Zeus FaaS Comes to a Social Network Near You

By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA

FaaS: Never a Dull Moment

The cybercriminal practice of operating Trojans and botnets has a long history on the Internet, an especially thriving one since the release of the first commercial banking Trojan, Zeus, in 2007.

Since then, the ever-evolving world of financial malware has seen many turns of the tide with new banking Trojans released, then disappear in dramatic underground events.

Through it all, the one constant has been cybercrime’s Fraud-as-a-Service offerings market, enabling the sale of Trojan bits and bites, or entire package deals, to those who could not afford a complete kit, or had no idea where to begin.

Typical Trojan FaaS deals offer a Trojan like Zeus, SpyEye, Ice IX, or even Citadel for a few hundred dollars instead of the full kit price going for a few thousands rather. FaaS deals sweeten the pot with bulletproof hosting at a discount, free set-up services, hands-on tutoring and malware-campaign help wrapped into affordable combos.

While it is beyond doubt a thriving economy, Fraud-as-a-Service mostly remained hidden in the deep enclaves of dark online markets, only advertised to those who were in the know, sought in the right place, or knew the right people. But that’s all a thing of the past, it seems. Social networks are such a great place for malware infections and phishing, why not just market the botnet directly from there?

Zeus FaaS Comes to a Social Network Near You

A recent discovery by RSA researchers shows a new FaaS offering that is being marketed directly via a popular social network. The sale item: a customized botnet panel programmed to work with the Zeus Trojan – both reworked by what appears to be an Indonesian-speaking malware developer.

Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions), the developer and his team created a demo website for potential buyers – which they have no qualms about sharing publicly, and best of all—a Facebook page with frequent updates and information about botnets, exploits, cybercrime, and their own product (Zeus v

Why is This New or Interesting?

New Crime Products

Since the Zeus code leak in mid-2011, the world of information security foretold the coming development of new breeds of the malware and the compilation of working variants from the source code in the hands of those versed in malware programming. Seeing new customized Zeus Trojans out in the wild is very common, but seeing someone marketing a Zeus v1 kit is not.

This case shows that the code leak, leading to the availability of the Trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena.

No Fear

Marketing cybercrime in such an open and accessible manner is not something common. Cybercriminals usually fear for their freedom and will not expose their endeavors online to potential undercover cyber-police officers and security research. Those who would take such a chance, in favor of selling their wares to a larger audience, do so because they trust the anti-digital crime laws in their counties are more forgiving or downright absent.

What’s The Overall Effect?

The cybercrime underground may have lost most of the access it had to the major commercial Trojans after Zeus, SpyEye, Ice IX and Citadel’s developers all decided to quit vending their malware freely, but it seems that FaaS is definitely keeping things alive in the crime world.

With affordable kits and readily available developers selling it, even an old Trojan like Zeus v1 can do the job, enticing would-be criminals to try their hand at harvesting bank credentials and online financial fraud scenarios.

Laws and Punishment – Best Deterrents

Cybercrime is a rampant phenomenon, and while it is known that policing is not yet up to par in its ability to control crime on the Internet, the most evident deterrents to online crimes are the law’s long-reaching, heavy arms.

International investigation efforts and collaborations leading to the arrests of numerous cybercriminals, botnet operators, fraudsters and online gangs have been the driver for malware developers to minimize their publicly-available operations and find a hiding place to continue their illicit activities.

Laws and actual punishments are developing all over the world; the more people understand that digital crimes can be investigated, uncovered, proven and lead to jail time, the more they would hesitate before deciding to dabble in cybercrime.

A social networking page dedicated to potential buyers and those interested in botnets, exploits and cybercrime
A social networking page dedicated to potential buyers and those interested in botnets, exploits and cybercrime


Demo website allowing potential buyers to look at the botnet control panel and options they can use
Demo website allowing potential buyers to look at the botnet control panel and options they can use


Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.

No Comments