Installation
Win32/Zeeborot can be installed on your PC by:
- Malicious or compromised websites
- Malicious torrent files
- Other malware
- Spam email attachments
The malware creates an instance of svchost.exe in suspended mode with the following command line parameter:
It then injects a copy of itself into the created process.
Win32/Zeeborot drops a copy of itself at the following location:
- %APPDATA%\<random folder>\<random name>.exe, for example, C:\Documents and Settings\Alan Tracey\Application Data\Irvo\reyka.exe
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<machine CLSID>", for example "{9024414C-D7F3-5CD8-2536-500D5E976EA9}"
With data: "<installed malware copy>", for example "C:\Documents and Settings\Alan Tracey\Application Data\Irvo\reyka.exe"
The malware also creates an event named "Global\<random characters>", for example Global\omomupumaduvoko, as a system infection marker.
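The persistence entry described above has two recognisable traits: a Run value whose name is shaped like a CLSID, and data that points to an executable under %APPDATA%. The following Python script is an added example (not part of this analysis) that checks Run entries for that combination. It runs against constructed sample entries, and on Windows it will also read the live HKCU Run key; the sample paths and the benign entries are constructed for illustration.

```python
import os
import re
import sys

# Value names of the form "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}", as in the Run value above.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def is_under_appdata(path, appdata):
    """True if the executable path in a Run value resolves inside the given AppData folder."""
    clean = path.strip().strip('"')
    # Registry data is Windows-style regardless of the host OS, so normalise separators and case.
    clean = clean.replace("/", "\\").lower()
    root = appdata.replace("/", "\\").lower().rstrip("\\") + "\\"
    return clean.startswith(root)


def classify_run_entries(entries, appdata):
    """Return the (name, data) Run entries with a GUID-shaped name AND data under %APPDATA%."""
    hits = []
    for name, data in entries:
        if GUID_NAME.match(name) and is_under_appdata(data, appdata):
            hits.append((name, data))
    return hits


def read_hkcu_run():
    """Read the live HKCU ...\\CurrentVersion\\Run key (Windows only); returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            out.append((name, str(data)))
            i += 1
    return out


# Constructed sample entries (not from a real system): one mimicking the page's example,
# one benign vendor entry, and one GUID-named entry that points outside AppData.
SAMPLE_APPDATA = r"C:\Documents and Settings\Alan Tracey\Application Data"
SAMPLE_ENTRIES = [
    ("{9024414C-D7F3-5CD8-2536-500D5E976EA9}",
     r'"C:\Documents and Settings\Alan Tracey\Application Data\Irvo\reyka.exe"'),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("{11111111-2222-3333-4444-555555555555}", r"C:\Program Files\Vendor\tool.exe"),
]

if __name__ == "__main__":
    live = read_hkcu_run()
    entries = live if live else SAMPLE_ENTRIES
    appdata = os.environ.get("APPDATA", SAMPLE_APPDATA) if live else SAMPLE_APPDATA
    for name, data in classify_run_entries(entries, appdata):
        print(f"suspicious Run entry: {name} -> {data}")
```

Both traits are required for a hit: a GUID-shaped value name on its own is used by some legitimate software, and many legitimate updaters live under %APPDATA%, so either trait alone would produce noise.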
Payload
Installs other malware
Win32/Zeeborot creates a Tor hidden service that runs a Win32/Zbot family variant on the infected system. This is achieved by creating the following suspended service process:
- %systemdir%\svchost.exe --HiddenServiceDir %appdata%\tor\hidden_service --HiddenServicePort "55080 127.0.0.1:55080"
It then injects a copy of a Zbot variant (PWS:Win32/Zbot.gen!CI at the time of analysis) into the hidden service.
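The hidden-service launch above is visible in process-creation telemetry: svchost.exe is started with Tor configuration options on its command line instead of the usual "-k <group>" argument, and by a process other than services.exe. The script below is an added example (not part of this analysis) that applies those checks to constructed Sysmon-style records. The record format and the sample paths are constructed, and the "svchost.exe is normally started by services.exe with -k" rule is a heuristic assumption rather than something the page states.

```python
# Constructed Sysmon-style process-creation records, one "key=value" field per "|" (not real
# telemetry). Record 1 mimics the svchost.exe hidden-service launch described above; record 2 is
# a svchost.exe with a normal "-k" group but an unusual parent; records 0 and 3 are benign.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\svchost.exe|CommandLine=C:\Windows\System32\svchost.exe -k netsvcs|ParentImage=C:\Windows\System32\services.exe',
    r'Image=C:\Windows\System32\svchost.exe|CommandLine=C:\Windows\System32\svchost.exe --HiddenServiceDir C:\Users\u\AppData\Roaming\tor\hidden_service --HiddenServicePort "55080 127.0.0.1:55080"|ParentImage=C:\Users\u\AppData\Roaming\Irvo\reyka.exe',
    r'Image=C:\Windows\System32\svchost.exe|CommandLine=C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted|ParentImage=C:\Users\u\AppData\Roaming\Irvo\reyka.exe',
    r'Image=C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe|CommandLine=tor.exe -f torrc|ParentImage=C:\Program Files\Tor Browser\Browser\firefox.exe',
]

# Tor options from the hidden-service command line, compared case-insensitively so that both the
# "-HiddenServiceDir" and "--HiddenServiceDir" spellings match.
TOR_OPTIONS = ("hiddenservicedir", "hiddenserviceport")

# Heuristic assumption (not from the page): svchost.exe is normally started by services.exe
# and always carries a "-k <group>" argument.
EXPECTED_PARENT = "services.exe"


def parse_event(line):
    """Split one record into a dict of field name -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return the reasons this event resembles the behaviour above; empty list if none."""
    reasons = []
    if basename(event.get("Image", "")) != "svchost.exe":
        return reasons
    cmd = event.get("CommandLine", "").lower()
    if any(opt in cmd for opt in TOR_OPTIONS):
        reasons.append("svchost.exe started with Tor hidden-service options")
    if " -k " not in cmd:
        reasons.append("svchost.exe started without a -k service group")
    if basename(event.get("ParentImage", "")) != EXPECTED_PARENT:
        reasons.append("svchost.exe parent is not services.exe")
    return reasons


def scan(lines):
    """Return [(record index, reasons)] for every record that raised at least one reason."""
    hits = []
    for i, line in enumerate(lines):
        reasons = assess(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"record {idx}: " + "; ".join(reasons))
```

A genuine Tor Browser process (record 3) is not flagged, because the checks are tied to svchost.exe being abused as a host process rather than to Tor itself; the parent-process rule alone (record 2) is the weakest of the three and is best treated as a low-confidence signal.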
Connects to a remote host
This malware communicates with its command and control servers through the Tor network.
To contact a web server exposed as a Tor hidden service, the client uses a special naming scheme: the server's name is derived from its public key within the Tor network, with .onion as the top-level domain. The malware contains a list of .onion domains that it contacts using standard HTTP (over SOCKS):
- 24v63yidnlfeke45.onion
- 3kc3wgsbq5bjikyf.onion
- 4bx2tfgsctov65ch.onion
- 4njzp3wzi6leo772.onion
- 6ceyqong6nxy7hwp.onion
- 6m7m4bsdbzsflego.onion
- 6tkpktox73usm5vq.onion
- 742yhnr32ntzhx3f.onion
- 7wuwk3aybq5z73m7.onion
- ceif2rmdoput3wjh.onion
- dpuzn6fhxqr2kfx6.onion
- eamxnonwsr76nbit.onion
- f2ylgv2jochpzm4c.onion
- gpt2u5hhaqvmnwhr.onion
- h266x4kmvmpdfalv.onion
- jr6t4gi4k2vpry5c.onion
- kexxw7qevamewdkc.onion
- kv5fkk7csqonp64x.onion
- mh4vqvfvjk5imf2a.onion
- niazgxzlrbpevgvq.onion
- owbm3sjqdnndmydf.onion
- qdzjxwujdtxrjkrz.onion
- rxrhv2ajbmjw3kyq.onion
- ua4ttfm47jt32igm.onion
- uf5aizcddahngjbz.onion
- uy5t7cus7dptkchs.onion
- uzvyltfdj37rhqfy.onion
- wg6ry5rlzfoosbir.onion
- x3wyzqg6cfbqrwht.onion
- xvauhzlpkirnzghg.onion
Once connected to the network, the malware can receive instructions to perform DDoS attacks and Bitcoin mining.
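The .onion list above is most useful as a set of strings to look for in a memory dump, a sandbox report or `strings` output from a suspect file. The script below is an added example (not part of this analysis) that extracts candidate .onion names from a byte blob and separates those on this page's list from ones that are not. It goes slightly beyond the page: the addresses listed here are the 16-character (v2) form, and the pattern also accepts the 56-character v3 form. The sample blob is constructed for illustration.

```python
import re

# The .onion names from the list above, lower-cased for comparison.
KNOWN_ONIONS = {
    "24v63yidnlfeke45.onion", "3kc3wgsbq5bjikyf.onion", "4bx2tfgsctov65ch.onion",
    "4njzp3wzi6leo772.onion", "6ceyqong6nxy7hwp.onion", "6m7m4bsdbzsflego.onion",
    "6tkpktox73usm5vq.onion", "742yhnr32ntzhx3f.onion", "7wuwk3aybq5z73m7.onion",
    "ceif2rmdoput3wjh.onion", "dpuzn6fhxqr2kfx6.onion", "eamxnonwsr76nbit.onion",
    "f2ylgv2jochpzm4c.onion", "gpt2u5hhaqvmnwhr.onion", "h266x4kmvmpdfalv.onion",
    "jr6t4gi4k2vpry5c.onion", "kexxw7qevamewdkc.onion", "kv5fkk7csqonp64x.onion",
    "mh4vqvfvjk5imf2a.onion", "niazgxzlrbpevgvq.onion", "owbm3sjqdnndmydf.onion",
    "qdzjxwujdtxrjkrz.onion", "rxrhv2ajbmjw3kyq.onion", "ua4ttfm47jt32igm.onion",
    "uf5aizcddahngjbz.onion", "uy5t7cus7dptkchs.onion", "uzvyltfdj37rhqfy.onion",
    "wg6ry5rlzfoosbir.onion", "x3wyzqg6cfbqrwht.onion", "xvauhzlpkirnzghg.onion",
}

# Onion names are base32 (a-z, 2-7): 16 characters for v2 addresses (the form used above),
# 56 characters for v3. Matched as bytes so the input can be a raw dump, not only text.
ONION_RE = re.compile(rb"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)


def extract_onions(blob):
    """Return the set of .onion names (lower-cased) found anywhere in a byte blob."""
    return {m.group(0).decode("ascii").lower() for m in ONION_RE.finditer(blob)}


def triage(blob, known=KNOWN_ONIONS):
    """Split the names found in 'blob' into those on the known list and the rest."""
    found = extract_onions(blob)
    return {"known": sorted(found & known), "unknown": sorted(found - known)}


# Constructed sample dump (not a real capture): binary padding, two listed names in mixed case,
# one well-formed v2 name that is not on the list, and a host that is not a valid onion name.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00junk\x00"
    b"http://24v63yidnlfeke45.onion/index.php\x00"
    b"HTTP://H266X4KMVMPDFALV.ONION/\x00"
    b"\x00aaaaaaaaaaaaaaaa.onion\x00"
    b"notanonion.onion\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print("known :", ", ".join(result["known"]))
    print("unknown:", ", ".join(result["unknown"]))
```

Names in the "unknown" set are worth recording as well: a sample from the same family may carry an updated list, and the format check alone already separates real onion names from ordinary hostnames that merely end in .onion.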
Analysis by Patrick Estavillo