64-bit, Tor-enabled Zeus Variant Spotted in the Wild

The rise of 64-bit computing platforms means more 64-bit applications and, therefore, 64-bit malware
The rise of 64-bit computing platforms means more 64-bit applications and, therefore, 64-bit malware

The rise of 64-bit computing platforms means more 64-bit applications – banking applications are early adopters – and, therefore, 64-bit malware.

“If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent,” said Kaspersky Lab expert Dmitry Tarakanov, in an analysis. “And what’s the most notorious banking malware? Zeus, of course – the trendsetter for the majority of today’s banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family.”

That said, Tarakanov noted he was surprised that a 64-bit version has hit the streets so soon, because cybercriminals don’t actually need a 64-bit version. “Zeus is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks,” he explained. “But nowadays people still use 32-bit browsers – even on 64-bit operating systems. So, 32-bit versions of Zeus have been sufficient to keep the thieves satisfied with their earnings.”

Nonetheless, Kaspersky found a 64-bit version that appears to have been present in the wild since at least June, and possibly as early as April. The sample can serve 32-bit or 64-bit malware; it checks the system before injecting the appropriate version.

The proportion of users running 64-bit browsers is still negligible – less than 0.01% among Internet Explorer users, Kaspersky found. Still, support for 64-bit browsers is “a great way to advertise the product and to lure buyers – the botnet herders.”

And speaking of botnets, this version of Zeus now comes with a botnet favorite: the Tor privacy network. Botnets can make use of Tor’s anonymizing functionality to build giant networks and remain untrackable.

“Zeus malware has the ability to work on its own via the Tor network with onion CnC domains, meaning it now joins an exclusive group of malware families with this capability,” Tarakanov said.

But there’s more to it than evading trackers. This version of Zeus creates a Tor hidden service on the infected machine for communicating to command-and-control (CnC) servers. It creates a Tor configuration folder for each infected host, generating a unique private key for the hidden service and, consequently, an exclusive domain name. In turn, tor.exe enables the hidden service with a unique onion domain name. The botnet operator will be aware of the generated onion domain related to every infected machine as the malware informs the CnC about its tor domain name. So, when an infected machine is online, the botnet operator can reach it connecting to its unique onion domain via the Tor network.

“One purpose of this approach is the remote control of the infected host,” Tarakanov explained. “For example, one of these ports specifically listens to in the VNC function of Zeus, obviously meaning that Zeus provides remote desktop control to the operator via this port.”

He noted that Zeus working via Tor is nothing new, reviewing samples with signs of Tor communications dating back to 2012 when, along with a Zeus infection, the Tor proxy and Tor hidden service were rolled out on infected machines. But now, it’s built in.

“Whatever the intentions were of the malware author that created this piece of Zeus – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit Zeus does finally exist, and we can conclude that a new milestone in the evolution of Zeus has been reached,” Tarakanov concluded.

What’s hot on Infosecurity Magazine?