Zbot: still wriggling one year on

It is almost a year since I blogged about Zbot being distributed by malicious web sites [1]. Back then it was also known under the alias Prg. Well, months have passed, and I won’t begin to even guess the number of Zbot variants we have seen since then. The malware family, also known as ZeuS [2,3,4], has been troubling victims throughout 2008, as we have mentioned several times [5,6].

Today I came across another attack delivering a Zbot variant to victims. Similar attack style to some of the previous ones:

  1. Numerous sites compromised with malicious JavaScript that injects iframe into the page (script is now detected as Mal/Iframe-F)
  2. Loads malicious script from attacked-owned site (proactively detected as Mal/ObfJS-M)
  3. This script tries to exploit several client vulnerabilities to infect victim with Zbot (added as Troj/Zbot-BG). Vulnerabilities used include:

To exploit the Adobe Reader vulnerability, the malicious script writes an iframe to load the malicious PDF file. Detection for this malicious PDF has now been added within Troj/PDFJs-A.

Curiously, one of the domain names used in the latest attack is suggestive of attackers with anti-Semitic views (it has specific reference to the Russian president, Medvedev).

The people behind Zbot are not amateurs. The malware is distributed through a variety of mechanisms and is reasonably complex in nature. Once running it stealths its presence on the victim machine and downloads encrypted configuration files which can be used to “drive” the payload. Both the script and executable content make aggressive use of obfuscation and packing to evade detection. Fortunately, in the attacks I have investigated thus far we have managed to detect at least one of more of the components involved proactively (in this latest attack, the exploit script is detected, Mal/ObfJS-M).

One thing does remain constant however – the important of runtime protection. Just as with one year ago, even if you disregard and content detections, users are protected by HIPs.


So, if the recent post by Cliff was not enough for you to investigate using the runtime technologies in the Sophos product, this case provides yet further justification.