64-Bit Version of ZeuS Comes with Improved Evasion, Rootkit Capabilities


Figure: ZeuS files are visible in the command prompt, but not in File Explorer.

Back in December 2013, Kaspersky reported spotting a 64-bit version of the notorious ZeuS banking Trojan. At the time, experts revealed that the threat was relying on Tor in order to protect its command and control infrastructure.

Now, Trend Micro researchers have also analyzed the 64-bit ZeuS and they’ve found some interesting details.

Apparently, the threat comes with improved antimalware evasion tricks. The malware is capable of identifying certain analysis tools such as StudPE, WinHex, OllyDbg and ProcDump. Execution is prevented if any of these tools is detected.

The 64-bit version of ZeuS also has user mode rootkit capabilities, which it uses to hide the malware's files, processes and registry entries.

However, it's worth noting that user mode rootkit capabilities are less effective than kernel mode ones. In the former case, users can still find and delete the files by booting into Safe Mode.
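The screenshot above shows the classic symptom of a user mode rootkit: an enumeration path the malware hooks (File Explorer) omits entries that another path (cmd.exe `dir`) still reports. A cross-view comparison turns that symptom into a check. The following is an added example, not code from the original post or from Trend Micro; the `dir` output and the Explorer-side listing are constructed sample data with made-up filenames, and `find_hidden_entries` simply diffs the two views.

```python
"""Cross-view listing diff: flag entries that one enumeration path reports
but another omits, the discrepancy a user mode rootkit produces when it
hooks only some of the APIs an investigator might use.

Added example, not part of the original post. All data below is constructed.
"""
import re
from typing import Iterable, Set

# Constructed cmd.exe `dir` output for a hypothetical directory.
# Filenames are made up and are not real ZeuS indicators.
CMD_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\victim\\AppData\\Roaming\\Sample

01/15/2014  09:12 AM    <DIR>          .
01/15/2014  09:12 AM    <DIR>          ..
01/15/2014  09:12 AM           204,800 sample_bot.exe
01/15/2014  09:12 AM             1,024 sample_config.dat
01/14/2014  05:30 PM                12 notes.txt
               3 File(s)        205,836 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# Constructed listing from the second vantage point (what File Explorer,
# or any other hooked enumeration path, showed for the same directory).
EXPLORER_LISTING = ["notes.txt"]

# One `dir` entry line: date, time, AM/PM, then either <DIR> or a size, then the name.
_DIR_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_output(text: str) -> Set[str]:
    """Extract entry names from cmd.exe `dir` output, skipping '.' and '..'."""
    names = set()
    for line in text.splitlines():
        match = _DIR_LINE.match(line)
        if match and match.group(1) not in (".", ".."):
            names.add(match.group(1))
    return names


def cross_view_diff(view_a: Iterable[str], view_b: Iterable[str]) -> Set[str]:
    """Entries present in view_a but missing from view_b.

    A non-empty result means the two enumeration paths disagree about the
    same directory, which on a clean system should not happen.
    """
    return set(view_a) - set(view_b)


def find_hidden_entries() -> Set[str]:
    """Compare the constructed `dir` view against the constructed Explorer view."""
    return cross_view_diff(parse_dir_output(CMD_DIR_OUTPUT), EXPLORER_LISTING)


if __name__ == "__main__":
    for name in sorted(find_hidden_entries()):
        print(f"hidden from Explorer but listed by dir: {name}")
```

The check only works when the two views are taken through different code paths; if the rootkit hooks the API both tools share, both listings agree and nothing is flagged. That is why the post's Safe Mode advice matters: a listing taken from an environment where the malware's hooks are not loaded is the strongest second view.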

Additional technical details are available on Trend Micro’s blog.
