I haven't talked about Zeus in a while, but the Trojan has popped up again with some interesting news. Apparently the Zeus source code has been leaked, which means anyone can now build the malware themselves. According to an article on eWEEK:
The complete source code for the Zeus malware kit is being freely distributed as a ZIP file on several underground forums, Peter Kruse, a security researcher with Danish security firm CSIS, wrote on the company blog on May 9. Kruse downloaded the ZIP file, compiled the code and confirmed it worked "like a charm."
In response to this news, Brendan Ziolo, vice president of marketing at Kindsight, told me:
With the source code available, criminals could become aggressive and creative in how they repackage Zeus in order to evade detection by anti-virus and other security software. More sophisticated hackers could also modify the code to improve the attack, use the components in new forms of malware, and/or develop attacks that target other e-commerce sites. (Zeus has predominantly targeted banking sites to date.)
The toolkit for Zeus has been available for a long time for anyone who wants to invest the money (about $5000, according to ThreatPost). Now the speculation begins on what this will mean. The eWEEK article points to a senior researcher at ESET, who had this to say about the toolkit's availability:
It "lowered the bar of entry" for malware authors who want to create banking Trojans, Pierre-Marc Bureau, a senior researcher at ESET, told eWEEK, because now they can just download the code and compile it without having to pay for it. Any junior programmer can now easily copy-and-paste desired functionalities and include them in another malware application, thereby creating a new Zeus variant.
And Aviv Raff, CTO of security firm Seculert, told ThreatPost:
Unfortunately, this [leak] means that we will probably see more hybrid malware in the future, and not only the 'SpyZeus' (as in the latest SpyEye versions). There are rumors of a new Mac OS X banker Trojan which includes ZeuS-like web injections. The author of this kit might have taken the code of the web injection parsing from this public release.