There are wide varieties of malware, many of which have similar functionality. As a result there is a tendency to portray them as being in competition with on another. In some ways this is true, especially when it comes to malware authors, however, I prefer to see it as less of a rivalry and more of an opportunity for diversification on the part of the botnet operators. Recently there have been some articles that suggest that Zeus may be “dethroned” (“New threat set to dethrone Zeus“, “Online criminals are moving on from Zeus“) thanks to Bugat and Carberp.
Well, despite the recent arrests of over 150 individuals associated with Zeus-related bank fraud and the decline in the number of active Zeus command and control servers Zeus is still “going strong” and demonstrating its resilience.
However, this is not a property of the malware, but of the wide base of criminals that use it. While there may be a core of Zeus activity, anyone can use the Zeus toolkit to setup his or her own botnet. An additional factor to include is the fact that criminals make use of multiple malware kits, even rival malware kits.
The relationship between SpyEye (see two great SpyEye posts here and here) and ZeuS has been described as a rivalry — largely based on SpyEye’s ability to remove ZeuS from compromised computers — but botnet operators make use of both.
Here are two command and control server domain names that have hosted both Zeus and SpyEye. The domain coolparts31.tw was a known Zeus (see MDL) command and control, but I found that it was also hosting SpyEye. More recently, I have been monitoring mir-krossover.com that was a known Zeus command and control (see MDL) but is also hosting SpyEye.
http://mir-krossover.com/mirspy/mainadmin/bin/bd.exe
b911f40ff9573f33e73055b2267a5cd7 bd.exe
VT: 36/ 43 (83.7%)
http://mir-krossover.com/mirspy/mainadmin/bin/id.exe
e8091d2099a8472b27a62c5ae57be5e9 id.exe
VT: 37/ 43 (86.0%)
Malware diversification allows the botnet operators to run multiple botnets, increasing their resilience to countermeasures aimed at taking down one particular strain. In addition, they can capitalize on new features and functionality available across various toolkits. To counter such operations we need to look beyond the toolkit and and investigate the operators as well.
