
Mother of all Mergers

Imagine Steve Jobs saying Steve Ballmer just called him to say Microsoft decided to stop the development of Windows; that he just received a package containing the entire Windows source code; and that in what the industry will soon call the Mother of all Mergers, the two companies decided mutually to merge PC and Mac under the Apple brand.

This would be the equivalent of the earth-shaking turmoil rocking the fraud underground nowadays.

Rumours that the developers of Zeus - the world’s most popular piece of crimeware - may soon shut up shop spread like wildfire through the fraud underground a few weeks ago. After all, the Zeus Trojan kit is used by thousands of fraudsters, resides on millions of victim machines, and has a healthy industry of add-ons and custom models built by third-party crimeware writers.

But then came an even more shocking piece of news, publicly reported by cybercrime researcher and top blogger Brian Krebs: not only will the Zeus Trojan cease to exist, it will actually merge with its main rival, SpyEye.

Talk about mother of all mergers.

For those of you not following the latest and greatest in financial Trojans, SpyEye made an impressive debut less than a year ago.

SpyEye developed a very aggressive marketing strategy. Let's look at the four P’s of marketing:

Product: SpyEye was designed as a massive-use kit that caters for the same audience that buys the Zeus Trojan. It features a sleek graphical user interface, an advanced API and an easy-to-use plug-in architecture.

Price: Its basic package, covering Explorer only, sold for $1000 – a third of the price of the latest Zeus Trojan. Firefox form grabbing sold for another $1000, and more advanced modules sold for a few hundred dollars each.

Place: SpyEye was originally sold in a specific fraud underground forum, but after that forum was shut down by law enforcement it moved to multiple forums and is on offer to anyone wishing to buy it.

Promotion: Upon installing itself on a hijacked PC, SpyEye seeks out and removes any existing Zeus variants. This “Kill Zeus” feature actually became an important motif in SpyEye promotional materials.

Results arrived sooner rather than later. According to recent RSA data that tracks new Zeus servers popping up every month, for every 2 new Zeus servers there’s one new SpyEye server. This means it’s a widely accepted Trojan with growing popularity among cybercriminals.

Underground fraudsters are currently debating whether the Zeus - SpyEye merger reported by Krebs is real, or just propaganda by the SpyEye authors following a period of mysterious silence from the Zeus writers. One thing is clear: the dramatic announcement left the fraud scene with more questions than answers.

 

 


Uri Rivner


CEO and Co-Founder

Refine Intelligence
