Discovered: January 10, 2010
Updated: August 16, 2016 10:49:12 AM
Also Known As: Trojan-Spy:W32/Zbot [F-Secure], PWS-Zbot [McAfee], Trojan-Spy.Win32.Zbot [Kaspersky], Win32/Zbot [Microsoft], Infostealer.Monstres [Symantec], Infostealer.Banker.C [Symantec], Trojan.Wsnpoem [Symantec], Troj/Zbot-LG [Sophos], Troj/Agent-MDL [Sophos], Troj/Zbot-LM [Sophos], Troj/TDSS-BY [Sophos], Troj/Zbot-LO [Sophos], Troj/Buzus-CE [Sophos], Sinowal.WUR [Panda Software], Troj/QakBot-D [Sophos], Troj/Agent-MIR [Sophos], Troj/Qakbot-E [Sophos], Troj/QakBot-G [Sophos], Troj/QakBot-F [Sophos], Troj/Agent-MJS [Sophos], Troj/Agent-MKP [Sophos], Troj/Zbot-ME [Sophos], Troj/Dloadr-CYP [Sophos], Win32/Zbot.WY [Computer Associates], Troj/DwnLdr-IBQ [Sophos], Troj/Zbot-NG [Sophos], W32/Zbot-NI [Sophos], Troj/Zbot-NN [Sophos], Troj/DwnLdr-ICV [Sophos], Troj/DwnLdr-ICY [Sophos], Troj/DwnLdr-IDB [Sophos], Troj/Dldr-DM [Sophos], Troj/Zbot-NR [Sophos], Troj/Zbot-NS [Sophos], Troj/Agent-MWK [Sophos], Troj/FakeAV-BDB [Sophos], Troj/Agent-MYL [Sophos], Troj/Agent-NAX [Sophos], Troj/Zbot-OD [Sophos], Troj/Zbot-OE [Sophos], Troj/Zbot-OT [Sophos], Troj/FakeAV-BGJ [Sophos], Troj/VB-EPV [Sophos], Troj/VB-EQA [Sophos], Troj/Zbot-PE [Sophos], Troj/Zbot-OZ [Sophos], Troj/Zbot-PA [Sophos], Troj/Zbot-OY [Sophos], Troj/FakeAV-BHP [Sophos], Troj/Zbot-OX [Sophos], Troj/Agent-NIV [Sophos], Troj/Zbot-PM [Sophos], Troj/Zbot-PQ [Sophos], Troj/Agent-NKD [Sophos], Troj/Zbot-PP [Sophos], Troj/Zbot-PN [Sophos], Troj/Zbot-PX [Sophos], Troj/Zbot-PW [Sophos], Troj/Zbot-PY [Sophos], Troj/Zbot-PT [Sophos], Troj/Zbot-PV [Sophos], Troj/Zbot-QC [Sophos], Troj/Zbot-QD [Sophos], Troj/Zbot-QK [Sophos], Troj/Zbot-QZ [Sophos], Troj/VB-ERY [Sophos], Troj/Zbot-RA [Sophos], Troj/Zbot-RK [Sophos], Troj/Dloadr-DAD [Sophos], Troj/Zbot-RP [Sophos], Troj/Zbot-RY [Sophos], Troj/Zbot-SC [Sophos], Troj/Zbot-SD [Sophos], Troj/Zbot-SB [Sophos], Troj/Zbot-SF [Sophos], Troj/Zbot-SV [Sophos], Troj/Agent-NUO [Sophos], Troj/Zbot-SP [Sophos], Troj/Meredrop-K [Sophos], Troj/Zbot-SX [Sophos], Troj/Zbot-SY [Sophos], Troj/Zbot-SR [Sophos], Troj/Zbot-TG [Sophos], Troj/Zbot-TQ [Sophos], Troj/Zbot-TY [Sophos], Troj/ZBot-UL [Sophos], Troj/Zbot-VN [Sophos], Troj/Zbot-VM [Sophos], Troj/Zbot-VQ [Sophos], Troj/Zbot-WD [Sophos], Troj/Zbot-WF [Sophos], Troj/Zbot-XA [Sophos], Troj/Agent-OLW [Sophos], Troj/Zbot-XO [Sophos], Troj/Zbot-XN [Sophos], Troj/Zbot-YB [Sophos], Troj/Zbot-YE [Sophos], Troj/Zbot-YO [Sophos], Troj/Zbot-YP [Sophos], Troj/ZBot-ZJ [Sophos], Troj/Zbot-AAN [Sophos], Troj/Zbot-AAM [Sophos], Troj/Zbot-ACI [Sophos], Troj/Zbot-AGC [Sophos], Troj/Zbot-AGJ [Sophos], Troj/Zbot-AHE [Sophos], Troj/Zbot-AHD [Sophos], Troj/Zbot-AIR [Sophos]
Type: Trojan
Systems Affected: Windows

Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.

The Trojan.Zbot files that are used to compromise computers are generated using a toolkit that is available in marketplaces for online criminals. The toolkit allows an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers.

The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft. The message body warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. If the user visits the link from a computer that is not protected, the computer is compromised.

This Trojan has primarily been designed to steal confidential information from the computers it compromises. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes.

Confidential information is gathered through multiple methods. Upon execution the Trojan automatically gathers any Internet Explorer, FTP, or POP3 passwords that are contained within Protected Storage (PStore). However, its most effective method for gathering information is by monitoring Web sites included in the configuration file, sometimes intercepting the legitimate Web pages and inserting extra fields (e.g. adding a date of birth field to a banking Web page that originally only requested a user name and password).

Additionally, Trojan.Zbot contacts a command-and-control (C&C) server and makes itself available to perform additional functions. This allows a remote attacker to command the Trojan to download and execute further files, shutdown or reboot the computer, or even delete system files, rendering the computer unusable without reinstalling the operating system.

Zeus and “Kneber”
On February 18, 2010, news reports appeared about a new botnet called Kneber. The reports claimed there were as many as 75,000 machines compromised by this newly discovered threat. In actuality, Kneber turned out to be a group of computers infected with Trojan.Zbot, controlled by one owner.

On February 23, 2010, one of our DeepSight honeypots was compromised by this latest version of Trojan.Zbot. In this particular case, Trojan.Zbot also downloaded copies of W32.Waledac. DeepSight™ Threat Management System subscribers can read the full report.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

      Browser protection
      Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

      Intrusion Prevention System

      Antivirus Protection Dates

      • Initial Rapid Release version January 07, 2010 revision 037
      • Latest Rapid Release version September 07, 2016 revision 004
      • Initial Daily Certified version January 07, 2010 revision 049
      • Latest Daily Certified version September 06, 2016 revision 020
      • Initial Weekly Certified release date January 13, 2010


      Technical Description

      1. Prevention and avoidance
      1.1 User behavior and precautions
      1.2 Patch operating system and software
      2. Infection method
      2.1 Spam emails
      2.2 Drive-by downloads
      3. Functionality
      3.1 Toolkit
      3.2 System modifications
      3.3 Command and control server
      3.4 Information gathering
      3.5 Password stealing
      4. Additional information


      1. Prevention and avoidance
      The following actions can be taken to avoid or minimize the risk from this threat.

      1.1 User behavior and precautions

      Trojan.Zbot relies heavily on social engineering in order to infect computers. The spam email campaigns used by attackers attempt to trick the user by referencing the latest news stories, playing upon fears their sensitive information has been stolen, suggesting that compromising photos have been taken of them, or any number of other ruses.

      Users should use caution when clicking links in such emails. Basic checks such as hovering with the mouse pointer over each link will normally show where the link leads to. Users can also check online Web site rating services such as to see if the site is deemed safe to visit.

      1.2 Patch operating system and software
      The attackers behind this threat have been known to utilize exploit packs in order to craft Web pages to exploit vulnerable computers and infect them with Trojan.Zbot.

      As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:

      Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.

      2. Infection method
      This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.

      2.1 Spam emails
      The attackers behind Trojan.Zbot have made a concerted effort to spread their threat using spam campaigns. The subject material varies from one campaign to the next, but often focuses on current events or attempts to trick the user with emails purporting to come from well-known institutions such as the FDIC, IRS, MySpace, Facebook, or Microsoft.

      2.2 Drive-by downloads

      The authors behind Trojan.Zbot have also been witnessed using exploit packs to spread the threat via drive-by download attacks. When an unsuspecting user visits one of these Web sites, a vulnerable computer will become infected with the threat.

      The particular exploits used to spread the threat vary, largely depending on the proliferation and ease-of-use of exploits available in the wild at the time the Trojan is distributed.

      As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:

      3. Functionality
      The Zeus threat actually consists of three parts: a toolkit, the actual Trojan, and the command & control (C&C) server. The toolkit is used to create the threat, the Trojan modifies the compromised computer, and the C&C server is used to monitor and control the Trojan.

      This video describes these aspects of Zeus:
      Zeus: King of crimeware toolkits

      3.1 Toolkit
      Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often backdoored themselves) to those an attacker must pay up to $700 USD for in order to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers, to rental of already-established botnets.

      Regardless of the version, the toolkit is used for two things. First, the attacker can edit and then compile the configuration file into a .bin file. Secondly they can compile an executable, which is then sent to the potential victim through various means. This executable is what is commonly known as the Zeus Trojan or Trojan.Zbot.

      The ease of use of the toolkit user interface makes it very easy and quick for nontechnical, would-be criminals to get a piece of the action. Coupling this with the multitude of illicit copies of the toolkit circulating in the black market ensures that Trojan.Zbot continues to be one of the most popular and widely seen Trojans on the threat landscape.

      3.2 System modifications
      While unusual in today’s threat landscape, Trojan.Zbot tends to use many of the same file names across variants. Given the way that the toolkit works, each revision tends to stick to the same file names when the executables are created. While the initial executable can be named whatever the attacker wants it to be, the files mentioned in the following subsections refer to the names used by the currently known toolkits.

      User account privileges
      The location that Trojan.Zbot installs itself to is directly tied to the level of privileges the logged-in user account has at the time of infection. If the user is an administrator, the files are placed in the %System% folder. If not, they are copied to %UserProfile%\Application Data.

      Trojan executable
      Trojan.Zbot generally creates a copy of itself using one of the following file names:
      • ntos.exe
      • oembios.exe
      • twext.exe
      • sdra64.exe
      • pdfupd.exe

      Configuration file
      The threat creates a folder named “lowsec” in either the %System% or %UserProfile%\Application Data folder and then drops one of the following files into it:
      • video.dll
      • sysproc32.sys
      • user.ds
      • ldx.exe

      While the extensions vary here, these are all text-file versions of the configuration file previously created and then compiled into the Trojan using the Zeus toolkit. This file contains any Web pages to monitor, as well as a list of Web sites to block, such as those that belong to security companies. It can also be updated by the attacker using the threat’s back door capabilities.

      Here is a portion of a sample configuration file:

      entry "DynamicConfig"
      url_loader "http://[REMOVED].com/zeusbot/ZuesBotTrojan.exe"
      url_server "http://[REMOVED].com/zeusbot/gate.php"
      file_webinjects "webinjects.txt"
      entry "AdvancedConfigs"
      entry "WebFilters"
      "https://[REMOVED].com/*"
      entry "WebDataFilters"
      ; "!http://[REMOVED].ru/*" "passw;login"
      entry "WebFakes"
      ; "http://[REMOVED].com" "http://[REMOVED].com" "GP" "" ""
      entry "TANGrabber"
      "https://[REMOVED].com/*/jba/mp#/" "S3C6R2" "SYNC_TOKEN=*" "*"
      entry "DnsMap"
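When a configuration file of this kind is recovered from the "lowsec" folder, the first things a responder wants out of it are the loader and C&C URLs (to block and to hunt for in proxy logs) and the URL masks the bot watches (to know which sites' credentials may have been captured). The parser below is an added example written for this writeup, not Symantec's or the toolkit's own code. The config text it parses is constructed to mirror the excerpt above, with reserved .invalid host names in place of the removed domains; the handling of `end` lines as section terminators is an assumption about the full format that the excerpt does not show.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample in the same layout as the excerpt above; the hosts are
# reserved .invalid names, not real infrastructure.
SAMPLE_CONFIG = """\
entry "DynamicConfig"
url_loader "http://loader.example.invalid/zeusbot/bot.exe"
url_server "http://loader.example.invalid/zeusbot/gate.php"
file_webinjects "webinjects.txt"
entry "AdvancedConfigs"
entry "WebFilters"
"https://bank.example.invalid/*"
entry "WebDataFilters"
; "!http://shop.example.invalid/*" "passw;login"
entry "WebFakes"
; "http://real.example.invalid" "http://fake.example.invalid" "GP" "" ""
entry "TANGrabber"
"https://bank.example.invalid/*/jba/mp#/" "S3C6R2" "SYNC_TOKEN=*" "*"
entry "DnsMap"
"""


def parse_zeus_config(text):
    """Split the text config into {section_name: [token_list, ...]}.

    `entry "Name"` opens a section, `;` starts a comment line, and every other
    non-empty line is a whitespace-separated list of (possibly quoted) tokens.
    A bare `end` line (assumed section terminator, not shown in the excerpt)
    closes the current section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)  # respects the double-quoted values
        if tokens and tokens[0].lower() == "entry":
            current = tokens[1] if len(tokens) > 1 else ""
            sections.setdefault(current, [])
            continue
        if tokens and tokens[0].lower() == "end":
            current = None
            continue
        sections.setdefault(current, []).append(tokens)
    return sections


def extract_iocs(sections):
    """Pull out what a responder wants first: download/C&C URLs, their hosts,
    and the URL masks the bot watches in the browser."""
    urls = [t[1] for t in sections.get("DynamicConfig", [])
            if len(t) >= 2 and t[0].lower().startswith("url_")]
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    watched = [t[0] for t in sections.get("WebFilters", []) if t]
    watched += [t[0] for t in sections.get("TANGrabber", []) if t]
    return {"urls": urls, "hosts": hosts, "watched": watched}


def mask_to_regex(mask):
    """Zeus URL masks use '*' as a wildcard; everything else is literal."""
    parts = [re.escape(p) for p in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def url_is_targeted(url, sections):
    """True if any watched mask in the config covers this URL."""
    return any(mask_to_regex(m).search(url) for m in extract_iocs(sections)["watched"])


if __name__ == "__main__":
    cfg = parse_zeus_config(SAMPLE_CONFIG)
    for key, value in extract_iocs(cfg).items():
        print(f"{key}: {value}")
    print("login page targeted:", url_is_targeted("https://bank.example.invalid/login", cfg))
```

Commented-out lines (the `;` prefix) are skipped deliberately: the WebDataFilters and WebFakes sections above are commented out in the excerpt, so they are present in the file but not active, and reporting them as live targets would overstate what the bot does.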

      Stolen data file

      A second file is dropped into the “lowsec” folder, with one of the following file names:
      • audio.dll
      • sysproc86.sys
      • local.ds

      This file serves as a storage text file for any of the stolen information. When a password is obtained by the threat, it is saved in this file and later sent to the attacker.

      Registry subkeys and entries created
      In addition, the threat adds itself to the registry to start when Windows starts, using one of two subkeys:

      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"
      • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%UserProfile%\Application Data\sdra64.exe"

      If the logged-in account at the time of infection has administrative privileges, the first entry is created. If the account has limited privileges, the second is used.

      Service injection
      Depending on the level of privileges, Trojan.Zbot will inject itself into one of two services. If the account has administrative privileges, the threat injects itself into the winlogon.exe service. If not, it attempts to do the same with the explorer.exe service.

      The threat also injects code into an svchost.exe service, which it later uses when stealing banking information.
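The file names, the "lowsec" folder and the two registry entries described in this section are what a responder checks first on a suspected host. The triage script below is an added example for this writeup, not Symantec's tooling; it runs over a constructed snapshot (hypothetical paths and registry values in the shape of the entries above) rather than the live registry, so it can be read and tested offline. The strongest check is the Userinit one: that value should list only userinit.exe, so any extra program there is worth examining regardless of its name.

```python
import ntpath

# File names reported above for the dropped executable, config and data files.
TROJAN_EXE_NAMES = {"ntos.exe", "oembios.exe", "twext.exe", "sdra64.exe", "pdfupd.exe"}
LOWSEC_FILE_NAMES = {"video.dll", "sysproc32.sys", "user.ds", "ldx.exe",
                     "audio.dll", "sysproc86.sys", "local.ds"}

USERINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot of an infected host (hypothetical paths and values).
SAMPLE_SNAPSHOT = {
    "registry": {
        USERINIT_KEY: r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe",
        RUN_KEY: {
            "userinit": r"C:\Documents and Settings\alice\Application Data\sdra64.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        },
    },
    "files": [
        r"C:\WINDOWS\system32\lowsec\local.ds",
        r"C:\WINDOWS\system32\lowsec\user.ds",
        r"C:\WINDOWS\system32\drivers\etc\hosts",
    ],
}

# Constructed snapshot of a clean host for comparison.
CLEAN_SNAPSHOT = {
    "registry": {
        USERINIT_KEY: r"C:\WINDOWS\system32\userinit.exe,",
        RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    },
    "files": [r"C:\WINDOWS\system32\drivers\etc\hosts"],
}


def userinit_extras(value):
    """Userinit is a comma-separated list; only userinit.exe belongs there.
    Anything else is a persistence entry worth examining, whatever it is called."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]


def suspicious_run_entries(run_values):
    """Flag Run values that launch a known Zbot file name, or that borrow the
    'userinit' value name the non-admin variant uses."""
    hits = []
    for name, command in run_values.items():
        exe = ntpath.basename(command.strip().strip('"')).lower()
        if exe in TROJAN_EXE_NAMES or name.lower() == "userinit":
            hits.append((name, command))
    return hits


def lowsec_files(paths):
    """Known config/data file names sitting directly inside a 'lowsec' folder."""
    hits = []
    for path in paths:
        parent, leaf = ntpath.split(path)
        if ntpath.basename(parent).lower() == "lowsec" and leaf.lower() in LOWSEC_FILE_NAMES:
            hits.append(path)
    return hits


def triage(snapshot):
    """Return human-readable findings for one host snapshot (empty list if clean)."""
    reg = snapshot["registry"]
    findings = []
    for extra in userinit_extras(reg.get(USERINIT_KEY, "")):
        findings.append(f"Userinit launches extra program: {extra}")
    for name, command in suspicious_run_entries(reg.get(RUN_KEY, {})):
        findings.append(f"Run value '{name}' -> {command}")
    for path in lowsec_files(snapshot["files"]):
        findings.append(f"Zbot-style drop file: {path}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT):
        print(line)
```

The name-based checks are weak evidence on their own, since the toolkit operator can rename the dropped files; the Userinit check does not depend on names, which is why it is listed first in the findings.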

      3.3 Command and control server
      When Trojan.Zbot is installed, it reports back to the C&C server that is referenced in the configuration file when the executable was created using the toolkit. The first thing it checks for is an updated version of its configuration file.

      Back door
      The back door to the C&C server provides the attacker with a versatile set of options for how he or she can use the compromised computer. For example, attackers can perform any of the following actions, if they so wish:
      • Restart or shut down the computer
      • Delete system files, rendering the computer unusable
      • Disable or restore access to a particular URL
      • Inject rogue HTML content into pages that match a defined URL
      • Download and execute a file
      • Execute a local file
      • Add or remove a file mask for local search (e.g. hide the threat’s files)
      • Upload a file or folder
      • Steal digital certificates
      • Update the configuration file
      • Rename the bot executable
      • Upload or delete Flash cookies
      • Change the Internet Explorer start page

      The domains that the back door connects to vary, depending on what the attacker has included in the configuration file.

      Server-side control panel
      The C&C server not only allows the attacker to perform a number of functions on a compromised computer, but also gives them the ability to manage a botnet of Zeus-infected computers. An attacker can monitor statistics on the number of infected computers he or she controls, as well as generate reports on the stolen information the bots have gathered.

      3.4 Information gathering
      Once installed Trojan.Zbot will automatically gather a variety of information about the compromised computer, which it sends back to the C&C server. This information includes the following:
      • A unique bot identification string
      • Name of the botnet
      • Version of the bot
      • Operating system version
      • Operating system language
      • Local time of the compromised computer
      • Uptime of the bot
      • Last report time
      • Country of the compromised computer
      • IP address of the compromised computer
      • Process names

      3.5 Password stealing
      The core purpose of Trojan.Zbot is to steal passwords, as is evident from the different methods it uses to do so.

      Upon installation, Trojan.Zbot will immediately check Protected Storage (PStore) for passwords. It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.

      A more versatile method of password-stealing used by the threat is driven by the configuration file during Web browsing. When the attacker generates the configuration file, he or she can include any URLs they wish to monitor. When any of these URLs are visited, the threat gathers any user names and passwords typed into these pages. In order to do this, it hooks the functions of various DLLs, taking control of network functionality. The following is a list of DLLs and the APIs within them that are used by Trojan.Zbot:

      WININET.DLL
      • HttpSendRequestW
      • HttpSendRequestA
      • HttpSendRequestExW
      • HttpSendRequestExA
      • InternetReadFile
      • InternetReadFileExW
      • InternetReadFileExA
      • InternetQueryDataAvailable
      • InternetCloseHandle

      WS2_32.DLL and WSOCK32.DLL
      • send
      • sendto
      • closesocket
      • WSASend
      • WSASendTo

      USER32.DLL
      • GetMessageW
      • GetMessageA
      • PeekMessageW
      • PeekMessageA
      • GetClipboardData
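Hooks of this kind are found by comparing the first bytes of each exported function as mapped in memory with the same bytes in the DLL on disk, and, where the prologue has been replaced by a jump, checking where the jump lands: a target outside every loaded module (for example a private heap region) is the telling sign. The code below is an added example for this writeup, not Symantec's scanner; it works on constructed byte strings and a hypothetical module map rather than reading a live process, so the address values are illustrative only.

```python
# Constructed module map: name -> (base, size). Addresses are hypothetical.
MODULES = {
    "wininet.dll": (0x76300000, 0x00200000),
    "user32.dll": (0x77A00000, 0x00100000),
}

# Typical hot-patchable prologue of a 32-bit Windows API:
# mov edi,edi / push ebp / mov ebp,esp / sub esp,0x10
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10])


def make_jmp_rel32(from_addr, to_addr):
    """Encode `jmp rel32` from from_addr to to_addr (used only to build the sample)."""
    disp = to_addr - (from_addr + 5)
    return b"\xE9" + disp.to_bytes(4, "little", signed=True)


def classify_prologue(code):
    """Name the redirect instruction at the start of the function, if any."""
    if len(code) >= 5 and code[0] == 0xE9:
        return "jmp rel32"
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return "jmp [abs32]"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push imm32; ret"
    if len(code) >= 2 and code[0] == 0xEB:
        return "jmp rel8"
    return "no redirect"


def jmp_rel32_target(func_addr, code):
    """Resolve where a `jmp rel32` at func_addr lands (32-bit address space)."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    disp = int.from_bytes(code[1:5], "little", signed=True)
    return (func_addr + 5 + disp) & 0xFFFFFFFF


def module_for(addr, modules=MODULES):
    """Which loaded module contains addr, or None if the memory is unbacked."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def assess_export(name, func_addr, in_memory, on_disk, modules=MODULES, n=8):
    """Compare the live prologue with the on-disk copy and, if it is a jmp, say where it goes."""
    result = {
        "function": name,
        "modified": in_memory[:n] != on_disk[:n],
        "kind": classify_prologue(in_memory),
        "target": None,
        "target_module": None,
    }
    target = jmp_rel32_target(func_addr, in_memory)
    if target is not None:
        result["target"] = target
        result["target_module"] = module_for(target, modules)
    return result


# Constructed sample: HttpSendRequestW as mapped in memory has been overwritten
# with a jmp into an unbacked region; GetMessageW is untouched.
HOOKED_ADDR = 0x76312340
HOOK_TARGET = 0x00A40000
SAMPLE = {
    "HttpSendRequestW": (HOOKED_ADDR,
                         make_jmp_rel32(HOOKED_ADDR, HOOK_TARGET) + CLEAN_PROLOGUE[5:],
                         CLEAN_PROLOGUE),
    "GetMessageW": (0x77A11000, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
}


def scan(sample=SAMPLE):
    """Assess every export in the sample; returns {name: assessment}."""
    return {name: assess_export(name, addr, mem, disk)
            for name, (addr, mem, disk) in sample.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(name, verdict)
```

A jump in a prologue is not proof by itself: Windows hot-patching, security products and compatibility shims also redirect API entry points, but those land inside a loaded module. The combination reported here, a modified prologue whose jump target is backed by no module, is what distinguishes injected code like Zbot's from legitimate hooks.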

      Trojan.Zbot can also inject other fields into the Web pages it monitors. To do this, it intercepts the pages as they are returned to the compromised computer and adds extra fields. For example, if a user requests a page from their bank’s Web site, and the bank returns a page requiring a user name and password, the threat can be configured to inject a third field asking for the user’s Social Security Number.

      4. Additional information
      For more information relating to this threat family, please see the following resources:


      Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

      • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
      • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
      • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
      • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
      • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
      • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
      • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
      • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
      • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
      • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
      • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
      • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
      • For further information on the terms used in this document, please refer to the Security Response glossary.


      You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

      Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

      If you are a Norton product user, we recommend you try the following resources to remove this risk.

      Removal Tool

      If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

      How to reduce the risk of infection
      The following resources provide further information and best practices to help reduce the risk of infection.

      If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

      Identifying and submitting suspect files
      Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

      Removal Tool

      If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

      How to reduce the risk of infection
      The following resource provides further information and best practices to help reduce the risk of infection.
      Protecting your business network

      The following instructions pertain to all current Symantec antivirus products.

      1. Performing a full system scan
      How to run a full system scan using your Symantec product

      2. Restoring settings in the registry
      Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

      Writeup By: Ben Nahorney and Nicolas Falliere