In announcing the release of the 64-bit version for Chrome last month, Google mentioned that one of the primary drivers of the move was that majority of Windows users are now using 64-bit operating systems. The adoption rate for 64-bit for Windows has been a tad slower than what Microsoft had initially predicted, but it has been steady, and it is evident in the availability of support by software developers.
Unfortunately, however, we’ve been seeing the same adoption being implemented by attackers through 64-bit malware.
We’ve documented several instances of malware having 64-bit versions, including a 64-bit version of ZeuS, and we’ve been seeing the same in terms of targeted attacks. In fact, in our 2H 2013 Targeted Attack Trends report, almost 10% of all malware related to targeted attacks run exclusively on 64-bit platforms.
KIVARS: Earlier Versions
One of these malware we’ve found running on 64-bit systems is KIVARS. Based on our findings, early versions of this malware affects only 32-bit systems and is dropped by a malware we detect as TROJ_FAKEWORD.A (SHA1 218be0da023e7798d323e19e950174f53860da15). However, note that all versions of KIVAR used this dropper to install both the loader and backdoor.