The source code for the Zeus banking Trojan has been leaked on the Internet, which will allow pretty much anyone interested in crafting a malware attack to do so, provided they know where to look.
The complete source code for the Zeus malware kit is being freely distributed as a ZIP file on several underground forums.
Zeus, also known as Zbot, is one of the most advanced pieces of malware currently active and is commonly used to steal money from victims’ online banking accounts.
Previously, cyber-criminals interested in setting up their own Zeus botnets had to buy the malware kit from closed underground forums. As crimeware kits go, Zeus was fairly expensive, costing roughly $5,000 for the ability to download malware, inject fields into forms and log victims’ keystrokes. It has been used in a number of targeted attacks using several attack vectors, including SMS, spam and rogue Websites.
The code is not so readily available that any kid can get a hold of it. It has been leaked to various groups for more than a month but became more open just a few days ago. The volume of online threats will likely increase now that “less experienced Bad Guys” have access to high-quality malware, Tim van der Horst, a malware researcher at Blue Coat Systems had stated.
It “lowered the bar of entry” for malware authors who want to create banking Trojans, Pierre-Marc Bureau, a senior researcher at ESET stated. because now they can just download the code and compile it without having to pay for it. Any junior programmer can now easily copy-and-paste desired functionality and include them in another malware application, thereby creating a new Zeus variant.
Aviv Raff, CTO of Seculert, told ThreatPost that it is possible that the recent Mac OS Trojan exhibiting Zeus-like features may have copied portions of the code after it was publicly released.
The Zeus copy-cats, when they come, shouldn’t be too hard to recognize and analyze, since “most of the tricks have already been studied through reverse engineering,” according to Bureau.
The availability of the source code won’t give security researchers any advantage over cyber-criminals. Zeus has been updated continuously over the “past not-quite-three” years, so researchers have already been looking at samples “non-stop since then,” Aryeh Goretsky, distinguished researcher at ESET had said.
However, the actual code may give researchers insight into the “psychology” of the original Zeus creator.
“Anti-malware is, in some sense, like playing 100,000 games of chess a day, and having some understanding of your opponents’ thought processes can be of some benefit,” Goretsky said.
Researchers speculated the code may have been leaked to create more complicated Zeus variants. Zeus botnets are notoriously difficult to shut down because each network operates independently of each other. Shutting down one operation doesn’t affect all the other Zeus variants merrily stealing funds from victims’ bank accounts.
“If the leak was intentional, it could be an attempt to flood the market with one-off variants Zeus-based malware,” van der Horst said. Such an increase in malware volume would create a lot of “noise” that may distract security researchers from noticing the next generation of stealthy malware, according to van der Horst.
After the Spyeye Trojan started exhibiting some Zeus capabilities, many researchers speculated that there would be no more active development on Zeus. Kaspersky Lab researcher Dmitry Trakanov reported in March that Zeus was still being modified.