Zeus Trojan's Source Code Leaked In The Wild

'Open source' Zeus could result in widespread infections

Dark Reading Staff, Dark Reading

May 11, 2011

3 Min Read
Dark Reading logo in a gray background | Dark Reading

The source code of the powerful Zeus Trojan used for stealing online banking credentials and other sensitive information is now out there for anyone to take, tweak, or use in an attack.

Denmark-based security firm CSIS Security Group blogged yesterday that it had discovered the source code was being leaked through various underground forums and places on the Internet. Peter Kruse, partner and security specialist with CSIS, says Zeus code now can be easily enhanced or modified. "We believe this will be used as both inspiration for new and complex banking Trojan variants, as well as abused in future attacks," he says.

The freely available code also makes it easier for script kiddies and hackers without the financial means to license the crimeware kit to now easily use Zeus or some new variant for infecting machines and stealing sensitive information. Liam O Murchu, manager of operations for Symantec Security Response, says his team has a copy of the source code and is currently analyzing it. "We've even seen some of the code being reused in other threats," Murchu says.

The big concern is that the freely available Zeus source code will lead to a flood of new Zeus variants as various malware writers clamor to customize it. Murchu says it could follow the path of the Sbot malware family from nearly five years ago, when the Sbot source code was released and various malware writers added their own functionality to it, some making it plug-ins or other features.

"We saw slight variants of the same code being released with slightly different configurations or modules -- some made it faster, some more lightweight ... It became just a huge flood of slightly different variants of these worms," he says. "It could be that we see that again with Zeus ... It becomes an open-source project where everyone adds their own functionality. We haven't seen that yet, but it's a possibility."

Aviv Raff, CTO of Seculert, says he has seen a copy of the source code, as well. He says recent posts about the new Mac OS X malware that includes a Zeus-like Web injection feature indicates it could have been based on the leaked source code. Raff says the Zeus user guide included with the source code includes support for Windows XP, Vista, Windows 7, and Windows 2003/2003R2/2008/2008R2.

The Zeus user guide says the Trojan also doesn't require administrative rights to operate on XP and with UAC enabled on Vista and Windows 7, Raff says.

Meanwhile, CSIS first noticed back in March that the crimeware kit was for sale in at least two black market forums.

"ZeuS/Zbot is already considered as being amongst the most pervasive banking Trojan in the global threat landscape. It is an advanced crime kit and very configurable. With the release and leakage of the source code the ZeuS/Zbot could easily become even more widespread and an even bigger threat than it already is today," Kruse wrote in the company's blog post yesterday.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights