
PWS:Win32/Zbot


First posted on 10 May 2019.
Source: Microsoft

Aliases:

PWS:Win32/Zbot is also known as Zeus, Wsnpoem, Citadel.

Explanation:

PWS:Win32/Zbot is a family of trojans created with kits known as "Zeus". These kits are bought and sold on the cybercrime black market.

The trojans hook API functions and inject code into webpages to monitor online banking activity.

Distribution methods

PWS:Win32/Zbot is a widespread and pervasive malware family. It uses several different methods to spread and infect your PC.

Downloaded by other malware

PWS:Win32/Zbot might be installed by other malware or exploit families. These families have been observed to download Zbot as part of their criminal activity to steal information about your PC:

TrojanDownloader:Win32/Bredolab
TrojanDownloader:Win32/Upatre
Win32/Cutwail
Win32/Dofoil
Win32/Gamarue
Win32/Fareit
Win32/Kelihos
Win32/Kuluoz
Win32/Vobfus
Win32/Waledac

PWS:Win32/Zbot might also be downloaded as a payload for exploit kits like Blackhole (we detect this as Blacole), and for exploits including:

Exploit:Java/CVE-2011-3544
Exploit:Java/CVE-2012-0507
Exploit:Java/CVE-2012-1723
Exploit:Java/CVE-2013-0422
Exploit:JS/Aimesu
Exploit:Win32/Pdfjsc

Spam email

The trojan might arrive in a spam email.

The following are examples of spam messages carrying the trojan that have been seen in past years:

Subject: Failure Delivery Notification Message
Attachment: SN_122010.zip

Subject: Password Reset Confirmation
Attachment: _Password_e9081.zip

Subject: Software Critical Upgrade Notification ID: RA4NFDKPJBD
Attachment: Systems-Software_Critica Update_Dec_2011-6PGCF713B.zip

Subject: Important Account Information from TRACK-ID: 70341011278
Attachment: -Account-Status-Notification-Dec-2011.exe

Subject: Your credit balance is over its limits.
Attachment: balancechecker.zip

Phishing pages and exploit kits

Exploit kits have also been observed generating versions of PWS:Win32/Zbot to spread to vulnerable PCs.

We have observed cases where spam emails with subjects such as the following contained a link to a phishing page disguised as a social networking, courier, or online banking site; that page redirects you to sites hosting PWS:Win32/Zbot generated by exploit kits:

Subject: New login system
Subject: Password reset

The following is an example of a spam email known to direct people to phishing pages hosting the trojan:

Subject: your money transfer has been authorized

Bundled with other malware

Some variants of Zbot have been observed to be bundled with an exploit component detected as Exploit:Win32/CplLnk.B.

Remote Desktop Service

If your PC is using Remote Desktop Service (RDS), and connected to other PCs, Zbot might try to install itself on your PC through this channel.

If your PC is running a Remote Desktop Service, Zbot might try to run a process for every connected RDS session and create a copy of itself in the startup folder:

%RDSUserProfilePath%\Start Menu\Programs\Startup\<random file name>.exe

where %RDSUserProfilePath% is generated by enumerating each user in this registry key by their unique security identifier (SID):

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>
Reads value: ProfileImagePath

For example:

If the administrator account SID is:

S-1-5-21-1844237615-2111687655-839522115-500

Then the profile path will be:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-2111687655-839522115-500

If ProfileImagePath is:

%SystemDrive%\Documents and Settings\Administrator

Then the full drop file will be:

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\<random file name>.exe

This means that other PCs connected to your PC over Remote Desktop risk being infected as well.
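The profile-path derivation above (ProfileList entry, expanded ProfileImagePath, then the Start Menu\Programs\Startup folder) is something a responder can run over every profile on an RDS host rather than just the administrator. The following is an added example, not code from the original page or from Microsoft: it reuses the example SID and ProfileImagePath from the text, adds a constructed second profile, a constructed environment and constructed folder listings, and flags raw executables in any profile's Startup folder (legitimate content there is almost always .lnk shortcuts).

```python
import ntpath
import re

# Constructed ProfileList contents for the demonstration, reusing the example
# administrator SID and ProfileImagePath from the text; the second entry is a
# made-up ordinary user.
PROFILE_LIST = {
    "S-1-5-21-1844237615-2111687655-839522115-500": r"%SystemDrive%\Documents and Settings\Administrator",
    "S-1-5-21-1844237615-2111687655-839522115-1005": r"%SystemDrive%\Documents and Settings\jdoe",
}

# Constructed environment; on a real system this comes from the OS.
ENV = {"SystemDrive": "C:"}

# Constructed directory listings of the two Startup folders. Normal content is
# shortcuts (.lnk); a bare executable is what the text describes Zbot dropping.
LISTING = {
    r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup": ["desktop.ini", "ecymyhuojq.exe"],
    r"C:\Documents and Settings\jdoe\Start Menu\Programs\Startup": ["desktop.ini", "Office Startup.lnk"],
}

_VAR_RE = re.compile(r"%([^%]+)%")


def expand_vars(path, env):
    # Expand %NAME% references the way ProfileImagePath (REG_EXPAND_SZ) stores them.
    return _VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), path)


def startup_folders(profile_list, env):
    # Derive each profile's Startup folder from its ProfileImagePath, the same
    # derivation the text walks through for the administrator SID.
    return {
        sid: ntpath.join(expand_vars(image_path, env), "Start Menu", "Programs", "Startup")
        for sid, image_path in profile_list.items()
    }


def find_startup_executables(folders, listing):
    # Report (sid, full path) for every raw executable in any profile's Startup folder.
    hits = []
    for sid, folder in folders.items():
        for name in listing.get(folder, []):
            if name.lower().endswith(".exe"):
                hits.append((sid, ntpath.join(folder, name)))
    return hits


FOLDERS = startup_folders(PROFILE_LIST, ENV)
SUSPECT = find_startup_executables(FOLDERS, LISTING)

if __name__ == "__main__":
    for sid, path in SUSPECT:
        print(f"{sid}: unexpected executable in Startup folder: {path}")
```

On a live host the two constructed dictionaries would be replaced by reading the ProfileList key and listing the derived folders; ntpath is used so the Windows path joins are reproduced even when the check runs offline against exported data.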

Removable, fixed, shared and remote drives

Some variants of Zbot might arrive as an infected file. These infected files are detected as Virus:Win32/Zbot.C.

Installation

Earlier versions of PWS:Win32/Zbot have been observed dropping copies of itself as any of the following files:

ntos.exe
sdra64.exe
twex.exe

It also drops the following files, containing encrypted data used by the trojan, to the wsnpoem folder:

audio.dll
video.dll

It also creates either of the following encrypted log files, in which it can store the stolen data:

wain_32\user.ds
lowsec\user.ds

PWS:Win32/Zbot changes the registry to ensure that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
Sets value: "userinit"
With data: "userinit.exe,<file name>"

where <file name> is any of the file names mentioned above.

Recent versions of PWS:Win32/Zbot have been observed dropping copies of itself as a randomly named file:

%APPDATA%\<random file name>.exe
%TEMP%\<random file name>.exe

For example:

C:\Documents and Settings\Administrator\Application Data\ecymyhuojq.exe

Some variants make the following changes to the registry to ensure that they run each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random file name>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{449829B8-9322-5694-4C31-974E87EDDDA5}"
With data: "C:\Documents and Settings\Administrator\Application data\ecymyhuojq.exe"

Newer variants might make the following changes for the same purpose:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<random name>"
With data: "%APPDATA%\<random file name>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "Kubimiytv"
With data: "c:\documents and settings\administrator\application data\okhoekeek.exe"

Zbot injects code into the address space of all running processes whose privilege level matches that of the currently logged-on user. If that is not possible, the trojan injects its code into all user-level processes (such as "explorer.exe" and "iexplore.exe"). This behavior is intended to hide the trojan from security applications.

It also hooks the following Windows system APIs to help it capture sensitive data, for example, online banking and shopping, email credentials and network information:

NSPR.DLL: PR_OpenTCPSocket, PR_Close, PR_Poll, PR_Read, PR_Write
NTDLL.DLL: LdrLoadDll, NtCreateThread, NtCreateUserProcess, RtlUserThreadStart, ZwCreateThread
KERNEL32.DLL: GetFileAttributesExW
WININET.DLL: HttpSendRequestW, HttpSendRequestA, HttpSendRequestExW, HttpSendRequestExA, InternetCloseHandle, InternetReadFile, InternetReadFileExA, InternetReadFileExW, InternetWriteFile, InternetQueryDataAvailable, HttpQueryInfoA, HttpQueryInfoW, InternetSetStatusCallbackW, InternetSetStatusCallbackA, InternetSetOptionA
WS2_32.DLL: closesocket, send, WSASend, recv, WSARecv, WSAGetOverlappedResult
GDI32.DLL: OpenInputDesktop, SwitchDesktop, DefWindowProcW, DefWindowProcA, DefDlgProcW, DefDlgProcA, DefFrameProcW, DefFrameProcA, DefMDIChildProcW, DefMDIChildProcA, CallWindowProcW, CallWindowProcA, RegisterClassW, RegisterClassA, RegisterClassExW, RegisterClassExA
USER32.DLL: BeginPaint, EndPaint, GetDCEx, GetDC, GetWindowDC, ReleaseDC, GetUpdateRect, GetUpdateRgn, GetMessagePos, GetCursorPos, SetCursorPos, SetCapture, ReleaseCapture, GetCapture, GetMessageW, GetMessageA, PeekMessageW, PeekMessageA, TranslateMessage, GetClipboardData
CRYPT32.DLL: PFXImportCertStore
SSLEAY32.DLL: SSL_write, SSL_read
SECUR32.DLL: DeleteSecurityContext, EncryptMessage, DecryptMessage
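User-mode hooks of the kind listed above are placed by overwriting the first bytes of the target export with a control transfer into the injected code, so a responder can find them by comparing each export's in-memory prologue with the same bytes in the DLL on disk. The following is an added example, not code from the original page or from Microsoft: the byte strings are constructed stand-ins (the 32-bit hotpatch prologue mov edi,edi; push ebp; mov ebp,esp is assumed for the clean exports), and the three redirect shapes it recognises (jmp rel32, push/ret, jmp [abs32]) are common inline-hook forms rather than anything the page attributes to Zbot specifically.

```python
import struct

# Constructed sample: the first bytes of each export as read from the DLL on
# disk versus from the running process. A real check would read both from the
# target system; these are hand-made stand-ins for the demonstration.
HOTPATCH = bytes.fromhex("8bff558bec")  # mov edi,edi; push ebp; mov ebp,esp (assumed prologue)

ON_DISK = {
    "wininet.dll!HttpSendRequestW": HOTPATCH + bytes.fromhex("83ec10"),
    "ws2_32.dll!send": HOTPATCH + bytes.fromhex("8b4508"),
    "kernel32.dll!GetFileAttributesExW": HOTPATCH + bytes.fromhex("83ec14"),
    "user32.dll!GetClipboardData": HOTPATCH + bytes.fromhex("5dc3"),
}

IN_MEMORY = dict(ON_DISK)
# jmp rel32 written over the first five bytes of HttpSendRequestW.
IN_MEMORY["wininet.dll!HttpSendRequestW"] = b"\xe9" + struct.pack("<i", 0x1000) + bytes.fromhex("83ec10")
# push imm32 / ret trampoline written over the first six bytes of send.
IN_MEMORY["ws2_32.dll!send"] = b"\x68" + struct.pack("<I", 0x00AB0000) + b"\xc3" + bytes.fromhex("4508")
# jmp dword ptr [abs32] written over the first six bytes of GetFileAttributesExW.
IN_MEMORY["kernel32.dll!GetFileAttributesExW"] = b"\xff\x25" + struct.pack("<I", 0x00403000) + bytes.fromhex("ec14")


def classify_prologue(mem, func_addr=0):
    # Describe the redirect if the function now begins with a control transfer;
    # func_addr is the export's load address, needed to resolve a relative jump.
    if len(mem) >= 5 and mem[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return f"jmp rel32 -> {func_addr + 5 + rel:#x}"
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:   # push imm32; ret
        return f"push/ret -> {struct.unpack_from('<I', mem, 1)[0]:#x}"
    if len(mem) >= 6 and mem[0] == 0xFF and mem[1] == 0x25:   # jmp dword ptr [abs32]
        return f"jmp [{struct.unpack_from('<I', mem, 2)[0]:#x}]"
    return None


def detect_inline_hooks(on_disk, in_memory, func_addrs=None):
    # Compare each export's in-memory prologue with the on-disk image and report
    # every mismatch, naming the redirect type where one is recognised.
    func_addrs = func_addrs or {}
    hooked = {}
    for name, disk_bytes in on_disk.items():
        mem_bytes = in_memory.get(name)
        if mem_bytes is None or mem_bytes == disk_bytes:
            continue
        hooked[name] = classify_prologue(mem_bytes, func_addrs.get(name, 0)) or "prologue differs from on-disk image"
    return hooked


HOOKS = detect_inline_hooks(ON_DISK, IN_MEMORY)

if __name__ == "__main__":
    for name, why in HOOKS.items():
        print(f"{name}: {why}")
```

Two caveats for use on a real host: the on-disk bytes must come from the same DLL version that is loaded, and security products also install hooks of exactly this shape, so a mismatch is a lead to resolve (which module does the target address belong to?), not a verdict. The export list above tells you which DLLs are worth checking first.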

If the infected PC is running a Remote Desktop Service (RDS), Zbot creates a copy of itself in the default user startup folder as a randomly named file:

<profile path>\Programs\Startup\<random file name>.exe

Examples of the <profile path> are:

%USERPROFILE%\Default user
%USERPROFILE%\Default
%USERPROFILE%

Payload

Downloads other malware, including ransomware

We've seen Win32/Zbot downloading variants from the Trojan:Win32/Crilock family. This is a family of ransomware that will encrypt the files on your PC and then demand money to unlock them.

You can help protect your PC from ransomware by reading more about Trojan:Win32/Crilock.A and our help topics about ransomware in general.

Disables the Firewall

Zbot makes the following changes to the registry to disable the Windows Firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Changes value: "EnableFirewall"
With data: "0"

It also stops the following processes:

Outpost Firewall - outpost.exe
Zone Alarm Firewall - zlclient.exe

Changes Firewall settings

Zbot makes the following changes to the registry to prevent Windows Firewall from blocking the threat's UDP port:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Changes value: "DisableNotifications"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Changes value: "<port>:UDP"
With data: "<port>:udp:*:enabled:udp <name>"

Lowers Internet Explorer security

PWS:Win32/Zbot lowers Internet Explorer security settings by making the following changes to the registry:

Disables phishing filtering:

In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"

Prevents the removal of expired Internet Explorer browser cookies:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"

Lowers Internet Explorer Internet zone security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
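The persistence entries under "Installation" (the Winlogon userinit append and the %APPDATA% Run values) and the firewall and Internet Explorer changes in the last three sections are all plain registry values, so one audit over a regedit export covers them together. The following is an added example, not code from the original page or from Microsoft: it parses a constructed export that reuses the example values from the text plus a benign ctfmon Run entry, and applies the checks the text motivates. The key-suffix matching and the Run-key heuristic (GUID-named value, or a target under Application Data, AppData or Temp) are this example's own assumptions.

```python
import re

# Constructed regedit export for the demonstration. Values reuse the examples
# from the text; the ctfmon entry is a constructed benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{449829B8-9322-5694-4C31-974E87EDDDA5}"="C:\\Documents and Settings\\Administrator\\Application Data\\ecymyhuojq.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    # Parse a regedit export into {key: {value name: data}}. REG_SZ strings are
    # unescaped (doubled backslashes collapsed); REG_DWORD values become ints.
    # Default values (@=...) and binary data are ignored for this check.
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            reg[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            reg[current][name] = data[1:-1].replace("\\\\", "\\")
    return reg


_GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
_ZONE_RE = re.compile(r"\\internet settings\\zones\\\d+$")
_USER_DIRS = ("\\application data\\", "\\appdata\\", "\\temp\\")


def audit(reg):
    # Apply the checks the text motivates; returns (check, detail) tuples.
    findings = []
    for key, values in reg.items():
        k = key.lower()
        lower = {n.lower(): v for n, v in values.items()}
        if k.endswith("\\currentversion\\winlogon"):
            # A clean value is "...\userinit.exe," with nothing after the comma.
            for extra in str(lower.get("userinit", "")).split(",")[1:]:
                if extra.strip():
                    findings.append(("userinit-append", extra.strip()))
        elif k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if isinstance(data, str) and (
                        _GUID_RE.fullmatch(name.lower()) or any(d in data.lower() for d in _USER_DIRS)):
                    findings.append(("run-key", f"{name} -> {data}"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if lower.get("enablefirewall") == 0:
                findings.append(("firewall-disabled", key))
            if lower.get("disablenotifications") == 1:
                findings.append(("firewall-notifications-off", key))
        elif k.endswith("\\internet explorer\\phishingfilter"):
            for name in ("enabled", "enabledv8"):
                if lower.get(name) == 0:
                    findings.append(("ie-phishing-filter-off", name))
        elif k.endswith("\\internet explorer\\privacy"):
            if lower.get("cleancookies") == 0:
                findings.append(("ie-cookie-cleanup-off", key))
        elif _ZONE_RE.search(k):
            for name in ("1406", "1609"):
                if lower.get(name) == 0:
                    findings.append(("ie-zone-lowered", f"{key} {name}=0"))
    return findings


FINDINGS = audit(parse_reg_export(SAMPLE_REG))

if __name__ == "__main__":
    for check, detail in FINDINGS:
        print(f"{check}: {detail}")
```

Export the hives with regedit /e (or reg export) on the host or from an offline hive and feed the text in; the Run-key heuristic will also surface legitimate per-user software installed under AppData, so treat those hits as a list to review against the random-name and GUID-name patterns the text describes.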

Lowers Firefox web browser security

PWS:Win32/Zbot might change settings for the web browser Mozilla Firefox, including the following:

Disable your ability to clear Internet cookies
Disable the display of warning messages when viewing mixed secure and unsecure webpages
Disable the display of warning messages when submitting data to unsecure pages

Lets a malicious hacker access your PC

PWS:Win32/Zbot lets a malicious hacker gain access and control your PC, to varying degrees. Its level of control depends on the information in the configuration data in each particular variant.

The trojan could do, but is not limited to, any of the following actions:

Reboot/shut down your PC
Uninstall Zbot
Update Zbot and its configuration file
Search and remove files and directories
Log you off your PC
Run a program
Steal or delete Internet Explorer cookies
Steal or delete certificates
Block or unblock URLs
Change the Internet Explorer homepage
Steal your FTP credentials
Steal your email login credentials
Steal your Flash Player credentials

Downloads configuration data file

Some variants of Zbot download a configuration file from a remote server that determines how the trojan will behave. The trojan can generate up to 1020 pseudo-randomly named domains, and tries to connect with the generated list to download a configuration file. The generated domain names are based on the system date and time and have one of the following suffixes:

biz
com
info
net
org
ru

Some examples include:

dhqwyelbpndaqwljampjsoea.info
hbixougjfqxkftswinlfbars.org
jvklraqgyofcqhikfbazlltauhi.biz
ofvgupbpsgaumfvkbuobevceuv.ru
rvowslrmvnfkblkfyttpfemwx.com
tsljnihhusyxzddltpci.net

The configuration file contains data used by the malware like the following:

Locations from which to download updates for Zbot
Locations from which to download additional data files
The version of the malware
Online financial institutions to target
HTML and JavaScript code for its data-stealing payload

The trojan checks a predefined list of 20 IP addresses and ports of other infected PCs. Upon successful contact, the configuration file containing the C&C server is fetched from those other infected PCs (the "peers"). The list of peers is updated whenever other peers contact the installed copy of Zbot. Information on up to 100 peers (IP address and UDP port combinations) can be stored.

If none of the initial 10 peers respond, the trojan can generate up to 1000 pseudo-randomly named domains and tries to connect to the generated list to download a new peer list. The data read from the domain is RSA-signed and validated using the public key stored in the trojan's body.
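The domain-generation behaviour above has a visible side effect: a client that works through hundreds of date-derived names under the six listed suffixes produces a burst of NXDOMAIN answers for long, random-looking labels. The following is an added example, not code from the original page or from Microsoft, and it does not reproduce Zbot's generation algorithm (the page does not give it); it scores registrable labels by length and character entropy and counts failed lookups per client. The log format, the thresholds (16 characters, 3.2 bits, 3 hits) and the sample lines are this example's own constructions, tuned so that the six sample names from the text are caught.

```python
import math
import re
from collections import Counter, defaultdict

# Suffixes the text lists for Zbot's generated domain names.
DGA_SUFFIXES = {"biz", "com", "info", "net", "org", "ru"}


def shannon_entropy(s):
    # Bits per character: random-looking labels score high, dictionary words low.
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_generated(domain, min_len=16, min_entropy=3.2):
    # Heuristic (assumed thresholds): a long, high-entropy registrable label under
    # one of the listed suffixes. Legitimate names can trip it, so it is a triage
    # signal to combine with the per-client NXDOMAIN count below, not proof.
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in DGA_SUFFIXES:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


# Hypothetical resolver log format: "<timestamp> host=<client> query=<name> rcode=<code>".
LOG_RE = re.compile(r"host=(\S+)\s+query=(\S+)\s+rcode=(\S+)")


def find_dga_clients(lines, min_hits=3):
    # A client that fails to resolve several generated-looking names in one
    # window is behaving like a Zbot working through its domain list.
    hits = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


# Constructed sample log: ws17 walks the six example names from the text,
# ws04 does ordinary lookups (one of them a typo that also fails to resolve).
SAMPLE_LOG = """
2019-05-10T12:00:01 host=ws04 query=www.microsoft.com rcode=NOERROR
2019-05-10T12:00:02 host=ws17 query=dhqwyelbpndaqwljampjsoea.info rcode=NXDOMAIN
2019-05-10T12:00:02 host=ws17 query=hbixougjfqxkftswinlfbars.org rcode=NXDOMAIN
2019-05-10T12:00:03 host=ws17 query=jvklraqgyofcqhikfbazlltauhi.biz rcode=NXDOMAIN
2019-05-10T12:00:03 host=ws04 query=us.hsbc.com rcode=NOERROR
2019-05-10T12:00:04 host=ws17 query=ofvgupbpsgaumfvkbuobevceuv.ru rcode=NXDOMAIN
2019-05-10T12:00:04 host=ws17 query=rvowslrmvnfkblkfyttpfemwx.com rcode=NXDOMAIN
2019-05-10T12:00:05 host=ws17 query=tsljnihhusyxzddltpci.net rcode=NXDOMAIN
2019-05-10T12:00:05 host=ws04 query=ktt.key.com rcode=NOERROR
2019-05-10T12:00:06 host=ws04 query=typo-in-a-long-hostname.example rcode=NXDOMAIN
""".strip().splitlines()

ALERTS = find_dga_clients(SAMPLE_LOG)

if __name__ == "__main__":
    for client, n in ALERTS.items():
        print(f"{client}: {n} failed lookups of generated-looking domains")
```

Because the generated names depend on the system date, the same burst recurs daily on an infected host while it cannot reach a live domain; running the count per client per day and keeping the flagged names gives the responder the candidate sinkhole list as well as the host to isolate.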

Steals sensitive information

PWS:Win32/Zbot hooks APIs used by Internet Explorer and Mozilla Firefox; it does this to monitor your online activities. It also injects HTML code into target websites to steal login credentials, when you visit these websites.

The trojan steals the following sensitive information from your PC:

Digital certificates
Internet Explorer and Firefox cookies
Cached passwords
Logged keystrokes
Images of screen and window captures
Passwords and other details (like credit card numbers), as you enter them into targeted websites
Bitcoin wallet credentials (through monitoring the Bitcoin clients bitcoin-qt.exe and bitcoind.exe)

It also monitors online activity by intercepting targeted websites listed in the configuration file to steal your personal information like user name, password and credit card details.

The following are some of the target websites found in the configuration file of Zbot:

amazon.com
blogger.com
flickr.com
livejournal.com
myspace.com
youtube.com
microsoft.com
facebook.com
ktt.key.com/ktt/cmd/logonFromKeyCom
ktt.key.com/ktt/cmd/validatePinForm
feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&
us.hsbc.com

Steals FTP credentials

The trojan collects FTP credentials (IP, port, user name, and password) from the following FTP software:

FlashFXP
Total Commander
ws_ftp
FileZilla
FAR/FAR2
winscp
FTP Commander
CoreFTP
SmartFTP

Steals Windows Mail and Windows Live mail credentials

If your PC is running on Windows XP or below, Win32/Zbot uses the COM libraries "msoeacct.dll" and "wab32.dll" to capture the following details:

Windows mail account name
Email address
Server
User name
Password

The DLL files are searched in the directory defined in the registry key:

HKLM\SOFTWARE\Microsoft\WAB\DLLPath

Otherwise, if running on Windows Vista, Windows 7, or Windows 8, the trojan captures the credentials by parsing the Windows mail folder, specified in this registry subkey:

HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root

Steals "Full Tilt Poker" credentials

Win32/Zbot might capture logon credentials for the online gaming program "Full Tilt Poker". The trojan resets logon data by deleting the following registry value:

HKCU\Software\Full Tilt Poker\UserInfo\UserName

The malware then monitors for logon activity for the game, and captures any credentials you enter.

It also logs keystrokes and gets desktop and window snapshots of the infected PC.

Tampers with Trusteer security components

If the Trusteer DLL components rooksbas.dll and rapportgp.dll exist on your PC, the trojan might try to patch the DLLs in memory to avoid being detected.

Analysis by Rodel Finones & Zarestel Ferrer

Last update 10 May 2019
