Trojan-Spy:W32/ZBot.HS

Classification

Category :

Malware

Type :

Trojan-Spy

Aliases :

Trojan-Spy:W32/Zbot.KZ, ZBot.HS

Summary

This type of trojan secretly installs spy programs and/or keylogger programs.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan-Spy:W32/ZBot.HS was discovered on February 20th 2008 and targets the online banking portal Finnish bank; the spam email messages used to distribute its executably binary file are written in Finnish. Later samples received on April 04, 2008 are now detected as Trojan-Spy:W32/Zbot.KZ. New download filename is iPIX-install.exe. Also, please contact your bank and confirm your online banking transactions if infection is confirmed.

Distribution

Several Finnish language spam messages were used to direct recipients to various websites.The websites supposedly contain a images that require an iPIX plug-in.The download link for the "plug-in" in fact downloads the ZBot file.

A sample message is below:

The message warns of a radioactive cloud spreading from a nuclear reactor close to the Finnish city of Mikkeli. The end of the message provides a link to a supposed blog with pictures of the event and of victims.

It is an attempt at social engineering. However, as there is no nuclear power plant near Mikkeli, many recipients report that they were not tempted by the message.

This is an example of the website:

An icon for a needed plug-in is displayed rather than images when viewing the site.

The message below the image area contains the link from which the malware is downloaded:

There are several versions of bait used by the spam messages.

One message claims to be from a woman seeking love. The message directs to a Web site such as this:

The website designs have been used in the past. There are previous examples of German language versions targeting individuals in Switzerland.

ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. The components are encrypted, probably to hinder analysis of the code.

Installation

Upon execution the trojan copies itself to the following location:

  • %windir%\system32\ntos.exe

Note: %windir% represents the system's default Windows directory. The folder name may vary by language localization.

It then creates the following folder under the Windows system directory:

  • wsnpoem

ZBot.HS attempts to hide this folder using stealth techniques.

It creates the following files in the newly created folder:

  • audio.dll
  • video.dll

These files are written with encrypted data.

The trojan modifies the following registry entry to enable its automatic execution upon Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Userinit" = "%windir%\system32\userinit.exe,%windir%\system32\ntos.exe"

The trojan deletes cookies in the Internet Explorer URL cache.

It then injects malicious code into several active processes, particularly winlogon.exe and iexplorer.exe.

Activity

The injected code starts listening for incoming TCP connections and downloads the following data file from a remote server:

  • file.bin

The remote server URL contains a top-level domain of ".ru". The server is hosted in Turkey as of February 21, 2008.

Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

ZBot searches the following string by default:

  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome

Other targets are added through the file.bin configuration.The file.bin of ZBot.HS targets a Finnish bank.

Browser activity is monitored for multiple ".fi" URL addresses. Finnish, Swedish, and English language versions are monitored.

If online banking activity is detected ZBot.HS will beginning logging information. ZBot.HS does not inject its own banking transactions.

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe

ZBot also checks for running programs with firewall related processes:

  • outpost.exe
  • zlclient.exe