Gribodemon went on holiday to the Dominican Republic. He was eventually arrested and extradited to the United States, where he awaits trial. The charge: authoring the SpyEye malware kit. Whether he will also be held responsible for SpyEye2 is not yet known, but time will tell. Interestingly, Tilon (SpyEye2) went dark very soon after Gribodemon's arrest. Both operations remain offline.
Select a viable alternative
It wasn't just these two businesses that were affected by the crackdown. Development on the Citadel code base also stopped, with the latest version seeing the light of day in late 2012. Fox-IT finds that the cybercriminals using Citadel are looking for a viable alternative, because the outdated Citadel browser hooking code no longer works on the latest versions of Firefox and Chrome, making it virtually impossible for the attacks to succeed at scale.
Fox-IT sees a lot of cybercriminals switching to KINS. Much like Citadel, KINS is based on the ZeuS source code. The security world often refers to it as VMZeuS, but the author first named his malware KINS--for Kaspersky Internet Non Security. Later, it was renamed to Kasper Internet Non Security, a subtle reference to a friendly ghost.
Malware analysts are very interested in the KINS configuration, as it defines which financial institutions get targeted. To shield that configuration from deep-probing analysts, KINS refuses to start or load at all if it detects that it is running under a researcher's analysis environment.
KINS also implements a virtual machine that holds its configuration information in encrypted form, and it performs additional checks for tampering before decrypting and exposing the configuration. This virtual machine is what gives the malware its alternative VMZeuS moniker. These are just a few of the most recognizable options available on the market; Fox-IT is tracking many more.
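The two defensive layers described above (refuse to run under analysis, and only decrypt the configuration after a tamper check) follow a general pattern that is easier to reason about in code. The following Python block is an added illustration of that pattern and is not KINS's code, format, cipher or checks; the analysis indicators, the key derivation bound to a hash of the loader bytes, the HMAC-based stream cipher and the sample target list are all assumptions constructed for this example.

```python
"""Gated configuration loading: the target list is decrypted only after an
environment check and an integrity check both pass.  Added illustration of
the general pattern; NOT KINS's format, cipher or checks."""
import hashlib
import hmac
import json
import os

# Assumed analysis indicators.  A harness passes observations in as a dict;
# nothing is probed on the real host.  (Constructed for this example.)
ANALYSIS_USERNAMES = {"sandbox", "malware", "virus", "analyst"}


def environment_looks_like_analysis(env):
    """env: {'debugger_present': bool, 'username': str, 'uptime_seconds': int}"""
    if env.get("debugger_present"):
        return True
    if env.get("username", "").lower() in ANALYSIS_USERNAMES:
        return True
    if env.get("uptime_seconds", 0) < 300:  # freshly booted sandbox snapshot
        return True
    return False


def derive_key(master_secret, loader_bytes):
    """Bind the config key to a hash of the loader code.  Patching the checks
    out of the loader changes the hash, so a patched copy derives the wrong
    key and the authenticated decryption below fails."""
    digest = hashlib.sha256(loader_bytes).digest()
    return hmac.new(master_secret, digest, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode (assumed construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_config(key, config):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    plaintext = json.dumps(config).encode()
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_config(key, blob):
    """Returns the config dict, or None if the tag does not verify."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(key, nonce, len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))


def load_config(master_secret, loader_bytes, blob, env):
    """The gate: bail out before touching the blob if the environment looks
    like a lab; otherwise derive the key from the (unmodified) loader."""
    if environment_looks_like_analysis(env):
        return None
    return decrypt_config(derive_key(master_secret, loader_bytes), blob)


# Constructed sample data: a stand-in "loader binary", a master secret and a
# small target list.  None of these are real.
LOADER = bytes.fromhex("558bec83ec10")
MASTER_SECRET = b"example-master-secret-not-real"
SAMPLE_CONFIG = {"targets": ["bank.example", "pay.example"], "inject": "form-grab"}
BLOB = encrypt_config(derive_key(MASTER_SECRET, LOADER), SAMPLE_CONFIG)

CLEAN_ENV = {"debugger_present": False, "username": "jdoe", "uptime_seconds": 86400}
LAB_ENV = {"debugger_present": True, "username": "analyst", "uptime_seconds": 60}

if __name__ == "__main__":
    print(load_config(MASTER_SECRET, LOADER, BLOB, CLEAN_ENV))          # config
    print(load_config(MASTER_SECRET, LOADER, BLOB, LAB_ENV))            # None
    print(load_config(MASTER_SECRET, LOADER + b"\x90", BLOB, CLEAN_ENV))  # None
```

The third call shows the practical consequence for an analyst: once the key is tied to the loader's own bytes, patching out the environment check yields a binary that runs but can no longer decrypt its configuration. The usual answer is to leave the sample unmodified and instead satisfy or emulate the checks (or dump the decrypted configuration from process memory on a host that passes them), which is exactly the kind of extra effort a design like this is meant to impose.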
(Cyber)Business lessons learned
It would be difficult to determine whether or not these cybercriminals purposefully followed any documented business best practices. One thing is clear: they did employ some, as described below.
Follow the leader
Gribodemon saw the success of the ZeuS malware kit and introduced a competitive product that at first didn't have the best quality. However, it worked well enough to get people to consider his product and pay him money. It also enabled him to iterate in order to establish a solid foothold in the market.
Price to gain market share
Gribodemon first grabbed the mindshare of the market through his extremely competitive pricing. This allowed him to win net new customers and even to lure some customers away from Slavik.
Embrace price elasticity
As his product quality improved, Gribodemon was able to increase the price of his wares--more than doubling it--while remaining extremely competitive compared to Slavik's offering.