Win32/Zbot

Encyclopedia entry
Updated: Apr 28, 2013  |  Published: Apr 30, 2010

Aliases
  • Zeus (other)
  • Wsnpoem (Symantec)
  • Citadel (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.

Summary

PWS:Win32/Zbot is a family of trojans that is created/generated by kits known as "Zeus"; these kits are bought and sold on the cyberworld black market.

Commonly, variants of the PWS:Win32/Zbot family may:

  • Lower Internet browser security
  • Disable the computer's firewall
  • Steal user and computer information
  • Allow unauthorized access and control of an affected computer

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • <system folder>\ntos.exe
    • <system folder>\sdra64.exe
    • <system folder>\twex.exe
    • <system folder>\wsnpoem\audio.dll
    • <system folder>\wsnpoem\video.dll
    • <system folder>\twain_32\user.ds
    • <system folder>\lowsec\local.ds
    • <system folder>\lowsec\user.ds

  • The following programs may stop running for no obvious reason:
    • Outpost Firewall - outpost.exe
    • Zone Alarm Firewall - zlclient.exe

Technical Information (Analysis)

PWS:Win32/Zbot is a family of trojans that is created/generated by kits known as "Zeus"; these kits are bought and sold on the cyberworld black market.

Commonly, variants of the PWS:Win32/Zbot family may:

  • Lower Internet browser security
  • Disable the computer's firewall
  • Steal user and computer information
  • Allow unauthorized access and control of an affected computer

The trojan is often distributed in spam emails, via compromised websites, or may be packaged with other malware families.

It may also hook API addresses and perform webpage injection in order to monitor online banking activities.

Distribution methods

PWS:Win32/Zbot is a widespread and pervasive malware family. It uses several different methods in order to spread and compromise your computer.

Downloaded by other malware

PWS:Win32/Zbot may be installed by other malware or exploit families. Families such as the following have been observed downloading Zbot as part of their criminal activity to steal information about the infected computer:

PWS:Win32/Zbot may also be downloaded as a payload for exploit kits such as blackhole (we detect this as Blacole), and for exploits including:

Spam email

The trojan may arrive as an attachment in a spammed email message.

Below are examples of a few notorious spam runs encountered in the past years:

Subject: <Courier name> Failure Delivery Notification Message
Attachment: SN_122010.zip

Subject: <Social network site> Password Reset Confirmation
Attachment: <Social network site>_Password_e9081.zip

Subject: <Software company> Software Critical Upgrade Notification ID: RA4NFDKPJBD
Attachment: <Software company>Systems-Software_Critica Update_Dec_2011-6PGCF713B.zip

Subject: Important Account Information from <Company name> TRACK-ID: 70341011278
Attachment: <Company name>-Account-Status-Notification-Dec-2011.exe

Subject: Your credit balance is over its limits.
Attachment: balancechecker.zip

Phishing pages and exploit kits

Exploit kits have also been observed generating versions of PWS:Win32/Zbot to spread to vulnerable computers.

We have observed spam emails with the following subjects that contained a link to a phishing page disguised as a social networking, courier, or online banking site; the page then redirected users to sites hosting PWS:Win32/Zbot generated by exploit kits:

  • Subject: New login system
  • Subject: Password reset

Below is an example of a spam email known to direct users to phishing pages hosting the trojan:

Subject: your <Company Name> money transfer has been authorized

Bundled with other malware

Some variants of Zbot have been observed to be bundled with an exploit component detected as Exploit:Win32/CplLnk.B.

Remote Desktop Service

If your computer uses Remote Desktop Service (RDS) and is connected to other computers, Zbot may attempt to install itself on your computer through this channel.

If your computer is running a Remote Desktop Service, Zbot may attempt to run a process for every connected RDS session and create a copy of itself in the startup folder:

%RDSUserProfilePath%\Start Menu\Programs\Startup\<random letters>.exe

where %RDSUserProfilePath% is generated by enumerating each user in this registry key using the user's unique security identifier (SID):

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Sets value: ProfileImagePath

For example:

If the administrator account SID is:

S-1-5-21-1844237615-2111687655-839522115-500

Then the profile subkey will be:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-2111687655-839522115-500

If ProfileImagePath is:

%SystemDrive%\Documents and Settings\Administrator

Then the full path of the dropped file will be:

C:\Documents and Settings\Administrator\Programs\Startup\<random letters>.exe

This means that, as the affected computer is remotely connected to other computers, they risk being infected as well.

Removable, fixed, shared and remote drives

Some variants of Zbot may arrive as an infected file. These infected files are detected as either Virus:Win32/Zbot.C or Virus:Win32/Zbot.C.

Installation

Earlier versions of PWS:Win32/Zbot have been observed dropping copies of itself as any of the following files:

It also drops the following files, containing encrypted data used by the trojan, to the folder "<system folder>\wsnpoem\":

  • audio.dll
  • video.dll

It also creates either of the following encrypted log files, in which it may store the stolen data:

  • <system folder>\twain_32\user.ds
  • <system folder>\lowsec\user.ds

PWS:Win32/Zbot modifies the registry to ensure that its copy is executed at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon
Sets value: "userinit"
With data: "<system folder>\userinit.exe,<system folder>\<malware file>"

where <malware file> is any of the file names mentioned above.

Recent versions of PWS:Win32/Zbot have been observed dropping copies of itself as a randomly named file:

%APPDATA%\<random letters>\<random letters>.exe

For example:

C:\Documents and Settings\Administrator\Application Data\ecymy\huojq.exe

Some variants modify the registry to ensure that the malware is executed at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"

For example:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: {449829B8-9322-5694-4C31-974E87EDDDA5}
With data: "C:\Documents and Settings\Administrator\Application data\ecymy\huojq.exe"

Newer variants may make the following modification for the same purpose:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: <random letters>
With data: "%APPDATA%\<random letters>\<random letters>.exe"
 
For example:

In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "Kubimiytv"
With data: "c:\documents and settings\administrator\application data\okhoe\keek.exe"

Zbot injects its code into the address space of all running processes when the currently logged-on user has sufficient privilege to do so; otherwise, it injects only into user-level processes (such as "explorer.exe", "iexplore.exe" and so on). This behavior is intended to hide the trojan's activity from security applications.

It also hooks the following Windows system APIs to aid in the capture of sensitive data, for example, online banking and shopping, email credentials and network information:

  • NSPR.DLL
    • PR_OpenTCPSocket
    • PR_Close
    • PR_Poll
    • PR_Read
    • PR_Write
  • NTDLL.DLL
    • LdrLoadDll
    • NtCreateThread
    • NtCreateUserProcess
    • RtlUserThreadStart
    • ZwCreateThread
  • KERNEL32.DLL
    • GetFileAttributesExW
  • WININET.DLL
    • HttpSendRequestW
    • HttpSendRequestA
    • HttpSendRequestExW
    • HttpSendRequestExA
    • InternetCloseHandle
    • InternetReadFile
    • InternetReadFileExA
    • InternetReadFileExW
    • InternetWriteFile
    • InternetQueryDataAvailable
    • HttpQueryInfoA
    • HttpQueryInfoW
    • InternetSetStatusCallbackW
    • InternetSetStatusCallbackA
    • InternetSetOptionA
  • WS2_32.DLL
    • closesocket
    • send
    • WSASend
    • recv
    • WSARecv
    • WSAGetOverlappedResult 
  • GDI32.DLL
    • OpenInputDesktop
    • SwitchDesktop
    • DefWindowProcW
    • DefWindowProcA
    • DefDlgProcW
    • DefDlgProcA
    • DefFrameProcW
    • DefFrameProcA
    • DefMDIChildProcW
    • DefMDIChildProcA
    • CallWindowProcW
    • CallWindowProcA
    • RegisterClassW
    • RegisterClassA
    • RegisterClassExW
    • RegisterClassExA
  • USER32.DLL
    • BeginPaint
    • EndPaint
    • GetDCEx
    • GetDC
    • GetWindowDC
    • ReleaseDC
    • GetUpdateRect
    • GetUpdateRgn
    • GetMessagePos
    • GetCursorPos
    • SetCursorPos
    • SetCapture
    • ReleaseCapture
    • GetCapture
    • GetMessageW
    • GetMessageA
    • PeekMessageW
    • PeekMessageA
    • TranslateMessage
    • GetClipboardData
  • CRYPT32.DLL
    • PFXImportCertStore
  • SSLEAY32.DLL
    • SSL_write
    • SSL_read 
  • SECUR32.DLL
    • DeleteSecurityContext
    • EncryptMessage
    • DecryptMessage 

If the infected computer is running a Remote Desktop Service (RDS), Zbot creates a copy of itself in the default user startup folder as a randomly named file:

<DefaultUserPath>\Programs\Startup\<random letters>.exe

Examples of the <DefaultUserPath> are:

Payload

Disables the Firewall

Zbot makes the following changes to the registry in order to disable the Windows Firewall:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Modifies value: "EnableFirewall"
With data: "0"

It also terminates the following processes:

  • Outpost Firewall - outpost.exe
  • Zone Alarm Firewall - zlclient.exe

Lowers Internet Explorer web browser security

PWS:Win32/Zbot lowers Internet Explorer web browser security settings by making the following changes to the registry:

Disables phishing filtering:

In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "Enabled"
With data: "0"
Sets value: "EnabledV8"
With data: "0"

Prevents the removal of expired Internet Explorer browser cookies:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
Sets value: "CleanCookies"
With data: "0"

Lowers Internet Explorer Internet zone security settings:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1406"
With data: "0"
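The registry changes described in this entry can be triaged from a hive export: the ProfileList walk under "Remote Desktop Service", the Winlogon and Run persistence values under "Installation", and the firewall and Internet Explorer settings listed in this Payload section. The following Python script is an added example; it is not part of this entry and not a Microsoft tool. SAMPLE_REG is a constructed `reg export` fragment whose keys and values mirror the ones given above (a real export stores ProfileImagePath as a `hex(2)` REG_EXPAND_SZ value; it is written as a plain string here for brevity). The name-shape test for Run values (a volume-GUID name, or a random-letter folder and .exe under the roaming profile) is an assumption drawn from the examples above, not a detection signature.

```python
"""Triage a Windows .reg export for the Zbot registry indicators in this entry:
ProfileList -> RDS Startup folders, Winlogon/Run persistence, firewall switch,
Internet Explorer settings. Added example, not from the entry; SAMPLE_REG is constructed."""
import re

# Constructed 'reg export' fragment mirroring the paths and values the entry lists.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-2111687655-839522115-500]
"ProfileImagePath"="%SystemDrive%\\Documents and Settings\\Administrator"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{449829B8-9322-5694-4C31-974E87EDDDA5}"="C:\\Documents and Settings\\Administrator\\Application Data\\ecymy\\huojq.exe"
"Kubimiytv"="c:\\documents and settings\\administrator\\application data\\okhoe\\keek.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"EnabledV8"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
# Random-letter folder and .exe under the roaming profile (XP and Vista+ layouts); an assumption.
APPDATA_EXE_RE = re.compile(r'(?:application data|appdata\\roaming)\\[a-z]+\\[a-z]+\.exe$', re.I)
# Key paths are lowercased because parse_reg_export() lowercases keys.
PROFILELIST = r'hkey_local_machine\software\microsoft\windows nt\currentversion\profilelist'
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
RUN_KEY = r'hkey_current_user\software\microsoft\windows\currentversion\run'
FIREWALL = r'hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile'
PHISHING = r'hkey_current_user\software\microsoft\internet explorer\phishingfilter'
ZONES = r'hkey_current_user\software\microsoft\windows\currentversion\internet settings\zones'

def parse_reg_export(text):
    """Parse .reg text into {key (lowercased): {value name: data}}.
    Quoted strings are unescaped, dword values become int, other types stay raw."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            hives.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('dword:'):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            hives[current][name] = data
    return hives

def _get(hives, key, name):
    """Case-insensitive value lookup (the entry spells keys and values inconsistently)."""
    for n, d in hives.get(key, {}).items():
        if n.lower() == name.lower():
            return d
    return None

def rds_startup_folders(hives, system_drive='C:'):
    """Walk ProfileList by SID as the entry describes and return the Startup
    folder Zbot would drop its copy into for each profile."""
    folders = []
    for key in hives:
        if key.startswith(PROFILELIST + '\\') and key.rsplit('\\', 1)[-1].startswith('s-1-5-'):
            path = _get(hives, key, 'ProfileImagePath')
            if isinstance(path, str):
                path = re.sub(r'%systemdrive%', system_drive, path, flags=re.I)
                folders.append(path + r'\Start Menu\Programs\Startup')
    return folders

def check_zbot_indicators(hives):
    """Return (indicator, detail) pairs for the registry changes the entry attributes to Zbot."""
    findings = []
    # Winlogon\Userinit normally names only userinit.exe; Zbot appends its copy after a comma.
    for part in (_get(hives, WINLOGON, 'Userinit') or '').split(','):
        part = part.strip()
        if part and part.lower().rsplit('\\', 1)[-1] != 'userinit.exe':
            findings.append(('winlogon-userinit', part))
    # Run values named like a volume GUID, or pointing at <random>\<random>.exe under the profile.
    for name, data in hives.get(RUN_KEY, {}).items():
        if isinstance(data, str) and (GUID_RE.match(name) or APPDATA_EXE_RE.search(data)):
            findings.append(('run-key', name + ' -> ' + data))
    # Standard-profile Windows Firewall switched off.
    if _get(hives, FIREWALL, 'EnableFirewall') == 0:
        findings.append(('firewall-disabled', 'EnableFirewall=0'))
    # IE phishing filter switched off (legacy value and the IE8 value).
    for value in ('Enabled', 'EnabledV8'):
        if _get(hives, PHISHING, value) == 0:
            findings.append(('ie-phishing-filter-off', value))
    # Zone actions 1406 (access data sources across domains) and 1609 (display
    # mixed content) set to 0, i.e. allowed without prompting.
    for key, values in hives.items():
        if key.startswith(ZONES + '\\'):
            zone = key.rsplit('\\', 1)[-1]
            for name, data in values.items():
                if name in ('1406', '1609') and data == 0:
                    findings.append(('ie-zone-lowered', zone + ':' + name))
    return findings

def run_sample():
    """Run both checks over the constructed export; returns (startup folders, findings)."""
    hives = parse_reg_export(SAMPLE_REG)
    return rds_startup_folders(hives), check_zbot_indicators(hives)
```

On a suspect host, export the keys with `reg export <key> out.reg` (the output is UTF-16; decode it before passing the text to `parse_reg_export`). The Startup folders returned by `rds_startup_folders` are the places to list for a random-named `.exe`; the Userinit check is the most reliable of the five, since a second comma-separated entry in that value is rarely legitimate.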

Lowers Firefox web browser security

PWS:Win32/Zbot may modify settings for the web browser Mozilla Firefox including the following:

  • Disable the clearing of Internet cookies
  • Disable the display of warning messages when viewing mixed secured and unsecure webpages
  • Disable the display of warning messages when submitting data to unsecure pages

Allows remote access and control

PWS:Win32/Zbot allows varying degrees of remote access and control, depending on the information in the configuration data in each particular variant.

The trojan could perform, but is not limited to, any of the following actions:

  • Reboot/shut down your computer
  • Uninstall Zbot
  • Update Zbot and its configuration file
  • Search and remove files and directories
  • Log you off your computer
  • Run a program
  • Steal or delete Internet Explorer cookies
  • Steal or delete certificates
  • Block or unblock URLs
  • Change the Internet Explorer homepage
  • Steal your FTP credentials
  • Steal your email login credentials
  • Steal your Flash Player credentials

Downloads configuration data file

Some variants of Zbot download a configuration file from a remote server that determines how the trojan will behave. The trojan may generate up to 1020 pseudo-randomly named domains, and attempt connections with the generated list to download a configuration file. The generated domain names are based on the system date and time and have one of the following suffixes:

  • biz
  • com
  • info
  • net
  • org
  • ru

Some examples include:

  • dhqwyelbpndaqwljampjsoea.info
  • hbixougjfqxkftswinlfbars.org
  • jvklraqgyofcqhikfbazlltauhi.biz 
  • ofvgupbpsgaumfvkbuobevceuv.ru
  • rvowslrmvnfkblkfyttpfemwx.com
  • tsljnihhusyxzddltpci.net
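The description above (long pseudo-random names under six suffixes, generated in bulk from the date and time) is enough for a coarse DNS-log screen. The following Python script is an added example, not part of this entry. The log lines are constructed, the line format (timestamp, client, query type, query name) is an assumption about the resolver, and the thresholds (a registrable label of 20 or more letters that is either vowel-poor or contains a five-consonant cluster) are heuristics chosen so that the six sample domains listed above are caught while ordinary long hostnames are not; they are not the Zbot generation algorithm.

```python
"""Screen DNS query logs for hostnames shaped like the pseudo-random
configuration-download domains the entry describes.
Added example, not from the entry; LOG_LINES and the log format are constructed."""

ZBOT_TLDS = {'biz', 'com', 'info', 'net', 'org', 'ru'}
VOWELS = set('aeiou')

# Constructed resolver log: benign lookups mixed with the entry's example domains.
LOG_LINES = """\
2013-04-28T10:15:01Z 192.0.2.15 A www.microsoft.com
2013-04-28T10:15:02Z 192.0.2.15 A dhqwyelbpndaqwljampjsoea.info
2013-04-28T10:15:02Z 192.0.2.15 A hbixougjfqxkftswinlfbars.org
2013-04-28T10:15:03Z 192.0.2.15 A feedback.ebay.com
2013-04-28T10:15:03Z 192.0.2.15 A jvklraqgyofcqhikfbazlltauhi.biz
2013-04-28T10:15:04Z 192.0.2.15 A thisisalonglegitimatehostname.com
2013-04-28T10:15:04Z 192.0.2.15 A ofvgupbpsgaumfvkbuobevceuv.ru
2013-04-28T10:15:05Z 192.0.2.15 A rvowslrmvnfkblkfyttpfemwx.com
2013-04-28T10:15:05Z 192.0.2.15 A us.hsbc.com
2013-04-28T10:15:06Z 192.0.2.15 A tsljnihhusyxzddltpci.net
2013-04-28T10:15:06Z 192.0.2.15 A dhqwyelbpndaqwljampjsoea.info
"""

def parse_query(line):
    """Pull the queried name from one log line (assumed format: ts client qtype qname)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[3].lower().rstrip('.')

def label_stats(label):
    """Return (vowel ratio, longest consonant run) for an alphabetic label."""
    vowels = run = longest = 0
    for c in label:
        if c in VOWELS:
            vowels += 1
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return vowels / len(label), longest

def looks_like_zbot_dga(host):
    """True for a long, all-letter registrable label under one of the listed
    suffixes that is either vowel-poor or contains a long consonant cluster."""
    labels = host.split('.')
    if len(labels) < 2 or labels[-1] not in ZBOT_TLDS:
        return False
    label = labels[-2]
    if len(label) < 20 or not label.isalpha():
        return False
    ratio, longest = label_stats(label)
    return ratio <= 0.30 or longest >= 5

def scan_log(lines):
    """Return the distinct matching query names in first-seen order."""
    hits = []
    for line in lines:
        host = parse_query(line)
        if host and looks_like_zbot_dga(host) and host not in hits:
            hits.append(host)
    return hits
```

Treat a hit as a lead rather than a verdict: a single long hostname can cross these thresholds legitimately, whereas a client that resolves dozens of such names within a short window, most of them failing, matches the bulk generation described above far more closely. Correlate with the file and registry indicators from the Symptoms and Installation sections before acting.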

The configuration file contains data used by the malware such as the following:

  • Locations from which to download updates for Zbot
  • Locations from which to download additional data files
  • The version of the malware
  • Online financial institutions to target
  • HTML and JavaScript code for performing its data stealing payload

Recent variants have been observed to improve their communication methodology by adopting a peer-to-peer (P2P) architecture (earlier variants communicated using command and control (C&C)), in order to receive commands, update and download the configuration file, and upload stolen information.

The infected computer, instead of accessing the C&C server directly, first checks a predefined list that contains IP addresses of other infected computers. Upon successful contact, it receives the configuration file, which identifies the C&C server.

Older variants used a centralized command and control method (thus, reaching out to a single specific server to receive instruction).

Steals sensitive information

PWS:Win32/Zbot hooks APIs used by Internet Explorer and Mozilla Firefox; it does this to monitor the online activities performed in the Internet browsers. It also injects HTML code into target websites to steal login credentials, when they are visited by affected users.

The trojan steals the following sensitive information from the affected computer:

  • Digital certificates
  • Internet Explorer and Firefox cookies
  • Cached passwords
  • Logged keystrokes
  • Images of screen and window captures
  • Passwords and other details (such as credit card numbers), as you enter them into targeted websites

It also monitors online activity by intercepting targeted websites listed in the configuration file, in order to steal user personal information like user name, password and credit card details.

The following are some of the target websites found in the configuration file of Zbot:

  • amazon.com
  • blogger.com
  • flickr.com
  • livejournal.com
  • myspace.com
  • youtube.com
  • microsoft.com
  • facebook.com
  • ktt.key.com/ktt/cmd/logonFromKeyCom
  • ktt.key.com/ktt/cmd/validatePinForm
  • feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&
  • us.hsbc.com

Steals FTP credentials

The trojan collects FTP credentials (IP, port, user name, and passwords) from the following FTP software:

  • FlashFXP
  • Total Commander
  • ws_ftp
  • FileZilla
  • FAR/FAR2
  • winscp
  • FTP Commander
  • CoreFTP
  • SmartFTP

Steals Windows Mail and Windows Live mail credentials

If the infected computer is running on Windows XP or below, Win32/Zbot uses COM libraries "msoeacct.dll" and "wab32.dll" to capture the following details:

  • Windows mail account name
  • Email address
  • Server
  • User name
  • Password

The trojan looks for these DLLs in the directory defined in the following registry key:

HKLM\SOFTWARE\Microsoft\WAB\DLLPath\

Otherwise, if running on Windows Vista and above, the trojan captures the credentials by parsing the Windows mail folder, specified in this registry subkey:

HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\

Steals "Full Tilt Poker" credentials

Win32/Zbot may capture logon credentials for the online gaming program "Full Tilt Poker". The trojan resets logon data by deleting the following registry value:

HKCU\Software\Full Tilt Poker\UserInfo\UserName

The malware then monitors for logon activity for the game, and captures credentials entered by the user.

It also logs keystrokes and gets desktop and window snapshots of the infected computer.

Analysis by Rodel Finones, Zarestel Ferrer


Prevention


Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Win32/Zbot attempts to steal sensitive and confidential information from affected users to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:

Additional remediation instructions for Win32/Zbot

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s:
