
Vulnerabilities / Threats

5/10/2011 04:54 PM

Zeus Trojan's Source Code Leaked In The Wild

'Open source' Zeus could result in widespread infections

The source code of the powerful Zeus Trojan used for stealing online banking credentials and other sensitive information is now out there for anyone to take, tweak, or use in an attack.

Denmark-based security firm CSIS Security Group blogged yesterday that it had discovered the source code was being leaked through various underground forums and places on the Internet. Peter Kruse, partner and security specialist with CSIS, says Zeus code now can be easily enhanced or modified. "We believe this will be used as both inspiration for new and complex banking Trojan variants, as well as abused in future attacks," he says.

The freely available code also makes it easier for script kiddies and hackers without the financial means to license the crimeware kit to now easily use Zeus or some new variant for infecting machines and stealing sensitive information. Liam O Murchu, manager of operations for Symantec Security Response, says his team has a copy of the source code and is currently analyzing it. "We've even seen some of the code being reused in other threats," Murchu says.

The big concern is that the freely available Zeus source code will lead to a flood of new Zeus variants as various malware writers clamor to customize it. Murchu says it could follow the path of the Sbot malware family from nearly five years ago, when the Sbot source code was released and various malware writers added their own functionality to it, some adding plug-ins or other features.

"We saw slight variants of the same code being released with slightly different configurations or modules -- some made it faster, some more lightweight ... It became just a huge flood of slightly different variants of these worms," he says. "It could be that we see that again with Zeus ... It becomes an open-source project where everyone adds their own functionality. We haven't seen that yet, but it's a possibility."

Aviv Raff, CTO of Seculert, says he has seen a copy of the source code as well. He says recent posts about the new Mac OS X malware that includes a Zeus-like Web injection feature indicate it could have been based on the leaked source code. Raff says the Zeus user guide included with the source code lists support for Windows XP, Vista, Windows 7, and Windows 2003/2003R2/2008/2008R2.

The Zeus user guide also says the Trojan doesn't require administrative rights to operate on XP, or on Vista and Windows 7 with UAC enabled, Raff says.

Meanwhile, CSIS first noticed back in March that the crimeware kit was for sale in at least two black market forums.

"ZeuS/Zbot is already considered as being amongst the most pervasive banking Trojans in the global threat landscape. It is an advanced crime kit and very configurable. With the release and leakage of the source code the ZeuS/Zbot could easily become even more widespread and an even bigger threat than it already is today," Kruse wrote in the company's blog post yesterday.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
