Arsgera - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

What's the effect of a financial malware tool going public?

A malware tool that helped to compile the Zeus Trojan has been leaked on the Web. Expert Nick Lewis explains what this means for enterprise security teams.

I read that the source code for the financial malware ZeusVM was leaked and it is expected to spur a flurry of new botnets. What are the consequences of financial malware source code like this going public, and is there anything security teams should do when this happens? Could this ultimately be a good thing, since security researchers can now examine the ZeusVM source code?

Cybercriminals often find out when the security of one of their systems was compromised the same way that enterprises find out: They are notified by a third party. The source code for the infamous Zeus Trojan has been leaked before -- in 2011 -- but in this case, the source code to the financial malware was not released. The antimalware group Malware Must Die found a copy of the ZeusVM malware tool being shared on underground forums; the ZeusVM malware tool, also known as KINS, is used for compiling the malware and making configurations. The steps for setting up the compilers and configurations tools are often difficult for novice programmers, so ZeusVM can help beginners create and deploy financial malware like this.

It's unclear why the ZeusVM code was leaked or who was behind, but the Malware Must Die researchers decided to announce that the code was freely available on the Web to raise awareness of the potential threat. There are closed-trusted communities of security professionals for legitimately sharing threat intelligence, malware, or other analysis of offensive attack data that could be used by good guys to add detection or prevention measures to security tools. This sharing benefits the security community, but the closed nature is problematic at times. The sharing of the ZeusVM code in underground forums does increase the number of people with the financial malware tool, but without the Zeus Trojan source code, it's of little use.

The ZeusVM appears to be a powerful financial malware tool that makes it easier to operate the full lifecycle of the malware, but does not fundamentally change the risk from Zeus attacks. Security teams did not implement new security controls because of the publication of the ZeusVM or KINS code. But they should monitor Zeus developments to identify if new exploits or techniques are included in the financial malware.

Next Steps

Discover how to adapt your security program to address emerging threats

Read about Vawtrak banking malware and how it bypasses security measures

Find out if there are bigger threats hiding in click fraud malware

This was last published in February 2016

Dig Deeper on Hacker tools and techniques: Underground hacking sites