Trojan.Zbot.B!inf, which was discovered on October 1st, has functionality to update Trojan.Zbot by using the Windows Crypto API. Crypto API is a set of functions that uses the PKI bundled with Windows, and several malicious programs have used it in the past. This Trojan horse uses Crypto API to create a URL to download files.
The code in the following figure uses RSA as a cryptographic service provider (CSP) to calculate MD5 hash values. The hash values are calculated by using the compromised computer’s time as a base value.
After the created hash value is extracted with the CryptGetHashParam function, it is converted to an ASCII character string, and that character string is added to a top-level domain (.biz, .info, .org, .com, .net) to create a DNS name.
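The naming scheme above leaves a recognisable trace in resolver logs: one client looking up the same hash-like label under several of the listed top-level domains. The following detection sketch is an added example, not code from the original post or from the Trojan. The log format, the hex rendering of the hash, the assumption that the same string is tried under several TLDs, and all names in the code are assumptions.

```python
import re
from collections import defaultdict

# TLDs the article lists for the generated DNS names.
ZBOT_TLDS = {"biz", "info", "org", "com", "net"}
# Assumption: the hash is rendered as hex digits; the article only says "ASCII string".
HEX_LABEL = re.compile(r"^[0-9a-f]{16,32}$")

# Constructed sample resolver log: "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1254400000 10.0.0.5 www.example.com NOERROR
1254400010 10.0.0.7 0f3a9c1e5b7d2468ace013579bdf0246.biz NXDOMAIN
1254400011 10.0.0.7 0f3a9c1e5b7d2468ace013579bdf0246.info NXDOMAIN
1254400012 10.0.0.7 0f3a9c1e5b7d2468ace013579bdf0246.org NXDOMAIN
1254400013 10.0.0.7 0f3a9c1e5b7d2468ace013579bdf0246.com NOERROR
1254400020 10.0.0.9 deadbeefdeadbeef.com NOERROR
1254400900 10.0.0.9 deadbeefdeadbeef.net NOERROR
"""

def find_tld_sweeps(log_text, min_tlds=3, window=300):
    """Return {(client, label): sorted TLDs} for hash-like labels that one
    client queried under at least min_tlds listed TLDs within window seconds."""
    seen = defaultdict(list)  # (client, label) -> [(ts, tld)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, _rcode = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) != 2 or labels[1] not in ZBOT_TLDS:
            continue  # only bare <label>.<tld> names are of interest
        if not HEX_LABEL.match(labels[0]) or not ts.isdigit():
            continue
        seen[(client, labels[0])].append((int(ts), labels[1]))
    hits = {}
    for key, events in seen.items():
        events.sort()
        # Slide over the events and keep the widest TLD set seen inside one window.
        best = set()
        for i, (start, _) in enumerate(events):
            tlds = {t for ts, t in events[i:] if ts - start <= window}
            if len(tlds) > len(best):
                best = tlds
        if len(best) >= min_tlds:
            hits[key] = sorted(best)
    return hits

if __name__ == "__main__":
    for (client, label), tlds in find_tld_sweeps(SAMPLE_LOG).items():
        print(client, label, tlds)
```

Because the base value is the computer's time, the label changes over time, so matching on the cross-TLD pattern is more durable than a static list of names.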
The following URLs are an example of the...