February 4, 2011

Late last year, online crime forums were abuzz with talk that development of the world’s most notorious banking Trojan — ZeuS — was being retired, after its maker handed the malware’s secret blueprints to a rival developer. The recipient of those plans — the author of the SpyEye Trojan— has been hard at work on a malware strain that blends the two malware families. But new evidence suggests that the source code for the latest ZeuS version may have also been given or sold to a third party who is now reselling it to the highest bidder in the criminal underground, a development that could soon guarantee the production of a whole new ZeuS lineage.

Sources say the ZeuS author — known variously as “Slavik” and “Monstr” on criminal forums — gave the SpyEye author Gribodemon stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients, a sizable user base that demands considerable care and attention. Sources also believe Slavik may have separately sold the code itself, ostensibly to the same individual shown in the screen shot below.

Established crime forums are built upon reputation, which is earned over a period of time by points awarded from other members for positive or negative transactions — much like eBay’s buyer and seller feedback system. The solicitation in the above screen shot is unlikely to be a fake: It indicates that the seller has been a member of this particular vetted crime forum since June 13, 2009, and has 18 positive reputation points and zero negative.

This seller is offering the full ZeuS source code for the latest version, and warns away members without a significant war chest. But how much could the code actually fetch? Toward the end of last year, the ZeuS author was selling fully-loaded, single-user licenses for up to $10,000 apiece. Aviv Raff, chief technology officer and co-founder of Seculert, said this individual could probably demand at least ten times that amount for the source code, which would give the buyer full rights to sell one-off licenses to others, and/or to continue developing the malware family.

But don’t come bearing gold, credit cards, or even cold hard cash: This seller only accepts payment via an irreversible virtual currency called Liberty Reserve. On top of that, payments must be made through the forum’s escrow service — a feature offered by forum administrators designed to cut down on members ripping one another off — but one which can add considerably to the final price of the item(s) for sale.

46 thoughts on “ZeuS Source Code for Sale. Got $100,000?

  1. JackRussell

    I guess the question is whether this would have any value to the white-hat people or whether they have reverse-engineered enough of it that there wouldn’t be much value in having the sourcecode.

    And a second question – if you had the sourcecode, how much would it help (if at all) in eradicating this eVermin.

    1. JCitizen

      Some of your answers come in another post about the new crime merger going on with the code. I believe some comments from McAfee, Trend Micro, and Trusteer are linked to in that article.

  2. Terrier

    That’s great. Liberty Reserve, a safe place for illegal transactions. Just imagine the slogans they can come up with. Even LR looks a bit scammy suspicious, including misspelled words on their website.

  3. JCitizen

    Great article Brian! I know I probably sound like a broken record saying it; but I’m sure subscribers everywhere are watching this closely, and very appreciative of your work.

  4. 21Euler

    I see from the ad that a buyer needs the latest version of Microsoft’s Visual Studio 2010 for C++. It’s nice to see that the criminals are keeping abreast of the latest development tools.

    Conficker also had the very latest crytographic methods embedded in it. Some countries computer scientists have turned to the dark side.

  5. just saying

    @21Euler: because a warez version of MVS2010 is tough to get? Or using the latest crypto method is that tough? Lets just say some computer scientists have turned to the dark side (cash rules everything…) … country doesn’t matter.

    Hedonist’s footer (From the graphic): “Bank Drops for 100k+ amounts” You know they don’t fear police action when they advertise such things.

    1. 21Euler

      I seem to remember that one of the trojans/worms won’t infect a computer with an IP from Belarus or Ukraine. That’s country specific.

  6. Vladimir

    Unlikely that some random person would sell it in the ‘Unverified’ section, If the source would be for sale it would likely be sold by Harderman

  7. Ryan

    lol @this post. Do you really need to make an article that some guy made a thread on the unverified section of C.biz to sell the Zeus SRC ? Doesn’t look trusted from here. He is either trying to scam people or getting attention. Trolling maybe. Who knows. No details are provided.

    This post in your blog is just so you can get more traffic, there is no point in it. Have a good day.

