Home / malware Trojan-Spy:W32/Zbot
First posted on 10 September 2008.
Source: SecurityHomeAliases :
There are no other names known for Trojan-Spy:W32/Zbot.
Explanation :
This type of trojan secretly installs spy programs and/or keylogger programs.
right]The primary payload of Zbot-trojans is focused on stealing online banking information. They also have limited backdoor and proxy-capabilities.
Once the trojan has established itself in the user's system, it opens a connection to a remote server and downloads an encrypted configuration file. This file contains the address where the trojan will later upload the information it has stolen; an address where it can download a new version of itself; and the address of another configuration file. This file also defines what websites the trojan will target for information theft.
Once the configuration file is downloaded, any confidential banking data the victim types in is compromised. If the victim enters account information on an online banking site, the trojan intercepts the data in the webform and uploads it to the server defined in the trojan's configuration file. To gather more information, the malware author can even create additional fields, which are then injected into a targeted webpage for the unsuspecting victim to fill in.
Zbots are also capable of presenting the victim with a fake version of a webpage. Victims trying to browse specific webpages will be presented with a modified copy of the website from a server controlled by the attacker, rather than the correct webpage from the legitimate server. Again, any information entered is captured by the attacker.
Keylogging, stealing data from the clipboard and taking screenshots of the desktop are also in Zbots arsenal. Zbot-trojans steal the content of the Windows Protected Storage, as well as certificates stored on the infected system. Username and password information for POP3 and FTP protocols are also stolen.
Zbots have limited backdoor functionality, which mainly involve executing a file already on the system or downloading a new version of itself. A Zbot can also act as a proxy-server. Other miscellaneous functionality includes the ability to modify the content of %windir%system32drivershosts, to redirect or block access to websites.Last update 10 September 2008