This most recent version of Floki Bot, spotted in September, is based on the Zeus 2.0.8.9 source code released in 2011. There have been several incarnations of Floki Bot since then; however, this most recent version is being developed, marketed and sold by a shrewd hacker who goes by the same name as the malware.
Zeus 2.0.8.9 Source [LATEST]
This seller is offering the full ZeuS source code for the latest version 2.0.8.9, and warns away members without a significant war chest. But how much could the code actually fetch? Toward the end of last year, the ZeuS author was selling fully-loaded, single-user licenses for up to $10,000 apiece. Aviv Raff, chief technology officer and co-founder of Seculert, said this individual could probably demand at least ten times that amount for the source code, which would give the buyer full rights to sell one-off licenses to others, and/or to continue developing the malware family.
My colleague Jorge Mieres recently found a C&C server of a botnet based on a malicious program called Ice IX. As announced on several user forums, Ice IX is a bot created using the source code of ZeuS 2.0.8.9, which became publicly available in May. The author of the new bot says the program includes substantial enhancements, which should be interesting to those cybercriminals who steal money from users with the help of banking Trojans.
Some security experts have reported that the flokibot malware is based on version 2.0.8.9 of the Zeus source code. "With the leaked ZeuS source code and the multiplication of tutorials and other learning materials in cybercrime communities, the time required to attain a high level of skill and sophistication has been continuously reduced," Kremez says.
The ZeusVM client is 229.50 KB (235008 bytes) in size and consists of 903 functions. The original Zeus client was 138.00 KB (141312 bytes) and consisted of 558 functions. Using the Diaphora plugin, the latest ZeusVM was compared against the leaked Zeus 2.0.8.9 client and the following were identified: 371 function best matches (function hash, bytes hash, perfect match, equal pseudo-code, equal assembly, same rare MD index), 130 function partial matches (mnemonics same-primes-product, callgraph match, pseudo-code fuzzy hash, same constants, similar small pseudo-code), 55 function unreliable matches (strongly connected components and same-primes-product), and 345 unmatched functions. ZeusVM is, by and large, an evolution of the leaked Zeus variant. The ZeusVM binary adds dynamic API loading along with additional features (e.g., Google Chrome API hooking).
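The best/partial/unmatched tiers above come from Diaphora's matching heuristics. To make the idea concrete, the following is an added illustration (not Diaphora's code and not the ZeusVM analysis itself) that implements three of the named heuristics on constructed, made-up function listings: an exact bytes hash for best matches, the mnemonics primes product and a same-constants check for partial matches, with everything else reported as unmatched. The function names (`sub_401000` and so on), the listings and the hypothetical helpers `diff_functions` and `summarize` are all assumptions for the example; a real comparison would use Diaphora's database export rather than hand-written listings.

```python
import hashlib


def _prime_stream():
    """Yield primes 2, 3, 5, ... on demand (enough for a toy mnemonic table)."""
    n = 2
    while True:
        if all(n % p for p in range(2, int(n ** 0.5) + 1)):
            yield n
        n += 1


_PRIMES = _prime_stream()
_MNEMONIC_PRIME = {}


def mnemonic_prime(mnemonic):
    """Assign each mnemonic a fixed prime on first sight (a Diaphora-style primes table)."""
    if mnemonic not in _MNEMONIC_PRIME:
        _MNEMONIC_PRIME[mnemonic] = next(_PRIMES)
    return _MNEMONIC_PRIME[mnemonic]


def bytes_hash(insns):
    """Stand-in for a 'bytes hash': digest of the exact listing, operands included."""
    listing = ";".join(f"{m} {','.join(hex(c) for c in consts)}" for m, consts in insns)
    return hashlib.sha256(listing.encode()).hexdigest()


def primes_product(insns):
    """Order-independent fingerprint of the multiset of mnemonics (product of primes).
    Re-scheduled instructions keep the same product; added/removed ones change it."""
    product = 1
    for m, _ in insns:
        product *= mnemonic_prime(m)
    return product


def constants(insns):
    """Set of immediate/address constants the function references."""
    return frozenset(c for _, consts in insns for c in consts)


def diff_functions(old, new):
    """Match each NEW function against OLD in tiers:
       best      : identical bytes hash
       partial   : same mnemonic primes product, or same non-empty constant set
       unmatched : nothing in OLD resembles it
    Returns {new_name: (tier, old_name_or_None)}; each OLD function is used at most once."""
    by_hash = {bytes_hash(i): n for n, i in old.items()}
    by_product = {primes_product(i): n for n, i in old.items()}
    by_consts = {constants(i): n for n, i in old.items() if constants(i)}
    consumed, result = set(), {}
    for name, insns in new.items():
        for tier, key, table in (
            ("best", bytes_hash(insns), by_hash),
            ("partial", primes_product(insns), by_product),
            ("partial", constants(insns), by_consts),
        ):
            candidate = table.get(key)
            if candidate is not None and candidate not in consumed:
                consumed.add(candidate)
                result[name] = (tier, candidate)
                break
        else:
            result[name] = ("unmatched", None)
    return result


def summarize(matches, old):
    """Tier counts plus the OLD functions nothing in NEW matched (dropped or rewritten code)."""
    counts = {"best": 0, "partial": 0, "unmatched": 0}
    for tier, _ in matches.values():
        counts[tier] += 1
    matched_old = {o for _, o in matches.values() if o}
    counts["removed"] = len(set(old) - matched_old)
    return counts


# Constructed sample listings as (mnemonic, constants) tuples; not from any real Zeus/ZeusVM binary.
OLD_CLIENT = {
    "sub_401000": [("push", ()), ("mov", ()), ("call", (0x401230,)), ("xor", (0x5A,)), ("ret", ())],
    "sub_401100": [("mov", ()), ("cmp", (0x10,)), ("jne", ()), ("ret", ())],
    "sub_401200": [("push", ()), ("push", ()), ("call", (0x401300,)), ("ret", ())],
    "sub_401300": [("lea", ()), ("mov", (0x20,)), ("rep", ()), ("ret", ())],
}
NEW_CLIENT = {
    "sub_501000": [("push", ()), ("mov", ()), ("call", (0x401230,)), ("xor", (0x5A,)), ("ret", ())],
    "sub_501100": [("cmp", (0x10,)), ("mov", ()), ("jne", ()), ("ret", ())],  # same mnemonics, reordered
    "sub_501200": [("mov", ()), ("call", (0x401300,)), ("jmp", ())],            # rewritten, same call target
    "sub_501300": [("push", ()), ("push", ()), ("push", ()), ("call", (0x77001234,)), ("test", ()), ("ret", ())],
}

if __name__ == "__main__":
    matches = diff_functions(OLD_CLIENT, NEW_CLIENT)
    for name, (tier, old_name) in matches.items():
        print(f"{name}: {tier:9s} {old_name or '-'}")
    print(summarize(matches, OLD_CLIENT))
```

The primes-product tier is what lets a compiler-reordered or lightly patched function still be linked to its ancestor, while the removed count on the old side is as informative as the unmatched count on the new side when judging how much of a leaked code base a later family really reuses.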
The Zeus banking trojan (originally called PRG or Zbot) was first discovered by the CTU research team in 2007 after it was used in a credential-theft attack targeting the United States Department of Transportation. Since the Zeus 2.0.8.9 source code was stolen and leaked to the underground community in May 2011, nearly every banking trojan contains Zeus features. The relative maturity and broad success of Zeus has provided a model in the weaponization and development of other families of banking trojans.