Feb 7, 2011 05:31 GMT

The source code of the infamous ZeuS banking trojan is being offered for sale on the underground market, suggesting the malware might continue to be developed independently from SpyEye.

Back at the end of October, rumors appeared that the ZeuS developer, Slavik, aka monstr, was retiring from the malware writing scene and giving up on the successful information-stealing trojan.

Furthermore, signs suggested that he left the ZeuS source code to Gribodemon, aka Harderman, the creator of the rival SpyEye malware, under the promise that he would continue to offer support to existing clients.

It's believed that Gribodemon has since been working on porting the best features of ZeuS to SpyEye, effectively merging the two into a new super trojan.

Earlier this month, security researchers from Trend Micro found some of the first versions of the new SpyEye, which borrows several components from ZeuS.

Independent security reporter Brian Krebs revealed late last week that the source of the ZeuS crimeware toolkit is being offered for sale by someone calling themselves "nem" on an underground trading forum.

"Full ZeuS Source code of last v2.0.8.9 (includes everything). Requires MSVC++ 2010. You can create your own HWID licenses and much more," the sales pitch reads.

Looking at the seller's forum stats, it appears he has been a member since mid-2009 and has a very good reputation, which makes it likely that the offer is legit.

The price is not shown and is probably up for negotiation, as with most cybercriminal goods. However, the seller warns potential buyers to expect a high figure.

Furthermore, he notes that he will only accept Liberty Reserve as a payment method, through an escrow service that takes a 6% commission.

Liberty Reserve is a virtual currency payment system preferred by cybercriminals because it is irrevocable and is not based in the US or Western Europe.

If the ZeuS source code offer is indeed real and someone ends up buying it, the future of the banking trojan might look very different from what security researchers expect. Instead of being merged into SpyEye, independently developed versions might also appear in the future.