With this new release, ZeuS v3 also included peer-to-peer as a command and control protocol--and Slavik began referring to his new ZeuS v3 creation as P2PZeuS. Suddenly, the real reasons behind the silence in development and competition-turned-coopetition became evident: Slavik was tired of selling software as a kit. As more and more people joined his client base, the more time he had to spend supporting them.
According to underground chatter analyzed by Fox-IT, some of the people purchasing his kit had no clue as to what they were doing; their attacks would fail and they would blame Slavik's software. Slavik was forced to go underground to undo the damage caused by these claims, turning the blame back around to the "idiotic" customers. It is suspected that this was extremely time-consuming, exhausting, and left Slavik susceptible to attack and piracy.
With his new MaaS business model, Slavik could own the infrastructure and control how the software was used. In this environment, his customers were less likely to make mistakes and less likely to lash out at Slavik and his wares. It turns out that the Gribodemon hand-off of the perpetual kit was simply a way for Slavik to transfer the ongoing, overwhelmingly-expensive support for the ZeuS kit over to Gribodemon--so Slavik could focus on his new business model.
With the new service up and running, Slavik didn't join Gribodemon as described underground. Instead, he became part of a gang using P2PZeuS to go after high-value accounts. Fox-IT has some individual examples where the gang handed some large amounts. In September 2012, there was an attempt to steal $465K from a small US company and send the fund to an account in a Chinese bank.
In a second example, also from September 2012, a US printing company was hit by an attempt for no less than $2M--with plans for the money to be transferred (presumably through Cyprus) back to the gang. Fox-IT also found information supporting the theory that large attempts like these were tried more often around that date. For both examples, Fox-IT can't confirm if they were ultimately successful.
However, it is known that P2PZeuS was successful in pulling off many heists like these. With large sums like these in the cards, Slavik made more money as part of the gang than he could have by selling and supporting his malware kit on the black market. Slavik benefitted tremendously through his decision to steal away to work on P2PZeuS and to use it himself with his gang while also renting it out to friends and family.
By moving away from the ZeuS kit, Slavik also alleviated the unwelcome attention associated with the underground chatter. Perhaps worth more than the cost savings associated with eliminating the support efforts was the hand-off of the FBI-oriented attention to this cybercriminal activity. Gribodemon may have done well to look a little closer at the mouth of that gift horse. Since the transfer of the kit and the added attention from the FBI transferred to Gribodemon, the market has no longer seen anything from Gribodemon. He is no longer active on the scene; it is presumed he has retired--or vanished.
Sign up for CIO Asia eNewsletters.