – less than 12 hours after it was made available, according to security firm Damballa.
One of the results of the cracking process is also the removal of the name of the individual that develops the malware, which can usually be found on the top left hand side of the window, enclosed in square brackets.
“The crack released by Xyliton actually zero’s out the field to  so there can be no attribution to the actual operator beyond following the bread-crumbs of the command-and-control (CnC) infrastructure and then pump-and-dumping the remote CnC server allowing for more formal attribution,” explains Sean Bodmer, Senior Threat Intelligence Analyst at Damballa.
What we can now surely expect from the Gribo-Demon team is that they will be stepping up their game and work on improvements and new features that will make customers buy their wares instead of finding the leaked version and cracking it.
Unfortunately for computer users all over the world, all this means that the SpyEye threat will be now increasing exponentially.