Late last year, online crime forums were abuzz with talk that development of the world’s most notorious banking Trojan — ZeuS — was being retired, after its maker handed the malware’s secret blueprints to a rival developer. The recipient of those plans — the author of the SpyEye Trojan– has been hard at work on a malware strain that blends the two malware families. But new evidence suggests that the source code for the latest ZeuS version may have also been given or sold to a third party who is now reselling it to the highest bidder in the criminal underground, a development that could soon guarantee the production of a whole new ZeuS lineage.
Sources say the ZeuS author — known variously as “Slavik” and “Monstr” on criminal forums — gave the SpyEye author Gribodemon stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients, a sizable user base that demands considerable care and attention. Sources also believe Slavik may have separately sold the code itself, ostensibly to the same individual shown in the screen shot below.
Established crime forums are built upon reputation, which is earned over a period of time by points awarded from other members for positive or negative transactions — much like eBay’s buyer and seller feedback system. The solicitation in the above screen shot is unlikely to be a fake: It indicates that the seller has been a member of this particular vetted crime forum since June 13, 2009, and has 18 positive reputation points and zero negative.
This seller is offering the full ZeuS source code for the latest version 18.104.22.168, and warns away members without a significant war chest. But how much could the code actually fetch? Toward the end of last year, the ZeuS author was selling fully-loaded, single-user licenses for up to $10,000 apiece. Aviv Raff, chief technology officer and co-founder of Seculert, said this individual could probably demand at least ten times that amount for the source code, which would give the buyer full rights to sell one-off licenses to others, and/or to continue developing the malware family.
But don’t come bearing gold, credit cards, or even cold hard cash: This seller only accepts payment via an irreversible virtual currency called Liberty Reserve. On top of that, payments must be made through the forum’s escrow service — a feature offered by forum administrators designed to cut down on members ripping one another off — but one which can add considerably to the final price of the item(s) for sale.