It has been a week since the infamous ZeuS source code was reported to have been officially leaked to the public. It was uploaded to a file-sharing site, and soon enough the leak spread virally, primarily on underground forums. This incident was anticipated months ago. Now that it has happened, it seems as if everybody is talking about the negative effects of the leak, mostly about the future attacks that will come out of it. However, there are some things to consider before such attacks can take place, and there may be ways to make this leak work to the advantage of the security industry.
My colleague, Jasper Manuel, reviewed the code and said that ZeuS was authored by someone with a deep understanding of the C preprocessor and macros. He added that the way ZeuS is coded is unconventional and does not use standard libraries. Therefore, anyone who wishes to modify the code would need a similar, if not the same, level of understanding as the original author. We know that the majority of ZeuS users are fairly inexperienced crooks who want to earn money through cybercrime. In fact, ZeuS became mainstream because of two seemingly opposing factors: its sophistication, and the volume of inexperienced, non-coder cybercriminals who use it. When ZeuS' source code falls into the hands of its existing users, there is no guarantee that they will be able to modify it and come up with a more intricate Trojan.
More experienced hackers who are able to code their own bots, on the other hand, are probably what should concern white hats. But if you think about it, there must be a reason why ZeuS is mainstream and other bots are not. It suggests that the skill level of the malware author(s) is fairly advanced and that only a few people can really pull off a piece of malware as sophisticated as ZeuS.
In addition, Jasper mentioned that the easiest way to update ZeuS is to add modules to it, but it would take time before an average coder could really understand the code as a whole and modify it or use it for future attacks. If modules are simply added to the base code, existing AV solutions would probably still work, since the core they already detect remains unchanged. Another thing to keep in mind is that in the amount of time it takes the average black hat coder to understand the code, the white hats will have the same amount of time to study it as well.
All things considered, yes, this leak is indeed a big concern for the security industry, and there are cybercriminals who will be able to take advantage of it. However, I think it would not serve any purpose to get stuck on the thought that this will only put cybercriminals further ahead of us in the race. With the ZeuS source code in our hands, we will know how the mother of banking Trojans was engineered, which will help us improve our existing solutions. While it will take time for black hats to update ZeuS, it will also give us time to understand the code and craft more proactive solutions to combat whatever ZeuS mutations arise. For the time being, the battle continues.