Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Trojan-Spy:W32/Zbot


Aliases:


Zeus, Citadel, Ice IX
Trojan.zbot.[variant]
Trojan-spy.win32.zbot.[variant]
Gen:variant.zbot.[variant]
Trojan-spy:w32/zbot.[variant]

Malware
Trojan-Spy
W32

Summary

This type of trojan secretly installs spy programs and/or keylogger programs.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information. They also have limited backdoor and proxy capabilities.

Zbot is also known as Zeus or Wsnpoem. This malware is discussed in our Labs Weblog:

A variant of the Zbot trojan is known as Citadel, and is based on source code that was leaked out on the Internet 2011. More information about this variant, and other variants based on the leaked Zeus source code, is available in the following Threat Reports:


Installation

The Zbot trojan creates a %windir%\system32\wsnpoem folder in which it places two files, video.dll and audio.dll. These files are used to store information stolen from the infected system, as well as an encrypted configuration file which the trojan downloads from a predefined location. The wsnpoem folder and its content are usually hidden using stealth techniques.

The Zbot trojan also copies itself to %windir%\system32\ntos.exe (or in some variants, ...\oembios.exe). A random amount of junk data is appended to the copy in an attempt to make its detection more difficult.

During installation, the Zbot trojan will check the running programs for firewall related processes such as outpost.exe or zlclient.exe. If either of these processes are running, the trojan only copies itself to the system32 folder, then exits. If it is safe to proceed, it will amend the registry keys to enable the malware to execute at every startup, which will also cause it to inject itself into other processes.


Data Harvesting

The Zbot-trojan starts its main information-stealing function by opening a connection to a remote server and downloading an encrypted configuration file. This file contains the address where the trojan will later upload the information it has stolen; an address where it can download a new version of itself; and the address of another configuration file. This file also defines what websites the trojan will target for information theft.

Once the configuration file is downloaded, any confidential banking data the victim types in is compromised. If the victim enters account information on an online banking site, the trojan intercepts the data in the webform and uploads it to the server defined in the trojan's configuration file. To gather more information, the malware author can even create additional fields, which are then injected into a targeted webpage for the unsuspecting victim to fill in.

Zbot-trojans are also capable of presenting the victim with a fake version of a webpage. Victims trying to browse specific webpages will be presented with a modified copy of the website from a server controlled by the attacker, rather than the correct webpage from the legitimate server. Again, any information entered is captured by the attacker.

Keylogging, stealing data from the clipboard and taking screenshots of the desktop are also in Zbot arsenal. Zbot trojans steal the content of the Windows Protected Storage, as well as certificates stored on the infected system. Username and password information for POP3 and FTP protocols are also stolen.


Backdoor

Zbot trojans have limited backdoor functionality, which mainly involve executing a file already on the system or downloading a new version of itself.

A Zbot-trojan can also act as a proxy-server. Other miscellaneous functionality includes the ability to modify the content of %windir%\system32\drivers\hosts, and to redirect or block access to websites.





Description Created: 2008-09-05 16:34:25.0
Description Last Modified: 2011-11-30 14:30:01.0



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free