64-bit ZeuS/ZBOT has arrived with enhanced techniques and uses Tor

Pic : Shutterstock

As the world moves towards 64-bit operating systems, including on our mobile phones, so does ZeuS. As per the reports from Securelist, they have discovered a 64-bit ZeuS hidden inside a 32-bit version: “The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version

Recently Trend Micro discovered that the 64-bit version of ZeuS has evolved since it was first seen by Kaspersky in April 2013, and confirmed that it no longer hides within the 32-bit version.

“Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If the running process is 64-bit, the malware then loads the 64-bit version of the malware. If not, it will continue to execute the 32-bit version.

The other notable feature of this ZBOT variant is its Tor component, which can hide the malware’s communication to its command-and-control (C&C) servers. This component is embedded at the bottom part of the injected code, along with the 32-bit and 64-bit versions. To initiate this component, the malware suspends the process svchost.exe and injects it with the Tor component’s code, then resumes the process. In doing so, the execution of Tor is masked. It is launched using the following parameters:

“%System%\svchost.exe” –HiddenServiceDir “%APPDATA%\tor\hidden_service” –HiddenServicePort “1080 127.0.0.1:{random port 1}” –HiddenServicePort “5900 127.0.0.1: {random port 2}”

” — as reported by Trend Micro

“Tor.exe is launched indirectly — ZeuS starts the system svchost.exe application in suspended mode, then injects the tor.exe code into this suspended svchost.exe process, tunes the code to run properly and resumes execution of the suspended svchost,” Tarakanov explains. “As a result, instead of the system svchost.exe, the process actually starts executing tor.exe. The Tor utility under the cover of the svchost.exe process creates an HTTP proxy server listening to the TCP port 9050.” - Kaspersky
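A defender-side check suggested by the launch parameters quoted above, written for this post as an added example (it is not code from Trend Micro or Kaspersky): it parses process-creation command lines and flags svchost.exe instances that carry Tor hidden-service options, which a genuine svchost.exe (always started by services.exe with a -k service group) never has. The process events below are constructed, and the paths and ports in them are made up.

```python
"""Flag svchost.exe processes launched with Tor hidden-service options."""
import shlex

# Tor options that never belong on a genuine svchost.exe command line: the two
# quoted in the write-up plus a few siblings from the Tor manual.
TOR_OPTIONS = {"hiddenservicedir", "hiddenserviceport", "socksport", "datadirectory"}

# Constructed process-creation records (hypothetical; not from a real host).
SAMPLE_EVENTS = [
    {"pid": 412, "cmdline": r'"C:\Windows\System32\svchost.exe" -k netsvcs -p'},
    {"pid": 1788, "cmdline": (r'"C:\Windows\System32\svchost.exe" --HiddenServiceDir '
                              r'"C:\Users\bob\AppData\Roaming\tor\hidden_service" '
                              r'--HiddenServicePort "1080 127.0.0.1:52741" '
                              r'--HiddenServicePort "5900 127.0.0.1:50012"')},
    {"pid": 2204, "cmdline": r'"C:\Tools\Tor\tor.exe" --SocksPort 9050'},  # legit tor.exe
]

def parse_args(cmdline):
    # Windows command line: split on whitespace only, keep backslashes, drop quotes.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]

def tor_options(args):
    """Collect '-Opt value' / '--Opt value' pairs whose name is a Tor option."""
    opts, i = {}, 1
    while i < len(args):
        name = args[i].lstrip("-").lower()
        if args[i].startswith("-") and name in TOR_OPTIONS:
            opts.setdefault(name, []).append(args[i + 1] if i + 1 < len(args) else "")
            i += 2
        else:
            i += 1
    return opts

def hidden_service_ports(opts):
    """HiddenServicePort takes 'VIRTPORT TARGET'; return (virtport, target) pairs."""
    pairs = []
    for value in opts.get("hiddenserviceport", []):
        parts = value.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            pairs.append((int(parts[0]), parts[1].replace(" ", "")))
    return pairs

def check_event(event):
    """Return (pid, reason, hidden_ports) for a suspicious svchost.exe, else None."""
    args = parse_args(event["cmdline"])
    if not args or args[0].rsplit("\\", 1)[-1].lower() != "svchost.exe":
        return None
    opts = tor_options(args)
    if opts:
        return (event["pid"], "Tor options on svchost.exe: " + ", ".join(sorted(opts)),
                hidden_service_ports(opts))
    if "-k" not in args:  # real svchost.exe always names a service group
        return (event["pid"], "svchost.exe without -k service group", [])
    return None

def scan(events):
    return [f for f in map(check_event, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On a real host the same logic applies to Sysmon event ID 1 or Windows 4688 command lines; the hidden-service virtual ports 1080 and 5900 seen here match the SOCKS and VNC ports named in the quoted parameters.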

Now that’s brilliant by the authors, who have already thought of the next wave of technology. Very few users have migrated their browsers to 64-bit so far, and the overall benefit of this migration is limited for the ZeuS masters at this point. In either case, they are already ready for the future, which can get as scary as it may be.
