Zeus Source Code Leaked

Brief overview

11.05.2011 - After it was widely reported yesterday that source code for one of the most prolific banking Trojans of all time, ZeuS (a.k.a. ZBot), was released online, security researchers at Promon have now been able to corroborate this claim. They initially found the source code on several underground forums, in a password-protected RAR archive with the password supplied. Alarmingly, since the news received wide press attention, Promon researchers have observed the sources being distributed via several social networking sites, such as Twitter, and in a more complete form than initially observed; they therefore expect even more widespread distribution over the coming days. Currently there appear to be 4 distinct versions of ZeuS 2.0.8.9 in source code form circulating on the internet.

As for the implications of the leak, a significant increase in the volume of ZeuS-related malware is now likely, since cyber criminals can easily obtain and modify the sources to create more complex or tightly integrated attack vectors, spreading mechanisms and obfuscation techniques for hiding the malware. However, malware authors will not have the luxury of the updates and technical support that came with the paid version of the ZeuS toolkit. On the flip side, this is also good news for security researchers, who now have the opportunity to investigate ZeuS in more depth and to use the original sources to assist in the complex task of reverse engineering the trojan, especially its heavily encrypted configuration files, giving the anti-malware industry a brief chance to play catch-up before the inevitable modifications arrive.

Technical overview

Having seen several versions of the 2.0.8.9 sources in distribution, it is clear that the code has been repackaged with varying degrees of completeness. Here is a rough overview of what the SDK contains:

Bin directory

Contains executables for PHP, 7Zip, UPX and FASM.

Config directory

Contains various build configuration files.

Include directory

Contains include files automatically generated by the MIDL compiler.

Lib directory

Contains x86/64 libraries for ntdll and a length disassembler.

Output directory

Contains built bot binaries, the configuration toolkit and C&C server PHP files.

Source directory

Contains all source code for the bot, toolkit, plugins, C&C server and preconfigured webinjects for targeting websites.

Temp directory

Contains all intermediate build output, such as object files, map files and the C&C server PHP sources. Below is a directory listing for the root folder in the SDK:

The SDK also contains a wealth of documentation, including some very useful user guides for configuring, installing, updating and controlling ZeuS. It has to be said that this leak has given the security industry an invaluable insight into how these types of bots are designed and developed, and it will be worth following closely how malware authors adapt the code to their own purposes over the coming weeks and months.

© 2011 Promon AS | Gjerdrums vei 19 | 0484 Oslo | Norway | +47 22021130 | info@promon.no