Bad news for your inbox and antivirus software: the Internet now has free access to the ZeuS trojan source code (aka Wsnpoem/Zbot). This means anyone can alter the files, compile them together and launch their own tailor-made malware attack without shelling out a single dime.
The news arrives just after Danish security firm CSIS discovered that the ZeuS source code was being sold on at least two "dark market" forums. Now it's clear that the malware has been bought and thrown out into the wild for all potential attackers to enjoy.
"This weekend we found the complete source code for this crime kit being leaked to the masses on several underground forums as well as through other channels," the company said in a blog. "We already collected several addresses from where it is being distributed in a compressed zip archive. We even compiled it in our lab and it works like a charm."
"We can hereby confirm that the complete ZeuS/Zbot source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks," the company added.
As if to bolster the discovery, an additional report indicated that ZeuS was beginning to appear as a fake Microsoft security update. The malicious spam first surfaced back on May 6 and has quickly increased in numbers. The messages appear to come directly from Microsoft and use the subject line "URGENT: Critical Security Update." The body claims that the attached patch will prevent malicious users from gaining access to the recipient's files. Naturally the ZeuS attachment is the very threat the alleged patch is supposed to prevent.
But now with the ZeuS source code available for anyone to use, scams like the Microsoft patch email may explode in numbers. "ZeuS/Zbot is already considered as being amongst the most pervasive banking Trojans in the global threat landscape. It is an advanced crime kit and very configurable," CSIS said. "With the release and leakage of the source code the ZeuS/Zbot could easily become even more widespread and an even bigger threat than it already is today."
Naturally Internet users should never open attachments from unknown sources. Even if the email looks legit and shows Steve Ballmer's personal address as the return address, users should go directly to the source website and verify any possible updates.
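For mail administrators, the traits of the fake-update spam described above (a sender claiming to be Microsoft, the urgent subject line, a "patch" delivered as an attachment) can be turned into a triage check. This is an added example, not code from CSIS or from the article; the extension list, the function names `triage` and `build`, and all sample addresses and file names are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list: the article says only "attached patch", not the file type.
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".zip")
URGENCY = re.compile(r"\b(urgent|critical|security update)\b", re.I)
VENDOR = "microsoft.com"

def triage(raw: bytes) -> list:
    """Return the reasons a message resembles the fake-update lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    claims_vendor = "microsoft" in display.lower() or "microsoft" in domain
    vendor_domain = domain == VENDOR or domain.endswith("." + VENDOR)
    urgent = bool(URGENCY.search(str(msg.get("Subject", ""))))
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]

    reasons = []
    if claims_vendor and not vendor_domain:
        reasons.append("claims Microsoft but is sent from " + domain)
    if urgent:
        reasons.append("urgent security-update subject")
    # The From header is trivially forged, so a matching domain does not
    # clear the message: a vendor "patch" sent as an attachment is the lure.
    if risky and (claims_vendor or urgent):
        reasons.append("patch delivered as attachment: " + ", ".join(risky))
    return reasons

def build(sender, subject, attachment=None):
    """Construct a sample message (test data, not a captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("Install the attached patch to protect your files.")
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

LURE = build("Microsoft Security <update@ms-patch.example>",
             "URGENT: Critical Security Update", "patch.zip")
SPOOFED = build("Microsoft <security@microsoft.com>",
                "URGENT: Critical Security Update", "update.exe")
BENIGN = build("Alice <alice@example.org>", "Holiday photos", "photos.zip")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("spoofed", SPOOFED), ("benign", BENIGN)):
        print(name, triage(raw))
```

The second sample shows why the sender address alone proves nothing: the message still trips the subject and attachment checks even though its From header names a genuine Microsoft domain.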
Because we can.
Could someone confirm that this is the real Zeus Bot?