Zbot variants are typically distributed as executable file attachments to spam email messages, and via drive-by downloads, in which a file is silently 'dropped' onto a user's computer during a visit to a malicious (or compromised) website.
The primary payload of Trojan:W32/Zbot variants focuses on stealing information related to online banking transactions and banking portal login details. They also have limited backdoor and proxy capabilities.
Early versions of Zbot malware were notable for tying infected systems into a botnet known as Kneber.
In 2011, the source code for a version of the Zeus malware was leaked online, and was rapidly taken by other malware authors and used to develop new malware. Of particular note in this second wave of Zeus-derived malware are three separate families: Ice IX, Citadel and the GameOver malware used to create a peer-to-peer (P2P) communicating botnet known as GameOver ZeuS (GOZ).
The GOZ botnet was especially noted for distributing banking trojans and ransomware, and being used to commit electronic monetary theft. In 2014, the botnet was the target of a major multinational takedown spearheaded by the United States Federal Bureau of Investigation (FBI).
More information about these separate Zeus-derived families is available in:
The Zbot trojan creates a %windir%\system32\wsnpoem folder in which it places two files, video.dll and audio.dll. These files are used to store information stolen from the infected system, as well as an encrypted configuration file which the trojan downloads from a predefined location. The wsnpoem folder and its content are usually hidden using stealth techniques.
The Zbot trojan also copies itself to %windir%\system32\ntos.exe (or in some variants, ...\oembios.exe). A random amount of junk data is appended to the copy in an attempt to make its detection more difficult.
During installation, the Zbot trojan checks the running programs for firewall-related processes such as outpost.exe or zlclient.exe. If either of these processes is running, the trojan only copies itself to the system32 folder, then exits. If it is safe to proceed, it modifies the registry keys so that the malware executes at every startup, which also causes it to inject itself into other processes.
The Zbot trojan starts its main information-stealing function by opening a connection to a remote server and downloading an encrypted configuration file. This file contains the address where the trojan will later upload the information it has stolen; an address where it can download a new version of itself; and the address of another configuration file. This file also defines which websites the trojan will target for information theft.
Once the configuration file is downloaded, any confidential banking data the victim types in is compromised. If the victim enters account information on an online banking site, the trojan intercepts the data in the webform and uploads it to the server defined in the trojan's configuration file. To gather more information, the malware author can even create additional fields, which are then injected into a targeted webpage for the unsuspecting victim to fill in.
Zbot trojans are also capable of presenting the victim with a fake version of a webpage. Victims trying to browse specific webpages will be presented with a modified copy of the website from a server controlled by the attacker, rather than the correct webpage from the legitimate server. Again, any information entered is captured by the attacker.
Keylogging, stealing data from the clipboard and taking screenshots of the desktop are also in the Zbot arsenal. Zbot trojans steal the content of the Windows Protected Storage, as well as certificates stored on the infected system. Username and password information for the POP3 and FTP protocols is also stolen.
Zbot trojans have limited backdoor functionality, which mainly involves executing a file already on the system or downloading a new version of itself.
A Zbot trojan can also act as a proxy server. Other miscellaneous functionality includes the ability to modify the content of %windir%\system32\drivers\hosts, and to redirect or block access to websites.
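The installation artifacts described above (the wsnpoem folder with video.dll and audio.dll, the ntos.exe/oembios.exe copies) and the hosts-file tampering can be turned into a simple host triage check. The following is an added example written for this page, not code from the original description or from any vendor tool; it takes a file listing and hosts-file text as input (constructed samples are embedded, with %windir% assumed to be C:\Windows and example domains invented), so it runs offline without touching a real system.

```python
# Known Zbot file/folder artifacts from the description, normalised to
# lower case with %windir% expanded to C:\Windows (an assumption).
ZBOT_PATHS = {
    r"c:\windows\system32\wsnpoem",
    r"c:\windows\system32\wsnpoem\video.dll",
    r"c:\windows\system32\wsnpoem\audio.dll",
    r"c:\windows\system32\ntos.exe",
    r"c:\windows\system32\oembios.exe",
}

# Addresses that make a hosts entry a "block" rather than a "redirect".
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def find_zbot_files(paths):
    """Return the Zbot artifact paths present in a file listing (sorted)."""
    return sorted(p for p in paths if p.lower().replace("/", "\\") in ZBOT_PATHS)


def suspicious_hosts_entries(hosts_text, watched_domains):
    """Flag hosts entries that pin a watched domain (e.g. a bank or an
    AV update site) to any address: loopback = blocked, anything else =
    redirected to a host the attacker controls."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watched_domains:
                kind = "blocked" if ip in LOOPBACK else "redirected"
                hits.append((name.lower(), ip, kind))
    return hits


def triage(file_listing, hosts_text, watched_domains):
    """Combine both checks into one verdict for a host snapshot."""
    files = find_zbot_files(file_listing)
    hosts = suspicious_hosts_entries(hosts_text, watched_domains)
    return {"files": files, "hosts": hosts, "suspect": bool(files or hosts)}


# Constructed sample snapshot of an infected machine (not real data).
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\wsnpoem\video.dll",
    r"C:\Windows\System32\ntos.exe",
]
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 update.example-av.test        # update site blocked
203.0.113.7 online.example-bank.test    # bank redirected
"""
WATCHED = {"online.example-bank.test", "update.example-av.test"}
```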