The source code for the Zeus banking Trojan has been leaked on the Internet, which will allow pretty much anyone interested in crafting a malware attack to do so, provided they know where to look.
The complete source code for the Zeus malware kit is being freely distributed as a ZIP file on several underground forums, Peter Kruse, a security researcher with Danish security firm CSIS, wrote on the company blog on May 9. Kruse downloaded the ZIP file, compiled the code and confirmed it worked “like a charm.”
Zeus, also known as Zbot, is one of the most advanced pieces of malware currently active and is commonly used to steal money from victims’ online banking accounts.
Previously, cyber-criminals interested in setting up their own Zeus botnets had to buy the malware kit from closed underground forums. As crimeware kits go, Zeus was fairly expensive, costing roughly $5,000 for the ability to download malware, inject fields into forms and log victims’ keystrokes. It has been used in a number of targeted attacks using several attack vectors, including SMS, spam and rogue Websites.
“We can hereby confirm that the complete Zeus/Zbot source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks,” Kruse wrote.
The code is not so readily available that any kid can get a hold of it, Kevin Stevens, a senior threat engineer at Trend Micro, told eWEEK. It has been leaked to various groups for more than a month but became more open just a few days ago. Stevens even saw a “few people” sharing the code within their LinkedIn groups.
The volume of online threats will likely increase now that “less experienced Bad Guys” have access to high-quality malware, Tim van der Horst, a malware researcher at Blue Coat Systems, told eWEEK.
It “lowered the bar of entry” for malware authors who want to create banking Trojans, Pierre-Marc Bureau, a senior researcher at ESET, told eWEEK, because now they can just download the code and compile it without having to pay for it. Any junior programmer can now easily copy-and-paste desired functionalities and include them in another malware application, thereby creating a new Zeus variant.
The Zeus copy-cats, when they come, shouldn’t be too hard to recognize and analyze, since “most of the tricks have already been studied through reverse engineering,” according to Bureau.
The availability of the source code won’t give security researchers any advantage over cyber-criminals. Zeus has been updated continuously over the “past not-quite-three” years, so researchers have already been looking at samples “non-stop since then,” Aryeh Goretsky, distinguished researcher at ESET, told eWEEK. However, the actual code may give researchers insight into the “psychology” of the original Zeus creator.
“Anti-malware is, in some sense, like playing 100,000 games of chess a day, and having some understanding of your opponents’ thought processes can be of some benefit,” Goretsky said.
Researchers speculated the code may have been leaked to create more complicated Zeus variants. Zeus botnets are notoriously difficult to shut down because each network operates independently of each other. Shutting down one operation doesn’t affect all the other Zeus variants merrily stealing funds from victims’ bank accounts.
“If the leak was intentional, it could be an attempt to flood the market with one-off variants Zeus-based malware,” van der Horst said. Such an increase in malware volume would create a lot of “noise” that may distract security researchers from noticing the next generation of stealthy malware, according to van der Horst.
After the Spyeye Trojan started exhibiting some Zeus capabilities, many researchers speculated that there would be no more active development on Zeus. Kaspersky Lab researcher Dmitry Trakanov reported in March that Zeus was still being modified.