Research findings from IBM indicate that the number of financial institutions targeted by the SpyEye Trojan is growing. In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using this Trojan.

Analyzing this malware’s command-and-control (C&C) centers, which the risk analysis team at IBM reviews every month, revealed that 60 percent of the SpyEye bots target financial institutions in the U.S. This is followed by the U.K. (53 percent), Canada (31 percent), Germany (29 percent) and Australia (20 percent).

Interestingly enough, the percentage of bots targeting Canadian banks more than doubled from 14 percent in May 2011 to 31 percent the following month.

Other destinations targeted by more than 10 percent of these bots include Italy, Ireland, UAE, Spain, Costa Rica, France, Turkey, India, Jordan, Russia and Portugal.

Meanwhile, SpyEye continues to expand its hit list. In May, it added targets in the Middle East to include Saudi Arabia, Bahrain and Oman. In June, financial institutions in Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru faced attacks. Russia is also a relatively new addition to the target list.

It is worth noting that the fraud patterns used here are somewhat different than those used by Zeus and other financial malware. Specifically, our risk analysis teams have observed new code being incorporated into the Trojan that is designed to evade transaction-monitoring systems.

Transaction-monitoring systems analyze various aspects of the customer’s session with the bank in order to detect abnormal behavior that may be attributed to malware activity.

These fraud developers appear to have figured out how these defenses operate and are now constantly trying to ensure their code activity flies under the radar of these threat protection and detection systems. The code seems to follow Agile software development practices: It is flexibly and simply coded, and new configurations are being rolled out as quickly as possible by its developers.
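As an added illustration (not IBM's code, and not how any particular bank's monitoring works), the following scores a banking session on a few of the "aspects of the customer's session" a transaction-monitoring system can look at: how quickly a transfer follows login, whether the account was ever viewed, whether a freshly added payee is paid immediately, and whether event timing looks scripted. The event format, rule weights and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    t: float          # seconds since login (constructed timeline)
    action: str       # page or action name in the online-banking session
    detail: str = ""  # e.g. payee identifier for add_payee / transfer_submit

def score_session(events: List[Event]) -> Dict[str, int]:
    """Return {signal_name: weight} for behaviours typical of automated in-session fraud.
    Rule weights and thresholds are illustrative, not tuned production values."""
    signals: Dict[str, int] = {}
    actions = [e.action for e in events]
    transfers = [e for e in events if e.action == "transfer_submit"]
    if transfers:
        # 1. A transfer submitted seconds after login: no human reads pages that fast.
        if transfers[0].t < 20:
            signals["fast_transfer"] = 3
        # 2. Transfer issued without ever looking at the balance/overview page first.
        before_transfer = actions[: actions.index("transfer_submit")]
        if "view_balance" not in before_transfer:
            signals["no_balance_view"] = 2
        # 3. A payee added and then paid within 60 seconds (classic mule pattern).
        for p in (e for e in events if e.action == "add_payee"):
            if any(tr.detail == p.detail and 0 <= tr.t - p.t < 60 for tr in transfers):
                signals["new_payee_immediate_transfer"] = 3
                break
    # 4. Near-identical gaps between events suggest a script, not a person.
    gaps = [b.t - a.t for a, b in zip(events, events[1:])]
    if len(gaps) >= 3 and max(gaps) - min(gaps) < 0.2:
        signals["machine_timing"] = 2
    return signals

def is_suspicious(events: List[Event], threshold: int = 5) -> bool:
    return sum(score_session(events).values()) >= threshold

# Constructed sample sessions: a plausible human one and a scripted one.
HUMAN_SESSION = [Event(0, "login"), Event(12, "view_balance"), Event(45, "view_statement"),
                 Event(130, "transfer_form"), Event(190, "transfer_submit", "ACC-123")]
SCRIPTED_SESSION = [Event(0, "login"), Event(1.0, "add_payee", "MULE-01"),
                    Event(2.0, "transfer_form"), Event(3.0, "transfer_submit", "MULE-01")]

if __name__ == "__main__":
    for name, s in (("human", HUMAN_SESSION), ("scripted", SCRIPTED_SESSION)):
        print(name, score_session(s), "suspicious" if is_suspicious(s) else "ok")
```

Malware that "flies under the radar" does so by making its session look like the human one (pausing, visiting the balance page, spreading actions out), which is why such rules need continual re-tuning rather than a fixed threshold.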

At certain times, we have even seen two new versions of the malware released every week. There is a large difference between a new version and a simple variant of financial malware. A new version means that the program code itself has been modified, whereas a new variant is just new packing around the same code.

Some of the changes that our risk analysis teams are seeing include very significant improvements to the malware’s core technology. The author’s ability to rapidly react and improve the software should be a major concern to anyone who already is — or who may be — on SpyEye’s target list.

SpyEye and Its Rapid Rise to Prominence

Although it seems much older, this malware toolkit surfaced less than two years ago in December 2009. Over the last 18 months, it has made several headlines, especially when it was revealed that the development team behind the malware was effectively merging it with that of the older Zeus code.

From the very beginning, SpyEye has been a highly aggressive Trojan. Interestingly, early versions of the malware included a feature to remove Zeus from an infected host machine.

This feature was, of course, there to ensure that SpyEye is the only financial malware on the infected computer. We have covered SpyEye a few times before in our blog, so the continued evolution of the malware toolkit is not surprising.

Overall, financial institutions should monitor development in the SpyEye toolkit, paying close attention to its attack vectors that target their brand as well as new attacks that target other financial institutions.

The intelligence from this process should be included in the financial institution’s security controls, such as anomaly detection and endpoint protection. The ability to react quickly to SpyEye’s changes in pattern is key to an effective fraud prevention architecture.
