PWS:Win32/Zbot.gen!AF

Installation

When run, PWS:Win32/Zbot.gen!AF drops a copy of itself as a randomly named file in the following format:

• %APPDATA%\<random letters>\<random letters>.exe - for example, "C:\Documents and Settings\Administrator\Application Data\ecymy\huojq.exe"

The registry is modified to run the trojan at each Windows start.

In subkey: HKCU\Software\Mirosoft\Windows\CurrentVersion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"

This trojan injects code into the address space of all running processes matching the security privilege of the logged on user, otherwise the malware will inject its code into all user-level processes (such as "Explorer.exe", "Iexplore.exe" and so on).

Note: Code injection is commonly used by malware as an attempt to hide from security software.

PWS:Win32/Zbot.gen!AF hooks the following Windows system APIs to aid in the capture of sensitive data such as login credentials for online financial transactions, email credentials and network information:

• NSPR.DLL
   PR_OpenTCPSocket
   PR_Close
   PR_Poll
   PR_Read
   PR_Write
• NTDLL.DLL
   ZwCreateThread
   LdrLoadDll
• KERNEL32.DLL
   GetFileAttributesExW
• WININET.DLL
   HttpSendRequestW
   HttpSendRequestA
   HttpSendRequestExW
   HttpSendRequestExA
   InternetCloseHandle
   InternetReadFile
   InternetReadFileExA
   InternetQueryDataAvailable
   HttpQueryInfoA
   InternetSetStatusCallbackW
   InternetSetStatusCallbackA
   InternetSetOptionA
• WS2_32.DLL
   closesocket
   send
   WSASend
   recv
   WSARecv
• GDI32.DLL
   OpenInputDesktop
   SwitchDesktop
   DefWindowProcW
   DefWindowProcA
   DefDlgProcW
   DefDlgProcA
   DefFrameProcW
   DefFrameProcA
   DefMDIChildProcW
   DefMDIChildProcA
   CallWindowProcW
   CallWindowProcA
   RegisterClassW
   RegisterClassA
   RegisterClassExW
   RegisterClassExA
• USER32.DLL
   BeginPaint
   EndPaint
   GetDCEx
   GetDC
   GetWindowDC
   ReleaseDC
   GetUpdateRect
   GetUpdateRgn
   GetMessagePos
   GetCursorPos
   SetCursorPos
   SetCapture
   ReleaseCapture
   GetCapture
   GetMessageW
   GetMessageA
   PeekMessageW
   PeekMessageA
   TranslateMessage
   GetClipboardData
• CRYPT32.DLL
   PFXImportCertStore

PWS:Win32/Zbot.gen!AF could install its code to other PCs when connected via Remote Desktop Services (RDS). If the affected computer is running RDS, the malware attempts to execute a process for every connected RDS session and drops a copy of the trojan into the following directories:

• <drive:>\documents and settings\default user\
• <drive:>\users\default\ 
• <drive:>\documents and settings\<user name>\ 
• <drive:>\users\<user name>\

Payload

Lowers Internet Explorer security

PWS:Win32/Zbot.gen!AF lowers Internet Explorer web browser security settings by modifying registry data.

• Disables phishing filtering:
  
  In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
  Sets value: "Enabled"
  With data: "0"
  Sets value: "EnabledV8"
  With data: "0"
   
• Disables system behavior to remove expired Internet Explorer browser cookies:
  
  In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
  Sets value: "CleanCookies"
  With data: "0"
   
• Lowers Internet Explorer Internet zone security settings
   
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  Set value: "1609"
  With data: "0"
  
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  Sets value: "1406"
  With data: "0"
  
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  Sets value: "1609"
  With data: "0"
  
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  Sets value: "1406"
  With data: "0"
  
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  Sets value: "1406"
  With data: "0"

Lowers Firefox web browser security

PWS:Win32/Zbot.gen!AF could modify settings for the web browser Mozilla Firefox including the following:

• Disable the clearing of Internet cookies
• Disable warning messages that are displayed when viewing mixed secured and unsecure web pages
• Disable warning messages that are displayed when submitting data to unsecure pages

Downloads configuration data

Earlier variants of PWS:Win32/Zbot.gen download a configuration file from a remote server (for example, "dairanet.cn"). Newer variants of this malware generate a list of up to 1020 pseudo-randomly named domains and attempt connections with each to download a configuration file. The list of domain names that are generated are based on the system date and time, and also have one of the following suffixes:

• .com
• .net
• .org
• .info
• .biz

Examples include some of the following:

• ghdukiopkkljbdyy <dot> com/news/?s=<random set of numbers>
• sdynjotsnjpojl <dot> biz/news/?s=<random set of numbers>
• kkrtfpqrsnslo <dot> net/news/?s=<random set of numbers>
• kkrtfpqrsnslo <dot> com/news/?s=<random set of numbers>
• nppuxmsnpfnkpphr <dot> info/news/?s=<random set of numbers>
• nppuxmsnpfnkpphr <dot> com/news/?s=<random set of numbers>
• mqjowjsgrpvmpr <dot> biz/news/?s=<random set of numbers>
• mqjowjsgrpvmpr <dot> org/news/?s=<random set of numbers>

The configuration file contains data used by the malware, or instructions, such as the following:

• URL to download updates of PWS:Win32/Zbot.gen!AF
• URL for additional configuration data files to download
• bot build version
• URL of targeted online financial institutions
• HTML and JavaScript code for parsing target web pages
• Steal sensitive data

Captures sensitive information

PWS:Win32/Zbot.gen!AF hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when a user visits certain websites. The trojan also steals the following sensitive information fromyour PC:

• Digital certificates
• IE cookies
• Cached passwords

The trojan also logs keystrokes and gets a snapshot of the infected system. Captured data is sent to a predefined FTP or email server, specified in a downloaded configuration file, for collection by a remote attkacker.

Allows remote access and control

Some variants of this malware can perform the following actions, depending on the information in the downloaded configuration data file:

• Reboot/shut down your PC
• Uninstall/update itself
• Enable/disable HTTP injection
• Traverse directory
• sSarch/remove files and directory
• Log off current user
• Run a program
• Steal Internet Explorer browser cookies
• Steal/delete certificates
• Block/unblock URLs
• Set Internet Explorer home page
• Steal FTP credentials
• Steal email login credentials

Analysis by Zarestel Ferrer