Zeus, software as a service – Implications for civil and military

Pierluigi Paganini January 24, 2012

As previously said, the cyber crime industry is proving to be a thriving business that knows no crisis. The reasons are countless; high profits and unpunished crimes are most often the main ones. What amazes, however, is the organization managing the criminal business: operations managed as projects, and malware designed as the products of large companies with a maniacal attention to quality. The product life cycle is the most amazing aspect: from design to release to after-sales support, each stage is designed in every detail with care and attention.
On more than one occasion we have read of malware designed with complex solutions to meet the most demanding requirements of effectiveness and scalability, evidence that there are high skills behind these projects, probably coming from the legitimate industry.

Just recently I read news of the commercial distribution of the famous Zeus Trojan, a malware designed as an open project that can be customized with new features to meet customer demands. The Zeus Trojan is an agent able to steal banking information by logging keystrokes and form grabbing; it is spread mainly through phishing and drive-by download schemes. Consider that the several Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States). As of October 28, 2009, over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus Trojan. Regarding ZeuS diffusion I suggest consulting the web site https://zeustracker.abuse.ch/, which provides updated statistics on the localization of the Command & Control servers of the botnets based on the agent. Among the huge quantity of statistics presented, I found a couple of items that I consider really indicative: the Average Antivirus detection rate (last 60 days) and the list of the Top C&C servers.


An important factor is that cybercrime’s financial and geographic growth shows no slowdown during the global economic crisis; indeed, it probably took advantage of the crisis to make the business much more profitable. Lack of awareness of the threat, and the contraction of investment in prevention and awareness, have played in favor of cyber crime. No company or organization is immune.

What amazed me is the news that in many underground forums users have posted numerous complaints related to the lack of support for the development of new features for the popular Trojan. Very interesting is the organization of sales and support channels, in many ways more responsive than those used for legal products: forums and social networks are used to collect information on bugs and to request information regarding the commercial development of new features, a shortcut between developers and end users.
No doubt this approach raises a lot of concern because of the unpredictable evolution that the agents may have once their own community supports open development.
The apparent evolutionary leap made by this type of product and its marketing is reflected in the different ways of selling: products can be purchased in packages that provide ongoing support and evolutionary maintenance of the Trojans to meet changing customer needs.

Always with an eye on the malware distribution model and support services, commonly referred to as “software-as-a-service”, I point out the ZeuS offshoot Citadel, a true web store advertised on several members-only forums that offer developments by malicious hackers.


Which are the main services offered by Citadel’s owners? According to their declaration, they propose a common platform for content sharing based on a social network model.

  • A social network for customers, the Citadel CRM Store, that allows users to be active players in product development.
  • Reporting of bugs and other errors in the software through a ticketing system.
  • A code sharing platform: each client can share its modules and software code with others, creating new modules or improvements.
  • Promotion of public proposals for software improvements and new features.
  • An efficient Jabber instant message communication channel.

The model described is essentially applicable to all kinds of malware from the moment its source code is divulged. Groups of developers can then operate in autonomous communities that take charge of improving the product to meet business needs. This is the critical transition from malware to business opportunity.

Regarding the specific case of Citadel, I quote the figures drawn from an article published by Krebs on Security:

The basic Citadel package — a bot builder and botnet administration panel — retails for $2,399 + a $125 monthly “rent,” but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.

Citadel also boasts a feature that hints at its creator’s location(s). According to the authors, if the malware detects that the victim’s machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan’s creators if there are no local victims.

Another necessary reflection concerns the implementation of this development model, which could benefit even government organizations in recruiting hackers expert in the development of malware. Platforms such as the one described allow, in fact, access to high skills and evolutionary support that is relatively easy to handle, potentially lethal if concentrated on the development of cyber weapons.

How? Recall the case of the Tilded platform, the malware development platform recognized as the basis for the development of agents like Stuxnet and Duqu.

What would happen if a government decided to engage hackers to build a community dedicated to the development of a similar platform? The hackers would have the perception of working on a generic platform for malware development which, once completed, could be personalized by governmental personnel with modules developed internally to attack strategic targets.
Scenarios like this are as terrifying as they are possible; it is important to remain vigilant.

We are witnessing an impressive growth of cyber crime that is difficult to stop, a relentless progression that requires us to implement, in both the government and private sectors, a series of measures to contain the threat.

The first step is to become aware of the threat and the risks … the second step, action!

Pierluigi Paganini
