Win32/Zbot
First posted on 30 May 2012.
Source: Microsoft
Aliases:
Win32/Zbot is also known as Zeus (other), Wsnpoem (Symantec).
Explanation:
PWS:Win32/Zbot is a family of trojans that is created/generated by kits known as "Zeus"; these kits are bought and sold on the cyberworld black market.
Commonly, variants of the PWS:Win32/Zbot family may:
- Lower Internet browser security
- Disable the computer's firewall
- Steal user and computer information
- Allow unauthorized access and control of an affected computer
The trojan is often distributed in spam emails, via compromised websites, or may be packaged with other malware families.
It may also hook API addresses and perform webpage injection in order to monitor online banking activities.
Distribution methods
PWS:Win32/Zbot is a widespread and pervasive malware family. It uses several different methods in order to spread and compromise your computer.
Downloaded by other malware
PWS:Win32/Zbot may be installed by other malware. Families such as the following have been observed downloading Zbot as part of their criminal activity to steal information about the infected computer:
- TrojanDownloader:Win32/Bredolab
- Win32/Kelihos
- Win32/Waledac
Spam email
The trojan may arrive as an attachment in a spammed email message.
Below are examples of a few notorious spam runs encountered in the past years:
Subject: <Courier name> Failure Delivery Notification Message
Attachment: SN_122010.zip
Subject: <Social network site> Password Reset Confirmation
Attachment: <Social network site>_Password_e9081.zip
Subject: <Software company> Software Critical Upgrade Notification ID: RA4NFDKPJBD
Attachment: <Software company>Systems-Software_Critica Update_Dec_2011-6PGCF713B.zip
Subject: Important Account Information from <Company name> TRACK-ID: 70341011278
Attachment: <Company name>-Account-Status-Notification-Dec-2011.exe
Subject: Your credit balance is over its limits.
Attachment: balancechecker.zip
Phishing pages and exploit kits
Exploit kits have also been observed generating versions of PWS:Win32/Zbot to spread to vulnerable computers.
We observed cases where spam emails with the following subject lines contained a link to a phishing page disguised as a social networking, courier, or online banking site; that page redirected users to sites hosting PWS:Win32/Zbot generated by exploit kits:
- Subject: New login system
- Subject: Password reset
Below is an example of a spam email known to direct users to phishing pages hosting the trojan:
Subject: your <Company Name> money transfer has been authorized
Bundled with other malware
Some variants of Zbot have been observed to be bundled with an exploit component detected as Exploit:Win32/CplLnk.B.
Installation
Earlier versions of PWS:Win32/Zbot have been observed dropping copies of itself as any of the following files:
- <system folder>\ntos.exe
- <system folder>\sdra64.exe
- <system folder>\twex.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It also drops the following files, containing encrypted data used by the trojan, to the folder "<system folder>\wsnpoem\":
- audio.dll
- video.dll
It also creates either of the following encrypted log files, in which it may store the stolen data:
- <system folder>\twain_32\user.ds
- <system folder>\lowsec\user.ds
PWS:Win32/Zbot modifies the registry to ensure that its copy is executed at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware file>"
where <malware file> is any of the file names mentioned above.
Recent versions of PWS:Win32/Zbot have been observed dropping copies of itself as a randomly named file:
%APPDATA%\<random letters>\<random letters>.exe
For example:
C:\Documents and Settings\Administrator\Application Data\ecymy\huojq.exe
It modifies the registry to ensure that its copy is executed at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"
For example:
In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: {449829B8-9322-5694-4C31-974E87EDDDA5}
With data: "C:\Documents and Settings\Administrator\Application data\ecymy\huojq.exe"
Zbot injects code into the address space of all running processes, as far as the privileges of the currently logged-on user allow. Where it lacks that privilege, the trojan injects its code into all user-level processes (such as "explorer.exe", "iexplore.exe" and so on). This behavior is intended to hide the trojan's activity from security applications.
It also hooks the following Windows system APIs to aid in the capture of sensitive data, for example, online banking and shopping, email credentials and network information:
- NSPR.DLL
  - PR_OpenTCPSocket
  - PR_Close
  - PR_Poll
  - PR_Read
  - PR_Write
- NTDLL.DLL
  - ZwCreateThread
  - LdrLoadDll
- KERNEL32.DLL
  - GetFileAttributesExW
- WININET.DLL
  - HttpSendRequestW
  - HttpSendRequestA
  - HttpSendRequestExW
  - HttpSendRequestExA
  - InternetCloseHandle
  - InternetReadFile
  - InternetReadFileExA
  - InternetQueryDataAvailable
  - HttpQueryInfoA
  - InternetSetStatusCallbackW
  - InternetSetStatusCallbackA
  - InternetSetOptionA
- WS2_32.DLL
  - closesocket
  - send
  - WSASend
  - recv
  - WSARecv
- GDI32.DLL
  - OpenInputDesktop
  - SwitchDesktop
  - DefWindowProcW
  - DefWindowProcA
  - DefDlgProcW
  - DefDlgProcA
  - DefFrameProcW
  - DefFrameProcA
  - DefMDIChildProcW
  - DefMDIChildProcA
  - CallWindowProcW
  - CallWindowProcA
  - RegisterClassW
  - RegisterClassA
  - RegisterClassExW
  - RegisterClassExA
- USER32.DLL
  - BeginPaint
  - EndPaint
  - GetDCEx
  - GetDC
  - GetWindowDC
  - ReleaseDC
  - GetUpdateRect
  - GetUpdateRgn
  - GetMessagePos
  - GetCursorPos
  - SetCursorPos
  - SetCapture
  - ReleaseCapture
  - GetCapture
  - GetMessageW
  - GetMessageA
  - PeekMessageW
  - PeekMessageA
  - TranslateMessage
  - GetClipboardData
- CRYPT32.DLL
  - PFXImportCertStore
If the infected computer is running a Remote Desktop Service (RDS), Zbot may attempt to execute a process for every connected RDS session and drop a copy of itself in the following folders:
- <drive:>\Documents and Settings\Default user\
- <drive:>\Users\Default\
- <drive:>\Documents and Settings\<User name>\
- <drive:>\Users\<User name>\
This means that other computers with remote sessions to the affected computer risk being infected as well.
It may also read a configuration file in which the list of target websites (often online banking or shopping sites) it monitors is stored.
Payload
Disables the Firewall
Zbot makes the following changes to the registry in order to disable the Windows Firewall:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Modifies value: "EnableFirewall"
With data: "0"
It also terminates the following processes:
- Outpost Firewall - outpost.exe
- Zone Alarm Firewall - zlclient.exe
Lowers Internet Explorer web browser security
PWS:Win32/Zbot lowers Internet Explorer web browser security settings by making the following changes to the registry:
Disables phishing filtering:
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"
Prevents the removal of expired Internet Explorer browser cookies:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"
Lowers Internet Explorer Internet zone security settings
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
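The registry changes listed above, together with the Winlogon "userinit" and HKCU Run persistence entries described under Installation, are the kind of artifacts a responder can check on a registry export from a suspect machine. The following is an added example (not Microsoft's tooling or code from this page): it parses a small .reg export, constructed here for illustration with the page's own key names, value names and sample paths, and reports every Zbot-style change it finds. The file-name list, GUID shape and APPDATA path shape are taken from the page; the descriptions of IE zone actions 1406 and 1609 are from general knowledge of Internet Explorer settings, not from the page.

```python
import re

# Constructed sample .reg export (not from a real host). The keys and values
# are those listed on this page; the GUID, folder and file names are the
# page's own examples, and the ctfmon entry is a benign distractor.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe,C:\\Windows\\System32\\sdra64.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{449829B8-9322-5694-4C31-974E87EDDDA5}"="C:\\Documents and Settings\\Administrator\\Application Data\\ecymy\\huojq.exe"
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000001
"""


def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: value}}.
    String data is unescaped, dword data becomes an int, other types stay raw."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
        elif key and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                reg[key][name] = raw[1:-1].replace("\\\\", "\\")
            elif raw.lower().startswith("dword:"):
                reg[key][name] = int(raw[6:], 16)
            else:
                reg[key][name] = raw
    return reg


WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
ZONE_RE = re.compile(r"^hkey_current_user\\software\\microsoft\\windows\\currentversion"
                     r"\\internet settings\\zones\\(\d+)$")
# Settings the page says Zbot sets to 0; 0 is the weakened state for each.
WEAKENED = {
    (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters"
     r"\firewallpolicy\standardprofile", "enablefirewall"): "Windows Firewall disabled",
    (r"hkey_current_user\software\microsoft\internet explorer\phishingfilter", "enabled"): "IE phishing filter disabled",
    (r"hkey_current_user\software\microsoft\internet explorer\phishingfilter", "enabledv8"): "IE phishing filter (v8) disabled",
    (r"hkey_current_user\software\microsoft\internet explorer\privacy", "cleancookies"): "expired IE cookies no longer cleaned",
}
# IE zone URL actions the page lists; data 0 means "allow without prompt"
# (1406 = access data sources across domains, 1609 = display mixed content).
ZONE_ACTIONS = {"1406", "1609"}
KNOWN_DROP_NAMES = {"ntos.exe", "sdra64.exe", "twex.exe"}          # earlier variants
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")
APPDATA_EXE_RE = re.compile(r"\\(application data|appdata\\roaming)\\[a-z]+\\[a-z]+\.exe$")


def find_zbot_indicators(reg):
    """Return human-readable findings for the Zbot registry changes on this page."""
    findings = []
    # Winlogon Userinit should contain nothing but userinit.exe.
    userinit = reg.get(WINLOGON, {}).get("userinit", "")
    for entry in filter(None, (e.strip() for e in userinit.split(","))):
        if not entry.lower().endswith("\\userinit.exe"):
            basename = entry.rsplit("\\", 1)[-1].lower()
            why = "known Zbot drop name" if basename in KNOWN_DROP_NAMES else "unexpected extra program"
            findings.append(f"Userinit hijack ({why}): {entry}")
    # Run value named like a volume GUID, pointing at %APPDATA%\<letters>\<letters>.exe.
    for name, data in reg.get(RUN_KEY, {}).items():
        if GUID_RE.match(name) and isinstance(data, str) and APPDATA_EXE_RE.search(data.lower()):
            findings.append(f"Run entry named like a volume GUID pointing into APPDATA: {data}")
    for (key, value), desc in WEAKENED.items():
        if reg.get(key, {}).get(value) == 0:
            findings.append(f"{desc}: {value} = 0")
    for key, values in reg.items():
        if (m := ZONE_RE.match(key)):
            for action in sorted(ZONE_ACTIONS & set(values)):
                if values[action] == 0:
                    findings.append(f"IE zone {m.group(1)} action {action} set to 0")
    return findings


if __name__ == "__main__":
    for finding in find_zbot_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live system the same checks can be run against `reg export` output of the listed keys, or against an offline hive parsed by any tool that emits .reg text; absence of a finding is not proof of a clean machine, since recent variants use random file names and the IE zone values are legitimately changed by some administrators.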
Lowers Firefox web browser security
PWS:Win32/Zbot may modify settings for the web browser Mozilla Firefox including the following:
- Disable the clearing of Internet cookies
- Disable the display of warning messages when viewing mixed secured and unsecure webpages
- Disable the display of warning messages when submitting data to unsecure pages
Allows remote access and control
PWS:Win32/Zbot allows varying degrees of remote access and control, depending on the information in the configuration data in each particular variant.
The trojan could perform, but is not limited to, any of the following actions:
- Reboot/shut down affected computer
- Uninstall/update Zbot variant and configuration file
- Enable/disable HTTP injection
- Traverse the directory
- Search/remove files and directory
- Log off the current user
- Execute a program
- Steal Internet Explorer browser cookies
- Steal/delete certificates
- Block/unblock URLs
- Set Internet Explorer home page
- Steal FTP credentials
- Steal email login credentials
Downloads configuration data file
Earlier variants of PWS:Win32/Zbot.gen have been known to download a configuration file from a remote server, and send captured data to a predefined FTP or email server, for example:
secondconcert<blocked>ru/zpx<blocked>/obama009.jpg
Newer variants of Zbot generate up to 1020 pseudo-randomly named domains and attempt connections to the generated list in order to download a configuration file. The generated domain names are based on the system date and time and have one of the following suffixes:
- .com
- .net
- .org
- .info
- .biz
Some examples include:
- ghdukiopkkljbdyy <dot> com/news/?s=<random set of numbers>
- sdynjotsnjpojl <dot> biz/news/?s=<random set of numbers>
- kkrtfpqrsnslo <dot> net/news/?s=<random set of numbers>
- kkrtfpqrsnslo <dot> com/news/?s=<random set of numbers>
- nppuxmsnpfnkpphr <dot> info/news/?s=<random set of numbers>
- nppuxmsnpfnkpphr <dot> com/news/?s=<random set of numbers>
- mqjowjsgrpvmpr <dot> biz/news/?s=<random set of numbers>
- mqjowjsgrpvmpr <dot> org/news/?s=<random set of numbers>
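The generated domains above share a recognizable shape: a long, vowel-poor second-level label under one of five suffixes, a fixed "/news/?s=<number>" path, and the same label tried under several suffixes in quick succession. The page does not give the generation algorithm, so the following added example (not Microsoft's code) does not reproduce it; it only applies that shape as a filter over constructed proxy log lines, groups hits by client, and reports clients that contacted several such domains, which is how a network defender would triage this traffic. The log format, thresholds and vowel-ratio cutoff are assumptions chosen to match the page's examples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (timestamp, client, method, URL, status). The first four
# domains are examples from this page; the remaining requests are benign.
SAMPLE_LOG = """\
2012-05-30T10:01:12Z 10.0.0.15 GET http://kkrtfpqrsnslo.net/news/?s=1738290 504
2012-05-30T10:01:14Z 10.0.0.15 GET http://kkrtfpqrsnslo.com/news/?s=1738290 504
2012-05-30T10:01:15Z 10.0.0.15 GET http://nppuxmsnpfnkpphr.info/news/?s=9921034 504
2012-05-30T10:01:17Z 10.0.0.15 GET http://mqjowjsgrpvmpr.biz/news/?s=9921034 200
2012-05-30T10:02:40Z 10.0.0.22 GET http://www.microsoft.com/en-us/news/?s=1 200
2012-05-30T10:03:01Z 10.0.0.22 GET http://www.amazon.com/news/?s=12345 200
2012-05-30T10:03:05Z 10.0.0.22 GET http://example.org/news/?s=77 200
"""

ZBOT_TLDS = {"com", "net", "org", "info", "biz"}      # suffixes listed on the page
LABEL_RE = re.compile(r"^[a-z]{12,}$")                 # page examples are 13-16 letters
VOWELS = set("aeiou")


def looks_generated(host):
    """Shape filter for the page's generated domains: exactly two labels, one of
    the five suffixes, a long all-letter label with few vowels (assumed cutoff
    25%). This is a heuristic, not Zbot's generation algorithm."""
    parts = host.lower().split(".")
    if len(parts) != 2 or parts[1] not in ZBOT_TLDS or not LABEL_RE.match(parts[0]):
        return False
    vowel_ratio = sum(c in VOWELS for c in parts[0]) / len(parts[0])
    return vowel_ratio <= 0.25


def is_config_fetch(url):
    """True when the path is /news/ and the only query parameter is a numeric 's'."""
    u = urlsplit(url)
    qs = parse_qs(u.query)
    return u.path == "/news/" and len(qs) == 1 and qs.get("s", [""])[0].isdigit()


def analyze(log_text, min_domains=3):
    """Group suspect requests by client; return clients that contacted at least
    min_domains distinct generated-looking domains, with any label that was
    tried under more than one suffix (the page shows the same label on .net
    and .com, and on .info and .com)."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed lines
        _, client, _, url, _ = fields
        host = urlsplit(url).hostname or ""
        if looks_generated(host) and is_config_fetch(url):
            per_client[client].add(host)
    flagged = {}
    for client, hosts in per_client.items():
        if len(hosts) < min_domains:
            continue
        by_label = defaultdict(set)
        for h in hosts:
            label, tld = h.split(".")
            by_label[label].add(tld)
        flagged[client] = {
            "domains": sorted(hosts),
            "multi_tld_labels": sorted(l for l, t in by_label.items() if len(t) > 1),
        }
    return flagged


if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        print(client, info)
```

The useful signal is the burst of distinct, never-before-seen domains from one client within a short window, many of them failing to resolve or returning gateway errors; a single match on the shape filter alone would produce false positives on legitimate short-label domains and should not be alerted on by itself.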
The configuration file contains data used by the malware such as the following:
- URL to download updates of PWS:Win32/Zbot
- URL for additional configuration data files to download
- Bot build version
- URL of targeted online financial institutions
- HTML and JavaScript code for parsing target webpages
Recent variants have been observed to improve their communication methodology by adopting a peer-to-peer (P2P) architecture (earlier variants communicated directly with a command and control (C&C) server) in order to receive commands, update and download the configuration file, and upload stolen information.
Instead of contacting the C&C server directly, the infected computer first checks a predefined list of IP addresses of other infected computers. Upon successful contact, it receives the configuration file containing the C&C server address.
Steals sensitive information
PWS:Win32/Zbot hooks APIs used by Internet Explorer and Mozilla Firefox; it does this to monitor the online activities performed in the Internet browsers. It also injects HTML code into target websites to steal login credentials, when they are visited by affected users.
The trojan steals the following sensitive information from the affected computer:
- Digital certificates
- Internet Explorer cookies
- Cached passwords
It also monitors online activity by intercepting targeted websites listed in the configuration file, in order to steal user personal information like user name, password and credit card details.
The following are some of the target websites found in the configuration file of Zbot:
- amazon.com
- blogger.com
- flickr.com
- livejournal.com
- myspace.com
- youtube.com
- microsoft.com
- facebook.com
- ktt.key.com/ktt/cmd/logonFromKeyCom
- ktt.key.com/ktt/cmd/validatePinForm
- feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&
- us.hsbc.com
Steals FTP credentials
The trojan collects FTP credentials (IP, port, user name, and passwords) from the following FTP software:
- FlashFXP
- Total Commander
- ws_ftp
- FileZilla
- FAR/FAR2
- winscp
- FTP Commander
- CoreFTP
- SmartFTP
Steals Windows Mail and Windows Live mail credentials
If the infected computer is running on Windows XP or below, Win32/Zbot uses COM libraries "msoeacct.dll" and "wab32.dll" to capture the following details:
- Windows mail account name
- Email address
- Server
- User name
- Password
The DLL files are searched in the directory defined in the registry key below:
HKLM\SOFTWARE\Microsoft\WAB\DLLPath\
Otherwise, if running on Windows Vista and above, the trojan captures the credentials by parsing the Windows mail folder, specified in this registry subkey:
HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\
Steals "Full Tilt Poker" credentials
Win32/Zbot may capture logon credentials for the online gaming program "Full Tilt Poker". The trojan resets logon data by deleting the following registry value:
HKCU\Software\Full Tilt Poker\UserInfo\UserName
The malware then monitors for logon activity for the game, and captures credentials entered by the user.
It also logs keystrokes and gets desktop and window snapshots of the infected computer.
Analysis by Zarestel Ferrer
Last update 30 May 2012