Zeus Source Code Leaked

The source code to the infamous Zeus crimeware kit, which has been sold on underground forums for years, has been leaked and is now available for anyone to see if they know where to look.

The source code to the infamous Zeus crimeware kit, which has been sold on underground forums for years, has been leaked and is now available for anyone to see if they know where to look.

Security researchers over the weekend noticed that files that appeared to contain the source code for the Zeus crimeware kit were starting to pop up on various forums frequented by attackers and cybercriminals. The Zeus exploit kit is perhaps the most well-known kit of its kind right now, and has been used by a variety of attackers for numerous malware campaigns and targeted attacks.

Danish security firm CSIS saw copies of the Zeus source code appear on underground forums in the last few days and took the time to download and compile the code.

“This weekend we found the complete source code for this crime kit being leaked
to the masses on several underground forums as well as through other channels.
We already collected several addresses from where it is being distributed in a
compressed zip archive. We even compiled it in our lab and it works like a charm,” Kruse wrote in a blog post.

Zeus has been sold in the criminal underground for several years now and versions of its have been found to be part of a number of targeted attacks. The kit itself can be quite expensive to buy, and researchers say that it can sell for roughly $5,000. But the availability of the Zeus source code not only will likely wipe out the market for Zeus licenses, but will make the kit available to a different class of attacker.

“We believe this will be used as both inspiration for new and complex banking Trojan variants as well as abused in future attacks. The code can easily be modified and even improved in functionality,” Kruse said in an email interview.
“With the source code in the wild it’s likely we’ll see an increase in attacks since lots of potential criminals might have been lacking both financials and trustworthiness to obtain their own license of this kit. Now being available as source code we’ll likely see a rebranding and slight modifications distributed from various sources.”

Several months ago, the code bases for the Zeus kit and the SpyEye kit were joined and speculation among researchers was that development on Zeus had stopped. However, as Kaspersky Lab researcher Dmitry Tarakanov noted in March, that isn’t necessarily the case.

“A few days ago I found a ZeuS sample that also checks if it is being
analyzed, for example, by antivirus companies. The functionality is
basically the same but with minor modifications – another criterion for
detecting a new test platform had been added. In this variant of ZeuS there are also modifications to the structure
in pieces of code, which had remained unchanged for over 6 months and
been used in thousands of samples of the Trojan,” Tarakanov said in a blog post on new developments in Zeus variants.

Aviv Raff, CTO of security firm Seculert, said he’d seen a recent copy of the Zeus source code, as well, and found some interesting bits in there. The source code includes both a FAQ section and a full user manual, which lists the kit’s support for various operating systems, including Windows 7, Vista and some older versions, as well as on Windows x64. The FAQ section spells out how the Zeus malware generates the unique bot ID for each infected machine and what the iterative version numbers mean.

Like Kruse, Raff expects the release of the Zeus code to lead to further changes and modifications to the attack tool.

“Unfortunately, this [leak] means that we will probably see more hybrid malware in the future, and not only the ‘SpyZeus’ (as in latest SpyEye versions). There are rumors of a new Mac OS X banker Trojan which includes a ZeuS like web injections. The author of this kit might have taken the code of the web injection parsing from this public release,” Raff said.

Suggested articles


  • Michael Barbere on

    The main selling point behind ZeuS were the continual updates to evade virus/malware scanners when you subscribed.  My understanding is that the ZeuS config files, binaries, and dropzones were released a couple of years ago.  

  • Anonymous on

    I don't think we have the same definition of "freely download". The only screenshot, provided in the links, related to the code acquisition method, shows someone saying he's selling the source code for big bucks. How is that related to "free download" ?
  • Anonymous on

    If you ever downloaded the zip archive and forgot the password, it's 'zeus'.

    I just downloaded it; ready to bake my noodle.

  • Anonymous on

    "Kevin B : I don't think that you and I have the same definition of "read the article."" Too bad you couldn't give any proof of what you said, that would just give you credibility. Oh, I think I know why... It's because the article has now been edited ! Without any proof, you can say whatever you want. I could even say that every malware source code has been released on "some underground forums" and link to a blog showing a screenshot of a guy saying "I'll give you those sources for 250000$". But since you have problems doing that, I'm gonna help you. Here is how to show someone he's wrong : "Here is a link to the ZeuS source code : http://www.pentestit.com/2011/05/13/famous-zeus-source-code/ proving that, yes, the zeus source code appears to be "freely" downloadable, you moron !"
  • Mark on

    For those who are interested, the ZeuS source code is also available here: http://www.mdl4.com/2011/05/download-zeus-source-code/

    Free upload hosting sites (including the one linked by pentestit) can be kind of spotty, and often stop hosting eventually.

  • Anonymous on

    What if i were to know the code?

    What would you say/do?

  • Anonymous on

    A quick review of the code left me astounded at the sophistication level we are dealing with.

    For the five thousand dollars, the customers really got a lot of code. I heard that the russian mafia was paying for students to get their degrees in computer science in return for siging on with them for a few years afterwards.

    This code is amazing. This is far beyond script kiddle hacks. This is a new world. 

  • Anonymous on

    i will download and will use then i will comment...

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.