The source code to the infamous Zeus crimeware kit, which has been sold on underground forums for years, has been leaked and is now available for anyone to see if they know where to look.
Security researchers over the weekend noticed that files that appeared to contain the source code for the Zeus crimeware kit were starting to pop up on various forums frequented by attackers and cybercriminals. Zeus, a banking Trojan builder rather than a browser exploit kit, is perhaps the most well-known crimeware kit of its kind right now, and has been used by a variety of attackers for numerous malware campaigns and targeted attacks.
Danish security firm CSIS saw copies of the Zeus source code appear on underground forums in the last few days and took the time to download and compile the code.
“This weekend we found the complete source code for this crime kit being leaked to the masses on several underground forums as well as through other channels. We already collected several addresses from where it is being distributed in a compressed zip archive. We even compiled it in our lab and it works like a charm,” CSIS’s Peter Kruse wrote in a blog post.
Zeus has been sold in the criminal underground for several years now, and versions of it have been found to be part of a number of targeted attacks. The kit itself can be quite expensive to buy; researchers say that a license can sell for roughly $5,000. The availability of the Zeus source code will likely not only wipe out the market for Zeus licenses, but also put the kit in the hands of a different class of attacker, one that previously could not afford it or could not get vetted to buy it.
“We believe this will be used as both inspiration for new and complex banking Trojan variants as well as abused in future attacks. The code can easily be modified and even improved in functionality,” Kruse said in an email interview.
“With the source code in the wild it’s likely we’ll see an increase in attacks since lots of potential criminals might have been lacking both financials and trustworthiness to obtain their own license of this kit. Now being available as source code we’ll likely see a rebranding and slight modifications distributed from various sources.”
Several months ago, the code bases for the Zeus kit and the SpyEye kit were reportedly merged, and speculation among researchers was that development on Zeus had stopped. However, as Kaspersky Lab researcher Dmitry Tarakanov noted in March, that isn’t necessarily the case.
“A few days ago I found a ZeuS sample that also checks if it is being analyzed, for example, by antivirus companies. The functionality is basically the same but with minor modifications – another criterion for detecting a new test platform had been added. In this variant of ZeuS there are also modifications to the structure in pieces of code, which had remained unchanged for over 6 months and been used in thousands of samples of the Trojan,” Tarakanov said in a blog post on new developments in Zeus variants.
Aviv Raff, CTO of security firm Seculert, said he had seen a recent copy of the Zeus source code as well, and found some interesting bits in it. The source code includes both a FAQ section and a full user manual, which lists the kit’s support for various operating systems, including Windows 7, Vista and some older versions, as well as Windows x64. The FAQ section spells out how the Zeus malware generates the unique bot ID for each infected machine and what the iterative version numbers mean.
Like Kruse, Raff expects the release of the Zeus code to lead to further changes and modifications to the attack tool.
“Unfortunately, this [leak] means that we will probably see more hybrid malware in the future, and not only the ‘SpyZeus’ (as in latest SpyEye versions). There are rumors of a new Mac OS X banker Trojan which includes ZeuS-like web injections. The author of this kit might have taken the code of the web injection parsing from this public release,” Raff said.