India Insights with Varun Haran

ZeusVM Leak Means Botnet Surge

Build a Botnet? Minimum Skills Now Required

Beware a surge in the number of ZeusVM Banking Trojan-based botnets operating in the wild, since the tools for building and customizing the cybercrime malware are now available for free.


That's because a toolkit designed to build the ZeusVM malware - also known as KINS - and the source code for the ZeusVM botnet control panel have been leaked online, the white-hat research group Malware Must Die reports in a blog post.

This effectively reduces the barrier to entry for using such malware tools to zero. A malware/botnet kit as powerful as Zeus, freely available to anyone with a penchant for being a "hacker," is bad news indeed.

KINS Builder

The leaked toolkit - named KINS builder - can be used to compile the binary for the ZeusVM Trojan v2.0.0.0. On the upside, there is no indication that the source code for the ZeusVM malware itself has been leaked, which means that "black hats" will not be able to compile more powerful variants from it. However, access to the ZeusVM builder and control panel source code is sufficient to enable any would-be attacker to set up their own ZeusVM botnet, experts warn.

The Malware Must Die researchers add that the leaked control panel mimics the classic Zeus botnet panel, complete with reports on the number of infected machines and active bots. While ZeusVM is primarily used to steal banking credentials, it can also be programmed to target other websites when the Trojan downloads its configuration files from its command and control server.

The latest commercial version of the ZeusVM malware, by comparison, costs $5,000 in the underground cybercrime market, researchers say. Accordingly, it is safe to assume that unscrupulous criminals and script kiddies will be taking the free variant out for a spin. In fact, the researchers report that active botnets based on the leaked malware have already been spotted in the wild.

The Darker Side

The most sinister aspect of the leaked toolkit is its ability to hide the encrypted configuration data for ZeusVM v2 inside an ordinary JPEG image file, so that the file still displays as a normal picture, a technique known as steganography. "Steganography has been used since the World War II era to obfuscate messages within images," says security expert and ex-CISO Dhananjay Rokde.

This makes it difficult for an anti-virus program to spot the configuration by content inspection alone, and even if the Trojan's executable is blocked, the configuration or payloads can remain concealed inside image files that nothing flags as malicious, making the infection harder to fully eradicate.
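A defender does not need to break the encryption to notice that an image is carrying more than a picture: a JPEG has a well-defined marker structure, and a stashed blob either follows the End-Of-Image marker or bloats one of the application (APPn) metadata segments. The following Python checker is an added example written for this article; it is not code from the page, from Malware Must Die, or from the malware's authors. It walks the marker segments, locates the EOI marker past the entropy-coded scan data, and reports trailing bytes and oversized APPn segments. The sample inputs are constructed JPEG skeletons (structurally valid, not decodable pictures), the 16 KiB APPn threshold is an assumed tuning value, and since the page does not say exactly where a given ZeusVM build places its blob, both locations are checked.

```python
"""Added example: flag JPEG files that carry data where a plain image would not.
Checks (a) bytes appended after the End-Of-Image marker and (b) unusually large
APPn segments, two places a trojan can hide a config blob without breaking the
image. Sample inputs below are constructed skeletons, not real ZeusVM images."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field


def walk_segments(data: bytes):
    """Yield (marker, offset, total_length) for each segment up to and including SOS."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, length + 2
        if marker == SOS:           # entropy-coded data follows; stop here
            return
        pos += 2 + length


def find_eoi(data: bytes, start: int) -> int:
    """Return the offset of the EOI marker after scan data beginning at start.
    Inside scan data 0xFF is always followed by 0x00 (stuffing) or an RSTn marker."""
    pos = start
    while pos + 1 < len(data):
        if data[pos] == 0xFF:
            nxt = data[pos + 1]
            if nxt == EOI:
                return pos
            if nxt != 0x00 and nxt not in range(0xD0, 0xD8):
                raise ValueError(f"unexpected marker 0x{nxt:02X} in scan data at {pos}")
        pos += 1
    raise ValueError("no EOI marker found")


def scan_jpeg(data: bytes, app_threshold: int = 16 * 1024) -> dict:
    """Report trailing bytes after EOI and APPn segments larger than app_threshold
    (assumed tuning value; large EXIF thumbnails may need a higher limit)."""
    segments = list(walk_segments(data))
    if not segments or segments[-1][0] != SOS:
        raise ValueError("no SOS segment; truncated or unusual JPEG")
    _, sos_off, sos_len = segments[-1]
    eoi = find_eoi(data, sos_off + sos_len)
    trailing = len(data) - (eoi + 2)
    big_apps = [(f"APP{m - 0xE0}", off, ln) for m, off, ln in segments
                if 0xE0 <= m <= 0xEF and ln > app_threshold]
    return {"trailing_bytes": trailing, "large_app_segments": big_apps,
            "suspicious": trailing > 0 or bool(big_apps)}


def build_sample(append: bytes = b"", app_payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton: SOI, APP0, optional APP1 carrying
    app_payload, a tiny SOS with fake scan data (with byte stuffing and an RST
    marker), EOI, then any appended bytes. Not a decodable picture."""
    def seg(marker: int, body: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
    jfif = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = seg(0xE1, app_payload) if app_payload else b""
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + jfif + app1 + sos + scan + b"\xff\xd9" + append


CLEAN = build_sample()
# Constructed stand-in for an appended encrypted config blob (2048 bytes).
STEGO = build_sample(append=bytes(range(256)) * 8)
# Constructed stand-in for a blob hidden inside an oversized APP1 segment.
APP_STUFFED = build_sample(app_payload=b"Exif\x00\x00" + b"\x00" * 20000)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("appended", STEGO), ("app-stuffed", APP_STUFFED)):
        print(name, scan_jpeg(blob))
```

Run against a directory of images pulled from a suspect host, anything that reports trailing bytes is worth carving out and examining; the configuration still has to be decrypted with the key embedded in the Trojan binary, but the image itself no longer hides in plain sight.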

As its name suggests, ZeusVM is based on the infamous Zeus banking Trojan, the source code for which was leaked in 2011. Zeus has been among the de facto standard malware tools used by cybercriminals since the late 2000s. "I have seen many DIY viruses and Trojans, but I find Zeus is a very different animal," Rokde says. "It can mutate into a natural .exe file, circumventing most heuristics-based anti-virus/anti-malware tools."

The ZeusVM Trojan can infect virtual machines as well as all major operating systems, Rokde says. While the free availability of this malware toolkit will encourage many wannabe hackers and script kiddies to download and try to deploy their own botnets, what most people who download this tool don't realize is that they may be turning themselves into bots as well, he says.

But there is a silver lining. Analysts at iSIGHT Partners expect the revenues for paid botnet software to drop in the wake of this leak. "The leak will probably financially harm the operators of ZeusVM, as malicious actors use the free builder and panel rather than purchase a copy," they say.

However, they add that given KINS' established place in the underground marketplace and the fact that the source code for KINS 3.0 was not leaked, the operators will likely continue to upgrade the Trojan to convince actors to use a purchased copy of KINS.

The leak does mean that the volume of botnet attacks can be expected to increase, at least in the short term.

The DIY Malware Culture

The proliferation of powerful malware toolkits like ZeusVM is going to give a boost to the script-kiddie culture and encourage casual cybercrime, Rokde warns. That's because these malware toolkits have become increasingly user-friendly and can encourage teenagers and children today to test them out, perhaps by compromising a friend's or family member's PC.

In fact, Zeus is so user friendly that there is a drop-down menu with a list of banks, allowing you to choose which bank's customers you would like to target, Rokde says. Now, of course, the leak of ZeusVM means that this Zeus variant isn't just easy to use, but also free. And when it comes to cybercrime, that's a bad combination.

Botnet infections in India are going to increase significantly, Rokde predicts, given the abundance of unpatched/unprotected systems and the low level of awareness. Even as Indians have started preferring Internet-based services over traditional business models, awareness is lagging far behind, he says. And with tools like ZeusVM now freely available, it could end up being a free-for-all.



About the Author

Varun Haran


Managing Director, Asia & Middle East, ISMG

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.



