Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:54 PM
Connect Directly

Zeus Trojan's Source Code Leaked In The Wild

'Open source' Zeus could result in widespread infections

The source code of the powerful Zeus Trojan used for stealing online banking credentials and other sensitive information is now out there for anyone to take, tweak, or use in an attack.

Denmark-based security firm CSIS Security Group blogged yesterday that it had discovered the source code was being leaked through various underground forums and places on the Internet. Peter Kruse, partner and security specialist with CSIS, says Zeus code now can be easily enhanced or modified. "We believe this will be used as both inspiration for new and complex banking Trojan variants, as well as abused in future attacks," he says.

The freely available code also makes it easier for script kiddies and hackers without the financial means to license the crimeware kit to now easily use Zeus or some new variant for infecting machines and stealing sensitive information. Liam O Murchu, manager of operations for Symantec Security Response, says his team has a copy of the source code and is currently analyzing it. "We've even seen some of the code being reused in other threats," Murchu says.

The big concern is that the freely available Zeus source code will lead to a flood of new Zeus variants as various malware writers clamor to customize it. Murchu says it could follow the path of the Sbot malware family from nearly five years ago, when the Sbot source code was released and various malware writers added their own functionality to it, some making it plug-ins or other features.

"We saw slight variants of the same code being released with slightly different configurations or modules -- some made it faster, some more lightweight ... It became just a huge flood of slightly different variants of these worms," he says. "It could be that we see that again with Zeus ... It becomes an open-source project where everyone adds their own functionality. We haven't seen that yet, but it's a possibility."

Aviv Raff, CTO of Seculert, says he has seen a copy of the source code, as well. He says recent posts about the new Mac OS X malware that includes a Zeus-like Web injection feature indicates it could have been based on the leaked source code. Raff says the Zeus user guide included with the source code includes support for Windows XP, Vista, Windows 7, and Windows 2003/2003R2/2008/2008R2.

The Zeus user guide says the Trojan also doesn't require administrative rights to operate on XP and with UAC enabled on Vista and Windows 7, Raff says.

Meanwhile, CSIS first noticed back in March that the crimeware kit was for sale in at least two black market forums.

"ZeuS/Zbot is already considered as being amongst the most pervasive banking Trojan in the global threat landscape. It is an advanced crime kit and very configurable. With the release and leakage of the source code the ZeuS/Zbot could easily become even more widespread and an even bigger threat than it already is today," Kruse wrote in the company's blog post yesterday.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.