Ok, so I was reading the article by Michael Kassner, “Why isn’t everyone hacked every day” (http://www.techrepublic.com/blog/security/why-isnt-everyone-hacked-every-day/6633), which discusses a paper by Cormac Herley and Dinei Florencio, “Where Do All the Attacks Go?” (http://research.microsoft.com/pubs/149885/WhereDoAllTheAttacksGo.pdf).
In short, the paper gives a plausible explanation of why the internet by and large still works even though the state of security is a mess (well, not exactly, but almost).
One of the key statements that caught my eye was: “Thus, how common a security strategy is, matters at least as much as how weak it is”.
Basically this means that if you are a bank and you deploy the same security solution as everyone else, you are more likely to be hit, because the fraudsters can simply reuse an existing attack vector.
However, it occurred to me that this is obviously also true for the bad guys: if all of them used the Zeus trojan to commit their crimes, the good guys could obviously be much better prepared to defeat the attacks.
If the bad guys keep switching to new trojans (with new configuration files, encryption, hooking, …), the good guys have a much harder time providing the same level of protection.
If you use any run-of-the-mill Zeus trojan service, chances are high that you will be detected pretty quickly through ZeuS Tracker and the many services, offered by many companies, that give financial institutions an early warning.
However, if you either use a different trojan or modify the trojan to make detection and decryption harder (such as the Zeus variants based on the leaked Zeus source code - http://www.tidos-group.com/blog/?p=429), the chances of going undetected increase. We have seen this over and over again: when Carberp hit the scene, it made a big impact because nobody really knew what was happening or how it worked.
So while the paper by Herley and Florencio talks about the security industry, the same thing applies to the fraudsters as well, and as such I’m sure we will always see a proliferation of many different trojans for exactly this reason.