F-Secure Malware Information Pages: Trojan-Spy:W32/ZBot.HS

Name: Trojan-Spy:W32/ZBot.HS
Alias: ZBot.HS, Trojan-Spy:W32/Zbot.KZ
Type: Trojan-Spy
Category: Malware
Platform: W32
Date of Discovery: February 20, 2008

Summary
Trojan-Spy:W32/ZBot.HS is a trojan-spy.

Trojan-spy applications attempt to steal online banking login information and other sensitive data from the infected computer.

Update: a new sample was received on April 04, 2008 and is detected as Trojan-Spy:W32/Zbot.KZ.

Disinfection

Trojan-Spy

Our free Online Scanner is available if you think that your computer has been infected as a result of following links and downloading a file with one of these names:

  • iPIX-install_fi.exe
  • iPIX-install.exe (the filename used by the later sample)

Contact your bank and confirm your online banking transactions if infection is confirmed.

Detailed Description
Infection Vectors

ZBot variants target online banking.

Banks in multiple countries have been targeted. Various languages have been used in spam pushing the installation.

Trojan-Spy:W32/ZBot.HS was discovered on February 20, 2008. ZBot.HS targets a Finnish bank and was distributed by spam written in Finnish.

Several Finnish-language spam messages were used to direct recipients to various websites. The websites supposedly contain images that require an iPIX plug-in; the download link for the "plug-in" in fact downloads the ZBot trojan-spy.

Spam message example:



The example message warns of a radioactive cloud spreading from a nuclear reactor close to the Finnish city of Mikkeli.

The end of the message provides a link to a supposed blog with pictures of the event and of victims.

It is an attempt at social engineering. However, as there is no nuclear power plant near Mikkeli, many recipients report that they were not tempted by the message.

This is an example of the website:



When viewing the site, a "plug-in required" icon is displayed in place of the images.

The message below the image area contains the link from which the malware is downloaded:



There are several versions of bait used by the spam messages.

One message claims to be from a woman seeking love. The message directs to a Web site such as this:



The same website designs have been used before: there are earlier German-language versions targeting users in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. Because these components are encrypted and are only fetched when the trojan has an online connection, the full functionality of a sample cannot be determined from the executable alone.

Offline analysis of this variant within our isolated network displays typical banking trojan behavior.

Browser activity is now monitored for multiple ".fi", ".ch", ".de", ".nl" and ".com" bank URL addresses.

Technical Details

Comprehensive analysis of this variant has been completed.

Upon execution the trojan copies itself to the following location:

  • %windir%\system32\ntos.exe

Note: %windir% represents the system's default Windows directory. The folder name may vary by language localization.

It then creates the following folder under the Windows system directory:

  • wsnpoem

ZBot.HS attempts to hide this folder using stealth techniques.

It creates the following files in the newly created folder:

  • audio.dll
  • video.dll

These files are written with encrypted data.

The trojan modifies the following registry value so that it is launched at every interactive logon. Winlogon runs each comma-separated entry of Userinit, so the trojan keeps the legitimate userinit.exe in place and appends its own executable after it:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\ntos.exe"
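The artefacts listed above can be checked on a live host, or against a file listing taken from a forensic image, with a short script. The following is an added example written for this page, not F-Secure tooling: the indicator paths and the shape of the Userinit value come from the description above, the Winlogon key read at the bottom is the assumed location of that value, and the demonstration input at the end is constructed.

```python
"""Host check for the ZBot.HS artefacts listed above (added example, not
F-Secure code).  The pure functions take already-collected data so they can
be exercised offline; collect_and_report() is an assumed Windows-only way
to gather the live values with the standard library."""
import os
import sys
from typing import Iterable, List

# File and folder indicators from the description, relative to %windir%.
ZBOT_HS_PATHS = (
    "system32/ntos.exe",
    "system32/wsnpoem",
    "system32/wsnpoem/audio.dll",
    "system32/wsnpoem/video.dll",
)


def _norm(path: str) -> str:
    """Case-insensitive, slash-insensitive form for comparing Windows paths."""
    return path.replace("\\", "/").rstrip("/").lower()


def suspicious_userinit_entries(userinit_value: str,
                                windir: str = r"C:\Windows") -> List[str]:
    """Return every entry of a Userinit value other than the genuine
    %windir%\\system32\\userinit.exe.

    Winlogon runs each comma-separated entry at logon, which is why the
    trojan appends ntos.exe after the legitimate program; any extra entry
    deserves a look, whatever it is called.
    """
    expected = _norm(windir + r"\system32\userinit.exe")
    extras = []
    for raw in userinit_value.split(","):
        entry = raw.strip().strip('"')
        if entry and _norm(entry) != expected:
            extras.append(entry)
    return extras


def zbot_paths_present(existing_paths: Iterable[str],
                       windir: str = r"C:\Windows") -> List[str]:
    """Return the ZBot.HS indicators (relative to %windir%) found among
    `existing_paths`, e.g. a directory walk or a listing of a mounted image
    (where the folder hiding described above does not apply)."""
    wanted = {_norm(windir + "\\" + rel): rel for rel in ZBOT_HS_PATHS}
    present = {_norm(p) for p in existing_paths}
    return [rel for full, rel in wanted.items() if full in present]


def collect_and_report() -> List[str]:
    """Windows only: read the live Userinit value and probe %windir%\\system32.
    The Winlogon key is the assumed location of the Userinit value."""
    import winreg  # standard library, but only importable on Windows
    windir = os.environ.get("WINDIR", r"C:\Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    findings = ["Userinit extra entry: " + e
                for e in suspicious_userinit_entries(userinit, windir)]
    candidates = [os.path.join(windir, rel.replace("/", os.sep)) for rel in ZBOT_HS_PATHS]
    existing = [p for p in candidates if os.path.lexists(p)]
    findings += ["present: " + rel for rel in zbot_paths_present(existing, windir)]
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        for line in collect_and_report() or ["no ZBot.HS indicators found"]:
            print(line)
    else:
        # Constructed input so the checks can be run on any platform.
        demo = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe"
        print(suspicious_userinit_entries(demo, r"C:\WINDOWS"))
```

The Userinit check deliberately reports any entry that is not the genuine userinit.exe rather than looking for the name ntos.exe, since the filename is the easiest thing for a later variant to change; the path list, by contrast, is specific to this variant.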

The trojan deletes cookies in the Internet Explorer URL cache, most likely so that the user has to log in to banking sites again and the credentials can be captured.

It then injects malicious code into several active processes, particularly winlogon.exe and iexplore.exe (Internet Explorer). The injected code starts listening for incoming TCP connections and downloads the following data file from a remote server:

  • file.bin

The remote server URL contains a top-level domain of ".ru". The server is hosted in Turkey as of February 21, 2008.

Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

ZBot's built-in default target is the following URL mask (the "#" and "*" characters are wildcards):

  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

Other targets are added through the file.bin configuration.
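The target line above is a URL mask, not a literal URL. The script below is an added example for this page (not F-Secure's code and not the malware's own) showing how such a mask is applied: it assumes the ZBot configuration convention that "#" matches exactly one character and "*" matches any run of characters, then runs the default mask plus a constructed .fi mask over constructed browser URLs to show which requests would start the logging. The example-bank.fi mask and every URL are made up for the demonstration.

```python
"""URL-mask matching in the style of ZBot target lists (added example)."""
import re
from typing import Iterable, List

# Default target from the description above; '#' and '*' are wildcards.
DEFAULT_MASK = "https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome"

# Constructed stand-in for a .fi entry that file.bin would add (not a real target).
EXTRA_MASKS = ["https://*.example-bank.fi/*"]


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Compile a mask into an anchored, case-insensitive regex.

    Assumed wildcard semantics: '#' = exactly one character, '*' = any run
    of characters (including none).  Everything else is escaped so '.',
    '?' and '-' in the mask stay literal."""
    pieces = []
    for ch in mask:
        if ch == "*":
            pieces.append(".*")
        elif ch == "#":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def url_matches(mask: str, url: str) -> bool:
    """True if the whole URL is covered by the mask."""
    return mask_to_regex(mask).match(url) is not None


def targeted_urls(masks: Iterable[str], urls: Iterable[str]) -> List[str]:
    """URLs that hit at least one mask, i.e. the requests that would be logged."""
    compiled = [mask_to_regex(m) for m in masks]
    return [u for u in urls if any(rx.match(u) for rx in compiled)]


# Constructed browser traffic for the demonstration.
SAMPLE_URLS = [
    "https://onlineeast3.bankofamerica.com/cgi-bin/ias/abc123/GotoWelcome",  # hit
    "https://onlineeast.bankofamerica.com/cgi-bin/ias/abc123/GotoWelcome",   # '#' needs one char
    "https://onlineeast3.bankofamerica.com/cgi-bin/ias/GotoWelcome",         # path segment missing
    "http://onlineeast3.bankofamerica.com/cgi-bin/ias/abc123/GotoWelcome",   # plain http, not https
    "https://login.example-bank.fi/auth?lang=sv",                            # hit via the .fi mask
    "https://www.example.com/",
]

if __name__ == "__main__":
    for url in targeted_urls([DEFAULT_MASK] + EXTRA_MASKS, SAMPLE_URLS):
        print("would log:", url)
```

The same matcher is useful on the defensive side: given a decrypted configuration, running its masks over proxy logs shows which of your users' sessions the variant was in a position to capture.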

The file.bin of ZBot.HS targets a Finnish bank.

Browser activity is monitored for multiple ".fi" URL addresses; the Finnish-, Swedish- and English-language versions of the bank's site are all monitored.

If online banking activity is detected, ZBot.HS begins logging information. ZBot.HS does not inject its own banking transactions.

ZBot also checks for the following firewall-related processes (Agnitum Outpost Firewall and ZoneAlarm):

  • outpost.exe
  • zlclient.exe

F-Secure Corporation

Last Modified: April 04, 2008