While the Zeus variety of malware is nothing new, I heard that it is transitioning from 32-bit to 64-bit. What...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
will this mean in terms of its capabilities and enterprise defense methods?
Transitioning from 32-bit to 64-bit is a run-of-the-mill advancement in malware development. Since most computers and software are moving to 64-bit, it's no big surprise that malware authors would begin to do the same. Criminals likely couldn't care less about the differences between 32-bit and 64-bit when it comes to committing financial crimes using Zeus; they just want their malware to work on all of the systems they attack.
The 64-bit functionality in question was included in a 32-bit malware sample, and it could just be another part of the attack logic used in the malware to compromise the security of the system. For example, if the 32-bit version doesn't work, try the 64-bit version; if the Flash exploit doesn't work, use the Reader exploit; if the Windows exploit doesn't work, use the Mac version, and so on.
A more serious new capability on by default in the newest versions of the Zeus malware is its ability to use Tor as a command-and-control server. While using Tor for C&C is not necessarily new to malware, it's relatively new functionality in Zeus. Using Tor helps hide the criminal that is gathering the captured credentials, accessing the financial sites, and stealing other data from an infected system.
Fortunately, the new features in Zeus (supporting 64-bit systems and using Tor for C&C) should not require enterprises to adjust their defenses. Organizations should already be using antimalware software on their 64-bit endpoints, and any antimalware network devices or network controls should already be detecting Tor connections. Financial institutions may want to block all connections of customers from Tor-connected nodes if they aren't already, but this won't stop a criminal using a VPN connection or compromised proxy.
Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Locky ransomware has borrowed features from Dridex malware, which focused on attacking banks. Expert Nick Lewis explains Locky's techniques and how ...continue reading
The Mazar malware can wipe an entire Android device once it has been installed. Expert Nick Lewis explains how this malware works, and how attacks ...continue reading
MouseJack, a wireless mouse and keyboard security flaw, allows attackers to type malicious commands. Expert Nick Lewis explains how enterprises can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.