Help! Trojan Zbot Domain Detected

Created: 13 Jul 2009 • Updated: 21 May 2010 | 5 comments

Hello,
I keep getting a warning message that says:

Symantec Endpoint Protection
[SID: 23374] HTTP Trojan Zbot Domain detected

What does this mean?

I have Live Update which I manually check at least every other day.
I have ran a full virus scan and nothing was found.

What do I do now?
Thanks!

5 Comments

Beppe

Hi,

What you see is an IPS detection; it means that our firewall detected malicious network activity.

This is what I found:
http://www.symantec.com/business/security_response...

In the SEP client, open View Logs > Client Management > Security Log; there you can find more details about this detection, for example the other IP involved. Scan the other PC as well.
Investigate Zbot's behavior and try to find the malicious samples in your network. Maybe you have a new variant not yet detected by the AV.
If you need our help, you should call our Support to speed up the troubleshooting and learn the procedure to submit malicious samples to Symantec.

If this answer is enough for you, you can mark this post as the solution.

Regards,

Giuseppe

Beppe

Hi,

Is there any update regarding this issue?

Regards,

Giuseppe

hal.dll

Hi Giuseppe,

I, too, am experiencing the same issue. The suggestion you made is incorrect, as this is not an infection of another machine on a user's network, but of the machine itself.

I have followed all of the Symantec removal instructions, but it appears this trojan has latched on to the svchost.exe in the C:\WINDOWS\system32 folder, and cannot be removed.

This trojan, or at least the one infecting my HP Netbook, attempts to contact a static IP, 174.133.104.203, via an outgoing TCP port. The port itself is not specified in the Security Log. An IP lookup points to theplanet.com as the hosting provider.

This trojan was acquired while running SEP. Apparently, an uninformed user bought into a web-popup "virus scan requirement" while viewing unsafe sites. I believe the installer and popup were entitled XP Deluxe Protector. Though I killed and removed all references to the service, the current and disturbing issue is still at hand. Again, SEP was running and enabled with the default OOB functions when this occurred.

Immediately after being infected by this trojan, I/we received a call from Chase, informing us that over $1,000 of credit card fraud had been identified on one of our credit cards in Albania. The scammers had apparently captured financial details and cloned our card, as several of the transactions were recorded as a swiped card, and the only two cards we have ever had are in our immediate possession, and we have not used said cards for over 6 months. Fortunately, we were able to verify the illegitimate charges rapidly by this fact; in addition, Albania is not one of the countries I currently provide services to, only the UAE, EU, and US.

I am very disappointed with Symantec for not having resolved this issue to date. I am running SEP 11.0.4202.75, and frankly, I find this absolutely unacceptable. My only recourse at this point is to low-level format my Netbook and reinstall the OS and programs.

If this issue can be resolved in the next week, I will certainly provide any insight or assistance to you. However, if no resolution is available, I will be wiping the entire machine.

Any/all communication would be greatly appreciated. Again, if Symantec has not picked up on this, I have great concern, as will the corporate sounding board(s) for the international community, if no resolution is provided immediately.

hal.dll
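Beppe's advice above is to pull the "other involved IP" out of the SEP Security Log and scan the hosts that talked to it, and hal.dll's follow-up points out that when the detection direction is outgoing, the local machine itself is the one beaconing. The following script is an added example, not code from this thread or from Symantec: it reads a simplified, tab-separated Security Log export (the column layout is an assumption; a real SEP export has more columns, so adjust the indices), groups SID 23374 hits by remote IP, lists the local hosts to scan, and counts outgoing hits per host. The log lines and host names are constructed sample data; the SID and the IP address are the ones quoted in the thread.

```python
from collections import defaultdict
import csv
import io

# Constructed sample export (not real log data). Assumed simplified layout:
# timestamp, local host, local IP, remote IP, direction, SID, signature.
# SID 23374 and 174.133.104.203 are the values quoted in the thread above.
SAMPLE_LOG = """\
2009-07-13 09:14:02\tNETBOOK01\t192.168.1.23\t174.133.104.203\tOutgoing\t23374\tHTTP Trojan Zbot Domain
2009-07-13 09:20:41\tNETBOOK01\t192.168.1.23\t174.133.104.203\tOutgoing\t23374\tHTTP Trojan Zbot Domain
2009-07-13 10:02:17\tDESKTOP07\t192.168.1.40\t174.133.104.203\tOutgoing\t23374\tHTTP Trojan Zbot Domain
2009-07-13 10:05:55\tDESKTOP07\t192.168.1.40\t203.0.113.9\tIncoming\t20123\tSome Other Signature
"""

FIELDS = ("timestamp", "local_host", "local_ip", "remote_ip",
          "direction", "sid", "signature")


def parse_ips_log(text):
    """Parse the tab-separated export into a list of dicts; rows that are
    too short to hold every assumed column are skipped rather than guessed."""
    rows = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, (c.strip() for c in row[:len(FIELDS)]))))
    return rows


def remote_ips_by_sid(text, sid):
    """Map each remote IP seen with this SID to the sorted local hosts that
    were talking to it: this is the 'other involved IP' Beppe refers to."""
    result = defaultdict(set)
    for r in parse_ips_log(text):
        if r["sid"] == str(sid):
            result[r["remote_ip"]].add(r["local_host"])
    return {ip: sorted(hosts) for ip, hosts in result.items()}


def hosts_to_scan(text, sid):
    """Every local host that triggered the SID at least once; scan these first."""
    hosts = set()
    for hosts_for_ip in remote_ips_by_sid(text, sid).values():
        hosts.update(hosts_for_ip)
    return sorted(hosts)


def outbound_beacon_counts(text, sid):
    """Count Outgoing detections per local host. Repeated outbound hits from
    one host to the same remote IP mean that host is the one generating the
    traffic (hal.dll's situation), not a remote machine probing it."""
    counts = defaultdict(int)
    for r in parse_ips_log(text):
        if r["sid"] == str(sid) and r["direction"].lower() == "outgoing":
            counts[r["local_host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("remote IPs:", remote_ips_by_sid(SAMPLE_LOG, 23374))
    print("hosts to scan:", hosts_to_scan(SAMPLE_LOG, 23374))
    print("outbound hits per host:", outbound_beacon_counts(SAMPLE_LOG, 23374))
```

Run against a real export, the hosts-to-scan list is the set of machines to take offline and examine, and a host with many outgoing hits to one IP is the beacon source rather than a bystander.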

Beppe

Hi,

The suggestion I made is the only one I can make with the information provided by the owner of this discussion. We still do not know what is written in the Security Logs, or whether it is the same as your issue. Regarding your issue, I hope you already have a case open with our Support to properly investigate it.

Regards,

Giuseppe

Senrats

I would suggest a re-install of the OS or software that can detect rootkits (in addition to Symantec).

I got this information from SC Magazine:
www.scmagazineus.com

The banking trojan Zbot, which is one of today's most prevalent financially motivated trojans, is not detected or removed by most anti-virus programs because of its ability to morph, according to a report issued Wednesday by internet security firm Trusteer.

An analysis of 10,000 Zbot-infected computers, conducted this month, revealed that a majority were running an up-to-date AV program, Mickey Boodaei, CEO and founder of Trusteer, told SCMagazineUS.com on Wednesday. Fifty-five percent of Zbot-infected computers analyzed were running up-to-date AV programs, 31 percent had no AV and 14 percent had AV that was current, researchers at Trusteer found.

Even so, the company concluded that having an up-to-date AV product will only protect against Zbot 23 percent of the time. AV providers likely are having a tough time protecting users because the trojan has sophisticated morphing and rootkit mechanisms that allow it to penetrate deep into operating systems. Also, it protects itself from detection and removal, Boodaei said.

Zbot, also commonly known as Zeus, has been circulating since at least 2006 and was most recently propagated through spam messages claiming to be a critical update for Microsoft Outlook. The information-stealing trojan aims to capture infected users' banking login credentials and send them back to the malware writers.

No single AV engine was any better than another at protecting users from the trojan, Boodaei said.

"All the AV vendors have difficulties in detecting and removing Zeus," he said. "It's not limited to specific vendors."

Angela Moscaritolo
September 16, 2009

"Trust, but verify."