Manage Learn to apply best practices and optimize your operations.

Zeus malware: Analyzing next-generation features

An updated, 64-bit version of the Zeus malware leverages Tor for C&C. What does this mean for enterprises? Nick Lewis discusses.

While the Zeus variety of malware is nothing new, I heard that it is transitioning from 32-bit to 64-bit. What will this mean in terms of its capabilities and enterprise defense methods?

Transitioning from 32-bit to 64-bit is a run-of-the-mill advancement in malware development. Since most computers and software are moving to 64-bit, it's no big surprise that malware authors would begin to do the same. Criminals likely couldn't care less about the differences between 32-bit and 64-bit when it comes to committing financial crimes using Zeus; they just want their malware to work on all of the systems they attack.

The 64-bit functionality in question was included in a 32-bit malware sample, and it could just be another part of the attack logic used in the malware to compromise the security of the system. For example, if the 32-bit version doesn't work, try the 64-bit version; if the Flash exploit doesn't work, use the Reader exploit; if the Windows exploit doesn't work, use the Mac version, and so on.

A more serious new capability on by default in the newest versions of the Zeus malware is its ability to use Tor as a command-and-control server. While using Tor for C&C is not necessarily new to malware, it's relatively new functionality in Zeus. Using Tor helps hide the criminal that is gathering the captured credentials, accessing the financial sites, and stealing other data from an infected system.

Fortunately, the new features in Zeus (supporting 64-bit systems and using Tor for C&C) should not require enterprises to adjust their defenses. Organizations should already be using antimalware software on their 64-bit endpoints, and any antimalware network devices or network controls should already be detecting Tor connections. Financial institutions may want to block all connections of customers from Tor-connected nodes if they aren't already, but this won't stop a criminal using a VPN connection or compromised proxy.

Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.