Matsuda Posted December 11, 2013

The infamous Zeus banking Trojan has gone 64-bit. But why?

Researchers at Kaspersky Lab’s Global Research and Analysis Team spotted a new version of the malware that behaves much like its 32-bit contemporaries: it too uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and even log keystrokes. It also communicates with its command and control servers over the Tor anonymity network, another new feature of the 64-bit variety of Zeus.

The 64-bit quandary is perplexing. As Kaspersky researcher Dmitry Tarakanov points out, fewer than 1 percent of IE users are on the 64-bit version, and even those running 64-bit versions of operating systems are running 32-bit browsers.

“Perhaps it’s just a marketing gimmick—a new feature, even if it is mostly useless, with a bit of ‘wow’ factor,” Tarakanov wrote today on Securelist. “Support for 64-bit browsers—a great way to advertise the product and to lure buyers—the botnet herders.”

While 64-bit support may be a bit of overkill for today, it does set the prolific malware up for future success. And its use of Tor as a communication platform, while not unique, does bring it into some exclusive company.

“Whatever the intentions were of the malware author that created this piece of Zeus—be it a marketing ploy or the groundwork for some future needs—a pure 64-bit Zeus does finally exist, and we can conclude that a new milestone in the evolution of Zeus has been reached,” Tarakanov said.

The Zeus source code has been available online since the Spring of 2011. Since then, numerous tweaks have been made to the Trojan, including versions that communicate over peer-to-peer networks.

The malware hooks into a user’s browser via a number of malicious Web injects that trigger when a victim visits their online banking account. The malware logs the user’s credentials and sends them to the hacker, either directly via a backdoor connection to a central server or through hops on a P2P chain. This version’s use of Tor brings a new level of stealth capabilities to the malware, one that even frustrates the NSA.

Tarakanov said Kaspersky researchers spotted the 64-bit Zeus sample tucked away inside a 32-bit version in June; the compile date on the malware was April 29. He said the 64-bit version of Zeus launches Tor.exe indirectly, first starting the svchost application in suspended mode and then injecting the Tor code into that process. Zeus then tunes the process to run Tor under the cover of svchost. The malware tells the browser to run traffic through TCP port 9050 and the stolen data will eventually land in an onion domain, egzh3ktnywjwabxb[.]onion, Tarakanov said.

Tarakanov said that Zeus also will create a hidden service that creates a configuration file for each infected host that includes a unique private key for the service and an exclusive domain. The botmaster is then able to connect to the unique onion domains when they are online and use a remote desktop control feature in Zeus to control the victim’s machine.

This version of Zeus also includes a list of more than 100 programs that will trigger execution if present on victim machines.

“There are different types of programs, but all of them contain valuable private information that cybercriminals would love to steal—login credentials, certificates and so on,” Tarakanov said, adding that Zeus also logs keystrokes pre- and post-encryption. “So when operating inside these programs, Zeus is able to intercept and forward a lot of valuable information to the botnet operator.”

Source
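The behaviour the post describes (Tor injected into a suspended svchost, the browser proxied through TCP port 9050) gives a defender two host-side signals. The following Python is an added example, not code from the post or from Kaspersky: it scans simple process/network events and flags a Windows service host process owning a listener on the Tor SOCKS port, and a browser that is proxied through such a listener. The pipe-delimited event format, the sample records and the process-name lists are constructed here for illustration; real telemetry (Sysmon network events, netstat output) would need its own parser.

```python
"""
Added example: flag the Tor-under-svchost pattern from host telemetry.

Assumed record format (constructed for this example, not a real log format):
    event_type|process_name|pid|local_addr|remote_addr
event_type is "listen" or "connect"; an absent address is written as "-".
Only IPv4 "host:port" addresses are handled.
"""

TOR_SOCKS_PORT = 9050            # default Tor SOCKS port, the port named in the post
SYSTEM_HOSTS = {"svchost.exe"}   # service host: never a legitimate SOCKS proxy
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}  # assumed browser names


def split_addr(text):
    """Turn 'host:port' into (host, port); '-' means no address."""
    if text == "-":
        return None
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_event(line):
    """Parse one constructed event record into a dict."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    etype, proc, pid, laddr, raddr = parts
    return {"type": etype, "proc": proc.lower(), "pid": int(pid),
            "local": split_addr(laddr), "remote": split_addr(raddr)}


def find_suspicious(lines):
    """Return (finding, pid, process) tuples for the two signals described."""
    events = [parse_event(l) for l in lines if l.strip()]
    findings = []

    # Signal 1: who owns the listener on the Tor SOCKS port? A service host
    # process owning it matches "Tor under the cover of svchost".
    socks_owners = {}
    for e in events:
        if e["type"] == "listen" and e["local"] and e["local"][1] == TOR_SOCKS_PORT:
            socks_owners[e["pid"]] = e["proc"]
            if e["proc"] in SYSTEM_HOSTS:
                findings.append(("svchost_listening_on_tor_socks", e["pid"], e["proc"]))

    # Signal 2: a browser talking to that local SOCKS port is only suspicious
    # when the port belongs to a system process, not to a real tor.exe.
    system_owned = any(p in SYSTEM_HOSTS for p in socks_owners.values())
    for e in events:
        if (e["type"] == "connect" and e["remote"]
                and e["remote"][0] == "127.0.0.1"
                and e["remote"][1] == TOR_SOCKS_PORT
                and e["proc"] in BROWSERS and system_owned):
            findings.append(("browser_proxied_via_system_process", e["pid"], e["proc"]))
    return findings


# Constructed sample telemetry (not captured from a real infection).
SUSPICIOUS_SAMPLE = [
    "listen|svchost.exe|1337|127.0.0.1:9050|-",
    "connect|svchost.exe|1337|10.0.0.5:49152|198.51.100.7:443",
    "connect|iexplore.exe|2048|127.0.0.1:49153|127.0.0.1:9050",
]
BENIGN_SAMPLE = [
    "listen|tor.exe|3100|127.0.0.1:9050|-",       # a user running Tor on purpose
    "connect|firefox.exe|3200|127.0.0.1:49200|127.0.0.1:9050",
    "listen|svchost.exe|900|0.0.0.0:135|-",        # normal RPC endpoint mapper
]

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, find_suspicious(sample))
```

The point of the benign sample is that port 9050 on its own is not the signal: a user who runs Tor deliberately produces the same port and the same browser connection. What distinguishes the case in the post is the owner of the listener, a service host process that has no business acting as a SOCKS proxy.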
janedoe Posted December 13, 2013

> The 64-bit quandary is perplexing. As Kaspersky researcher Dmitry Tarakanov points out, fewer than 1 percent of IE users are on the 64-bit version, and even those running 64-bit versions of operating systems are running 32-bit browsers.

Metro IE in 64-bit Win8.x is 64-bit, and desktop IE 10 onwards in 64-bit Win7 and Win8.x is completely 64-bit if Enhanced Protected Mode is enabled (otherwise only tabs are 32-bit, for plugin compatibility). Also, some people at least are using 64-bit Firefox nightlies, Pale Moon, Waterfox and so on.

So the question is, why not make the trojan compatible with 64-bit browsers? If I were the developer of the trojan (who is surely a good coder), why would I prevent 64-bit browser users, however few in number (but growing), from enjoying the trojan-y goodness of my latest release? :P

Edited December 13, 2013 by janedoe