The source code for the Zeus banking malware has been leaked online, leading to a frenzy of activity on what the consequences could be.
This led to a media frenzy of reports about the ‘leak', with The Register plausibly claming that the release could erode the paid market for the DIY malware kit and could also spawn entirelu new kits that clone the existing code and build new features or services on top of it.
The code was found by IT security firm CSIS Security Group, that said that it found it on several underground forums in a compressed zip archive, which under test conditions worked fine. In a recent article CSIS Security Group reported that the source code was being sold online for $5,000, half of its standard sale price of $10,000.
Peter Kruse, partner and security specialist at CSIS Security Group, previously told SC Magazine that the source code for Zeus had been leaked and was in circulation, saying that ‘this is no longer speculation'.
Learning of the new development of Zeus being available to be downloaded for free, Kruse told SC Magazine that the reality of making a non-modified/improved version of the Zbot crimekit was worth less than $0.
He said: “This is the source code, it is complete and it compiles just fine but expect backdoor code to begin circulating shortly. Today we saw URLs for the source code being tweeted and these might be slightly modified packages. We are still running through the code.”
I asked Kruse what the leak of Zeus could mean for its future and whether it could devalue it or did he think that we will see more (or even less) infection than before?
“My guess is that we will see re-brands starting to show up as this code goes into the public mainstream. Future re-brands could just be crimekit using the Zeus base code and with slight modifications, including a new UI/GUI on the client and server, but this could also lead to more advanced functions being added,” said Kruse.
“I remember the same thing happening with SDBot when that source code was released. This resulted in lots of new variants and an ‘open source like environment' where functions and add-ons were shared openly. With Zeus this would be a scary scenario. It has already made SpyEye a much more potent threat that the first variants.”
Orla Cox, senior security operations manager at Symantec, said: “Now that the Zeus source code is public, it's likely that the additional people able to access it will result in more attempted attacks. However their affect is likely to be limited due to the fact that the security community now has this code too and that attack kits are predominantly used by cyber criminals with limited technical skill.
“This leads them to use the code almost ‘as is', which will not be very effective now that the code has been compromised. In short, there may be more attacks but no more successful than they are already. However organisations and end users should continue to exercise appropriate policies over browser software and plug ins which attack kits typically exploit.”
Cox also claimed that the Zeus developers may see a temporary dent in their revenue as a result of this leak, however they may ultimately evolve the Zeus code to engineer modified attack kits that will sell in the underground economy.Bradley Anstis, vice president of technical strategy at M86 Security, said: “Perhaps the creators of Zeus have decided to shake up the market by giving away the tool kit for free and then making their money on the ‘WebInject' projects.
“If the owners of Zeus are also creating these add-ins, then they may believe that they can make more money out of these additional modules than out of the app itself. This would create a “Crimeware Freemium model.”The script kiddie is often seen as much less of a threat than the more organised or nation-sponsored cyber crime activity, but the public availability of such a potent threat could allow more variants to be created and distributed. On the other hand you have to consider how safe it would be to download, unzip and execute a file you found on an underground malware forum.