Analysis: Top hacker "retires"; experts brace for his return

WASHINGTON (Reuters) - The programer who wrote ZeuS -- malicious software used to steal an estimated $100 million so far this year from U.S. towns, companies and individuals -- says he is retiring.

But security experts believe there is a good chance he will soon emerge with even more powerful ways to steal, a pattern of behavior seen after previous retirements in 2007 and 2008.

ZeuS’ anonymous programer, who lives in Russia and seems to like nice cars and powerful trucks, first introduced ZeuS in 2007 as spyware that would hide in users’ computers and log keystrokes to steal passwords, said Don Jackson, director of threat intelligence at the security firm SecureWorks.

The programer, rather than doing the stealing himself, used a middleman to sell the spyware software to criminal gangs. A basic version would run as low as $1,000 but could be customized for an extra fee. He would also offer 24/7 support.

Thieves who use ZeuS tend to avoid big companies and banks with top-line security, preferring instead smaller companies, townships and even churches. In a recent case, however, they breached and emptied brokerage accounts at E*Trade Financial Corp ETFC.O and TD Ameritrade Inc, according to a criminal complaint filed in New York last month.

"We have seen banks in almost every major country targeted by these (ZeuS) tool kits," said Dmitri Alperovitch, a vice president at security software company McAfee Inc MFE.N.

But there has been pressure on the ZeuS gangs. About a month ago authorities in the United States, Britain and the Ukraine arrested dozens of people allegedly involved in a global cybercrime scheme that used a version of the ZeuS Trojan to steal $70 million from U.S. bank accounts, the FBI said.

Early this month the ZeuS author announced through his main reseller that he’d had enough, said SecureWorks’ Jackson.

Jackson, a ZeuS expert, said that the Trojan program’s author spread the word that he was handing his source code to the author of Spy Eye, an up-and-coming Trojan and a ZeuS competitor. In fact, when the Spy Eye Trojan infected a computer it would clear out ZeuS.

Jackson said he believed the retirement announcement was a ruse. “He probably has a private client set up. They had already made the decision to merge, or to pretend to merge with Spy Eye,” he said.

What little is known about the ZeuS author has been gleaned from online chat rooms where he sometimes uses names based on expensive vehicles.

Some security experts believe there is a possibility the ZeuS programer is really headed for retirement.

"One can only imagine that he's made enough money to take a vacation for a long period of time," said Elias Levy, senior technical director at Symantec SYMC.O Security Response.

He has probably made at least a million and perhaps multiple millions of dollars, said Bill Conner, president and chief executive of computer security firm Entrust.

Gangs who used ZeuS software stole $100 million in 2010 in the United States, said Jackson.


In 2007, the ZeuS author, who goes by the handle Monstr, among others, in online forums, started to feel he was gaining too much notoriety and said at that time that he was stepping aside, but instead went underground to work more discreetly, said Jackson.

In late 2007, security experts started finding a souped-up version of ZeuS doing automated bank frauds. The cycle repeated itself in 2008.

“Once he attracts a lot of attention, he goes underground. Says ‘I’m going to hand it over to some guy and get them to deal with it.’ Tries to push the high-maintenance, second-tier customers onto someone else,” said Jackson.

Last year, ZeuS became so deft that it can now read text messages sent by banks to customers’ phones to inform them of fraudulent transfers. ZeuS intervenes, and prompts the customers to enter codes to confirm the fraudulent transfers.

One of the latest versions of ZeuS allows the Trojan to hide in an executable program, like a word processor. That way, if the ZeuS Trojan is cleared out, it can reinstall itself the next time the word processor is used, said Levy.

Security experts said they planned to monitor ZeuS and Spy Eye for new developments.

“Up until now, they were two completely different Trojans,” said Symantec’s Alperovitch, who said it was possible that the ZeuS author was retiring. “If we start seeing capabilities evolving rapidly in Spy Eye that borrow from the ZeuS functionality then we’ll know that yes indeed he (the Spy Eye author) has access to the ZeuS source code.”

Reporting by Diane Bartz; Editing by Tim Dobbyn