Earlier this week, news broke that the source code for the Zeus Toolkit, arguably the most significant tool being used by cybercriminals this decade, was released to the public.
With the release many have sounded the alarm, and rightfully so, but is this really a game changer?
We can’t deny the fact that Zeus has been an incredibly profitable tool for cybercriminals. Its wild success was illustrated following the bust of a cybercriminal ring last fall that used a Zeus botnet in an attempt to steal up to $220 million, successfully grabbing $70 million from victims’ bank accounts, according to the FBI.
So what does having the Zeus toolkit source code “in the wild” really mean to the security industry?
“There are DIY kits for everything from Twitter controlled Botnets to videogame specific DDoS attacks, and as more individuals from lower down the food chain get their hands on the released Zeus source code, there could be some unforeseen consequences,” said Chris Boyd, senior threat researcher at GFI Software. “Not so long ago a bug in the official release allowed individuals to hijack Botnet Command and Control channels; I’d be surprised if this doesn’t happen with the many variants we’ll likely see over the coming months,” Boyd added.
But Wade Williamson from network security company Palo Alto Networks doesn’t think this event should send the industry into a frenzy. “In terms of who will benefit, there will likely be some immediate, but probably short term benefit to criminal organizations who can now get ZeuS essentially for free. But it is probably not that much of a game-changer for banks simply because the ZeuS kits were not that expensive to begin with (starting in the $500 range),” Williamson said.
Beyond having access to the Zeus toolkit and distributing the malware, fully capitalizing on it can be resource intensive. “Running a successful ZeuS operation requires a good deal of organization, setting up money mules for moving the money that is stolen and things of that nature. The cost of the kit is not really the big gating factor in most cases,” Williamson added. For those looking to simply collect and sell card numbers and banking credentials to those with the appropriate resources to cash out, however, it can be valuable.
Williamson also suggests that both security researchers and cybercriminal developers are likely to benefit from the release, indicating this may be somewhat of a double-edged sword. “The real benefit will be to malware researchers and crimeware developers. The whitehat researchers will be able to dig into the precise inner workings of ZeuS to provide better protection for enterprises from ZeuS and its variants, and the blackhat developers will be able to take the blueprints of one of the most financially successful bots ever and design new threats for the future,” Williamson said. “It’s a significant development in that it should certainly accelerate the cat and mouse game between the good guys and bad guys, but since both sides should benefit from the source code, it’s unlikely to tip the balance of power in the long run,” he concluded.
“Now that the Zeus source code is out in the wild, it’s guaranteed that more cybercriminals will launch their own more complicated variants of Zeus,” Stephan Chenette, Principal Security Researcher for Websense, told SecurityWeek. “The less technical cybercriminals now have access to read and learn from one of the most well-known malware kits. And because of that, we will definitely see an uptick in the malware targeting the banking industry.” GFI’s Chris Boyd agrees that having the code in the hands of less technical fraudsters or “script kiddies” could change things a bit. “Inexperienced coders modifying Zeus could end up releasing exploit-prone versions into the wild, and as a result we could see a rash of cannibalized command channels constantly changing hands thanks to poor coding,” Boyd said.
While we may experience an uptick in malware targeting the banking industry, some believe the implications could stretch beyond banks being targeted. Brendan Ziolo, vice president of marketing at Kindsight, a company that uses Deep Packet Inspection to identify threats, agrees that different variants will emerge, but believes new versions will target other organizations such as e-commerce companies. “The source code leak of the Zeus Banking Trojan is a serious threat and we are likely to see new variants of the Zeus attack in the coming weeks. We believe hackers will look to repackage Zeus to avoid detection from anti-virus software, tweak the code to improve the attack, and/or develop attacks that target e-commerce sites,” Ziolo told SecurityWeek.
Additionally, with Zeus variants being compiled differently, they may prove more challenging for anti-virus software to catch. However, Ziolo suggested that the communications protocol Zeus uses with its command-and-control (C&C) servers is not likely to change. Because of this, Ziolo believes network-based security solutions may be better positioned to identify these attacks sooner and more effectively than anti-virus software.
Interestingly, back in 2009, data coming from Trusteer revealed that 55% of systems infected with Zeus had up-to-date anti-virus software installed. Malware detection for Zeus has improved since, but this still demonstrates Zeus’ ability to evade many malware detection products.
“From a vendor point of view, when this sort of thing occurs, we must be ready to respond to customer and public queries about any countermeasures and safeguards that we can offer,” Jim Walter from McAfee stated. “Having said that, Zeus is not ‘new,’ and we constantly (and have for years) been dealing with compiled binaries and output from this kit. The current technologies in our tool belt (AV, NIPS, HIPS, app control/whitelisting, firewall, etc.) all provide protection against the output, traffic, and noise from the Zeus toolkit,” Walter added.
So is this source code leak really a game changer? I argue that it really isn’t. Sure, the toolkit will end up in the hands of more on the dark side. But really, the toolkit was never really out of reach for those who wanted to get their hands on it, and even with a moderate price tag, a few “borrowed” credit card numbers weren’t hard to come by for those having the toolkit on their wish list. We’ll certainly see an uptick in instances and variants of Zeus being circulated, but this shouldn’t be considered a game changer for the security industry.