For about two weeks now, the ZeuS source code has been making its way around to different people. Many people have been offering it up for sale on multiple forums, but lots of times it is only pieces of the code and not everything. There are also conflicting reports about important pieces of the code missing, not allowing it to work, or that everything is there except the modules that can be added in.
This has taken a recent turn however, due to the fact that source code was reportedly uploaded to a file sharing site and then the link was posted to a malware forum.
The catch is that the uploaded file is a .RAR file, and is password protected. You can look through the .RAR file and check that everything is there for the source code but you can’t actually look at the contents of the files due to the password protection. Multiple people are taking a crack at trying to bruteforce the password for the .RAR file, but so far no one that I know of has been able to crack it. There are even reports that some people in law enforcement are looking at it.
What does this mean in the long run though?
We are predicting that soon the source code will be in the hands of anyone that wants it. This could be potentially dangerous, but only if it gets into the hands of people who really know how to use it. The source code is written in C++ and requires someone with a fair knowledge of C++ to really figure out the code. It would not be possible for an average person to rip parts of the code out to use in their own malware.
A lot of this code, I have been told, is linked together through macros so if you try to pull out a piece of it then it will not work. Gribodemon , the author of SpyEye, posted a message on a Russian forum saying that the Zeus author, Slavik/monstr, sold the code to another person (for around 15K. Gribodemon also has a copy of the code) , that was supposed to use it and expand on its functionality. Apparently this person really didn’t know how to use the code and instead started to resell it to others. That is what has lead up to where we are now. Trend Micro will continue to keep an eye on this possible threat and update this blog with any new developments.