Security Response

The Pupil Usurps the Master—Not So Fast

Created: 17 Feb 2010 20:28:00 GMT • Updated: 23 Jan 2014 18:29:34 GMT
Hon Lau

Since as far back as I can remember there has always been talk of rivalry and wars between various malware creators. The testosterone-fuelled battles may have even been encouraged by the media running stories of how such-and-such botnet “has X million nodes,” egging the botnet herders to try and outwit and outgrow each other in a competition to grab market share.
 
Take, for example, the Zeus botnet (Trojan.Zbot). This has been around for some time and has now developed into a mature piece of malware that is widely sold and used by wannabe eCriminals to steal information from hapless victims throughout the Internet. The ease of use afforded by the Zeus Trojan builder has helped it achieve its notorious status as one of the most widely seen bots in the world.
 
As with the gold rush in the previous centuries, some people learned that it was easier and more profitable to supply the tools to the people who do the digging than to do the digging themselves. Of course, some would-be eCriminals were not slow to catch on to the idea of providing Trojan creation kits as a business model. While the Zeus bot was by no means the first bot, its success has no doubt served as a model for success that has inspired a rash of copycat offerings. One such offering, named Trojan.Spyeye, was recently reported by my colleague Peter Coogan in his excellent blog. One of the features available in Spyeye was “Kill Zeus,” a feature blatantly designed to try and commandeer existing Zeus bots from their current owners, which could potentially start a bot war between the makers. However, with all that’s been said, it is still very early days for Spyeye—after about two months in circulation the level of activity is still very low.

[Chart: bot_activity.JPG, Spyeye versus Zbot activity on a logarithmic scale]

Compare and contrast the activity of Spyeye versus Zbot in the above chart. I had to make the scale a logarithmic one, otherwise Spyeye doesn’t even register on the same chart. Based on this data you can draw your own conclusions. Spyeye has a very long road to travel before it can even hope to usurp Zeus as the king of the bots, and we’ll do our utmost at Symantec to make that road as bumpy as possible.