Security Response
Showing posts tagged with Trojan.Zbot
Peter Coogan | 26 Apr 2010 10:50:59 GMT

In an earlier blog entry we mentioned SpyEye as a new, up-and-coming crimeware toolkit to look out for. In that blog we highlighted the Kill Zeus feature, which had just been added to the SpyEye Trojan builder at that time. We can now substantiate that this Kill Zeus feature does actually work. Well, some of the time. In my opinion the Zeus toolkit creators don’t need to lose any of their precious sleep just yet.

Our analysis has shown that the Kill Zeus feature seems to work on only a limited number of Zeus samples. In March 2010, Symantec alone counted 9,779 new unique samples of what we call Trojan.Zbot. We estimate that only a small percentage of these samples can be successfully removed by SpyEye’s Kill Zeus feature. The samples we observed it working successfully on are most likely created...

Takayoshi Nakayama | 22 Apr 2010 06:52:24 GMT

It is well known that Trojan.Zbot is created with the ZeuS toolkit, and recently it has added the ability to infect files to its bag of tricks. A recently discovered Trojan.Zbot variant searches for executable files in a predefined location and injects 512 bytes of code into each executable it finds. It then modifies the program's entry point so that execution starts at the top of the injected code. The injected code is very simple and performs the following actions:

  • Downloads a file from a URL embedded in the code.
  • Executes the downloaded file.
  • Executes the original code.

Part of the injected code

Even though antivirus products may delete the main component of the Trojan, the code remains in the infected file, enabling the Trojan to download...

khaley | 18 Feb 2010 20:57:54 GMT

Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet. The name Kneber refers to a particular group, or herd, of zombie computers (a.k.a. bots) being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet. Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be...

Hon Lau | 17 Feb 2010 20:28:00 GMT

Since as far back as I can remember there has always been talk of rivalry and wars between various malware creators. The testosterone-fuelled battles may have even been encouraged by the media running stories of how such-and-such botnet “has X million nodes,” egging the botnet herders to try and outwit and outgrow each other in a competition to grab market share.
Take, for example, the Zeus botnet (Trojan.Zbot). This has been around for some time and has now developed into a mature piece of malware that is widely sold and used by wannabe eCriminals to steal information from hapless victims throughout the Internet. The ease of use afforded by the Zeus Trojan builder has helped it achieve its notorious status as one of the most widely seen bots in the world.
As with the gold rush in the previous centuries, some people learned that it was...

Peter Coogan | 04 Feb 2010 18:36:42 GMT

The Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established crimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from Russia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it is looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye. Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits.


Patrick Fitzgerald | 28 Jan 2010 21:25:51 GMT

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

  • Adjust token privileges.
  • Check the status of, control, and end processes and services.
  • Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
  • Create, modify, and delete registry subkeys.
  • Retrieve a list of logical drives.
  • Read, write, execute, copy, change...

Hon Lau | 01 Dec 2009 18:53:34 GMT

Piggybacking (pun intended) on the swine flu pandemic is the Zeus bot crew, whose latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page.
The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine.
The subject lines used in the emails are quite variable; for example, the following have been seen:

  • Instructions on creation of your personal Vaccination Profile
  • Governmental registration program on the H1N1 vaccination

Patrick Fitzgerald | 23 Nov 2009 16:27:01 GMT

Once again Zeus is up to its old tricks with a new twist. The latest spam run informs users that their latest Social Security statement is available but may contain errors. The subject of the mail will be something like “Review annual Social Security statement”, and the body warns of a potential identity theft risk and asks you to review your annual statement at the link provided.

Figure 1. An example of the Spam

If you follow this link you will arrive at the following page:
Figure 2. This fake page asks for your social...

Mayur Kulkarni | 19 Nov 2009 21:35:04 GMT

We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, shifting from malicious code attacks to URL-based phishing attacks. These new attacks share similar traits: spoofed “From” headers, which are aimed at enterprise users and designed to confuse them, and a subject line intended to cause panic (for obvious reasons; have a look at the example image below).

As seen in the message above, the mail attachment is a zipped file named “” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using HTTP, this threat...

Eric Chien | 18 Nov 2009 19:54:37 GMT

Zeus is a botnet package that allows for the easy creation and command and control of a botnet.  We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site. 

Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue.

We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional...