Zeus Attracts Developer Ecosystem
For the entry-level cybercriminal, the Zeus do-it-yourself botnet creation kit has become the go-to program for getting a modest botnet up and running.
An entire business ecosystem has evolved to serve the needs of would-be cybercriminals. What draws them to Zeus: ease of use, a competitive marketplace, and lots of customization. The result is that cybercriminal networks based on the Zeus kits account for about one in ten botnets, according to security firm Damballa.
And the demand is feeding more development and competition, says Gunter Ollmann, Damballa’s vice president of research.
“While, a year ago, Zeus could have been tracked down to a single vendor, in the last twelve months, many different vendors have begun selling it,” says Ollmann.
Among the characteristics of Zeus are the readily available plugins for the code. Fraudsters interested in specific tasks can tailor the Zeus creation kit to churn out appropriate code, says Ollmann.
“There are a bunch of third party plugins that people can buy and download,” he says. “If you want to focus on phishing the customers of Canadian banks, for example, you can download a plugin to help you out.”
Ollmann estimates that 100 to 200 plugins are currently offered for Zeus, selling for anywhere from a few dollars to $70. The latest versions of Zeus are priced between $400 and $700, a fee that rapidly declines as pirates steal the code and undercut the original developer. Posts on one online forum had sellers claiming to have earlier versions of Zeus available for $50 to $200.
The Zeus creation kit is definitely commodity bot software. Versions of the program are available for free from some sites. Ollmann believes that it will dominate the market for entry-level cybercriminals because of its low cost. Some underground groups are even offering support for the software.
“There are a lot of other kits that are more advanced or have better exploits,” Ollmann says. “But they are not as well known, are more expensive, or are harder to get a hold of.”
Yet affordable does not mean the software is easy for defenders to detect or remove. The software apparently has no trouble avoiding security scanners, with even old versions defying recognition by almost half of all antivirus clients, notes Damballa.
The company sees only more resources dedicated to Zeus in 2010.
“I think we will see, later this year and next year, an open platform for development — we have already seen a lot of exploit packs,” Ollmann says. “There is a lot of money in this business. From the development of the exploits themselves to the managed services that support it, I think we will see a lot of development — and faster development — of these services.”
A nod to reader Ben Koehl for passing along a link to one Zeus forum.
