PWS:Win32/Zbot is a family of trojans that are created by kits known as "Zeus". These kits are bought and sold on the cyberworld black market.
They can hook API addresses and inject code into webpages to monitor online banking activities.
Distribution methods
This is a widespread and pervasive malware family. It uses several different methods to spread and infect your PC.
Downloaded by other malware
The threat might be installed by other malware or exploit families. These families have been observed to download Zbot as part of their criminal activity to steal information about your PC:
Remote Desktop Service
If your PC is using Remote Desktop Service (RDS) and is connected to other PCs, Zbot might try to install itself on your PC through this channel.
If your PC is running a Remote Desktop Service, Zbot might try to run a process for every connected RDS session and create a copy of itself in the startup folder:
%RDSUserProfilePath%\Start Menu\Programs\Startup\<random letters>.exe
where %RDSUserProfilePath% is generated by enumerating each user in this registry key using a unique security identifier (SID):
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Reads value: ProfileImagePath
For example:
If the administrator account SID is:
S-1-5-21-1844237615-2111687655-839522115-500
Then the profile path will be:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1844237615-2111687655-839522115-500
If ProfileImagePath is:
%SystemDrive%\Documents and Settings\Administrator
Then the full drop file will be:
C:\Documents and Settings\Administrator\Programs\Startup\<random letters>.exe
This means that if your PC is remotely connected to other PCs, they risk being infected as well.
Installation
Recent versions of PWS:Win32/Zbot have been observed dropping copies of itself as a randomly named file:
- %APPDATA%\<random letters>\<random letters>.exe
- %TEMP%\<random letters>\<random letters>.exe
For example:
C:\Documents and Settings\Administrator\Application Data\ecymy\huojq.exe
Some variants make the following changes to the registry to ensure that they run each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "<random letters>"
With data: "<location and file name of file>"
For example:
In subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "Kubimiytv"
With data: "c:\documents and settings\administrator\application data\ecymy\huojq.exe"
Zbot injects code into the address space of all running processes when the privileges of the currently logged-on user allow it; otherwise, the trojan injects its code into all user-level processes (such as "explorer.exe" and "iexplore.exe"). This behavior is intended to hide the trojan from security applications.
It also hooks the following Windows system APIs to help it capture sensitive data, for example, online banking and shopping, email credentials and network information:
- NSPR.DLL
  - PR_OpenTCPSocket
  - PR_Close
  - PR_Poll
  - PR_Read
  - PR_Write
- NTDLL.DLL
  - LdrLoadDll
  - NtCreateThread
  - NtCreateUserProcess
  - RtlUserThreadStart
  - ZwCreateThread
- KERNEL32.DLL
- WININET.DLL
  - HttpSendRequestW
  - HttpSendRequestA
  - HttpSendRequestExW
  - HttpSendRequestExA
  - InternetCloseHandle
  - InternetReadFile
  - InternetReadFileExA
  - InternetReadFileExW
  - InternetWriteFile
  - InternetQueryDataAvailable
  - HttpQueryInfoA
  - HttpQueryInfoW
  - InternetSetStatusCallbackW
  - InternetSetStatusCallbackA
  - InternetSetOptionA
- WS2_32.DLL
  - closesocket
  - send
  - WSASend
  - recv
  - WSARecv
  - WSAGetOverlappedResult
- GDI32.DLL
  - OpenInputDesktop
  - SwitchDesktop
  - DefWindowProcW
  - DefWindowProcA
  - DefDlgProcW
  - DefDlgProcA
  - DefFrameProcW
  - DefFrameProcA
  - DefMDIChildProcW
  - DefMDIChildProcA
  - CallWindowProcW
  - CallWindowProcA
  - RegisterClassW
  - RegisterClassA
  - RegisterClassExW
  - RegisterClassExA
- USER32.DLL
  - BeginPaint
  - EndPaint
  - GetDCEx
  - GetDC
  - GetWindowDC
  - ReleaseDC
  - GetUpdateRect
  - GetUpdateRgn
  - GetMessagePos
  - GetCursorPos
  - SetCursorPos
  - SetCapture
  - ReleaseCapture
  - GetCapture
  - GetMessageW
  - GetMessageA
  - PeekMessageW
  - PeekMessageA
  - TranslateMessage
  - GetClipboardData
- CRYPT32.DLL
- SSLEAY32.DLL
- SECUR32.DLL
  - DeleteSecurityContext
  - EncryptMessage
  - DecryptMessage
If the infected PC is running a Remote Desktop Service (RDS), Zbot creates a copy of itself in the default user startup folder as a randomly named file:
<DefaultUserPath>\Programs\Startup\<random letters>.exe
Examples of the <DefaultUserPath> are:
Payload
Downloads other malware, including ransomware
We've seen Win32/Zbot downloading variants from the Trojan:Win32/Crilock family. This is a family of ransomware that will encrypt the files on your PC and then demand money to unlock them.
You can help protect your PC from ransomware by reading more about Trojan:Win32/Crilock.A and our help topics about ransomware in general.
Changes the Firewall
Zbot makes the following changes to the registry to prevent Windows Firewall from blocking the threat's UDP port:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Changes value: "DisableNotifications"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
Changes value: "<UDP port>:UDP"
With data: "<UDP port>:udp:*:enabled:udp <UDP port>"
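As an added example (not code from the original page or from Microsoft), the following Python checker applies the persistence and firewall indicators described in the Installation section and in this section to a constructed registry export. The "random letters" heuristic, the sample values and the port number are assumptions made for the example.

```python
import re

# Constructed .reg-style export (not from a real infection) carrying the three
# indicators this page describes, plus a benign Run entry for contrast.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"Kubimiytv"="c:\\documents and settings\\administrator\\application data\\ecymy\\huojq.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"13487:UDP"="13487:udp:*:enabled:udp 13487"
"""
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
FW_PROFILE = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
              r"\parameters\firewallpolicy\standardprofile")
FW_PORTS = FW_PROFILE + r"\globallyopenports\list"
# Heuristic (an assumption modelled on the page's example): letters-only value
# name whose data ends in ...\Application Data\<letters>\<letters>.exe.
RANDOM_DROP = re.compile(r"\\application data\\[a-z]+\\[a-z]+\.exe$", re.I)
# The GloballyOpenPorts\List format quoted above: "<port>:udp:*:enabled:udp <port>".
ZBOT_PORT = re.compile(r"^(\d+):udp:\*:enabled:udp \1$", re.I)

def parse_reg(text):
    """Parse a minimal .reg export into {lower-cased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name] = data
    return keys

def find_indicators(reg):
    """Return (indicator, value name, data) for each entry matching the description."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.isalpha() and RANDOM_DROP.search(data):
            hits.append(("run-key persistence", name, data))
    if reg.get(FW_PROFILE, {}).get("DisableNotifications", "").lower() == "dword:00000001":
        hits.append(("firewall notifications disabled", "DisableNotifications", "1"))
    for name, data in reg.get(FW_PORTS, {}).items():
        if ZBOT_PORT.match(data):
            hits.append(("globally open UDP port", name, data))
    return hits
```

On a live system the same checks can be run against an export produced with `reg export`, or the `reg` dictionary can be populated from the live hives instead of a text file.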
Lets a hacker access your PC
PWS:Win32/Zbot lets a hacker gain access to and control of your PC, to varying degrees. Its level of control depends on the configuration data carried by each particular variant.
The trojan can perform actions including, but not limited to, the following:
- Reboot/shut down your PC
- Uninstall Zbot
- Update Zbot and its configuration file
- Search and remove files and directories
- Log you off your PC
- Run a program
- Steal or delete Internet Explorer cookies
- Steal or delete certificates
- Block or unblock URLs
- Change the Internet Explorer homepage
- Steal your FTP credentials
- Steal your email login credentials
- Steal your Flash Player credentials
Downloads configuration data file
PWS:Win32/Zbot.gen!GO is based on Zeus kits that operate through a centralized peer-to-peer (P2P) based network.
Your PC checks a predefined list that contains 20 IP addresses and ports of other infected PCs. Upon successful contact, the configuration file containing the C&C server address is fetched from the other infected PCs (the "peers"). The list of peers is updated whenever other peers contact the installed copy of Zbot. Up to 100 peer entries (IP address and UDP port combinations) can be stored.
If none of the initial 10 peers respond, the trojan can generate up to 1000 pseudo-randomly named domains and tries to connect to the generated list to download a new peer list. The data read from the domain is RSA-signed and is validated with the public key stored in the trojan's body.
The generated domain names are based on the system date and time and have one of the following suffixes:
Some examples include:
- dhqwyelbpndaqwljampjsoea.info
- hbixougjfqxkftswinlfbars.org
- jvklraqgyofcqhikfbazlltauhi.biz
- ofvgupbpsgaumfvkbuobevceuv.ru
- rvowslrmvnfkblkfyttpfemwx.com
- tsljnihhusyxzddltpci.net
The configuration file contains data used by the malware like the following:
- The version of the malware
- Online financial institutions to target
- HTML and JavaScript code used by its data-stealing payload
Steals sensitive information
PWS:Win32/Zbot hooks APIs used by Internet Explorer and Mozilla Firefox; it does this to monitor your online activities. It also injects HTML code into target websites to steal login credentials when you visit these websites.
The trojan steals the following sensitive information from your PC:
- Digital certificates
- Internet Explorer and Firefox cookies
- Cached passwords
- Logged keystrokes
- Screen and window captures
- Passwords and other details (like credit card numbers) as you enter them into targeted websites
- Bitcoin wallet credentials (through monitoring Bitcoin clients bitcoin-qt.exe and bitcoind.exe)
It also monitors online activity by intercepting targeted websites listed in the configuration file to steal your personal information like user name, password and credit card details.
The following are some of the target websites found in the configuration file of Zbot:
- amazon.com
- blogger.com
- flickr.com
- livejournal.com
- myspace.com
- youtube.com
- microsoft.com
- facebook.com
- ktt.key.com/ktt/cmd/logonFromKeyCom
- ktt.key.com/ktt/cmd/validatePinForm
- feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&
- us.hsbc.com
Steals FTP credentials
The trojan collects FTP credentials (IP address, port, user name, and password) from the following FTP software:
- FlashFXP
- Total Commander
- ws_ftp
- FileZilla
- FAR/FAR2
- winscp
- FTP Commander
- CoreFTP
- SmartFTP
Steals Windows Mail and Windows Live mail credentials
If your PC is running Windows XP or earlier, Win32/Zbot uses the COM libraries "msoeacct.dll" and "wab32.dll" to capture the following details:
- Windows mail account name
- Email address
- Server
- User name
- Password
The trojan looks for these DLL files in the directory defined in the registry key:
HKLM\SOFTWARE\Microsoft\WAB\DLLPath\
On Windows Vista, Windows 7, Windows 8 and later, the trojan instead captures the credentials by parsing the Windows Mail folder specified in this registry subkey:
HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\
Tampers with Trusteer security components
If the Trusteer DLL components rooksbas.dll and rapportgp.dll exist on your PC, the trojan might try to patch the DLLs in memory to avoid being detected.
Analysis by Rodel Finones