Bank-robbing ZeuS Trojan returns: Is it just good business?
'Leaked' source code could be a marketing ploy, just like legitimate software companies do
Source code for the venerable and sophisticated ZeuS Trojan malware became available free on the Internet recently after having been leaked. Or was it leaked? At least one researcher thinks it could have been released intentionally as freeware as part of a marketing ploy to create demand for peripheral code and services.
So far that isn’t certain, said Bradley Anstis, vice president of technical strategy for M86 Security. “There is no hard evidence for any of the theories that have come out,” he said.
But the model is not a new one for legitimate software. The VMware hypervisor is available for a free download, for example, and the company makes money on selling support and other tools. There haven’t been examples of this model for malware yet, Anstis said, but in recent years the underground market for malicious code, services and ill-gotten gain has paralleled the legitimate software and services market.
Phony White House e-card the work of spies?
How the most common cyber exploits could be prevented
This could mean that the ZeuS malware, already implicated in the theft of tens of millions of dollars from banks, could become even more prevalent on the Web.
ZeuS, also known as Zeus, Zbot, Wsnspem and Gorthax and recently affiliated with SpyEye, was first identified in 2007 and has evolved to become one of the most sophisticated Trojans, specializing in the theft of bank account information. Its botnets contain millions of compromised computers, and the FBI last year arrested more than 100 “mules” who were being used to launder and move money that had been stolen from bank accounts via ZeuS.
ZeuS crimeware kits were reported selling online for from $700 to $15,000. Then, early in May, it was reported that the source code was in the open. Peter Kruse, partner at the Danish security firm CSIS, said in a blog post that the code was being distributed on several online sites.
“We even compiled it in our lab and it works like a charm,” Kruse wrote. “We can hereby confirm that the complete ... source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks.”
Anstis said the free availability is likely to make ZeuS the default malware code for developing new attacks, which could in turn create a larger market for add-on services that the developers could profit from.
Marketers of crimeware already sell services, including support and maintenance, and ZeuS is no exception. Websites already are commonly offering webinjects for ZeuS and SpyEye to help users tailor their attacks against specific targets. Ready-to-use injects for U.S. targets available on one site include eBay, PayPal, Verizon Wireless, Valley National Bank, Bank of America, Chase and American Express.
“We can develope [sic] webinjects to your needs if you provide logins for testing it,” the site says. “Injects can be made on for any country and any language if you provide details for it. All injects are tested on accounts before selling.”
The market for these products, as well as for support and maintenance contracts, is likely to grow if ZeuS becomes even more popular with the bad guys. Reducing the cost of entry from $15,000 to zero could attract not only lots of new customers, but also customers with fewer skills who are more likely to need add-ons and support.
“It could be a really smart move,” Anstis said.
In the end, it might not matter a lot whether the release of the ZeuS code was intentional, but it is disturbing to think that the bad guys are using our own business models against us.