Perhaps it was inevitable, but a 64-bit version of the Zeus banking trojan has been spotted in the wild – and it now comes enhanced with Tor.
The rise of 64-bit computing platforms means more 64-bit applications – banking applications are early adopters – and, therefore, 64-bit malware.

“If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent,” said Kaspersky Lab expert Dmitry Tarakanov, in an analysis. “And what’s the most notorious banking malware? Zeus, of course – the trendsetter for the majority of today’s banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family.”

That said, Tarakanov noted he was surprised that a 64-bit version has hit the streets so soon, because cybercriminals don’t actually need a 64-bit version. “Zeus is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks,” he explained. “But nowadays people still use 32-bit browsers – even on 64-bit operating systems. So, 32-bit versions of Zeus have been sufficient to keep the thieves satisfied with their earnings.”

Nonetheless, Kaspersky found a 64-bit version that appears to have been present in the wild since at least June, and possibly as early as April. The sample can serve 32-bit or 64-bit malware; it checks the system before injecting the appropriate version.

The proportion of users running 64-bit browsers is still negligible – less than 0.01% among Internet Explorer users, Kaspersky found. Still, support for 64-bit browsers is “a great way to advertise the product and to lure buyers – the botnet herders.”

Read more: http://www.infosecurity-magazine.com/view/36103/64bit-torenabled-zeus-variant-spotted-in-the-wild/