Cheap Zeus source code will generate more Trojan variants

Barely two months after cybercriminals put the source code of Zeus up for sale at $100,000, reports are now coming in that the source code is being offered at bargain basement prices from multiple sources.

Since it was confirmed in early February that the Zeus source code was being hawked around for $100,000, it seems that market forces have taken over, with the code’s exclusivity and price having taken consequential tumbles.

I’ve observed before that the old adage of there being no honour amongst thieves applies equally to the cybercriminal world, and now it seems that this is even truer when it comes to electronic crime.

I said at the start of February that research teams were seeing multiple variants of Zeus appearing on users’ machines, and now my colleagues over at Trend Micro are reporting that the source code is being offered for sale on multiple forums by different people.

Kevin Stevens at Trend Micro said in his blog late last week that elements of the source code have been available for a couple of weeks, but it now appears that matters have become serious, now that the code is being file-shared amongst potentially hundreds of users.

The only piece of good news to stem from this file-share of Zeus’ source code is that the RAR files are reported to be password protected, but there are also reports, says Klein, that some groups of hackers are attempting to brute force hack the password.

This means it is only a matter of time before the source code for Zeus is released in the wild at little or no cost, a step that potentially means that thousands of cybercriminals can then develop toolkits to maximise their revenues from the malware.

This is a very worrying step, as it means that toolkits based on Zeus malware will then potentially be in the hands of so-called script kiddies.

As I said in early February, the extensible nature of Zeus, and its flexible ability to be recoded, means that the malware is likely to continue to be a problem for financial users of the internet, and their organisations, for some time to come.

What I didn’t foresee was how rapidly this prediction would turn out to come true, and on a vastly larger scale than anyone could have foreseen. We may yet see even more variants of Zeus appearing on a larger scale – and in a shorter timeframe – than anyone could have predicted.

And it’s against this backdrop that I am urging all users of the Internet, whether business or consumer, to patch their software and update their security applications. I also strongly recommend that they look at their options to better defend their Web surfing activities.

Prior to founding Trusteer, Amit Klein was Chief Scientist at Cyota (acquired by RSA Security), a leading provider of layered authentication solutions. In this role, Amit researched technologies that prevent online fraud, phishing and pharming. He filed several patents in those areas during his time at Cyota. Prior to Cyota, Amit worked as Director of Security and Research at Sanctum (acquired by Watchfire), where he was responsible for the security architecture of all Sanctum products. Prior to Sanctum, Amit spent almost 7 years serving in the Israeli Army as a research officer and project manager. He is a graduate of the prestigious Talpiot programme of the Israeli Army. He holds a B.Sc. (cum laude) in Mathematics and Physics from the Hebrew University (Jerusalem). Amit is also a world-renowned security researcher, having published over two dozen articles, papers and technical notes on the topic of Internet security.