Zeus leaks give tools to researchers, attackers

Crimeware leak could aid both the good and bad

The source code and a manual to the popular crimeware creation kit Zeus have been leaked, perhaps giving defenders additional tools to fight infections but also raising concerns that criminals may use the source code to create a rapidly expanding compendium of variants.

Nearly a week ago, copies of the source code to Zeus appeared on the Internet, according to Danish security firm CSIS. The release comes at about the same time that a manual describing Zeus's functionality also appeared on the Web. While having access to the source code could be a boon to researchers, security professionals also worried that having access to the code could result in a spurt of innovation among criminals.

"It remains to be seen whether we see different flavors of Zeus appearing over the next few days, weeks or even months," says Paul Wood, senior analyst with Symantec.cloud. "Of course, the ability then is for the other bad guys to take advantage of some of the technology that they don't have in their tool kit and build that into their own technology, because there are certainly quite a lot of interesting features in the Zeus toolkit."

In 2004, the creator of the Agobot bot software posted his code to the public. Soon after, Agobot variants skyrocketed, turning the code for the software into one of the largest families of malware detected on the Internet.

Zeus is already popular and is frequently used as the means to steal money from victims' bank accounts. Yet access to the source code could help criminals create more variations on it, says Wood.

The release of the code comes around the same time as the publication of a manual for the software. In a tweet on Wednesday, Mikko Hypponen, chief research officer for security firm F-Secure, highlighted the document.

"Gives a good idea on how organized these guys are," he posted.

Yet, the public outing of both the source code and manual can help defenders create better ways of detecting variants of the Zeus code, says Symantec.cloud's Wood.

"The other side of the coin really is the ability to understand how these components are generated by looking at the source code, which enables us to put in place better rules to identify that type of malicious activity," Wood says. "If we can understand a bit about how they work, that allows us to build better rules to detect them."

Unfortunately, the code has not yet revealed much about the author or authors. In an analysis posted on Wednesday, Derek M. Jones, a visiting professor at Kingston University focusing on forensics software engineering, concluded that there is a single author who had some professional development experience and had very strong English skills. Extending those conclusions is difficult, he says.

"There has been some research where people have tried to do some author attribution," he says. "But the problem is that people look for patterns, but in code, there are not a lot of patterns."

Or, as F-Secure's Hypponen deadpans, "They're Russian. That should help us a lot in finding them."


Robert Lemos

CSO (US)