This Content Component encountered an error
This Content Component encountered an error
This Content Component encountered an error

While the Zeus variety of malware is nothing new, I heard that it is transitioning from 32-bit to 64-bit. What...

will this mean in terms of its capabilities and enterprise defense methods?

Transitioning from 32-bit to 64-bit is a run-of-the-mill advancement in malware development. Since most computers and software are moving to 64-bit, it's no big surprise that malware authors would begin to do the same. Criminals likely couldn't care less about the differences between 32-bit and 64-bit when it comes to committing financial crimes using Zeus; they just want their malware to work on all of the systems they attack.

The 64-bit functionality in question was included in a 32-bit malware sample, and it could just be another part of the attack logic used in the malware to compromise the security of the system. For example, if the 32-bit version doesn't work, try the 64-bit version; if the Flash exploit doesn't work, use the Reader exploit; if the Windows exploit doesn't work, use the Mac version, and so on.

A more serious new capability on by default in the newest versions of the Zeus malware is its ability to use Tor as a command-and-control server. While using Tor for C&C is not necessarily new to malware, it's relatively new functionality in Zeus. Using Tor helps hide the criminal that is gathering the captured credentials, accessing the financial sites, and stealing other data from an infected system.

Fortunately, the new features in Zeus (supporting 64-bit systems and using Tor for C&C) should not require enterprises to adjust their defenses. Organizations should already be using antimalware software on their 64-bit endpoints, and any antimalware network devices or network controls should already be detecting Tor connections. Financial institutions may want to block all connections of customers from Tor-connected nodes if they aren't already, but this won't stop a criminal using a VPN connection or compromised proxy.

Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)

This was last published in June 2014
This Content Component encountered an error



Find more PRO+ content and other member only offers, here.

This Content Component encountered an error

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.
This Content Component encountered an error