Security Response
Showing posts tagged with Trojan.Zbot
Kazumasa Itabashi | 18 Oct 2010 16:17:41 GMT

Trojan.Zbot.B!inf, which was discovered on October 1st, has functionality to update Trojan.Zbot by using the Windows Crypto API. Crypto API is a set of PKI-related cryptographic functions bundled with Windows, and it has been used by several malicious programs in the past. This Trojan horse uses Crypto API to create a URL from which to download files.

The following figure uses RSA as a cryptographic service provider (CSP) to calculate MD5 hash values. The hash values are calculated by using the compromised computer’s time as a base value.

After the created hash value is extracted with the CryptGetHashParam function, it is converted to an ASCII character string, and that string is appended with a top-level domain (.biz, .info, .org, .com, or .net) to create a DNS name.

The following URLs are an example of the...

Peter Coogan | 04 Oct 2010 07:13:51 GMT

The Zeus Trojan is back in the media spotlight once more, and for good reason. Last week the FBI’s Operation Trident Breach made worldwide headlines with over 100 arrests related to organized cybercrime operation activities in the US, UK, and the Ukraine. The arrests relate to cybercriminals and money mules involved in stealing up to $70m from bank accounts through the use of the Zeus crimeware toolkit. The operation initiated by the FBI involved unprecedented partnerships between international law enforcement, such as the Netherlands...

Samir_Patil | 13 Aug 2010 15:56:06 GMT

Symantec Security Response is currently monitoring a wave of email spam that contains a threat detected by Symantec as Trojan.Zbot. This Trojan arrives as a .zip attachment in an email that purports to contain a legitimate attachment, such as a birthday invitation, photos, or a resume. However, the attached zipped executable file is a malicious threat. The attachment file size is 119 KB and can have a pseudo-random file name such as “lance,” “NH ESS Access Guidelines (2).zip,” “ARICertificate-C4H736 +,” or “Inv 2985 Cool Cash.”

This Trojan has primarily been designed to steal confidential information, such as online credentials or banking details, but it can be customized to gather any sort of...

Karthik Selvaraj | 03 May 2010 20:35:39 GMT

Zeus/Zbot is one of the most widely known Internet threats today. It’s been around since 2007 and has evolved over time, and is still in a constant state of being developed into a stronger, more prolific Trojan.
A few weeks ago we came across a variant of Zbot showing that it has undergone code refactoring and some functional changes in the Trojan's infection technique and behavior. The variant is now known as version 2.0 (named after the Trojan builder kit version).
In overview, for the common PC user, the new changes mean that:

  • Your PC could have multiple infections of Zbot, thereby sending your personal information to multiple Zbot controllers.
  • Zbot is aiming for information from different browsers, including Firefox.
  • Zbot is expanding its ability to run in newer operating systems such as Windows 7.
  • Zbot is in constant development, so it might be around for...

Peter Coogan | 26 Apr 2010 10:50:59 GMT

In an earlier blog entry we mentioned SpyEye as a new, up-and-coming crimeware toolkit to look out for. In that blog we highlighted the Kill Zeus feature, which had just been added to the SpyEye Trojan builder at that time. We can now substantiate that this Kill Zeus feature does actually work. Well, some of the time. In my opinion the Zeus toolkit creators don’t need to lose any of their precious sleep just yet.

Our analysis has shown that the Kill Zeus feature seems to work on a limited number of Zeus samples. In March 2010, Symantec alone counted 9,779 new unique samples of what we call Trojan.Zbot. We estimate that only a small percentage of these samples can be successfully removed by SpyEye’s Kill Zeus feature. The samples we observed it working successfully on are most likely created...

Takayoshi Nakayama | 22 Apr 2010 06:52:24 GMT

It is well known that Trojan.Zbot was created by the ZeuS toolkit, and recently it has added the ability to infect files to its bag of tricks. A recently discovered Trojan.Zbot variant searches for executable files in a predefined place and injects the executable files it finds with 512 bytes of code. It then modifies that program's entry point so that it points to the top of the injected code. The injected code is very simple and performs the following actions:

  • Downloads a file from a URL embedded in the code.
  • Executes the downloaded file.
  • Executes the original code.

[Figure: Part of the injected code]

Even though antivirus products may delete the main component of the Trojan, the code remains in the infected file, enabling the Trojan to download...

khaley | 18 Feb 2010 20:57:54 GMT

Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet. The name Kneber refers to a particular group, or herd, of zombie computers (a.k.a. bots) being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet. Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be...

Hon Lau | 17 Feb 2010 20:28:00 GMT

Since as far back as I can remember there has always been talk of rivalry and wars between various malware creators. The testosterone-fuelled battles may have even been encouraged by the media running stories of how such-and-such botnet “has X million nodes,” egging the botnet herders to try and outwit and outgrow each other in a competition to grab market share.
Take, for example, the Zeus botnet (Trojan.Zbot). This has been around for some time and has now developed into a mature piece of malware that is widely sold and used by wannabe eCriminals to steal information from hapless victims throughout the Internet. The ease of use afforded by the Zeus Trojan builder has helped it achieve its notorious status as one of the most widely seen bots in the world.
As with the gold rush in the previous centuries, some people learned that it was...

Peter Coogan | 04 Feb 2010 18:36:42 GMT

The Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established crimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from Russia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it is looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye. Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits.


Patrick Fitzgerald | 28 Jan 2010 21:25:51 GMT

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

  • Adjust token privileges.
  • Check the status of, control, and end processes and services.
  • Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
  • Create, modify, and delete registry subkeys.
  • Retrieve a list of logical drives.
  • Read, write, execute, copy, change...