While the Zeus variety of malware is nothing new, I heard that it is transitioning from 32-bit to 64-bit. What...
will this mean in terms of its capabilities and enterprise defense methods?
Transitioning from 32-bit to 64-bit is a run-of-the-mill advancement in malware development. Since most computers and software are moving to 64-bit, it's no big surprise that malware authors would begin to do the same. Criminals likely couldn't care less about the differences between 32-bit and 64-bit when it comes to committing financial crimes using Zeus; they just want their malware to work on all of the systems they attack.
The 64-bit functionality in question was included in a 32-bit malware sample, and it could just be another part of the attack logic used in the malware to compromise the security of the system. For example, if the 32-bit version doesn't work, try the 64-bit version; if the Flash exploit doesn't work, use the Reader exploit; if the Windows exploit doesn't work, use the Mac version, and so on.
A more serious new capability on by default in the newest versions of the Zeus malware is its ability to use Tor as a command-and-control server. While using Tor for C&C is not necessarily new to malware, it's relatively new functionality in Zeus. Using Tor helps hide the criminal that is gathering the captured credentials, accessing the financial sites, and stealing other data from an infected system.
Fortunately, the new features in Zeus (supporting 64-bit systems and using Tor for C&C) should not require enterprises to adjust their defenses. Organizations should already be using antimalware software on their 64-bit endpoints, and any antimalware network devices or network controls should already be detecting Tor connections. Financial institutions may want to block all connections of customers from Tor-connected nodes if they aren't already, but this won't stop a criminal using a VPN connection or compromised proxy.
Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ... Continue Reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common... Continue Reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.