The infamous Zeus banking Trojan has gone 64-bit. But why?
Researchers at Kaspersky Lab’s Global Research and Analysis Team spotted a new version of the malware that behaves much like its 32-bit contemporaries: it uses Web injects to steal banking credentials and drain online accounts, steals digital certificates and logs keystrokes. It also communicates with its command and control servers over the Tor anonymity network, another new feature of the 64-bit variant.
The choice of 64-bit is puzzling. As Kaspersky researcher Dmitry Tarakanov points out, fewer than 1 percent of Internet Explorer users run the 64-bit version of the browser, and most users on 64-bit operating systems still run 32-bit browsers, so there are few 64-bit browser processes for the new build to inject into.
“Perhaps it’s just a marketing gimmick—a new feature, even if it is mostly useless, with a bit of ‘wow’ factor,” Tarakanov wrote today on Securelist. “Support for 64-bit browsers—a great way to advertise the product and to lure buyers—the botnet herders.”
While 64-bit support may be a bit of overkill for today, it does set the prolific malware up for future success. And its use of Tor as a communication platform, while not unique, does bring it into some exclusive company.
“Whatever the intentions were of the malware author that created this piece of Zeus—be it a marketing ploy or the groundwork for some future needs—a pure 64-bit Zeus does finally exist, and we can conclude that a new milestone in the evolution of Zeus has been reached,” Tarakanov said.
The Zeus source code has been available online since the spring of 2011. Since then, numerous tweaks have been made to the Trojan, including versions that communicate over peer-to-peer networks. The malware hooks into the victim’s browser and, through Web injects, modifies the pages of online banking sites when the victim visits them. It logs the user’s credentials and sends them to the attacker, either directly over a connection to a central command and control server or through hops on a P2P chain. This version’s use of Tor brings a new level of stealth to the malware’s command and control channel, one that even frustrates the NSA.
Tarakanov said Kaspersky researchers found the 64-bit Zeus sample in June, embedded inside a 32-bit version; the compile date on the 64-bit binary was April 29. He said this version launches Tor indirectly rather than as a visible Tor.exe: it starts the legitimate svchost application in a suspended state, injects the Tor code into that process and then adjusts the process so that Tor runs under the cover of svchost. The malware sends its traffic through the local Tor SOCKS proxy on TCP port 9050, and the stolen data eventually lands at an onion domain, egzh3ktnywjwabxb[.]onion, Tarakanov said.
Tarakanov said that Zeus also creates a Tor hidden service on each infected host, writing a configuration file that includes a unique private key for the service and a dedicated onion domain for that host. The botmaster can then connect to a host’s unique onion domain whenever that host is online and use Zeus’s remote desktop control feature to control the victim’s machine.
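As an added example (not code from the article or from Kaspersky), here is a small hunting check a responder could run over endpoint telemetry to look for the pattern just described: a Tor SOCKS proxy on port 9050 served by an svchost.exe that services.exe did not start, and a browser talking to that proxy. The telemetry record layout, the field names and the sample processes and connections are constructed for this example; the only facts taken from the article and from Tor itself are that 9050 is Tor's default SOCKS port and that the masquerading process is a real svchost.exe image.

```python
# Added example (not from the article or Kaspersky): a hunting check over
# constructed endpoint telemetry for Tor running under the cover of svchost.exe.
from dataclasses import dataclass

TOR_SOCKS_PORT = 9050  # Tor's default SOCKS port, the one the article says Zeus uses


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str         # image name as reported by the endpoint agent
    parent_name: str  # image name of the parent process
    path: str         # on-disk path of the image


@dataclass(frozen=True)
class Conn:
    pid: int
    state: str        # "LISTEN" or "ESTABLISHED"
    laddr: str
    lport: int
    raddr: str
    rport: int


# Constructed sample telemetry, not real data. PID 3120 is the scenario the
# article describes: a genuine svchost.exe image, but started by something other
# than services.exe and now serving as a Tor SOCKS proxy on 127.0.0.1:9050.
SAMPLE_PROCS = [
    Proc(800, "svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(804, "svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(3120, "svchost.exe", "explorer.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(4100, "iexplore.exe", "explorer.exe",
         r"C:\Program Files\Internet Explorer\iexplore.exe"),
]
SAMPLE_CONNS = [
    Conn(800, "ESTABLISHED", "10.0.0.5", 49700, "13.107.4.50", 443),
    Conn(3120, "LISTEN", "127.0.0.1", TOR_SOCKS_PORT, "0.0.0.0", 0),
    Conn(4100, "ESTABLISHED", "127.0.0.1", 49812, "127.0.0.1", TOR_SOCKS_PORT),
]


def find_suspicious(procs, conns):
    """Return (pid, reason) pairs for processes matching the Zeus-over-Tor pattern."""
    by_pid = {p.pid: p for p in procs}
    findings = []

    # 1. svchost.exe is normally a child of services.exe and lives in System32.
    #    Zeus starts its own copy (suspended, then injected), so the parent is wrong.
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        if p.parent_name.lower() != "services.exe":
            findings.append((p.pid, "svchost.exe not spawned by services.exe"))
        if not p.path.lower().startswith("c:\\windows\\system32\\"):
            findings.append((p.pid, "svchost.exe image outside System32"))

    # 2. A SOCKS listener on 9050 owned by anything other than a Tor binary,
    #    and client processes (here the browser) talking to it over loopback.
    for c in conns:
        p = by_pid.get(c.pid)
        if p is None:
            continue
        if c.state == "LISTEN" and c.lport == TOR_SOCKS_PORT and p.name.lower() != "tor.exe":
            findings.append((c.pid, f"{p.name} listening on Tor SOCKS port {TOR_SOCKS_PORT}"))
        if c.state == "ESTABLISHED" and c.raddr == "127.0.0.1" and c.rport == TOR_SOCKS_PORT:
            findings.append((c.pid, f"{p.name} connecting through local Tor SOCKS proxy"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f"pid {pid}: {reason}")
```

Two caveats for anyone adapting this. A legitimately installed Tor (or a privacy tool bundling it) also opens a local SOCKS listener, so the port check on its own is low signal and is only worth alerting on together with the parent-process anomaly. And the telemetry above cannot see the start-suspended-then-inject sequence itself; an EDR that records process creation with the suspended flag followed by memory writes into that child from another process is the direct signal for the technique Tarakanov describes.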
This version of Zeus also carries a list of more than 100 programs that it will operate inside when it finds them running on the victim machine.
“There are different types of programs, but all of them contain valuable private information that cybercriminals would love to steal—login credentials, certificates and so on,” Tarakanov said, adding that Zeus also logs keystrokes pre- and post-encryption. “So when operating inside these programs, Zeus is able to intercept and forward a lot of valuable information to the botnet operator.”