Normally, it’s the initial release of malware that has security experts worried, but the free availability of tools to make the ZeusVM banking Trojan could send some firms into a panic.
Source code for the builder of ZeusVM — also known as KINS — as well as its control panel has been online since last month, according to MalwareMustDie!, a blog run by a security research organization of the same name. The binary generated by the builder that was leaked on the Internet is a newer version of the botnet-making tool.
As Computerworld pointed out, anything that helps cybercriminals make their own variant on the ZeusVM malware is a major concern, given its track record of stealing online financial credentials and other sensitive information. Provided they know how to alter the connectivity features of the Trojan’s command-and-control (C&C) server settings or browser URL settings, cybercriminals could create a powerful new weapon.
It’s possible law enforcement authorities or other officials could take down the leaked files, but as The Register suggested, it may already be too late to avoid what it described as a possible “bot-geddon,” or a huge wave of malware based on ZeusVM. Increased awareness among CISOs and their teams may be the only course of action, encouraging banks and other enterprises to be particularly vigilant in their monitoring for new attacks.
Already, at least six new botnets based on ZeusVM have been identified since the leak, SC Magazine reported, and version 3.0 of the malware is reasonably affordable for criminal collectives at a price point of $5,000 on the black market. Before the summer is over, it’s reasonable to expect the number of related threats could increase sharply, given that cybercriminals will probably take note of the news, as well.
Beyond looking over their shoulder, IT departments and security experts may want to study the ZeusVM data leak to see if they could use the information to build their own protection mechanisms. Videos embedded in a Softpedia post showed details on how malware would be hidden inside an encrypted JPEG file as well as an overview for building KINS botnets. It could be a race between malicious attackers and CISOs to see who makes the best use of this information first.
Writer & Editor
Shane Schick is a contributor for SecurityIntelligence.