The Latest in IT Security

Zeus source code leaked: toolkit for the masses?

13 May 2011

Back in February, Brian Krebs was reporting that the Zeus toolkit source code (whose individual licenses cost as much as $10,000) could sell for up to $100,000.

Well, like a lot of hot commodities today, Zeus has been leaked on the Internet. It took me roughly 5 minutes (including the download time) to get a copy.

It comes as a password-protected .rar file called zeus.rar (the password is "zeus").

The compressed file (9.20 MB) expands to a much larger size when extracted, with a lot of files.

Here is an overview:

The package includes a user manual in Russian and English.

Here is some technical information about the Zeus bot:

– It is compiled in Visual C++.
– It is compatible with XP/Vista/Seven, as well as 2003/2003R2/2008/2008R2.
– Windows x64 support.
– It attempts to infect all users in the system.
– It runs a copy of its code in each process of the user (without using a DLL).
– It uses unique names for all objects (files, mutexes, registry keys) when creating a bot for every user.
– It intercepts HTTP/HTTPS requests made through the wininet.dll (Internet Explorer, Maxthon, etc.) and nspr4.dll (Mozilla Firefox) libraries.
– It steals credentials from FTP clients: FlashFXP, CuteFTP, Total Commander, WS_FTP, FileZilla, FAR Manager, WinSCP, FTP Commander, CoreFTP, SmartFTP.

and more.

Needless to say, wannabe hackers are going to study this source code and steal ideas to make their own customized bots.

Just what the security community needed.

Jerome Segura
