
5/11/2011

[Warning] A decrypted version of the Zeus source code is spreading.

1. Introduction

On May 11, 2011, the INCA Internet Emergency Response Team detected that the source code of the final version of Zeus, a tool for automating the development of malicious files, together with its decryption password, was being distributed from an Indian Twitter account. General users need to be careful when using the internet.
Zeus builder source code found previously on the internet was distributed as encrypted compressed files, but without the decryption password those files could not be used.
As of today, the sharing of a usable source has been officially confirmed.

The INCA Internet Emergency Response Team had already obtained the original Zeus source code on May 2, before it began spreading on May 11, and had started developing blocking techniques and a detailed analysis. When INCA Internet found the source code, fortunately, the password had not yet been shared.

Since the files now spreading alongside the encrypted source code let anyone decode it easily, variants of Trojan horses targeting online banking will increase exponentially. In addition, the threat from botnets built from these malicious files is relatively high.

Therefore, a "comprehensive security review" is required to minimize the security threats to online banking involving the Zeus malicious file.

2. Disclosure of the decompressed version of the Zeus source code

The following figure was captured by the INCA Internet Emergency Response Team. It shows that an Indian hacker uploaded the Zeus source code to his web site and posted a link, including the encryption password, on his Twitter account. Through Twitter's retweet function, it remains available through various routes, including SNS and hacking forums.


The following figure shows the Zeus source code on a certain website.


The file can be downloaded from the shared domain we found, and the password spread on his Twitter account works as the key to the compressed file.


Based on our analysis, comparing our copy of the source code with the one currently circulating, the compressed file found recently was almost identical, except that it lacks the Russian documentation file.

In addition, if you try to build the source code, you see the Zeus Package Builder screen shown below and can complete the build.



3. Zeus variant malicious files are easy to make

The Zeus malicious file is detected and removed by the latest version of nProtect Anti-Virus under the detection name Zbot. What makes this worse is that similar variants of Zbot are emerging and spreading, and the spread of the builder source program will multiply the variants beyond counting.

Furthermore, various versions of the builder are used to make malicious files.


Because having the source code allows the builder tool to be modified to develop new malicious files, a technique that blocks at the source level is needed.

The following figure shows that the leaked source works. The malicious file's configuration is in the Actions part, and it can target various online banking web sites.



4. How to respond

We tested a simple procedure using the latest malicious file built by this Zeus builder. nProtect KeyCrypt, the keyboard security solution of INCA Internet, protected the keys typed in a test of entering a password on a web page.


A general user can hardly notice anything happening on his PC while the malicious file spreads.
To use a PC safely despite the security threats from these malicious files, we recommend the following "security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as the one described above and operates a 24-hour response system against various security threats.
