Zeus Sourcecode Leak Opens Up New Crimeware Markets: Researchers

Reports circulated last week that code for the latest version of the notorious banking Trojan Zeus was leaked on the Internet in at least three different locations, ensuring that almost any criminal hacker would be able to access the malware for free.

The Zeus banking Trojan is best known for its ability to build customized code penetrating bank accounts and sending users' credentials to remote servers controlled by the botnet owners. Most recently, the Zeus banking Trojan was linked to phishing attacks that spawned numerous illegal, high-dollar wire transfers between the U.S. and China.

Before its release, the Zeus crimeware kit provided a ready-made toolkit for hackers wanting to infiltrate users' banking credentials or accounts, and could sell for thousands of dollars on criminal underground markets, researchers said.

However, researchers say that the sourcecode leak was an indication that the notorious banking Trojan Zeus became commoditized with its wide distribution and prolific usage among the hacker community.

And at least one researcher said that the sourcecode leakage could have been an attempt by entrepreneurial cyber criminals to generate interest and boost pricing for specialized WebInject kits, that tailor banking Trojan malware to a specific bank, such as Bank of America or CitiBank.

Bradley Anstis, vice president of technical strategy for security firm M86, said that many legitimate software vendors, such as manufacturers of antivirus and backup software, employ a premium model that gives away a basic version for free, with the hopes that users will willingly pay a higher price for more advanced versions.

"What I'm thinking that the Zeus guys are doing is that, with more and more competition, they're trying to get back in the marketplace," he said.

Last week, Peter Kruse, a security researcher with Danish firm CSIS Security, told The Register that the leak would compel malware authors to develop newer, more advanced versions of Zeus.

“The sourcecode has until now been shared in very closed communities or bought by criminals with significant funds,” Kruse told The Register. “With the release of the entire code it's obvious we will see new versions/rebrands or improvements in general. If this grows outside of the established underground ecosystem it could have a significant impact.”

However, Anstis said that, congruent with standard economic patterns, the release of the sourcecode was likely a strategic move that put a premium on newer, specialized crimeware.

"This really looks like they're doing a premium model," Anstis said. "(Crimeware) follows the evolution cycle of all software -- when it gets more and more popular, the price eventually comes down. You can see Zeus crimeware starting to follow the path of commercial software."

Anstis said that down the road, it would not be surprising if other cyber criminals followed suit and released sourcecode to other widely distributed malware. "You create your own evolving marketplace that get you market dominance. If we are right, we'll start seeing source code from other Trojans coming out very quickly."