
PWS:Win32/Zbot.gen!AD


First posted on 09 August 2011.
Source: SecurityHome

Aliases :

PWS:Win32/Zbot.gen!AD is also known as TR/PSW.Zbot.130560.Y (Avira), Gen:Variant.Zbot.13 (BitDefender), Win32/Spy.Zbot.YW (ESET), Trojan-Spy.Win32.Zbot (Ikarus), Packed.Win32.Krap.hm (Kaspersky), Troj/Zbot-UW (Sophos), TrojanSpy.Zbot.AGZW (VirusBuster), Zeus (other), Zbot (other).

Explanation :

PWS:Win32/Zbot.gen!AD is a password stealer and remote access trojan.

PWS:Win32/Zbot.gen!AD is a generic detection for malware that infects other files, lowers Internet browser security, steals passwords, and allows unauthorized access to and control of an affected computer.



Installation

The trojan could be installed by other malware. In the wild, some variants were observed bundled with an exploit detected as Exploit:Win32/CplLnk.B. The trojan could be sent as an attachment to a spammed email message such as in the following examples:

Example 1:



From: <delivery@dhl.com>
To: <recipient>
Date: 12/3/2010 4:53:46 AM
Subject: DHL Failure Delivery Notification Message
Attachment: "SN_122010.zip" (contains "kss.exe")





Example 2:







Example 3:



From: <jim.larkin@careerbuilder.com>
To: <recipient>
Date: 11/29/2010 2:12:31 PM
Subject: Re: invoice
Attachment: "invoice.zip" (contains "invoice.scr")

Here is the invoice you requested
Thank you,
Jim Larkin
Careerbuilder Customer Care Department



When run, PWS:Win32/Zbot.gen!AD drops a modified copy of itself as a randomly named file:

  • %APPDATA%\<random letters>\<random letters>.exe


For example:

  • c:\Documents and Settings\Administrator\Application Data\dopyq\ruro.exe


The registry is modified to run the dropped malware at Windows start.

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"
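
The persistence entry above has two properties a defender can key on: the Run value is named after a GUID rather than a product name, and its data points at a letters-only folder and executable under the roaming profile. The following script is an added example (not part of this write-up or of any vendor tool) that scores Run entries against both indicators. On Windows it reads the live HKCU Run key with `winreg`; elsewhere it falls back to constructed sample entries. The exact GUID formatting (braces, case) is assumed, so both forms are accepted.

```python
import re
import sys

# Heuristics from the write-up: the Run value is named after a volume GUID and
# its data points to %APPDATA%\<random letters>\<random letters>.exe. The exact
# GUID formatting (braces, case) is an assumption; both forms are accepted.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)
APPDATA_EXE_RE = re.compile(
    r"^(?:%APPDATA%|.*\\application data|.*\\appdata\\roaming)\\([a-z]+)\\([a-z]+)\.exe$", re.I
)


def _executable_path(data):
    """Extract the program path from Run value data ("C:\\x.exe" /arg or C:\\x.exe /arg)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data


def suspicious_run_entries(entries):
    """Score (value_name, value_data) pairs from a Run key against the Zbot pattern.

    Returns a list of {"name", "data", "reasons"} for every entry that matched
    at least one indicator; both reasons together are a strong match.
    """
    hits = []
    for name, data in entries:
        reasons = []
        if GUID_RE.match(name.strip()):
            reasons.append("value name is a bare GUID")
        if APPDATA_EXE_RE.match(_executable_path(data)):
            reasons.append("runs <letters>\\<letters>.exe from roaming AppData")
        if reasons:
            hits.append({"name": name, "data": data, "reasons": reasons})
    return hits


def read_hkcu_run():
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample Run entries (not from a real host); the GUID is a placeholder.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("{7a1e3c2d-9b4f-4e6a-8d1c-0f2b3a4c5d6e}",
     r"C:\Documents and Settings\Administrator\Application Data\dopyq\ruro.exe"),
]

if __name__ == "__main__":
    for hit in suspicious_run_entries(read_hkcu_run() or SAMPLE_RUN_ENTRIES):
        print(hit["name"], "->", hit["data"], "|", "; ".join(hit["reasons"]))
```

A single reason is only a lead (some legitimate installers also run from roaming AppData); the GUID-named value combined with the letters-only path is what makes the entry worth pulling the file for.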

If running within a terminal server session, the trojan drops and executes a copy of itself as a randomly named file into one of the following folders:

  • <drive:>\documents and settings\default user\
  • <drive:>\users\default\
  • <drive:>\documents and settings\<user name>\
  • <drive:>\users\<user name>\


The malware injects code into the address space of the following processes:

  • winlogon.exe
  • taskhost.exe
  • taskeng.exe
  • wscntfy.exe
  • ctfmon.exe
  • rdpclip.exe
  • explorer.exe


In newer variants, however, instead of selecting processes, PWS:Win32/Zbot.gen!AD injects code into the address space of all running processes matching the privilege of the currently logged on user. For example, if the current user is logged on as an administrator account, the trojan will inject its code into all administrator-level processes, such as "winlogon.exe", "smss.exe" and so on.

Otherwise, the trojan will inject its code into all user-level processes (such as "explorer.exe", "iexplore.exe" and so on). Process injection is performed to hide or mask the trojan's presence.

Additionally, PWS:Win32/Zbot.gen!AD hooks the following Windows system APIs to aid in the capture of sensitive data:

  • GetFileAttributesExW
  • HttpSendRequestW
  • HttpSendRequestA
  • HttpSendRequestExW
  • HttpSendRequestExA
  • InternetCloseHandle
  • InternetReadFile
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • HttpQueryInfoA
  • closesocket
  • send
  • WSASend
  • TranslateMessage
  • GetClipboardData
  • PFXImportCertStore
  • OpenInputDesktop
  • SwitchDesktop
  • DefWindowProcW
  • DefWindowProcA
  • DefDlgProcW
  • DefDlgProcA
  • DefFrameProcW
  • DefFrameProcA
  • DefMDIChildProcW
  • DefMDIChildProcA
  • CallWindowProcW
  • CallWindowProcA
  • RegisterClassW
  • RegisterClassA
  • RegisterClassExW
  • RegisterClassExA
  • BeginPaint
  • EndPaint
  • GetDCEx
  • GetDC
  • GetWindowDC
  • ReleaseDC
  • GetUpdateRect
  • GetUpdateRgn
  • GetMessagePos
  • GetCursorPos
  • SetCursorPos
  • SetCapture
  • ReleaseCapture
  • GetCapture
  • GetMessageW
  • GetMessageA
  • PeekMessageW
  • PeekMessageA


PWS:Win32/Zbot.gen!AD hooks the following additional APIs (NSPR, as used by Mozilla Firefox) to support Firefox:

  • PR_OpenTCPSocket
  • PR_Close
  • PR_Read
  • PR_Write
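
The API hooks listed above are inline detours: the first bytes of the exported function in the process's memory are overwritten with a jump into the trojan's injected code. The standard way to find them in a memory image is to compare each export's prologue in memory with the copy on disk and, where they differ, decode the jump and ask whether it lands inside any legitimately loaded module. The snippet below is an added example (not from the write-up) that does this over a constructed snapshot; the addresses and byte strings are placeholders, and the clean prologue used is the common hot-patchable `mov edi,edi / push ebp / mov ebp,esp` sequence.

```python
import struct

# Common hot-patchable prologue of 32-bit Win32 API entry points:
# mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"


def detour_target(func_addr, prologue):
    """Return the 32-bit address an inline detour at `func_addr` jumps to, or None.

    Recognises the usual detour shapes: jmp rel32 (E9 ..), push imm32; ret (68 .. C3)
    and mov eax, imm32; jmp eax (B8 .. FF E0).
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def hooked_exports(snapshot, module_ranges):
    """Find exports whose in-memory prologue no longer matches the on-disk copy.

    snapshot:      {export_name: (address, bytes_in_memory, bytes_on_disk)}
    module_ranges: [(start, end), ...] address ranges of legitimately loaded modules
    Returns {export_name: target_or_None}; a target outside every known module is
    the classic sign of injected hook code. Detours that land inside a known
    module (e.g. a security product's own hooks) are left out of the result.
    """
    findings = {}
    for name, (addr, mem, disk) in snapshot.items():
        if mem == disk:
            continue
        target = detour_target(addr, mem)
        if target is None:
            findings[name] = None  # patched, but not a recognised jump shape
        elif not any(start <= target < end for start, end in module_ranges):
            findings[name] = target
    return findings


# Constructed snapshot: placeholder load addresses, not values from a real process.
WININET_RANGE = (0x7D0A0000, 0x7D1B0000)
HOOK_STUB = 0x00A31000  # placeholder address of the injected code
SAMPLE_SNAPSHOT = {
    "HttpSendRequestW": (
        0x7D0A1000,
        b"\xe9" + struct.pack("<i", HOOK_STUB - (0x7D0A1000 + 5)),  # jmp rel32 to the stub
        CLEAN_PROLOGUE,
    ),
    "InternetReadFile": (0x7D0A2000, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
}

if __name__ == "__main__":
    for name, target in hooked_exports(SAMPLE_SNAPSHOT, [WININET_RANGE]).items():
        where = f"0x{target:08X}" if target is not None else "unrecognised patch"
        print(f"{name}: prologue modified, detour -> {where}")
```

On a live system the in-memory bytes come from the target process (for example through a memory-forensics framework's module and export listing) and the on-disk bytes from the mapped DLL; the comparison logic is the same.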

Payload

File infection

PWS:Win32/Zbot.gen!AD may spawn a thread to infect executable files (.EXE) in removable, fixed and remote drives. The malware avoids infecting files in the following paths:

  • <drive:>\documents and settings\<user name>\application data\
  • <drive:>\users\<user name>\appdata\roaming\
  • <drive:>\program files\
  • <drive:>\program files (x86)\
  • %windir%\
  • %windir%\system32\


The malware may also spawn a thread that enumerates shared drives and infects files found.

Infected files are detected as Virus:Win32/Zbot.B or Virus:Win32/Zbot.C.

Downloads configuration data file

PWS:Win32/Zbot.gen!AD hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when a user visits certain websites. Earlier variants of PWS:Win32/Zbot.gen download a configuration file from a remote server (for example, "dairanet.cn"), and the captured data is sent to a predefined FTP or e-mail server.

Newer variants of this malware generate up to 1020 pseudo-randomly named domains and attempt to connect to each domain in the generated list to download a configuration file. The generated domain names are derived from the system date and time and have one of the following suffixes:

  • .com
  • .net
  • .org
  • .info
  • .biz
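
The generation algorithm itself is not given here, but its network footprint is: a single host resolving hundreds of never-before-seen names under those five suffixes, most of which do not exist, in a short span. That footprint is what a DNS log hunt can key on. Below is an added example (not part of the write-up) that counts, per client, the distinct NXDOMAIN answers under the listed suffixes inside a sliding time window. The log line format and the sample lines are constructed for the example; the random labels in the sample are made up and are not the malware's generation scheme.

```python
import random
import re
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Suffixes the write-up lists for the generated domains.
DGA_TLDS = (".com", ".net", ".org", ".info", ".biz")

# Constructed log format for this example (not any vendor's format):
# "<date> <time> client <ip> query <name> rcode <NOERROR|NXDOMAIN>"
LOG_RE = re.compile(r"^(\S+ \S+) client (\S+) query (\S+) rcode (\w+)$")


def dga_suspects(lines, window=timedelta(minutes=10), threshold=20):
    """Map client IP -> peak number of distinct NXDOMAIN names under DGA_TLDS
    observed inside any `window`; only clients at or above `threshold` are returned."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, name, rcode = m.groups()
        name = name.lower().rstrip(".")
        if rcode != "NXDOMAIN" or not name.endswith(DGA_TLDS):
            continue
        events[client].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name))

    suspects = {}
    for client, evs in events.items():
        evs.sort()
        peak = 0
        for i, (start, _) in enumerate(evs):
            # distinct names in the window that opens at this event
            names = {n for t, n in evs[i:] if t - start <= window}
            peak = max(peak, len(names))
        if peak >= threshold:
            suspects[client] = peak
    return suspects


def sample_log():
    """Constructed DNS log: one host burst-resolving 30 random names plus one normal host."""
    rng = random.Random(7)
    t0 = datetime(2011, 8, 9, 10, 0, 0)
    lines = []
    for i in range(30):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(12, 20)))
        ts = t0 + timedelta(seconds=3 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} client 10.0.0.5 query {label}{rng.choice(DGA_TLDS)} rcode NXDOMAIN")
    for i, name in enumerate(["www.example.com", "update.example.org", "mail.example.net"]):
        ts = t0 + timedelta(seconds=40 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} client 10.0.0.9 query {name} rcode NOERROR")
    lines.append(f"{t0:%Y-%m-%d %H:%M:%S} client 10.0.0.9 query typo-host.example.com rcode NXDOMAIN")
    return lines


if __name__ == "__main__":
    for client, peak in dga_suspects(sample_log()).items():
        print(f"{client}: {peak} distinct unresolved DGA-style names within 10 minutes")
```

The threshold of 20 in 10 minutes is a starting point, not a tuned value; the write-up's figure of up to 1020 candidate domains means an infected host sits far above it, while ordinary typo traffic stays well below.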


The configuration file contains data used by the malware such as the following:

  • URL to download updates of PWS:Win32/Zbot.gen!AD
  • URL for additional configuration data files to download
  • bot build version
  • URL of targeted online financial institutions
  • HTML and JavaScript code for parsing target web pages


Steal sensitive data

The trojan collects FTP credentials (IP, port, username, and passwords) from the following FTP software:

  • FlashFXP
  • Total Commander
  • ws_ftp
  • FileZilla
  • FAR/FAR2
  • winscp
  • FTP Commander
  • CoreFTP
  • SmartFTP


PWS:Win32/Zbot.gen!AD steals the following sensitive information from the affected computer:

  • certificates
  • IE cookies
  • cache passwords


The trojan also logs keystrokes and gets a snapshot of the infected system.

Steals Windows Mail and Windows Live Mail credentials

If running on Windows XP and below, PWS:Win32/Zbot.gen!AD uses the COM libraries "msoeacct.dll" and "wab32.dll" to capture the Windows Mail account name, email address, server, username, and password.

The libraries are defined in the registry key:

  • HKLM\SOFTWARE\Microsoft\WAB\DLLPath\


Otherwise if running on Windows Vista and above, the trojan captures the credentials by parsing the Windows mail folder, specified in this registry subkey:

  • HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\


Steals "Full Tilt Poker" credentials

PWS:Win32/Zbot.gen!AD could capture logon credentials for the online gaming program "Full Tilt Poker". The trojan resets the stored logon data by deleting the following registry value:

  • HKCU\Software\Full Tilt Poker\UserInfo\UserName


The malware then monitors for logon activity for the game and captures credentials entered by the user.

Lowers Internet Explorer web browser security

PWS:Win32/Zbot.gen!AD lowers Internet Explorer web browser security settings by modifying registry data.

  • Disables phishing filtering:
    In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
    Sets value: "Enabled"
    With data: "0"
    Sets value: "EnabledV8"
    With data: "0"
  • Disables clearing Internet Explorer browser cookies:
    In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
    Sets value: "CleanCookies"
    With data: "0"
  • Disables Internet Explorer Internet zone security settings
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "1406"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "1609"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "1406"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "1406"
    With data: "0"
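
Because every change above is a fixed value written to a fixed location under HKCU, the whole list can be turned into a per-user audit: read each value and report the ones that hold the data the trojan writes. The script below is an added example (not from the write-up or a vendor tool). The subkeys, value names and data come from the list above; the meanings attached to the zone action IDs (1406 = access data sources across domains, 1609 = display mixed content, with 0 meaning "enable") are Internet Explorer's documented URL action identifiers. On Windows it reads the live hive with `winreg`; elsewhere it runs over a constructed snapshot.

```python
import sys

IE = r"Software\Microsoft\Internet Explorer"
ZONES = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# (subkey under HKCU, value name, data the malware writes, what that means).
# Subkeys, names and data are from the write-up; 1406/1609 labels are IE's
# URL action identifiers (0 = enable the action, i.e. the weaker setting).
WEAKENED_SETTINGS = [
    (IE + r"\PhishingFilter", "Enabled", 0, "phishing filter off"),
    (IE + r"\PhishingFilter", "EnabledV8", 0, "phishing filter (IE8 value) off"),
    (IE + r"\Privacy", "CleanCookies", 0, "cookie clearing off"),
    (ZONES + r"\0", "1609", 0, "Local zone: mixed content allowed"),
    (ZONES + r"\1", "1406", 0, "Intranet zone: cross-domain data access allowed"),
    (ZONES + r"\2", "1609", 0, "Trusted zone: mixed content allowed"),
    (ZONES + r"\3", "1406", 0, "Internet zone: cross-domain data access allowed"),
    (ZONES + r"\4", "1406", 0, "Restricted zone: cross-domain data access allowed"),
]


def audit(read_value):
    """read_value(subkey, name) -> integer data or None when absent.
    Returns [(subkey, name, meaning)] for every setting holding the malware's value."""
    findings = []
    for subkey, name, bad_data, meaning in WEAKENED_SETTINGS:
        if read_value(subkey, name) == bad_data:
            findings.append((subkey, name, meaning))
    return findings


def dict_reader(snapshot):
    """Reader over a {(subkey, name): data} snapshot, for offline use and tests."""
    return lambda subkey, name: snapshot.get((subkey, name))


def hkcu_reader(subkey, name):
    """Reader over the live HKCU hive (Windows only; None if the key or value is absent)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            data, _ = winreg.QueryValueEx(key, name)
            return data
    except OSError:
        return None


# Constructed snapshot (not from a real host) with two of the settings flipped.
SAMPLE_SNAPSHOT = {
    (IE + r"\PhishingFilter", "Enabled"): 0,
    (IE + r"\PhishingFilter", "EnabledV8"): 1,
    (IE + r"\Privacy", "CleanCookies"): 1,
    (ZONES + r"\3", "1406"): 0,
    (ZONES + r"\3", "1609"): 1,
}

if __name__ == "__main__":
    reader = hkcu_reader if sys.platform == "win32" else dict_reader(SAMPLE_SNAPSHOT)
    for subkey, name, meaning in audit(reader):
        print(f"HKCU\\{subkey} {name}=0: {meaning}")
```

An absent value is reported as clean here because Internet Explorer then applies its zone default; an audit that wants to flag "weaker than default" rather than "matches the malware" would compare against those defaults instead. Note also that the trojan writes these under HKCU, so the audit has to run in (or load the hive of) each user profile, not just the one running the script.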


Lowers Firefox web browser security

PWS:Win32/Zbot.gen!AD could modify settings for the web browser Mozilla Firefox including the following:

  • Disable the clearing of Internet cookies
  • Disable the display of warning messages when viewing mixed secured and unsecure web pages
  • Disable the display of warning messages when submitting data to unsecure pages


Allows remote access and control

PWS:Win32/Zbot.gen!AD allows varying degrees of remote access and control, depending on certain configuration data. The trojan could perform, and is not limited to, any of the following actions:

  • reboot/shut down affected computer
  • uninstall/update Zbot
  • enable/disable HTTP injection
  • get current path
  • search/remove files
  • log off
  • execute a program
  • steal Internet Explorer browser cookies
  • steal certificates
  • block/unblock URLs
  • set Internet Explorer home page
  • steal FTP credentials (details above)
  • steal credentials stored by Macromedia Flash Player by parsing "flashplayer.cab" with SOL (Flash Local Shared Object File) files located at "%APPDATA%\Macromedia\Flash Player".

Additional Information

PWS:Win32/Zbot.gen!AD appends the following headers when invoking the hooked APIs "HttpSendRequestA", "HttpSendRequestExW" and "HttpSendRequestExA":

  • Accept-Encoding: identity
  • TE:
  • If-Modified-Since:
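
An `Accept-Encoding: identity` header on its own is ordinary, but a request that also carries an empty `TE:` and an empty `If-Modified-Since:` header is not something a mainstream browser emits, so the three together make a usable proxy or IDS signature for traffic sent through the hooked WinINet functions. The following is an added example (not from the write-up) of that check over raw HTTP/1.x requests; both sample requests are constructed, and the paths and host names in them are placeholders.

```python
def parse_request_headers(raw):
    """Split a raw HTTP/1.x request into (request_line, [(name, value), ...]).

    Header names are lower-cased and values stripped, so the bare header "TE:"
    comes back as ("te", ""). Duplicate headers are kept, not merged.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def has_zbot_header_pattern(raw):
    """True only if all three headers from the write-up are present with those values."""
    _, headers = parse_request_headers(raw)
    wanted = {("accept-encoding", "identity"), ("te", ""), ("if-modified-since", "")}
    seen = {(name, value.lower()) for name, value in headers}
    return wanted <= seen


# Constructed requests (not captured traffic); host names and paths are placeholders.
SUSPECT_REQUEST = (
    b"POST /example-path HTTP/1.1\r\n"
    b"Host: placeholder.example\r\n"
    b"Accept-Encoding: identity\r\n"
    b"TE:\r\n"
    b"If-Modified-Since:\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
NORMAL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n"
    b"\r\n"
)
IDENTITY_ONLY_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept-Encoding: identity\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in [("suspect", SUSPECT_REQUEST), ("normal", NORMAL_REQUEST),
                       ("identity-only", IDENTITY_ONLY_REQUEST)]:
        print(f"{label}: {'MATCH' if has_zbot_header_pattern(req) else 'no match'}")
```

Treat a hit as a trigger for pulling the full session and the sending process, not as proof on its own: the signature is cheap to change, so it catches the variants described here rather than the family forever.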




Analysis by Matt McCormack

Last update 09 August 2011