    1. BrianKrebs Post author

      Ryan, I’m going to guess you have little to no experience dealing with real carding forums. If you’re using the forum’s escrow service, you’re not going to get ripped. That’s the whole point of the service, which you pay extra for: Each side gets to verify that they got what they bargained for.

  8. Putin

    This guy was known to rip people, i highly doubt he even has the source code. He talks alot but hardly delivers anymore. Also this wouldnt be sold on small kiddie forums like that.

    Brian, i am suprised you would post this, you and i both know you know more about this than anybody else being Lord Cyric. Please post articles which have a higher level of factual basis so readers can be aware of the real problems and not just random small unverified posts. P.s i love this website πŸ™‚

    1. BrianKrebs Post author

      Oh lord, not with the Lord Cyric rap again? I hope you’re kidding. Otherwise, you just told me a lot about yourself πŸ™‚

  9. gang1bang

    even banned from posting comments? haha, you think am not right? or the truth makes your eyes bleed?

    1. BrianKrebs Post author

      I don’t mind if you post all the inane comments you want. But if you can’t be civil, and avoid insulting and outright attacking other readers (or the author), then your comments will be removed, and/or you may be banned, yes.

      1. gang1bang

        Clear. This comment chain between us may be removed safely if wish. Next time I’ll try to be more civil, but never the less, hope You’ve got what I was talking about.

        Such forum posts, even if they are posted by a member with a 1year+ old membership, and even if they’re offered as a deal using escrow service can NOT still be trustworthy simply due to the fact that such “goods” will NEVER be sold in public. And we both know this.. So there’s just no need of such posts – they wont help users and/or security vendors in any way. All this is related only to this one article.. The rest of your blog is really helpful as for me and I don’t want You to think of me now as of a bad guy with inane comments. My comments are no more than my own point of view, which I wanted to share with you, Brain.

        1. JCitizen

          To me the point of the story is not whether an actual high-end transaction is taking place; just that in a den of thieves, their are many rather public transactions offered, whether they be ripoffs or not; it is still news to me.

          Anyone with a small piece of brain will know that doing business in this nefarious world will be dangerous to the pocket book, and many posers are out there, and it is simply caveat emptor for the crooks.

          It is still news to me – so yes, Brian – please continue informing the public about this side of the web. We still need to know. Thank you!! πŸ™‚

  10. nogero

    This post gave them more publicity than they ever dreamed of getting from a forum post.

    1. LC

      and you think that people who aren’t already registered on this highly vetted forum are going to do what with the information exactly?

        1. BrianKrebs Post author

          Hey Nogero. The forum this comes from, you need to have two current members vouch for you, and you need to pay a fee via Liberty Reserve or Webmoney. Kind of tall barriers to entry for people who aren’t already in this scene.

          1. nogero

            Oh come on, geesh this place is counter-intuitive. Have you heard the old saying, “Any publicity is good publicity”? How many hits will this post get? Among those hits will be very qualified potential customers.

          2. shiryu

            ROTFL u just need to start offering a service to getit (paying of course) it’s not so hard to get it so don’t talk about “the scene”

          3. helly

            @nogero ignorance isn’t the path to go security, intelligence is. Those with the funds to drop the money asked for in the post, are already well aware of where to make those type of purchases.

          4. Curious

            So which two people would vouch for you to be part of that site?

            Obviously if you are able to enter the site so easily, the barriers aren’t quite that tall…

            1. BrianKrebs Post author

              Haha, well, there was Bubba…such a nice cracker, and then Mr. Shopsalot…

              nice try, Curious. Ah, but could there be a third way?

          5. Kamu

            Another way… another way…hmm…! oh my… Brian is Neo?!?!

  11. Kamu

    I am curious as to how successful these ‘high profile hack’ services are? Are they that good that they can find holes in anything or are they just script kiddies with limited avenues of attack?

  12. neo da matrix

    I know nem for about 2 years now,if he says he got it..then he got it.

