Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Evolution of Zeus Botnet

Created: 22 Oct 2010 10:30:02 GMT • Updated: 23 Jan 2014 18:24:19 GMT • Translations available: 日本語
Shunichi Imano's picture
0 0 Votes
Login to vote

Zbot, otherwise known as the Zeus botnet, has been around for a quite a while and has been called the "King of Bots"; it has infected millions of computers worldwide. The Zbot construction kit is on-sale and widely available in the underground community. Other botnet kits are also being sold and are challenging Zbot peddlers. This means that the Zbot authors have no choice but to update the construction kits to accommodate the needs of their criminal client base to stay ahead of their rivals and hold on to the title of the King of the Bots, the result of which appears to be samples discovered recently that Symantec detects as Trojan.Zbot.B and Trojan.Zbot.B!inf.

The most notable function in the new Zbot is the domain generation algorithm. My colleague Kazumasa Itabashi posted a blog on this but I will explain the mechanism briefly as a recap.

Zbot cycles through a new list of 1,020 domains every day to call home to see which one is hosting the live C&C server. In the case of Trojan.Zbot.B!inf, it tries to connect to the domains in random order and once a file is downloaded and executed, it stops checking. Security researchers register domains that will be used by Zbot.B ahead of time to learn about the bot’s activities and this tactic employed by Zbot is probably to reduce the possibility of pre-registered domains being compromised.

One question that came to mind is whether this vector is an add-on from the original gang behind Zbot or a custom add-on by resellers of the kit? This question remains unanswered. When Zbot.B generates lookup requests, the data is XOR-ed with a specific, hardcoded double word value. So far, we have seen only one hardcoded DWORD value across multiple samples.

Each file downloaded by Zbot.B and Zbot.B!inf has a signature and the threat only runs the downloaded file if the signature is verified by a public key embedded in the threat. This ensures that any Zbot.B malware created by a different construction kit only executes its own file (i.e. a different Zbot client). This is a new protection mechanism introduced by the new Zbot botnet, probably in response to some versions of the Spyeye tool kit that has a “kill Zeus” feature. For details on the Spyeye tool kit, please see our blog posted in February.

It is reasonable to assume that the DWORD value and public key used by the threat should be different for each sold … if the kit was being sold. Since we see only one DWORD value and public key, this may suggest that this attack is a test-run.

In terms of a protection mechanism, Zbot infects .exe files, which are detected as Trojan.Zbot.B inf (it’s worth noting that infection is very simple and not polymorphic), and infected files download a re-packed version of Trojan.Zbot.B. By doing so, even if Trojan.Zbot.B running on the compromised computer is removed, Trojan.Zbot.B!inf downloads another copy and makes sure that the machine stays infected. Business continuity is critical for any company and this is no exception for Zbot clients as their purpose is financially motivated.

A few weeks ago, there was a coordinated arrest, called Operation Triden Beach, made by U.S. and European law agencies in relation to the Zbot operations. According to the statementposted on the FBI Web site, arrests were made in the U.S., the Netherlands, Ukraine, and the United Kingdom. It appears that the arrests were not enough to take down the Zbot operations; in fact far from it. The map below was generated during our research and most of those regions where arrests were made still show signs of active infection.

We are keeping our eyes on the bot’s activities very closely and will post a follow-up blog if anything significant is spotted.