Fraud News Flash – The Downfall of the Mighty – Zeus Trojan’s Source Code Leaked and Now Available Everywhere

Categories: Fraud Intelligence

Word of yet another historical moment in cybercrime is quickly spreading through the fraud underground and through the legitimate web – the Zeus Trojan’s source code has been made public and is now freely available to anyone wanting a piece of the infamous old “King of Trojans.”

It appears that the Zeus source code has been leaked almost in full – either due to a mishap of some sort, or intentionally exposed by its current owner – hacker and coder “Gribodemon”/ “Harderman”. The entire source code, minus one interesting folder titled “Worm”, has been made available online, reaching even as far as malware researcher chat groups on some social networking sites.

The mere fact that code has somehow been leaked has raised some eyebrows; RSA Research Lab engineers have raised a suspicion that “Harderman” is behind an intentional leak, aiming to abolish the Zeus code’s value once and for all and increasing the sale of his hybrid SpyEye Trojan. The fact that the newest feature was missing from the leaked source code – most probably a replication mechanism planned for the Zeus Trojan – seems to hint to the possibility of an intentional leak.

By exposing Zeus this way a few developments may follow:

  • Malware code writers, other than those on “Harderman’s” team, may pick up where Zeus’ original coder left off and attempt to further develop the code, continuing to sell it to fraudsters.
  • Code writers may freely create and sell Zeus Trojan builders – for a fraction of its original price tag.
  • Zeus binaries may increasingly be sold by long time Zeus owners in SaaS mode, priced “per variant”
  • The Zeus code could be dispersed into the hands of many, causing its corruption and devaluation, rendering it obsolete.
  • SpyEye may continue rising as the Trojan of the chosen few – a crimeware tool par excellence made for cyber criminals who can afford the best.
  • SpyEye will likely replace Zeus as the only advanced crimeware code commercially available, along with support, upgrades and a strong development team running the arms race against online banking fraud prevention.

RSA Research Lab engineers have noticed the source code was oddly written in C++ while using the logic used in the much older “C” programming style. The binary compilation was written in PHP which may possibly hint that the coder is more proficient in writing PHP. The source code package includes a PHP pre-processor (php.exe), designed to allow executing PHP scripts ‘on the fly’, even on computers on which a PHP server is not installed.

The source code contains very detailed commentary for each function written by the coder as well as in-line commentary to clarify obscure code sections; a rather professional manner of handling the code writing. Writing commentary is more commonly used in ongoing projects, written over time and by multiple coders.

The developments concerning Zeus’ future are yet to be observed. One may keep in mind that most fraudsters do not possess the knowledge required to use the source code, let alone further developing the code.

The source code leak also necessarily means that Zeus is now fully exposed to research, meaning that anyone using parts of the source code for their own Trojan creations will make it easier for malware researchers to analyze and reverse-engineer the code.

RSA FraudAction Research Labs

The RSA FraudAction Research Lab is made up of some of RSA's most experienced internet security researchers, engineers and intelligence professionals with expertise in vulnerability research, reverse engineering and in-depth malware analysis. In this blog we report real-time developments in electronic crime, those who perpetrate it and the tools and methods they use. Research Lab blog posts bring you this diverse team's unprecedented insight, findings and opinions on topics including Underground Economy and fraud trends, fresh news from the world of cybercrime, information about Trojans, Phishing techniques, Botnets and how fraud from the online realm touches day-to-day life in the real world. Subscribe to The RSA Fraud Action Research Lab's RSS feed