  13. Danny

    Well nem is known as a ripper on the wild , and even if he have it , no one would buy it , and i’m sure he don’t have it because that poor kid or maybe he is selling CyberDelia ( Ibank2 ) , he may have it and its like zeus ,
    but 100k is a nice scam , he would scam only 1 person the he is gone and by LR , which is mean no chargeback .
    on all ways Zeus or SpyEye codes wont worse 100k of them , because they’re bullshit , nothing new , just formgrabber IE / FF , and inject , if u’re noob u don’t know how to make it , then just pm me , and i’ll learn for you how to make formgrabber SSL with only 30 line , not even 1000kk lines like u’re thinking .
    it’s not impossible πŸ™‚

    1. omfgwallhax

      “on all ways Zeus or SpyEye codes wont worse 100k of them , because they’re bullshit , nothing new , just formgrabber IE / FF , and inject”
      It’s not like anybody ever said that those are new techniques (they arn’t, Nuclear Grabber did it in like 2004) but it’s also about the quality of the code.

      “how to make formgrabber SSL with only 30 line , not even 1000kk lines like u’re thinking .” Even if the 30-lines-thing was
      only said to make your point clear there is no need to be proud of being capable to make a formgrabber. There are public sources and also with the ability to read MSDN and copy paste some hooking and DLL injection example anyone is capable of making a formgrabber. (You can improve it with relocating and injecting your exe. This requires knowldege of the PE Format and … oh wait there are examples for this too)

      @shiryu: As if they would care. carders.su was known for years and their domain was just kicked recently. The same with maza.

      Also @qwerty: Not if you enable the /NODEFAULTLIB switch.

  14. shiryu

    i’ve noticed no one is the wild net has never told about “darkode.com” why ? brian let’s make an entry πŸ™‚ i can share info bout darkode due to im member

  15. nogero

    Great logic there Helly. Did you call everyone up and ask them to make that incredible proclamation? Maybe Brian can get the forum or the Liberty site to tell what their surge in hit count was after the published report. I’ll take bets it broke a record for hits if any takers. I do sympathize with Brian though, its a tough call whether to publish a link or not. If he doesn’t publish any links readers will always wonder about a story and wish he provide such supporting evidence. I know I have in the past. As for the requirements for membership, I understand what is boasted and hyped is often quite different from reality.

    You readers (groupies) crack me up.

    1. helly

      My post is based entirely on speculation… But it doesn’t seem plausible to me that by linking the site here, potential qualified buyers would be matched up with the seller. If you have the funds and motive to purchase the source code, it doesn’t seem likely that their only connection to the “industry” would be Brian’s blog…

      In which case I would much rather see a link to the site, so I can verify the veracity of the claim myself.

  16. nogero

    The censoring of comments via Like/Dislike has rendered these comments just about useless.

    1. Jane

      You can disable the Like/Dislike “censoring” for any comment you still want to see.

  17. qwerty

    it says the code requires vc++ 2010 which is bs because code compiled with vc++ 2010 only runs on win xp sp 2 or higher (because of Encode/DecodePointer). ZeuS runs on w2k.

    1. ytrewq

      You can use VS2010 as the development environment and set the compiler to VC9 if you want it to run on Windows 2000. Perhaps nem didn’t realize this or something got lost in translation?

  18. S.K.U

    I think the ‘third way’ ie no vouch access to the screencapped site in question..should be obvious. I mean why would you need references then πŸ™‚

  19. JohnyBoy

    Well, it is simple to hook functions and do a formgrabber.. There are indeed tutorials on the net.. But only if you do it through DLL injection!!!
    No one that I know of, has yet published a code that can hook IE8 for ex. without using a DLL.. So, that’s why SpyEyes and Zeuses still sell..

    1. Danny

      No my friends is too easy and also source code of IE formgrabber without DLL is Public πŸ™‚

      and yea most of coders they use DLL to hook , but evil coders always search πŸ™‚

  20. omfgwallhax

    Source code is now for sale at about 7k$.
    bx1 tries to sell it, as the builders get leaked at amazing rates.

  21. satan

    source is now leaked without a pass on the archive. easy to find a download if you know where to look. speaking russian helps πŸ˜‰

Comments are closed.