Zeus leaks give tools to researchers, attackers
- 14 May, 2011 07:09
The source code and a manual for the popular crimeware creation kit Zeus have been leaked, perhaps giving defenders additional tools to fight infections but also raising concerns that criminals may use the source code to create a rapidly expanding compendium of variants.
Nearly a week ago, copies of the source code to Zeus appeared on the Internet, according to Danish security firm CSIS. The release comes about the same time that a manual describing Zeus's functionality also appeared on the Web. While having access to the source code could be a boon to researchers, security professionals also worried that having access to the code could result in a spurt of innovation among criminals.
"It remains to be seen whether we see different flavors of Zeus appearing over the next few days, weeks or even months," says Paul Wood, senior analyst with Symantec.cloud. "Of course, the ability then is for the other bad guys to take advantage of some of the technology that they don't have in their tool kit and build that into their own technology, because there are certainly quite a lot of interesting features in the Zeus toolkit."
In 2004, the creator of the Agobot bot software posted his code to the public. Soon after, Agobot variants skyrocketed, turning the code for the software into one of the largest families of malware detected on the Internet.
Zeus is already popular and is frequently used as the means to steal money from victims' bank accounts. Yet, having the source code could help criminals create more variants of the malware, says Wood.
The release of the code comes around the same time as the publication of a manual for the software. In a tweet on Wednesday, Mikko Hypponen, chief research officer for security firm F-Secure, highlighted the document.
"Gives a good idea on how organized these guys are," he posted.
Yet, the public outing of both the source code and manual can help defenders create better ways of detecting variants of the Zeus code, says Symantec.cloud's Wood.
"The other side of the coin really is the ability to understand how these components are generated by looking at the source code, which enables us to put in place better rules to identify that type of malicious activity," Wood says. "If we can understand a bit about how they work, that allows us to build better rules to detect them."
Unfortunately, the code has not yet revealed much about the author or authors. In an analysis posted on Wednesday, Derek M. Jones, a visiting professor at Kingston University focusing on forensic software engineering, concluded that there is a single author who had some professional development experience and very strong English skills. Extending those conclusions is difficult, he says.
"There has been some research where people have tried to do some author attribution," he says. "But the problem is that people look for patterns, but in code, there are not a lot of patterns."
Or, as F-Secure's Hypponen deadpans, "They're Russian. That should help us a lot in finding them."