In May of 2011 it was widely reported in the press that the full source code of the infamous crimeware toolkit, Zeus, had been leaked onto the internet. This followed previous rumours that the Zeus author was discontinuing development and support, effectively killing off Zeus. Since that time the AV industry has continued to see large numbers of samples produced by the Zeus Kit as well as the effects that the source code leak has had on the malware ecosystem.
The Zeus Kit is a highly successful, easy to use suite of tools that allows relatively unskilled criminals to create and manage a botnet capable of stealing a wide variety of information from victims' machines. The real power of Zeus comes from its use of ‘Man in The Browser’ techniques and its advanced web injection engine. All login credentials entered through the browser can be stolen, and through creative use of web injection the victim can be coerced into giving away far more information than they would ordinarily submit.
In this presentation we will examine the impact that the source code leak has had on the malware world. In particular we will look at the various Custom Builds (variants where the source code has been modified and rebuilt) of Zeus that have appeared, how they have been modified, what functionality has been added, what functionality has been altered. This will include encryption algorithm changes, C & C server address masking, peer-to-peer capabilities, and worm functionality. We will also attempt to ascertain which pieces of the Zeus source tree may have made their way into other malware families, concluding with thoughts on what possible future implications there may be for the AV industry and for Web Commerce.