In association with heise online

11 May 2011, 12:48

ZeuS source code freely available on the net

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Trojan An archive has appeared in various places on the internet whose contents turn out to be the source code of ZeuS (version In an interview with The H's associates at heise Security, malware expert Thorsten Holz confirmed the discovery and said that he has known about the archive for more than two weeks. Now, IT security firm CSIS has documented the discovery in a blog posting. Holz considers the RAR file that is available to heise Security as authentic, and CSIS has confirmed that the trojan's source code and matching PHP panel can be compiled. The archive also contains the builder that is required for generating executable malware.

It remains unclear who circulated the source code, and why. One of the archives in circulation is protected by a password AV vendors tend to use when replacing viruses in archives. Whether an AV vendor has accidentally leaked the source code is unknown. Other archives are protected by the password "zeus". That the code has been leaked is also surprising because it first went on sale on an underground forum only less than two months ago. While the author of ZeuS previously sold a full package for around $10,000, security expert Aviv Raff estimated that a price of $100,000 for the code was realistic. However, considerably smaller sums up to about four figures are more likely to have been achieved.

Zoom The ZeuS code is written in Visual C++.
The availability of the source code might breathe new life into ZeuS after things had recently gone comparatively quiet around the malware. Reportedly, ZeuS developer "Slavik" last year handed over his complete source code to SpyEye developer "Harderman" and withdrew from the development of ZeuS. RSA confirmed that SpyEye 1.3 contains some ZeuS source code components. However, Kaspersky said that a new, previously unknown, variant of ZeuS was discovered in March. According to the Kaspersky blog, this is an indication that a developer has provided customer support by integrating new features into the trojan.

It is very likely that various programmers will now take on the available ZeuS program code. Based on the source code, it will be easy for them to create and circulate new versions. However, since the anti-virus vendors have also been familiar with the code base for some time, a new generation of the trojan should be easy prey for any AV scanner.

(Uli Ries / crve)

Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit