1. /
  2. Security Response/
  3. Trojan.Zbot

Trojan.Zbot

Risk Level 2: Low

Discovered:
January 10, 2010
Updated:
September 2, 2014 11:28:05 AM
Also Known As:
Trojan-Spy:W32/Zbot [F-Secure], PWS-Zbot [McAfee], Trojan-Spy.Win32.Zbot [Kaspersky], Win32/Zbot [Microsoft], Infostealer.Monstres [Symantec], Infostealer.Banker.C [Symantec], Trojan.Wsnpoem [Symantec], Troj/Zbot-LG [Sophos], Troj/Agent-MDL [Sophos], Troj/Zbot-LM [Sophos], Troj/TDSS-BY [Sophos], Troj/Zbot-LO [Sophos], Troj/Buzus-CE [Sophos], Sinowal.WUR [Panda Software], Troj/QakBot-D [Sophos], Troj/Agent-MIR [Sophos], Troj/Qakbot-E [Sophos], Troj/QakBot-G [Sophos], Troj/QakBot-F [Sophos], Troj/Agent-MJS [Sophos], Troj/Agent-MKP [Sophos], Troj/Zbot-ME [Sophos], Troj/Dloadr-CYP [Sophos], Win32/Zbot.WY [Computer Associates], Troj/DwnLdr-IBQ [Sophos], Troj/Zbot-NG [Sophos], W32/Zbot-NI [Sophos], Troj/Zbot-NN [Sophos], Troj/DwnLdr-ICV [Sophos], Troj/DwnLdr-ICY [Sophos], Troj/DwnLdr-IDB [Sophos], Troj/Dldr-DM [Sophos], Troj/Zbot-NR [Sophos], Troj/Zbot-NS [Sophos], Troj/Agent-MWK [Sophos], Troj/FakeAV-BDB [Sophos], Troj/Agent-MYL [Sophos], Troj/Agent-NAX [Sophos], Troj/Zbot-OD [Sophos], Troj/Zbot-OE [Sophos], Troj/Zbot-OT [Sophos], Troj/FakeAV-BGJ [Sophos], Troj/VB-EPV [Sophos], Troj/VB-EQA [Sophos], Troj/Zbot-PE [Sophos], Troj/Zbot-OZ [Sophos], Troj/Zbot-PA [Sophos], Troj/Zbot-OY [Sophos], Troj/FakeAV-BHP [Sophos], Troj/Zbot-OX [Sophos], Troj/Agent-NIV [Sophos], Troj/Zbot-PM [Sophos], Troj/Zbot-PQ [Sophos], Troj/Agent-NKD [Sophos], Troj/Zbot-PP [Sophos], Troj/Zbot-PN [Sophos], Troj/Zbot-PX [Sophos], Troj/Zbot-PW [Sophos], Troj/Zbot-PY [Sophos], Troj/Zbot-PT [Sophos], Troj/Zbot-PV [Sophos], Troj/Zbot-QC [Sophos], Troj/Zbot-QD [Sophos], Troj/Zbot-QK [Sophos], Troj/Zbot-QZ [Sophos], Troj/VB-ERY [Sophos], Troj/Zbot-RA [Sophos], Troj/Zbot-RK [Sophos], Troj/Dloadr-DAD [Sophos], Troj/Zbot-RP [Sophos], Troj/Zbot-RY [Sophos], Troj/Zbot-SC [Sophos], Troj/Zbot-SD [Sophos], Troj/Zbot-SB [Sophos], Troj/Zbot-SF [Sophos], Troj/Zbot-SV [Sophos], Troj/Agent-NUO [Sophos], Troj/Zbot-SP [Sophos], Troj/Meredrop-K [Sophos], Troj/Zbot-SX [Sophos], Troj/Zbot-SY [Sophos], Troj/Zbot-SR [Sophos], Troj/Zbot-TG [Sophos], Troj/Zbot-TQ [Sophos], Troj/Zbot-TY [Sophos], Troj/ZBot-UL [Sophos], Troj/Zbot-VN [Sophos], Troj/Zbot-VM [Sophos], Troj/Zbot-VQ [Sophos], Troj/Zbot-WD [Sophos], Troj/Zbot-WF [Sophos], Troj/Zbot-XA [Sophos], Troj/Agent-OLW [Sophos], Troj/Zbot-XO [Sophos], Troj/Zbot-XN [Sophos], Troj/Zbot-YB [Sophos], Troj/Zbot-YE [Sophos], Troj/Zbot-YO [Sophos], Troj/Zbot-YP [Sophos], Troj/ZBot-ZJ [Sophos], Troj/Zbot-AAN [Sophos], Troj/Zbot-AAM [Sophos], Troj/Zbot-ACI [Sophos], Troj/Zbot-AGC [Sophos], Troj/Zbot-AGJ [Sophos], Troj/Zbot-AHE [Sophos], Troj/Zbot-AHD [Sophos], Troj/Zbot-AIR [Sophos]
Type:
Trojan
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.

Infection
The Trojan.Zbot files that are used to compromise computers are generated using a toolkit that is available in marketplaces for online criminals. The toolkit allows an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers.

The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft. The message body warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. The computer is compromised if the user visits the link, if it is not protected.


Functionality
This Trojan has primarily been designed to steal confidential information from the computers it compromises. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes.

Confidential information is gathered through multiple methods. Upon execution the Trojan automatically gathers any Internet Explorer, FTP, or POP3 passwords that are contained within Protected Storage (PStore). However, its most effective method for gathering information is by monitoring Web sites included in the configuration file, sometimes intercepting the legitimate Web pages and inserting extra fields (e.g. adding a date of birth field to a banking Web page that originally only requested a user name and password).

Additionally, Trojan.Zbot contacts a command-and-control (C&C) server and makes itself available to perform additional functions. This allows a remote attacker to command the Trojan to download and execute further files, shutdown or reboot the computer, or even delete system files, rendering the computer unusable without reinstalling the operating system.


Zeus and “Kneber”
On February 18, 2010 news reports appeared about a new botnet called Kneber. The reports claimed there were as many as 75,000 machines compromised by this newly discovered threat. In actuality, Kneber turned out to be a group of computers infected with Trojan.Zbot, controlled by one owner.

On February 23, 2010, one of our DeepSight honeypots was compromised by this latest version of Trojan.Zbot. In this particular case, Trojan.Zbot also downloaded copies of W32.Waledac. DeepSight™ Threat Management System subscribers can read the full report.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.






PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.




SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures

Antivirus (heuristic/generic)

      Browser protection
      Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


      Intrusion Prevention System

      Antivirus Protection Dates

      • Initial Rapid Release version January 7, 2010 revision 037
      • Latest Rapid Release version September 2, 2014 revision 009
      • Initial Daily Certified version January 7, 2010 revision 049
      • Latest Daily Certified version September 2, 2014 revision 019
      • Initial Weekly Certified release date January 13, 2010
      Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

      Threat Assessment

      Wild

      • Wild Level: Medium
      • Number of Infections: 50 - 999
      • Number of Sites: 3 - 9
      • Geographical Distribution: Medium
      • Threat Containment: Easy
      • Removal: Easy

      Damage

      • Damage Level: High
      • Payload Trigger: Clicking on links in unsolicited emails.
      • Payload: Opens a back door, gathers information from the computer, steals sensitive information, may download additional files.
      • Releases Confidential Info: Steals confidential information.

      Distribution

      • Distribution Level: Low
      • Subject of Email: Varies, depending on the spam email campaign.
      Writeup By: Ben Nahorney and Nicolas Falliere

      Search Threats

      Search by name
      Example: W32.Beagle.AG@mm
      STAR Antimalware Protection Technologies
      Internet Security Threat Report
      Symantec DeepSight Screensaver