1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection method
2.1 Spam emails
2.2 Drive-by downloads
3. Functionality
3.1 Toolkit
3.2 System modifications
3.3 Command and control server
3.4 Information gathering
3.5 Password stealing
4. Additional information
1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.
1.1 User behavior and precautions
Trojan.Zbot relies heavily on social engineering in order to infect computers. The spam email campaigns used by attackers attempt to trick the user by referencing the latest news stories, playing upon fears their sensitive information has been stolen, suggesting that compromising photos have been taken of them, or any number of other ruses.
Users should use caution when clicking links in such emails. Basic checks such as hovering with the mouse pointer over each link will normally show where the link leads. Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.
1.2 Patch operating system and software
The attackers behind this threat have been known to utilize exploit packs in order to craft Web pages to exploit vulnerable computers and infect them with Trojan.Zbot.
As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.
2. INFECTION METHOD
This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.
2.1 Spam emails
The attackers behind Trojan.Zbot have made a concerted effort to spread their threat using spam campaigns. The subject material varies from one campaign to the next, but often focuses on current events or attempts to trick the user with emails purporting to come from well-known institutions such as FDIC, IRS, MySpace, Facebook, or Microsoft.
2.2 Drive-by downloads
The authors behind Trojan.Zbot have also been witnessed using exploit packs to spread the threat via drive-by download attacks. When an unsuspecting user visits one of these Web sites, a vulnerable computer will become infected with the threat.
The particular exploits used to spread the threat vary, largely depending on the proliferation and ease-of-use of exploits available in the wild at the time the Trojan is distributed.
As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:
3. FUNCTIONALITY
The Zeus threat is actually comprised of three parts: a toolkit, the actual Trojan, and the command & control (C&C) server. The toolkit is used to create the threat, the Trojan modifies the compromised computer, and the C&C server is used to monitor and control the Trojan.
This video describes these aspects of Zeus:
Zeus: King of crimeware toolkits
3.1 Toolkit
Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often backdoored themselves) to those for which an attacker must pay up to $700 USD. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets.
Regardless of the version, the toolkit is used for two things. First, the attacker can edit and then compile the configuration file into a .bin file. Secondly they can compile an executable, which is then sent to the potential victim through various means. This executable is what is commonly known as the Zeus Trojan or Trojan.Zbot.
The ease of use of the toolkit user interface makes it very easy and quick for nontechnical, would-be criminals to get a piece of the action. Coupling this with the multitude of illicit copies of the toolkit circulating in the black market ensures that Trojan.Zbot continues to be one of the most popular and widely seen Trojans on the threat landscape.
3.2 System modifications
While unusual in today’s threat landscape, Trojan.Zbot tends to use many of the same file names across variants. Given the way that the toolkit works, each revision tends to stick to the same file names when the executables are created. While the initial executable can be named whatever the attacker wants it to be, the files mentioned in the following subsections refer to the names used by the currently known toolkits.
User account privileges
The location that Trojan.Zbot installs itself to is directly tied to the level of privileges the logged-in user account has at the time of infection. If the user is an administrator, the files are placed in the %System% folder. If not, they are copied to %UserProfile%\Application Data.
Trojan executable
Trojan.Zbot generally creates a copy of itself using one of the following file names:
- ntos.exe
- oembios.exe
- twext.exe
- sdra64.exe
- pdfupd.exe
Configuration file
The threat creates a folder named “lowsec” in either the %System% or %UserProfile%\Application Data folder and then drops one of the following files into it:
- video.dll
- sysproc32.sys
- user.ds
- ldx.exe
While the extensions vary here, these are all text-file versions of the configuration file previously created and then compiled into the Trojan using the Zeus toolkit. This file contains any Web pages to monitor, as well as a list of Web sites to block, such as those that belong to security companies. It can also be updated by the attacker using the threat’s back door capabilities.
Here is a portion of a sample configuration file:
entry "DynamicConfig"
  url_loader "http://[REMOVED].com/zeusbot/ZuesBotTrojan.exe"
  url_server "http://[REMOVED].com/zeusbot/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;
  end
  entry "WebFilters"
    "!http://[REMOVED].com"
    "https://[REMOVED].com/*"
    "!http://[REMOVED].ru/*"
  end
  entry "WebDataFilters"
    ; "!http://[REMOVED].ru/*" "passw;login"
  end
  entry "WebFakes"
    ; "http://[REMOVED].com" "http://[REMOVED].com" "GP" "" ""
  end
  entry "TANGrabber"
    "https://[REMOVED].com/*/jba/mp#/SubmitRecap.do" "S3C6R2" "SYNC_TOKEN=*" "*"
  end
  entry "DnsMap"
    ;127.0.0.1
  end
end
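An analyst recovering a dropped configuration file wants its C&C URLs and monitored-site lists in a usable form. The following parser for the text format shown above is an added example written for this writeup, not Symantec's or the toolkit's code; the sample it parses is constructed from the redacted excerpt, with the "[REMOVED]" placeholders kept as-is.

```python
import re

# Constructed sample following the redacted excerpt above; "[REMOVED]" placeholders are kept as-is.
SAMPLE_CONFIG = '''entry "DynamicConfig"
url_loader "http://[REMOVED].com/zeusbot/ZuesBotTrojan.exe"
url_server "http://[REMOVED].com/zeusbot/gate.php"
entry "WebFilters"
"!http://[REMOVED].com"
end
entry "WebDataFilters"
; "!http://[REMOVED].ru/*" "passw;login"
end
entry "TANGrabber"
"https://[REMOVED].com/*/jba/mp#/SubmitRecap.do" "S3C6R2" "SYNC_TOKEN=*" "*"
end
end
'''

def tokenize(line):
    """Split a line into (text, quoted) pairs; a bare token starting with ';' begins a comment."""
    out = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line):
        if bare.startswith(";"):
            break                                  # rest of the line is a comment
        out.append((bare, False) if bare else (quoted, True))
    return out

def parse_config(text):
    """Nested dicts: 'entry'/'end' open and close blocks, bare keys take values, quoted-only rows go to '_items'."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = tokenize(raw)
        if not tokens:
            continue
        head, quoted = tokens[0]
        scope = stack[-1] if stack else root
        if not quoted and head.lower() == "entry" and len(tokens) > 1:
            stack.append(scope.setdefault("entries", {}).setdefault(tokens[1][0], {}))
        elif not quoted and head.lower() == "end":
            if not stack:
                raise ValueError("'end' without matching 'entry'")
            stack.pop()
        elif not quoted:
            values = [t for t, _ in tokens[1:]]
            scope[head] = values[0] if len(values) == 1 else values  # key with one or more values
        else:
            scope.setdefault("_items", []).append([t for t, _ in tokens])  # list row, e.g. a URL filter
    if stack:
        raise ValueError("unterminated entry block")
    return root
```

Calling parse_config(SAMPLE_CONFIG) gives the C&C URLs under entries/DynamicConfig and each filter list under its own nested entry, ready to feed into a blocklist or alert rule.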
Stolen data file
A second file is dropped into the “lowsec” folder, with one of the following file names:
- audio.dll
- sysproc86.sys
- local.ds
This file serves as a storage text file for any of the stolen information. When a password is obtained by the threat, it is saved in this file and later sent to the attacker.
Registry subkeys and entries created
In addition, the threat adds itself to the registry to start when Windows starts, using one of two subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%UserProfile%\Application Data\sdra64.exe"
If the logged-in account at the time of infection has administrative privileges, the first entry is created. If the account has limited privileges, the second is used.
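The file names, "lowsec" folder and registry values described in this section translate directly into host checks. The triage functions below are an added example for this writeup (not Symantec's tooling); they operate on constructed sample values standing in for what a collector would read from the registry and file system, and they treat the Userinit value the way a defender should: anything besides the genuine userinit.exe is reported.

```python
import ntpath

# File names the writeup lists: the Trojan's own copy, and the config/stolen-data files in the "lowsec" folder.
EXE_NAMES = {"ntos.exe", "oembios.exe", "twext.exe", "sdra64.exe", "pdfupd.exe"}
LOWSEC_NAMES = {"video.dll", "sysproc32.sys", "user.ds", "ldx.exe", "audio.dll", "sysproc86.sys", "local.ds"}

def suspicious_userinit(value):
    """Return Winlogon\\Userinit entries other than the genuine userinit.exe (the admin-level infection appends one)."""
    extras = []
    for part in value.split(","):
        part = part.strip()
        if part and ntpath.basename(part).lower() != "userinit.exe":
            extras.append(part)
    return extras

def suspicious_run_entries(run_values):
    """HKCU\\...\\Run normally has no 'userinit' value; the limited-privilege variant creates one."""
    return {name: cmd for name, cmd in run_values.items() if name.lower() == "userinit"}

def suspicious_paths(paths):
    """Flag known executable names anywhere, and config/data names only when they sit in a 'lowsec' folder."""
    hits = []
    for path in paths:
        parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
        if not parts:
            continue
        name, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
        if name in EXE_NAMES or (parent == "lowsec" and name in LOWSEC_NAMES):
            hits.append(path)
    return hits

def triage(userinit_value, run_values, paths):
    """Combine the three checks into one report; empty lists/dicts mean nothing matched."""
    return {"userinit": suspicious_userinit(userinit_value),
            "run": suspicious_run_entries(run_values),
            "paths": suspicious_paths(paths)}

# Constructed inputs standing in for values a collector would read from the registry and file system.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe"
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "userinit": r"C:\Documents and Settings\user\Application Data\sdra64.exe"}
SAMPLE_PATHS = [r"C:\WINDOWS\system32\userinit.exe",
                r"C:\WINDOWS\system32\sdra64.exe",
                r"C:\WINDOWS\system32\lowsec\local.ds",
                r"C:\Program Files\SomeApp\video.dll"]  # same name, wrong folder: not flagged

if __name__ == "__main__":
    print(triage(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_PATHS))
```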
Service injection
Depending on the level of privileges, Trojan.Zbot will inject itself into one of two services. If the account has administrative privileges, the threat injects itself into the winlogon.exe service. If not, it attempts to do the same with the explorer.exe service.
The threat also injects code into an svchost.exe service, which it later uses when stealing banking information.
3.3 Command and control server
When Trojan.Zbot is installed, it reports back to the C&C server that is referenced in the configuration file when the executable was created using the toolkit. The first thing it checks for is an updated version of its configuration file.
Back door
The back door to the C&C server provides the attacker with a versatile set of options for how he or she can use the compromised computer. For example, attackers can perform any of the following actions, if they so wish:
- Restart or shut down the computer
- Delete system files, rendering the computer unusable
- Disable or restore access to a particular URL
- Inject rogue HTML content into pages that match a defined URL
- Download and execute a file
- Execute a local file
- Add or remove a file mask for local search (e.g. hide the threat’s files)
- Upload a file or folder
- Steal digital certificates
- Update the configuration file
- Rename the bot executable
- Upload or delete Flash cookies
- Change the Internet Explorer start page
The domains that the back door connects to vary, depending on what the attacker has included in the configuration file.
Server-side control panel
The C&C server not only allows the attacker to perform a number of functions on a compromised computer, but also gives them the ability to manage a botnet of Zeus-infected computers. An attacker can monitor statistics on the number of infected computers he or she controls, as well as generate reports on the stolen information the bots have gathered.
3.4 Information gathering
Once installed, Trojan.Zbot will automatically gather a variety of information about the compromised computer, which it sends back to the C&C server. This information includes the following:
- A unique bot identification string
- Name of the botnet
- Version of the bot
- Operating system version
- Operating system language
- Local time of the compromised computer
- Uptime of the bot
- Last report time
- Country of the compromised computer
- IP address of the compromised computer
- Process names
3.5 Password stealing
The core purpose of Trojan.Zbot is to steal passwords, as is evident from the different methods it uses to do so.
Upon installation, Trojan.Zbot will immediately check Protected Storage (PStore) for passwords. It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.
A more versatile method of password-stealing used by the threat is driven by the configuration file during Web browsing. When the attacker generates the configuration file, he or she can include any URLs to be monitored. When any of these URLs are visited, the threat gathers any user names and passwords typed into these pages. In order to do this, it hooks the functions of various DLLs, taking control of network functionality. The following is a list of DLLs and the APIs within them that are used by Trojan.Zbot:
WININET.DLL
- HttpSendRequestW
- HttpSendRequestA
- HttpSendRequestExW
- HttpSendRequestExA
- InternetReadFile
- InternetReadFileExW
- InternetReadFileExA
- InternetQueryDataAvailable
- InternetCloseHandle
WS2_32.DLL and WSOCK32.DLL
- send
- sendto
- closesocket
- WSASend
- WSASendTo
USER32.DLL
- GetMessageW
- GetMessageA
- PeekMessageW
- PeekMessageA
- GetClipboardData
Trojan.Zbot can also inject other fields into the Web pages it monitors. To do this, it intercepts the pages as they are returned to the compromised computer and adds extra fields. For example, if a user requests a page from their bank’s Web site, and the bank returns a page requiring a user name and password, the threat can be configured to inject a third field asking for the user’s Social Security Number.
4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":