ZeusVM Trojan leak could precede botnet wave
Mon 6 Jul 2015
Security experts are warning of a potential new onslaught of botnet attacks using the ZeusVM Trojan after build and customisation details for the malware were leaked online.
The source code for version 126.96.36.199’s builder and control panel was published on 26th June and offered for free, according to cybersecurity research firm Malware Must Die (MMD). The researchers kept quiet about the discovery while attempting to intercept the leaked files, but were ultimately unable to stop their spread.
This weekend the research group published an alert to the rest of the industry so that the community can prepare for a predicted wave of hacks by implementing mitigation practices.
ZeusVM is a computer Trojan otherwise known as KINS. It enables the hijacking of browser processes so that hackers can change or steal data from webpages opened by the targets. The malware is most commonly used to acquire online banking details from the victim, but other platforms can also be attacked as long as the hackers detail them in the configuration file downloaded from the internet by the Trojan.
ZeusVM was developed from the Zeus Trojan, whose source code was publicly revealed in 2011 after years of ruling as the leading online banking fraud malware tool.
The latest leak of the ZeusVM toolkit allows cybercriminals to customise the malware’s binary files used to breach computer systems. Attackers can modify the encryption keys and the URLs of the command-and-control servers to which the Trojan connects.
MMD has not suggested why the information was published or by whom. The researchers also recently identified a black market offer for the 3.0 version of ZeusVM priced at $5,000 (£3,215).
The research group said in a blog post that the security community can expect to see more ZeusVM (version 188.8.131.52) botnets operating on the internet since the malware and configuration builder is now “FREE as air” and has gone “public.” MMD wrote that attacks will now not only come from the usual cybercrime ‘crooks’, but anyone who has access to the leaked toolkit and uses it to generate ZeusVM 184.108.40.206 binaries.