

Zeus Crimeware Kit Source Code Leaked
Trailrunner7 writes "The source code to the infamous Zeus crimeware kit, which has been sold on underground forums for years, has been leaked and is now available for anyone to see if they know where to look. Security researchers over the weekend noticed that files appearing to contain the source code for the Zeus crimeware kit were starting to pop up on various forums frequented by attackers and cyber-criminals. The Zeus exploit kit is perhaps the most well-known kit of its kind right now, and has been used by a variety of attackers for numerous malware campaigns and targeted attacks."
This story is useless (Score:4, Informative)
This story is useless without the actual source code attached to it.
Re:This story is useless (Score:5, Informative)
http://www.thehackernews.com/2011/05/finally-source-code-of-zeus-crimeware.html
You're welcome.
Re: (Score:3)
PWS-Zbot.gen.ds trojan detected (Score:5, Funny)
Says "PWS-Zbot.gen.ds trojan detected" here ...
Re: (Score:3, Funny)
Duh.
Re: (Score:3)
F:\zeus\ZeuS 2.0.8.9\output\builder\zsb.exe: Trojan.Spy.Zbot-142 FOUND
F:\zeus\ZeuS 2.0.8.9\output\client32.bin: Trojan.Spy.Zbot-142 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 950447
Engine version: 0.97
Scanned directories: 49
Scanned files: 436
Infected files: 2
Data scanned: 36.92 MB
Data read: 34.83 MB (ratio 1.06:1)
Time: 15.219 sec (0 m 15 s)
So, basically the zeus.rar archive contains a few precompiled executables that I assume were created with the pro
Re: (Score:2)
Big deal, open the application in a sandbox, take a look at the logs, and as the poster above commented, most likely examples.
Missing The Point: GP Wants To Run Code (Score:2)
I think the gp poster may have been interested in *running* the code, ergo Ubuntu in itself ain't gonna help. However, a sandbox to play in running *within* Ubuntu, that would give me a warm fuzzy... unless Zeus is known to try to climb out of VMs.
Re: (Score:1)
I really don't know why people bother with all this MS-based virus-infected crap when they can run debian/ubuntu/mint and have 25000+ tested, verified apps from a trustworthy source.
Like OpenSSL [debian.org] and UnrealIRCD [linux.com]?
Re: (Score:2)
Well, no reason to bother with an MD5 for this download; you know it's what it says it is...
Re: (Score:3)
Re: (Score:1)
Google Translate: That Someone Is You (Score:2)
There are several different ways to have Google Translate do the heavy lifting for you. I'll bet that the machine translation will be good enough for you to get the gist of the message.
Re: (Score:2)
I find it hilarious that the download links are almost all broken.
Re: (Score:2)
I thought you programmer types enjoyed learning new languages.
(I do speak a little Russian, but nowhere near enough to even consider trying something like this.)
Mod up (Score:2)
Re: (Score:1)
Both good and bad news... (Score:4, Insightful)
The ironic part about charging people for access was that it kept the number of criminals with access to the world's best crimeware kit down, and now the floodgates have opened.
Re:Both good and bad news... (Score:4, Funny)
Re: (Score:2, Funny)
My company is on it...after a year through our processes, zeus will be so broken and useless no one will want to use it.
Re: (Score:2)
Bob, I told you to stay off of Slashdot while you're supposed to be "working". We all know you don't do much of anything, but referencing your coworkers as incompetent slackers really doesn't make you any new friends.
Now get back to work. You've been doing that "simple" change for 2 months now. Get it done with so we can present it to the customer.
Re: (Score:2)
My company is on it...after a year through our processes, zeus will be so broken and useless no one will want to use it.
So, who do you work for? Apple or Microsoft?
Re: (Score:2)
My company is on it...after a year through our processes, zeus will be so broken and useless no one will want to use it.
A year? WOW we only get three months per project! Where do you work?
Re: (Score:1)
Re: (Score:2)
Are you saying that you keep the product managers and marketing from feature bombing you 3 days from code complete by employing some magical force barrier? DO WANT!
No.. they just won't let us leave until it's finished.
Re: (Score:2)
I see the dawn of a new era for the script kiddies of the dark corners of the interwebs.
I give it till tomorrow before we see new variants popping up if we are lucky.
Re: (Score:2)
Is this related to the http://www.eweek.com/c/a/Security/Crimeware-Kit-Targeting-Mac-OS-X-Mimics-Zeus-and-Spyeye-Features-642093/ [eweek.com]
"develop malware specifically for Mac OS X that uses the same templates as Zeus and Spyeye."
i.e. same "idea" or is the code base shared? Thanks
Re: (Score:2)
It's only bad for "the rest of us" if by "the rest of us" you mean "Windows users, the vast majority of computer users" because Microsoft will inevitably drag its feet in fixing its vulnerabilities (if it is even able to fix them) even though it now has a direct window into how Windows machines are being attacked.
That is because it is open source.
Re: (Score:1)
That is because it is open source.
I'm not following you.
Re: (Score:2)
That is because it is open source.
I'm not following you.
Those guys don't like open source, and that might stop them.
Re: (Score:2)
You know what? I'm not entirely convinced.
It may lead to stronger heuristics, but I can also see it leading to about a thousand variants, all just different enough to avoid tripping a scanner.
Re: (Score:2)
Re: (Score:2)
Packed executable code has to be unpacked at some point before it is executed, and if the virus scanner is actively monitoring processes it can detect it at that point.
Re: (Score:2)
Re: (Score:2)
Which is why virus scanners also monitor processes' behavior. The malicious code has to interact with the real system somehow, no matter how deeply it's virtualized or obfuscated.
Re: (Score:1)
I Tried that....
But I can't for the life of me figure out what FUDGE has to do with viruses.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I looked at that, and the first thing I noticed was where he puts two constructs in one line, like so:
for (;;) if()
{
}
Well shit... I do that. Isn't it obvious? There's only one block of statements; it will execute for each item in the list if the condition is true for that item. Why waste an extra level of indentation?
Success! (Score:3, Insightful)
Chalk up another victory for Open Source!
Err wait...
Re:Success! (Score:5, Funny)
Cool, now maybe we can get a Linux port (Score:5, Funny)
Re: (Score:2)
With all of the money and PR behind Windows, surely it can't be for the lack of trying.
Although to be fair I had a Linux box rooted back in 2001, due to some carelessness on my own part. Still have the trojan code, too...
Re: (Score:2)
Still have the trojan code, too...
While it shouldn't be confusing, do you have it running as some sort of 'honey pot', or are you just a bit hoarder?
One of the things that people often tout about Linux is its strong security model; however, I'll believe it's a true advantage when I even see a majority of system admins avoid the use of root for day to day activities/ process users.
Re:Cool, now maybe we can get a Linux port (Score:4, Interesting)
Meh. Like any security model, it's only good if it gets used properly in the real world.
Windows has a perfectly good security model, it's only when exposed to real-world use it falls over horribly. Make it too complex and people will do everything in their power to undermine it.
Re: (Score:2)
Re: (Score:2)
Windows bug number 1: Users.
Re: (Score:2)
I can up you on that one. Well, kinda.
I worked for a company that had "free hosting" servers. They were honestly free for customers that used our payment system. Since anyone could sign up, anyone did. We had all kinds of neat root kits, PHP shells, back doors, and the like installed. I'd sweep on a regular basis looking for them. We were locked down tight enough so they never broke very much of anything. The worst would be someone would exploit something a user install
Re: (Score:2)
Re:Cool, now maybe we can get a Linux port (Score:4, Insightful)
Why do Windows users get all kinds of great software like this, now with the source, maybe we can finally get some really great malware for Linux.
You jest, but your joke is confused. A "Linux port" would mean that users of Linux would be able to use the attack toolkit -- not that they would suddenly become susceptible to the Windows exploit vectors.
Thus a port wouldn't enable us to create malware targeting Linux any more than a Windows port of GCC suddenly makes MS Visual Studio better.
Re: (Score:2)
It depends on what parts of it you do the porting on. Where there is a piece of code that attacks some Windows exploit, you have to "port it" so that it attacks some Linux exploit. That's probably harder to do, but not impossible. Create enough incentive (like getting 100 million moms with credit cards to use Linux), and it will be solved in no time.
Re: (Score:2)
where is the code? where is the code?
What is google?
Re: (Score:1)
How is babby formed? (Score:2)
How is babby formed?
Wonder if the devs of zeus... (Score:2)
... are going to sue any one for leaking their code?
=)
Re: (Score:1)
PLEASE DO NOT FEED THE TROLL
Re: (Score:2)
If you're as pedantic as GP, that's still not a question.
"I wonder if the devs of zeus are going to sue anyone for leaking their code."
jam3s? (Score:3, Interesting)
Doing a little forensics on the solutions file for the Visual Studio project, we can see that the username the hacker uses on his Windows box is "jam3s". There are several strings in the solutions file that reference this username:
C : \ U s e r s \ j a m 3 s \ D e s k t o p \ Z e u s \
C : \ U s e r s \ j a m 3 s \ D e s k t o p \ Z e u s \ s o u r c e \ c l i e n t \ c o r e . c p p
I've seen this handle before in a lot of other malware designed to steal logon credentials and financial data.
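The string triage described in the comment above, as an added example that is not from the post or from the leaked kit: the spaced-out `C : \ U s e r s` text is what a UTF-16LE (wide) string looks like when read as 8-bit text, which is why `strings -el` finds it and plain `strings` does not. This Python scans a constructed byte blob for wide strings and pulls the account name out of any `C:\Users\<name>\` path it finds; the blob and the name "exampleuser" are constructed placeholders, not values from the leaked files.

```python
import re

# Constructed sample: UTF-16LE text mixed with ASCII and junk bytes, standing in
# for a project/solution file or any other artifact that embeds wide strings.
# The account name is a placeholder, not one taken from the leaked archive.
SAMPLE_BLOB = (
    b"\xff\xfe"                                                  # UTF-16LE BOM
    + "Microsoft Visual Studio Solution File, Format Version 11.00\r\n".encode("utf-16-le")
    + b"\x00\x01\x02ASCII only here\x01"                         # 8-bit text, must be skipped
    + "C:\\Users\\exampleuser\\Desktop\\Project\\source\\client\\core.cpp".encode("utf-16-le")
    + b"\x90\x90"                                                # junk separator
    + "C:\\Users\\exampleuser\\Desktop\\Project\\".encode("utf-16-le")
)

# Matches a Windows profile path and captures the account name component.
PROFILE_PATH_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def extract_wide_strings(data, min_len=6):
    """Return printable UTF-16LE strings of at least min_len characters.

    A wide ASCII character is one printable byte followed by a NUL byte, so a
    run of such pairs is what the scan looks for (the same idea as `strings -el`).
    """
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def user_profile_names(strings):
    """Collect the distinct account names embedded in C:\\Users\\<name>\\ paths."""
    names = set()
    for s in strings:
        m = PROFILE_PATH_RE.search(s)
        if m:
            names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    found = extract_wide_strings(SAMPLE_BLOB)
    for s in found:
        print(repr(s))
    print("profile names:", user_profile_names(found))
```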
Re: (Score:2)
C : \ U s e r s \ j 4 | \ / | 3 5 \ D e s k t o p \ Z e u s \ ... yeah, no. | \ / are illegal/reserved characters in a Windows pathname...
Re: (Score:3)
He can't read your comment - for some reason his firewall isn't letting him load this page anymore. Something about malware.
Re: (Score:1)
Re: (Score:2)
He can't read your comment - for some reason his firewall isn't letting him load this page anymore. Something about malware.
Maybe if he goes to the right place, then the malware will infect him with the source.
--
Luke use the souce.
Re: (Score:1)
funny... there's a jam3s on twitter [twitter.com] who appears to be an intern [itspj.com] at Intel [foursquare.com] in the UK. but surely that must just be a coincidence.
Re: (Score:1)
I think it might be this guy:
http://www.jam3s.net/
"Computers ~
I have a passion for computers and I learned about many different aspects of computers in terms of dialup service, networking, software, anti-virus / malware, website design, databases, servers, etc. I am always learning stuff with computers as computers are ever-changing. I have designed a few websites for different nonprofit organizations and companies. Microsoft sadly is my least favorite software company, however at the same time it is my fav
Re: (Score:2)
Doing a little forensics on the solutions file for the Visual Studio project, we can see that the username the hacker uses on his Windows box is "jam3s". There are several strings in the solutions file that reference this username:
So, are we dealing with jamtrees that jam some sweet jazz music, or are those trees that produce jam (and if so, which flavour)?
Re: (Score:1)
Dude, the executable is essentially public. It's malware; it literally wants to spread. I could go to any of the dozen PC's currently in our "compromised" VLAN and pull off the Zeus binary.
Now, I have access to the source code too. I have access to information, I can use that to build understanding. That will only make my job of keeping the malware off our systems easier, ... because the binary is already frickin' everywhere.
Just wondering (Score:1)
seriously, I don't know what it is.
Re: (Score:1)
Re: (Score:2)
Could offer options like: "The kit supports Web injects and form grabbing in Firefox. The templates used are identical to the ones used in Zeus and Spyeye, according to Kruse. The forms seamlessly inject fraudulent fields into legitimate Websites that are intended to trick users into entering additional sensitive information. When the data is entered, it is automatically transmitted back to the ma
Re: (Score:1)
http://lmgtfy.com/?q=Zeus+Crimeware+Kit [lmgtfy.com]
Re: (Score:1)
OK I will explain.
Since the rise of modern religions like Christianity and Judaism, The Gods of the older religions, such as the Norse Gods and the Greek Gods have gotten left behind.
With nothing to do some of them have taken up hobbies.
Hestia has her own show on the Food Network. Good recipes btw, although she tends to overuse the Greek yogurt too much for my tastes.
Aphrodite started a marriage consoling service with Hera.
Poseidon opened up a water park, the rides were great but it was shut down due to leg
Re: (Score:1)
But who would let it out (Score:2)
Thinking about this over dinner, I came to a thought about HOW this got put into general availability.
This crimeware kit is like $10,000 a go. If I were the developer, I would be very careful about where copies go and security on the local machine. So either this guy, or his backups got hacked, or the other potential way it got out is through a trusted client or similar.
It would be sweet irony if the malware developer got pwned by another piece of malware, but I guess we will never know.