Q

Zeus malware: Analyzing next-generation features

An updated, 64-bit version of the Zeus malware leverages Tor for C&C. What does this mean for enterprises? Nick Lewis discusses.

While the Zeus variety of malware is nothing new, I heard that it is transitioning from 32-bit to 64-bit. What will this mean in terms of its capabilities and enterprise defense methods?

Transitioning from 32-bit to 64-bit is a run-of-the-mill advancement in malware development. Since most computers and software are moving to 64-bit, it's no big surprise that malware authors would begin to do the same. Criminals likely couldn't care less about the differences between 32-bit and 64-bit when it comes to committing financial crimes using Zeus; they just want their malware to work on all of the systems they attack.

The 64-bit functionality in question was included in a 32-bit malware sample, and it could just be another part of the attack logic used in the malware to compromise the security of the system. For example, if the 32-bit version doesn't work, try the 64-bit version; if the Flash exploit doesn't work, use the Reader exploit; if the Windows exploit doesn't work, use the Mac version, and so on.

A more serious new capability on by default in the newest versions of the Zeus malware is its ability to use Tor as a command-and-control server. While using Tor for C&C is not necessarily new to malware, it's relatively new functionality in Zeus. Using Tor helps hide the criminal that is gathering the captured credentials, accessing the financial sites, and stealing other data from an infected system.

Fortunately, the new features in Zeus (supporting 64-bit systems and using Tor for C&C) should not require enterprises to adjust their defenses. Organizations should already be using antimalware software on their 64-bit endpoints, and any antimalware network devices or network controls should already be detecting Tor connections. Financial institutions may want to block all connections of customers from Tor-connected nodes if they aren't already, but this won't stop a criminal using a VPN connection or compromised proxy.

Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)

This was first published in June 2014

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close