Home | Press | Contact da en
Press Contact

Peter Kruse
Partner & Security Specialist
PGP Key ID: 0x49006F37

Secure DNS
2011-03-23 13:49:32 | Peter Kruse

[Updated] - 24.3.2011 15.15 CET

We can confirm that the source for Zbot/ZeuS is circulating. This comes from several different sources so we are confident this is the real deal. ZeuS is out in the open!

Apparently someone using the handle "IOO" is actively trying to sell ZeuS/zbot source code. For the past two weeks we have observed several individuals jumping the bandwagon announcing they have access to the Zbot/ZeuS source code and that it's for sale.

We are currently not able to verify any of these claims however this particular announcement has a picture attached which might prove that parts of the source code are indeed in the hands of IOO.

Prior to this there was several rumors that the Zeus/Zbot code was sold to the creator of SpyEye. This is also currently unconfirmed however what is curtain is the fact that someone besides the author of the ZeuS/Zbot has access to the code - and this we can document.

The screenshot below shows the builder while in the background parts of what appears to be the Zeus source code is shown.

Transcript of the post:



Selling full source code of the latest Zeus Bot from author for cheap price. I do not sell bins.


LR / WMZ / WU (Any verified escrow service accepted)
ICQ 60[removed]9345
JABBER ioo[at]ja[removed].com

PS. Awaiting for admin verification...

You should pay attention to the screen dump (posted above) which on the buttom left side is referring to a file named: "peinfector.cpp". This could be the child project of Zbot known as "Murofet", but again this is pure speculation on our side.

With the risk of starting another flood of rumours related to distribution of Zbot/ZeuS source code, this is very much "AS IS". None of this has been technically verified by CSIS Security Group.