It has been a week since the official report that the infamous ZeuS source code had been leaked to the public. It was uploaded to a file-sharing site and soon spread virally, primarily in underground forums. This incident had been anticipated for months. Now that it has happened, everyone seems to be talking about the leak's negative effects, particularly future attacks. There are, however, some things to consider before such an attack can take place, and there may also be ways to turn the incident to the security industry's advantage.
Fellow threat response engineer Jasper Manuel reviewed the code and said it was authored by someone with a deep understanding of the C preprocessor (cpp) and macros. He added that ZeuS was coded in an unconventional way and did not use standard libraries. Anyone who wishes to modify the code would therefore need a level of understanding similar to that of the original authors. We know that the majority of ZeuS users are fairly inexperienced and wish to earn money through cybercrime. ZeuS became mainstream because of two vastly opposing factors: its sophistication, and the volume of inexperienced, non-coder cybercriminals who use it. If the ZeuS source code falls into the hands of its existing users, they may not be able to modify it and come up with a more intricate Trojan.
More experienced hackers who can code their own bots, on the other hand, should probably be white hats' primary concern. If you think about it, though, there must be a reason why ZeuS has become mainstream while other bots have not. This suggests that the skill level of the ZeuS author(s) is fairly advanced and that only a few people could really produce malware as sophisticated as ZeuS.
Jasper also said that the easiest way to update ZeuS is to add modules to it. It would take an average coder a long time, however, to really understand the entire code and to modify or use it for future attacks. Where modules are merely added to the base code, existing antivirus solutions will probably still work. Keep in mind as well that the time the average black hat needs to understand the code is the same time white hats will spend studying it.
All things considered, the leak is indeed a big concern for the security industry, as cybercriminals will be able to take advantage of the code. I think it would serve no purpose, though, to get stuck on the thought that this will only put cybercriminals further ahead of us in the race. With the ZeuS source code in our hands, we will know how the mother of banking Trojans was engineered, which will help us improve our existing solutions. While the black hats spend time updating ZeuS, we will also have time to understand its code and to craft more proactive solutions that will help us combat the ZeuS mutations that may emerge. In the meantime, the battle continues.