Zeus malware gets 64-bit makeover

Kaspersky Lab finds new version of infamous banking malware making the rounds

A 64-bit version of the notorious Zeus family of banking malware has been found, an indication that cybercriminals are preparing for the software industry's move away from older 32-bit architectures.


Kaspersky Lab discovered the 64-bit version of Zeus embedded within a 32-bit sample. Code analysis indicates the malware has been circulating on the Internet at least since June.

The discovery is considered a milestone because the popularity of Zeus and its variants indicates that 64-bit development in the underground has become mainstream, Kurt Baumgartner, principal security researcher for Kaspersky, said. This means the security industry now has a "certain and real 64-bit problem."

"Researchers and the security community have long anticipated that more and more 64-bit malware would arrive on the scene, and here is one of the most used, most problematic pieces of spyware taking on that challenge," Baumgartner told CSOonline.

To ensure the effectiveness of their creations, cybercriminals typically follow software development trends. After all, the best way to hack into a 64-bit application is with malware built on the same architecture.

So while the move to 64-bit was expected to happen eventually, Kaspersky was surprised to see the beefier version of Zeus so soon, because there is no apparent need for such a version yet.

Zeus often does its dirty work through the Web browser, and most browsers in use today are 32-bit. For example, Kaspersky pegs the share of users browsing with 64-bit Internet Explorer (IE) at less than 0.01 percent. IE accounts for more than half of the browser market, according to Net Applications.

Even if the browser is on a 64-bit operating system, Zeus can still capture data related to online banking and wire transactions, such as user names, passwords and cookies. The malware also can modify data to cover its tracks.

Kaspersky speculates that the new Zeus malware may be a "marketing gimmick."

"Support for 64-bit browsers (is) a great way to advertise the product and to lure buyers -- the botnet herders," Kaspersky Lab expert Dmitry Tarakanov said in a blog post Wednesday.


The latest version of Zeus uses the Tor anonymity network to communicate with its command-and-control (C&C) server. Some 32-bit versions have offered this capability as an option, but the new malware makes Tor communication an inseparable part of its functionality.

"Zeus malware has the ability to work on its own via the Tor network with onion C&C domains, meaning it now joins an exclusive group of malware families with this capability," Tarakanov said.

The sample works as follows: the 32-bit version first tries to inject malicious code into the browser. If the browser turns out to be 64-bit, Zeus switches to its 64-bit version to complete the injection.

Zeus set the standard for other banking malware. For example, its capabilities for injecting code in browsers have become a fundamental must-have feature in nearly every banking malware family, Kaspersky says.

In May, security researchers at antivirus vendor Trend Micro reported seeing a significant increase in the use of Zeus, one of the oldest families of financial malware. Also called Zbot, Zeus is no longer developed by its original creator.

In 2011, Zeus source code was leaked on the Internet, resulting in a surge of customized versions. Among the more popular Zeus-based Trojan programs are Citadel and GameOver.

By Antone Gonsalves