SpyEye Exposes Mules

by Guillaume Lovet
November 10, 2010 at 1:07 pm

In anticipation of the expected merger between the two infamous banking malware families ZeuS and SpyEye, our Threat Analyst Kyle Yang spent some time dissecting the most recent version of SpyEye we could get our hands on (W32/SpyEye.C!tr.spy).

While SpyEye shares some similarities with ZeuS (encrypted/compressed configuration file, updateable injection scripts, drop zones, update zones for binary and config updates, etc.), one extra feature quickly caught our attention: SpyEye connects to a “log server,” separate from the server it fetches updates from, where the fraudulent transactions performed by the trojan are logged:

Of course, because most banks today won’t allow transactions initiated online to be transnational, the recipients of such transfers are what we call “mules” (in money laundering jargon) or “drops” (in the jargon used by cybercriminals themselves): intermediaries between the victim and the cybercriminals, living in the victim’s country.

Unsurprisingly, the drops are not hardcoded in the trojan’s binary, but simply configured in the log server itself:

Note: Names and account numbers were modified to dumb values for the screenshot

The rest of the drop info was left untouched, which prompts comments on two items:

  • Transfer limits: Those are relatively low, possibly to stay “under the radar.” Transferring a large sum of money “in small chunks” in order to avoid anti-laundering legislation (where mandatory records and reports are required for large sums, etc.) is called “smurfing.” While the chunk limit in the USA is $10,000, thus well above the ~1000 upper limit used by SpyEye, we are not sure these are dollars. They could be British Pounds, and in the UK there is no chunk limit: any suspicious transaction must be reported. Or… the SpyEye upper limit may simply reflect the amount of trust the cybercriminals have in each particular drop.
  • A percentage: It very likely represents the share taken by each of the two parties (the mule and the cybercriminal) on the transfers. Now, given the imbalance (90% – 10%) it creates, the question is: who gets 10%, and who gets 90%? Some years ago, the question would have been quickly resolved, with the cybercriminals usually taking the bigger piece of the cake – which would seem normal, as they were the ones putting the most effort into the whole operation. But with the large “mule busting” operations conducted in the UK and US lately, it is quite possible that the odds have been inverted, which would seem… normal – given the risks now involved for each party. That would at least indicate that while mule busting operations led by law enforcement do not catch the bigger fish, warmly sheltered under the complexities of transnational judiciary operations, they do contribute to making them less rich.
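The “smurfing” pattern described above (many transfers, each kept under a per-drop limit, adding up to a larger sum for one recipient) is something a bank’s fraud-screening side can look for. The following is an added example written for this post, not code from Fortinet or from the SpyEye analysis; the transfer records, the 1000 per-transfer limit, the 7-day window and the minimum count of 3 are all constructed assumptions, chosen to mirror the limits shown in the log server screenshot.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers (not real data): (ISO timestamp, recipient account, amount).
# ACCT-DROP-1 receives three sub-limit transfers in two days; the others do not match.
SAMPLE_TRANSFERS = [
    ("2010-11-01T09:12:00", "ACCT-DROP-1", 950.0),
    ("2010-11-01T13:40:00", "ACCT-DROP-1", 980.0),
    ("2010-11-02T10:05:00", "ACCT-DROP-1", 900.0),
    ("2010-11-01T11:00:00", "ACCT-PAYROLL", 2500.0),   # single large transfer, not structured
    ("2010-11-03T08:30:00", "ACCT-DROP-2", 400.0),     # one small transfer, below min_count
]


def find_structured_recipients(transfers, per_transfer_limit=1000.0,
                               window_days=7, min_count=3):
    """Flag recipients that receive at least `min_count` transfers, each below
    `per_transfer_limit`, within any `window_days` sliding window, where the
    aggregate reaches or exceeds the per-transfer limit.

    Parameters are assumptions for this example, not values from the post.
    Returns {recipient: {"count": n, "total": amount}} for flagged recipients.
    """
    by_recipient = defaultdict(list)
    for ts, recipient, amount in transfers:
        # Only sub-limit transfers can be part of a structuring pattern.
        if amount < per_transfer_limit:
            by_recipient[recipient].append((datetime.fromisoformat(ts), amount))

    flagged = {}
    window = timedelta(days=window_days)
    for recipient, events in by_recipient.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside window_days.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            total = sum(amount for _, amount in chunk)
            if len(chunk) >= min_count and total >= per_transfer_limit:
                flagged[recipient] = {"count": len(chunk), "total": total}
                break  # one matching window is enough to flag this recipient
    return flagged


if __name__ == "__main__":
    for recipient, info in find_structured_recipients(SAMPLE_TRANSFERS).items():
        print(f"{recipient}: {info['count']} sub-limit transfers totalling {info['total']:.2f}")
```

The sliding window keeps the check linear in the number of transfers per recipient, and the `break` means a recipient is reported once rather than for every overlapping window. Tune the limit and window to the institution’s own reporting thresholds; the values here only mirror the order of magnitude seen in the SpyEye drop configuration.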

Kyle will address some technical points in an upcoming post.

Author bio: Guillaume Lovet is the head of Fortinet's FortiGuard security research team in EMEA and a regular speaker at international antivirus conferences.

Papers of VB2009

by David Maciejak
October 29, 2009 at 10:03 am

The papers Bryan, Guillaume and I presented at Virus Bulletin 2009 have been available on the FortiguardCenter since yesterday:

‘I am not a numero!’: assessing global security threat levels – Bryan Lu

Fighting cybercrime: technical, juridical, and ethical challenges – Guillaume Lovet

Botnet-powered SQL injection attacks: a deeper look within – David Maciejak & Guillaume Lovet

It’s the 4th year in a row that Fortinet has had at least one paper in the line-up, but the first time we hit a count of three presentations.

The conference was held last month in Geneva, Switzerland, and was quite exciting (see program here). Despite the economic situation, the number of attendees hit a record high this year – which was perceptible during the keynote presentation, but less so afterwards. It seems as if, over time, people are coming to consider the conference more as a social and professional networking event than a presentation-driven one.

We did follow some presentations in the corporate and technical tracks, the latter slightly more crowded. There were some nice discussions around current topics such as cloud computing (Marian Radu and Hilda Larina Ragragio from Microsoft) or malware sandboxing (Thomas Mandl of Secure Business Austria/IKARUS Security Software, Florian Nentwich of IKARUS Security Software, Ulrich Bayer and Engin Kirda from Vienna University of Technology/Institute Eurecom), as well as more traditional static analysis (Elda Dimakiling, Francis Allan Tan Seng and Scott Wu from Microsoft) and botnet history (Erik Wu and Gunter Ollmann, Damballa). I was particularly interested in the in-depth looks at some threats like Koobface (Ryan Flores, Joey Costoya and Jonell Baltazar from Trend Micro) or vulnerabilities like MS08-067. Guillaume also gave a good presentation on poorly-known aspects of fighting cybercrime. Threats leveraging popular Internet web sites also had the honor of multiple presentations this year (especially Twitter and Facebook).

At upcoming events, I would love to see more discussion around mobile security. Besides the “iPhone v3 malware vector” presentation (Marius van Oers from McAfee), the only other one was “Mobile malware/security: iPhone in the enterprise,” but unfortunately it was canceled. Nonetheless, this year’s vintage of the iconic conference of the AV industry was good, and as always a perfect occasion to put faces to various names (and beers into various faces). I hope the 2010 one will be just as good, so… see you in Vancouver?

Author bio: David Maciejak works as a security researcher for Fortinet. His primary role is to follow vulnerability trends and provide preventative protection to customers.