64-bit Zeus Trojan version found and analyzed

Infamous banking Trojan Zeus can now be used to steal information via 64-bit versions of web browsers, and has the capability of connecting to its C&C server via the Tor anonymity network, Kaspersky Lab researchers have shared.

The 64-bit agent is contained in the malware’s 32-bit version, and has been since June 2013 at least, when the sample was first found in the wild.

“The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version,” says Kaspersky Lab expert Dmitry Tarakanov.

“We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer and it demonstrated the usual ZeuS functionality: in any case, the web injects functioned as usual.”

There are some small bugs, he says, but all in all this version mostly works as it should.

But the real question is, why would Zeus developers bother with making the 64-bit version if, according to statistics, an extremely small percentage of users have switched to 64-bit browsers?

“Admittedly, it doesn’t look too complicated from our side – the source code is available, some fixes are required to make it work in 64-bit processes and to compile it as a 64-bit application,” says Tarakanov.

But even if they are wrong, and it is difficult, they obviously took the time to do it. “Perhaps it’s just a marketing gimmick – a new feature, even if it is mostly useless, with a bit of ‘wow’ factor! Support for 64-bit browsers – a great way to advertise the product and to lure buyers – the botnet herders,” he points out.

This version also has additional advantages. It includes a slew of programs that the malware can operate on, and they are not only online banking clients but also FTP and VPN software, Bitcoin wallets, and online payment software.

It also has the ability to create an HTTP proxy server on the target computer, so that when the bot communicates with its Tor-based C&C server, it does so via the proxy.

Finally, it also creates a Tor hidden service on the infected machine, but not for the sake of other Tor users.

“It creates a Tor configuration folder for each infected host, generating a unique private key for the hidden service and, consequently, an exclusive domain name. In turn, tor.exe enables the hidden service with a unique onion domain name,” Tarakanov explains.

“When running in an infected system ZeuS listens to the ports that were generated randomly and remembered during the first launch of malware. The botnet operator will be aware of the generated onion domain related to every infected machine as the malware informs the C&C about its Tor domain name.”

“So, when an infected machine is online the botnet operator can reach it connecting to its unique onion domain via the Tor network. One purpose of this approach is the remote control of the infected host. For example, one of these ports is specifically listened to in the VNC function of ZeuS, obviously meaning that ZeuS provides remote desktop control to the operator via this port.”
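
A host-triage sketch for the per-host Tor configuration folder described above, added here as an illustration and not taken from Kaspersky Lab's analysis. It assumes the bundled tor.exe keeps stock Tor's hidden-service layout (a `hostname` file next to a key file), which the article does not state; the function names, folder names and onion name are constructed.

```python
import os
import re
import tempfile

# Assumption: stock Tor key file names ("private_key" for v2 services,
# "hs_ed25519_secret_key" for v3); the article does not name ZeuS's files.
KEY_FILES = {"private_key", "hs_ed25519_secret_key"}
# v2 onion names have 16 base32 characters, v3 names have 56.
ONION_RE = re.compile(r"^[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion$")


def find_hidden_service_dirs(root):
    """Return sorted (directory, onion_name) pairs for every folder under
    root that holds both a Tor 'hostname' file and a service key file."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        if "hostname" not in names or not (names & KEY_FILES):
            continue
        try:
            with open(os.path.join(dirpath, "hostname"), "r",
                      encoding="ascii", errors="replace") as fh:
                onion = fh.readline().strip().lower()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if ONION_RE.match(onion):
            hits.append((dirpath, onion))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: one hidden-service folder and one decoy."""
    svc = os.path.join(root, "AppData", "Roaming", "example", "hs")
    decoy = os.path.join(root, "Documents")
    for d in (svc, decoy):
        os.makedirs(d)
    with open(os.path.join(svc, "hostname"), "w") as fh:
        fh.write("abcdefghij234567.onion\n")  # constructed v2-style name
    with open(os.path.join(svc, "private_key"), "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    with open(os.path.join(decoy, "hostname"), "w") as fh:
        fh.write("workstation-07\n")  # a 'hostname' file with no key beside it
    return svc


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, onion in find_hidden_service_dirs(tmp):
            print(path, onion)
```

A hit on a workstation that has no sanctioned Tor installation is a lead for further investigation, not proof of ZeuS.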