Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Zeus source code for sale for $100,000

One of the most interesting - and unusual for malware - features of Zeus has been the ability of third-party coders to add routines to the kernel of the trojan on an extensible code basis.

This feature, Infosecurity notes, means that, despite the original malware being around since the middle of 2007, the trojan is still appearing in new variants that cause headaches for IT security vendors and their users.

According to Brian Krebs, the security researcher, late last year it was thought that Zeus was being retired, but it then transpired that Slavik had given the trojan's 'stewardship' to Gribodemon, the author of the rival SpyEye malware.

After some research on the issue, Krebs says that new evidence suggests that the source code for the version of Zeus may have also been given or sold to a third party who is now reselling it to the highest bidder in the criminal underground.

This, he explained in a weekend security blog posting is "a development that could soon guarantee the production of a whole new Zeus lineage."

Krebs asserts that Gribodemon has agreed to provide ongoing support for existing Zeus clients - a sizeable user base that demands considerable care and attention.

"Sources also believe Slavik may have separately sold the code itself", he said, adding that a seller is now offering the full Zeus source code for the latest version 2.0.8.9.

The $100,000 price tag is arrived at, says Krebs, because late last year, the Zeus author was selling single-user licences for up to $10,000 each.

Since then, Aviv Raff, chief technology officer and co-founder of Seculert, said that the seller could probably demand at least ten times that amount for the Zeus source code, which would give the buyer full rights to sell one-off licenses to others, and/or to continue developing the malware family.

"But don't come bearing gold, credit cards, or even cold hard cash: This seller only accepts payment via an irreversible virtual currency called Liberty Reserve", he said.

"On top of that, payments must be made through the forum's escrow service, a feature offered by forum administrators designed to cut down on members ripping one another off - but one which can add considerably to the final price of the item(s) for sale", he added.

What’s Hot on Infosecurity Magazine?