Backdoor:Win32/Zonebac.gen!B is a generic detection for a family of backdoors that lower Internet Explorer security settings and can be instructed by a remote host to perform additional actions.
Backdoor:Win32/Zonebac.gen variants are generally packed with the common packer UPX and install as a single executable file. Other variants may include an accompanying dynamic link library (DLL) to assist with communication and other tasks. Some variants use anti-analysis techniques such as string encryption and code obfuscation.
Installation
In a typical infection scenario, Zonebac first checks whether it is already installed on the affected system and terminates if it is. Otherwise, it copies itself to the Windows system folder and modifies the registry so that it loads at each Windows startup, as in the following example, where the variant has copied itself to <system folder>\spoolsv.exe:
Adds value: Lexmark_X79-55
With data: <system folder>\spoolsv.exe
Within subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The check for an existing installation is done with a mutual exclusion object (mutex): the Trojan creates a mutex with the following name and exits if it already exists, so that only one copy runs at a time: {FA531CC1-0497-11d3-A180-3333052276C3E}.
Zonebac drops the following files for its own use:
%Temp%\abc123.pid
%Temp%\<8 random hexadecimal characters (0-9, A-F)>
The Trojan checks for the presence of the following security-related processes:
ad-watch.exe
cavrid.exe
pavprsrv.exe
webproxy.exe
vir.exe
hsockpe.exe
firewallntservice.exe
spysweeperui.exe
ssu.exe
webrootdesktopfirewall.exe
mctskshd.exe
mpftray.exe
aluschedulersvc.exe
ccetvmgr.exe
spbbcsvc.exe
winssnotify.exe
dpasnt.exe
kav.exe
tsantispy.exe
ashserv.exe
avesvc.exe
sunprotectionserver.exe
sunserver.exe
bdmcon.exe
guardxkickoff.exe
njeeves.exe
zlh.exe
almon.exe
alsvc.exe
scftray.exe
Payload
Modifies System Security Settings
The Trojan modifies the registry to add the following external hosts to the Internet Explorer Trusted sites list:
whataboutadog.com
doginhispen.com
88.80.7.66
Zonebac.gen!B also alters numerous per-action security values in Internet Explorer's "Zone 2", the Trusted sites zone, which Internet Explorer describes as "This zone contains web sites that you trust not to damage your computer or your files." Because the hosts listed above have just been added to that zone, the relaxed settings apply to the backdoor's own sites. The Trojan alters the following values in Zone 2 under this subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1001
1004
1200
1201
1206
1402
1405
1406
1407
1604
1605
1606
1607
1609
1800
1802
1803
1805
1806
1807
1808
1A00
1A02
1A03
1A04
1A06
1A10
1C00
1E05
2001
2004
2100
2101
2200
2201
2300
It then sets the zone's overall level values so that the Trusted sites zone sits below its default security level.
Modifies values:
CurrentLevel = 0x00010000
Flags = 0x00000043
MinLevel = 0x00010000
RecommendedLevel = 0x00010000
Within subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
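The installation and payload artifacts listed above (the Run value, the mutex, the Zone 2 level values and the trusted-site entries) can be checked on a live host. The following PowerShell script is an added example written for this page; it is not part of the encyclopedia entry or of any Microsoft tool. It is read-only. The comparison values are the ones this entry reports (0x10000 is the Internet Explorer "Low" preset). The ZoneMap\Domains and ZoneMap\Ranges locations are where Internet Explorer stores host names and IP addresses assigned to a zone; the entry itself does not name them, so treat that part as the editor's assumption about where the trusted-site additions land.

```powershell
# Added triage script, not part of the encyclopedia entry. Read-only: it reports the
# host artifacts this entry attributes to Zonebac.gen!B and changes nothing.
# Run from an elevated Windows PowerShell prompt so the HKLM Run key is readable.

$findings = @()

# 1. Persistence: the Run value name reported in the entry, under HKCU and HKLM.
#    The legitimate print spooler runs spoolsv.exe as a service, not from a Run key,
#    so any Run entry launching a spoolsv.exe deserves a look on its own.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive etc.
        if ($p.Name -eq 'Lexmark_X79-55' -or "$($p.Value)" -match 'spoolsv\.exe') {
            $findings += "Run value '$($p.Name)' in $key launches $($p.Value)"
        }
    }
}

# 2. The mutex the entry reports; it exists only while the backdoor is running.
$mutexName = '{FA531CC1-0497-11d3-A180-3333052276C3E}'
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $findings += "Mutex $mutexName exists in this session (backdoor probably running)"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present in this session's namespace
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex $mutexName exists but could not be opened (access denied)"
}

# 3. Trusted sites zone (Zone 2) level values. 0x10000 is the "Low" preset, the value
#    the entry reports for CurrentLevel, MinLevel and RecommendedLevel.
$zone2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$z = Get-ItemProperty -Path $zone2 -ErrorAction SilentlyContinue
if ($z) {
    foreach ($name in 'CurrentLevel', 'MinLevel', 'RecommendedLevel') {
        $val = $z.$name
        if ($null -ne $val -and $val -eq 0x10000) {
            $findings += ('Zone 2 {0} = 0x{1:X} (Low preset)' -f $name, $val)
        }
    }
    if ($z.Flags -eq 0x43) { $findings += 'Zone 2 Flags = 0x43 (value reported for this backdoor)' }
}

# 4. Trusted-site entries (assumed location): Internet Explorer maps host names to zones
#    under ZoneMap\Domains\<domain> and IP addresses under ZoneMap\Ranges\RangeN (':Range').
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
foreach ($domain in 'whataboutadog.com', 'doginhispen.com') {
    $dp = Get-ItemProperty -Path "$zoneMap\Domains\$domain" -ErrorAction SilentlyContinue
    if ($dp) {
        $schemes = @($dp.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                     ForEach-Object { "$($_.Name)=$($_.Value)" })
        $findings += "ZoneMap domain $domain ($($schemes -join ', '))"
    }
}
foreach ($range in (Get-ChildItem -Path "$zoneMap\Ranges" -ErrorAction SilentlyContinue)) {
    $r = Get-ItemProperty -Path $range.PSPath
    if ($r.':Range' -eq '88.80.7.66') { $findings += "ZoneMap range $($range.PSChildName) maps 88.80.7.66" }
}

if ($findings.Count -eq 0) {
    'No Zonebac.gen!B indicators found on this host.'
} else {
    foreach ($f in $findings) { "[!] $f" }
}
```

A hit on the Run value or the mutex is strong on its own; a Zone 2 level of 0x10000 by itself only means the Trusted sites zone has been set to "Low", which a user or another program can also do, so confirm it together with the ZoneMap entries before attributing it to this family.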
Backdoor Functionality
After Zonebac has lowered the security settings on the compromised machine, it may connect to the following remote sites:
a.whataboutarabit.com
whataboutadog.com
doginhispen.com
88.80.7.66
When connected, it may then attempt to perform the following actions:
Upload general system information, such as the operating system version, service pack or patch level, installed security products and other details
Update itself
Download additional files
Additional Information
Depending on what it is trying to do, the backdoor contacts the sites listed above through Internet Explorer rather than from its own process, in an attempt to evade host firewalls, which usually already permit Internet Explorer to connect out. To keep the Internet Explorer windows out of the user's sight, the backdoor launches Internet Explorer on a separate desktop that it creates, named "NEW_DESKTOP".
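The hidden-desktop trick leaves two things an analyst can look for from the user's session: a desktop object with the reported name, and Internet Explorer processes whose parent is not the user's shell. The following PowerShell snippet is an added example, not from the encyclopedia entry; it enumerates the desktops of the current window station through the user32 EnumDesktops API and flags NEW_DESKTOP, then lists running iexplore.exe processes with their parent process. It assumes Windows PowerShell 5.1 or later on Windows and is read-only.

```powershell
# Added example, not from the encyclopedia entry. Lists the desktops of the current
# window station and flags NEW_DESKTOP, then lists Internet Explorer processes with
# their parent. Assumes Windows PowerShell 5.1+ on Windows; read-only.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DesktopEnum {
    public delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetProcessWindowStation();
}
'@

$script:desktops = New-Object 'System.Collections.Generic.List[string]'
$callback = [DesktopEnum+EnumDesktopProc]{
    param([string]$name, [IntPtr]$lParam)
    $script:desktops.Add($name)   # List.Add returns void, so $true below is the delegate's result
    return $true                  # keep enumerating
}
$ok = [DesktopEnum]::EnumDesktops([DesktopEnum]::GetProcessWindowStation(), $callback, [IntPtr]::Zero)
if (-not $ok) {
    throw "EnumDesktops failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

'Desktops in the current window station:'
foreach ($d in $script:desktops) { "  $d" }
if ($script:desktops -contains 'NEW_DESKTOP') {
    '[!] A desktop named NEW_DESKTOP exists; this is the name the backdoor uses to hide Internet Explorer.'
}

# Internet Explorer instances and their parents. Interactive IE is normally a child of
# explorer.exe; a copy started by the backdoor is parented by the backdoor's own process.
'Internet Explorer processes:'
foreach ($ie in (Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'")) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($ie.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    "  PID $($ie.ProcessId) parent $parentName (PID $($ie.ParentProcessId)): $($ie.CommandLine)"
}
```

On a clean interactive session the enumeration normally returns "Default" and "Disconnect" (and "Winlogon" when the caller has access to it); any other name, and NEW_DESKTOP in particular, is worth correlating with the process list. The desktop object only exists while some process holds a handle to it, so run the check while the suspected backdoor is active.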