Peter Coogan at Symantec put up a very interesting blog post yesterday about a crimeware kit called SpyEye v1.0.7 (on sale now on Russian sites for $500). The kit has a module that will kill a Zeus bot infection on a victim’s computer so that the bot created by SpyEye can take over the machine.

In September, Computer Weekly reported that the Swedish telco TeliaSonera shut down the Internet connections of Latvian company Real Host after it was linked to the Zeus botnet. At the time, researchers said they believed Real Host’s servers had captured about 3.6 million PCs for the Zeus botnet.

They linked Zeus to a Russian gang named Rock Phish, which is believed to be responsible for a massive number of the phishing attacks aimed at stealing credit card and banking information.

The Zeus network took the hit and recovered, however, sending out massive malicious spam campaigns to infect more machines. One campaign in September used income tax as its topic, and another in December used H1N1 as a lure.

Coogan said the SpyEye kit can also create crimeware with:
• keyloggers
• credit card modules
• daily email backup
• encrypted config files
• FTP protocol grabbers
• POP3 grabbers
• HTTP basic access authorization grabber

“If the use of SpyEye takes off, it could dent Zeus bot herds and lead to retaliation from the creators of the Zeus crimeware toolkit. This, in turn, could lead to another bot war such as we have seen in the past with Beagle, Netsky, and Mydoom,” he wrote.

He credits Mario Ballano Barcena with the analysis.

Symantec blog post: “SpyEye Bot versus Zeus Bot.”