Zeus banking malware resurfaces in 64-bit version

A 64-bit version of the notorious Zeus family of banking malware has been found, an indication that cybercriminals are preparing for the software industry’s move away from older 32-bit architectures.

Kaspersky Lab discovered the 64-bit version of Zeus embedded within a 32-bit sample. Code analysis indicates the malware has been circulating on the Internet at least since June.

The discovery is considered a milestone because the popularity of Zeus and its variants indicates that 64-bit development in the underground has become mainstream, Kurt Baumgartner, principal security researcher for Kaspersky, said. This means the security industry now has a “certain and real 64-bit problem.”

“Researchers and the security community have long anticipated that more and more 64-bit malware would arrive on the scene, and here is one of the most used, most problematic pieces of spyware taking on that challenge,” Baumgartner told CSOonline.

To keep their creations effective, cybercriminals typically follow software development trends. After all, the most reliable way to get malicious code into a 64-bit application is with malware built for the same architecture.

So while the move to 64-bit was expected to happen eventually, Kaspersky was surprised to see the beefier version of Zeus so soon, because there is no apparent need for such a version yet.

Zeus often does its dirty work through the Web browser, and most browsers in use today are 32-bit. For example, Kaspersky pegs the share of users browsing with 64-bit Internet Explorer (IE) at less than 0.01 percent. IE accounts for more than half of the browser market, according to Net Applications.

Even when a 32-bit browser runs on a 64-bit operating system, Zeus can still capture data related to online banking and wire transactions, such as user names, passwords and cookies. The malware can also modify data to cover its tracks.

Boosting the malware's profile

Kaspersky speculates that the new Zeus malware may be a “marketing gimmick.”

“Support for 64-bit browsers (is) a great way to advertise the product and to lure buyers—the botnet herders,” Kaspersky Lab expert Dmitry Tarakanov said in a blog post Wednesday.

The latest version of Zeus uses the Tor anonymity network to communicate with the command-and-control server. Some 32-bit versions have had this capability as an option, but the new malware makes Tor communications an inseparable functionality.

“Zeus malware has the ability to work on its own via the Tor network with onion C&C domains, meaning it now joins an exclusive group of malware families with this capability,” Tarakanov said.

The sample works in two stages: the 32-bit version first tries to inject malicious code into the browser, and if the browser turns out to be 64-bit, Zeus switches to the 64-bit build.
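The two behaviours described above, a 32-bit loader injecting into a 64-bit browser and that browser process then talking to a Tor onion C&C, each leave a host-side trace that a defender can look for. The script below is an added example written for this page, not code from Kaspersky Lab or the article; the telemetry lines are constructed, simplified Sysmon-style records (not real captures), and the Tor port list and the ".onion lookup leaked to the OS resolver" heuristic are assumptions of the example rather than anything the article states.

```python
"""Detection heuristics for cross-architecture browser injection and
browser-originated Tor traffic, correlated per browser process.

Added example; not Kaspersky's or the article's code. Telemetry below is
constructed to resemble simplified Sysmon-style events and is not a real capture.
"""
import json

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
# Default Tor OR/Dir/SOCKS ports; treating a browser connection to them as
# suspicious is an assumption of this example, not a claim from the article.
TOR_PORTS = {9001, 9030, 9050, 9150}

# Constructed telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"id": 1, "event": "ProcessCreate", "image": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "pid": 1200, "arch": "x86"}
{"id": 2, "event": "CreateRemoteThread", "source_image": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "source_pid": 1200, "source_arch": "x86", "target_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "target_pid": 2300, "target_arch": "x64"}
{"id": 3, "event": "CreateRemoteThread", "source_image": "C:\\Windows\\System32\\csrss.exe", "source_pid": 500, "source_arch": "x64", "target_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "target_pid": 2300, "target_arch": "x64"}
{"id": 4, "event": "NetworkConnect", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "pid": 2300, "dest_ip": "198.51.100.7", "dest_port": 9001}
{"id": 5, "event": "NetworkConnect", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "pid": 2300, "dest_ip": "203.0.113.10", "dest_port": 443}
{"id": 6, "event": "DnsQuery", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "pid": 2300, "query": "placeholderonionc2address.onion"}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def cross_arch_injections(events):
    """Rule 1: a 32-bit process creating a remote thread in a 64-bit browser."""
    hits = []
    for ev in events:
        if ev.get("event") != "CreateRemoteThread":
            continue
        if (ev["source_arch"] == "x86" and ev["target_arch"] == "x64"
                and basename(ev["target_image"]) in BROWSERS):
            hits.append({"rule": "cross_arch_browser_injection",
                         "event_id": ev["id"], "pid": ev["target_pid"]})
    return hits


def tor_indicators(events):
    """Rule 2: a browser process reaching a Tor port, or leaking a .onion
    lookup to the system resolver (.onion is a reserved special-use name and
    should never appear in ordinary DNS traffic)."""
    hits = []
    for ev in events:
        if basename(ev.get("image", "")) not in BROWSERS:
            continue
        if ev["event"] == "NetworkConnect" and ev["dest_port"] in TOR_PORTS:
            hits.append({"rule": "browser_to_tor_port",
                         "event_id": ev["id"], "pid": ev["pid"]})
        elif ev["event"] == "DnsQuery" and ev["query"].lower().endswith(".onion"):
            hits.append({"rule": "onion_lookup_from_browser",
                         "event_id": ev["id"], "pid": ev["pid"]})
    return hits


def correlate(events):
    """Run both rules and raise severity when the same browser PID is both
    the target of a cross-architecture injection and a source of Tor traffic."""
    inj = cross_arch_injections(events)
    tor = tor_indicators(events)
    injected_pids = {h["pid"] for h in inj}
    tor_pids = {h["pid"] for h in tor}
    for h in inj:
        h["severity"] = "high" if h["pid"] in tor_pids else "medium"
    for h in tor:
        h["severity"] = "high" if h["pid"] in injected_pids else "low"
    return inj + tor


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample, event 2 (x86 loader into x64 iexplore.exe), event 4 (browser to port 9001) and event 6 (leaked .onion lookup) are flagged and all rated high because they share PID 2300; the legitimate x64-to-x64 thread from csrss.exe and the ordinary HTTPS connection are not flagged. The per-PID correlation is the useful part: either rule alone produces noise on a real fleet, but a browser that was injected into by a 32-bit process and then speaks Tor matches the behaviour the article describes.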

Zeus set the standard for other banking malware. For example, its capabilities for injecting code in browsers have become a fundamental must-have feature in nearly every banking malware family, Kaspersky says.

In May, security researchers at antivirus vendor Trend Micro reported seeing a significant increase in the use of Zeus, one of the oldest families of financial malware. Also called Zbot, Zeus is no longer developed by its original creator.

In 2011, Zeus source code was leaked on the Internet, resulting in a surge of customized versions. Among the more popular Zeus-based Trojan programs are Citadel and GameOver.
