
VIRUS ALERTS

Zeus Botnet / Zbot

Original issue date: February 16, 2010

Updated: August 20, 2010

Win32/Zbot, also commonly known as Zeus bot, is a family of information-stealing trojans which aims to capture infected users' banking login credentials and send them back to a remote server in real time.

This Trojan arrives on the system as a file downloaded from malicious web pages or as an attachment to spammed messages claiming to be critical updates, fake alerts, messages from social networking sites etc., as shown below:

[Figure: sample spammed message carrying the Zbot attachment]

It may also inject HTML content into the pages rendered by the browser, so that its own content is displayed together with (or instead of) the genuine pages from the bank's web server. It also contains backdoor functionality that allows unauthorized access and control of an infected machine.

The Zbot trojan starts its main information-stealing function by opening a connection to a remote server and downloading an encrypted configuration file. This file contains the address to which the trojan will later upload the information it has stolen, an address from which it can download a new version of itself, and the address of another configuration file. It also defines which websites the trojan will target for information theft.

It steals data from the clipboard, Windows Protected Storage, certificates stored on the system, and FTP and POP3 credentials, and can also capture screens and log keystrokes.

Some recent variants have been found to use autorun techniques to spread, dropping an autorun.inf and a copy of the worm in the root of removable and fixed drives.

It is also known by the pseudonym Kneber, the e-mail ID used to register the domains.

Aliases:

Win-Trojan/Zbot (AhnLab), Win32/Kollah (CA), Win32/Spy.Zbot (ESET), Trojan-Spy.Win32.Zbot (Kaspersky), PWS-Zbot (McAfee), Avalanche botnet (other), Wsnpoem (other), Zeus botnet (other)

Upon execution, the worm variants:

  • Drop the following files
    • %Windir%\%SYSDIR%\ntos.exe, sdra64.exe or twex.exe (worm copy)
    • %Windir%\%SYSDIR%\wsnpoem\audio.dll (stores stolen information)
    • %Windir%\%SYSDIR%\wsnpoem\video.dll (copy of configuration file)
    • %Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\Sysdate.exe or Wuaclt.exe
    • %Windir%\%SYSDIR%\twain_32\user.ds
    • %APPDATA%\<random letters>\<random letters>.exe

  • Modify the registry (automatic start-up)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%System%\Userinit.exe,%System%\ntos.exe,"

  • Create the following registry entries
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network UID = "{computer name}_{random numbers}"
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x00000000
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman\%Root%\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\[Filename].exe
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\
      {19127AD2-394B-70F5-C650-B97867BAA1F7}
      {43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
      {4B19E1F3-5B47-C615-C75A-E0FD63DB477F}

  • Hook the following APIs:
    GetFileAttributesExW, HttpSendRequestW, HttpSendRequestA,
    HttpSendRequestExW, HttpSendRequestExA, InternetCloseHandle,
    InternetReadFile, InternetReadFileExA, InternetQueryDataAvailable,
    HttpQueryInfoA, closesocket, send, WSASend,
    TranslateMessage, GetClipboardData, PFXImportCertStore

  • Create one of the following mutexes to ensure that only one copy of the threat is running on the computer
    • __SYSTEM__23D80F10__
    • __SYSTEM__45A2F601__
    • __SYSTEM__64AD0625__
    • __SYSTEM__7F4523E5__
    • __SYSTEM__91C38905__

  • Connect to the following domains over UDP port 11223
    • butterfly.[removed].biz
    • http://195.{BLOCKED}.{BLOCKED}.4/avp
    • butterfly.[removed].es
    • qwertasdfg.[removed].es
    • blatundalqik.ru/panama/odess[REMOVED]
    • blatundalqik.ru/panama/odess[REMOVED]
    • blatundalqik.ru/panama/kiev[REMOVED]
    • wfrules.ru/wfrule[REMOVED]

  • Terminate themselves if firewall-related processes (zclient.exe, outpost.exe) are running

  • Steal credentials from the following FTP clients:
    FlashFXP, Total Commander, ws_ftp, FileZilla, FAR/FAR2,
    winscp, FTP Commander, CoreFTP, SmartFTP

  • Inject their code into the following processes:
    • explorer.exe
    • lsass.exe
    • svchost.exe
    • winlogon.exe
    • taskhost.exe
    • taskeng.exe
    • wscntfy.exe
    • ctfmon.exe
    • rdpclip.exe

In view of the rapid propagation of Zbot, users are advised to implement the following countermeasures:

  • Search for the malicious files and registry entries created by the worm and delete them
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Use caution when opening attachments and accepting file transfers
  • Disable autorun
  • Keep up to date with patches and fixes for the operating system and the vulnerabilities mentioned above
  • Install and maintain a firewall at desktop level
  • Use caution when clicking on links to web pages
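An added host-triage helper, written for this page and not part of the advisory or any vendor tool, that checks a host's values against the indicators listed above: extra entries in the Winlogon\Userinit value, file paths matching the dropped files, and the Zbot mutex names. All sample inputs are constructed; on a real host the Userinit value, the file listing and the mutex names would be read from the registry, a directory walk and a handle enumeration respectively.

```python
"""Host triage helper for the Zbot indicators listed in this advisory."""

# Indicators transcribed from the advisory above.
DROPPED_NAMES = {"ntos.exe", "sdra64.exe", "twex.exe", "audio.dll", "video.dll",
                 "user.ds", "sysdate.exe", "wuaclt.exe"}
DROPPED_DIRS = {"wsnpoem"}  # the whole directory is Zbot-specific
MUTEXES = {"__SYSTEM__23D80F10__", "__SYSTEM__45A2F601__", "__SYSTEM__64AD0625__",
           "__SYSTEM__7F4523E5__", "__SYSTEM__91C38905__"}

def _parts(path):
    """Split a Windows path into lower-cased components."""
    return path.lower().replace("/", "\\").split("\\")

def suspicious_userinit_entries(value):
    """Return every entry of Winlogon\\Userinit other than userinit.exe itself.
    Zbot appends its copy (e.g. %System%\\ntos.exe) to this comma-separated value,
    so a clean machine yields an empty list (the trailing comma is normal)."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and _parts(entry)[-1] != "userinit.exe":
            extras.append(entry)
    return extras

def suspicious_files(paths):
    """Return paths whose file name matches a dropped file or that live in wsnpoem\\.
    Name matches are candidates for AV confirmation, not proof on their own."""
    hits = []
    for path in paths:
        parts = _parts(path)
        parent = parts[-2] if len(parts) > 1 else ""
        if parts[-1] in DROPPED_NAMES or parent in DROPPED_DIRS:
            hits.append(path)
    return hits

def suspicious_mutexes(names):
    """Return the advisory's Zbot mutexes that are present among the given names."""
    return sorted(set(names) & MUTEXES)

def triage(userinit_value, file_paths, mutex_names):
    """Combine the three checks into one report dictionary."""
    return {"userinit": suspicious_userinit_entries(userinit_value),
            "files": suspicious_files(file_paths),
            "mutexes": suspicious_mutexes(mutex_names)}

# Constructed sample input standing in for values read from an infected host.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"
SAMPLE_FILES = [r"C:\WINDOWS\system32\wsnpoem\audio.dll",
                r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\RECYCLER\S-1-5-21-4616592079-8080907928-828616482-2104\Sysdate.exe"]
SAMPLE_MUTEXES = ["Global\\SomeLegitApp", "__SYSTEM__7F4523E5__"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_USERINIT, SAMPLE_FILES, SAMPLE_MUTEXES).items():
        print(key, value)
```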

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003