
PWS:Win32/Zbot.AHD


First posted on 01 March 2013.
Source: Microsoft

Aliases :

PWS:Win32/Zbot.AHD is also known as Backdoor.Win32.Androm (Ikarus), Mal/EncPk-AIC (Sophos), PWS-Zbot.gen.ati (McAfee), TR/Spy.ZBot.imgrua (Avira), Trojan-Spy.Win32.Zbot.ikoy (Kaspersky), Win32/Spy.Zbot.ZR (ESET), Worm/Win32.Stekct (AhnLab).

Explanation :



PWS:Win32/Zbot.AHD is a trojan that allows unauthorized access to and control of your computer, and steals your valuable information, such as passwords. PWS:Win32/Zbot.AHD is created by kits known as "Zeus", which are bought and sold on the black market.



Installation

When PWS:Win32/Zbot.AHD is executed, it creates a modified copy of itself with a randomly-generated file name in the following location:

%APPDATA%\<random letters>\<random letters>.exe

For example:

c:\documents and settings\administrator\application data\eqepys\ruynn.exe

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the %APPDATA% folder for Windows 2000, XP, and 2003 is 'C:\Documents and Settings\<user>\Application Data'. For Windows Vista, 7 and 8, the default location is 'C:\Users\<user>\AppData\Roaming'.

It then modifies the registry to ensure that this copy is executed at each Windows start:

To subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{GUID of Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"

For example:

To subkey: HKCU\Software\Microsoft\Windows\Currentversion\Run
Sets value: "{F38B3E05-4020-AD7D-5A64-4EC179C86DD3}"
With data: "c:\documents and settings\administrator\application data\eqepys\ruynn.exe"

PWS:Win32/Zbot.AHD also creates copies of itself in the default user startup folder:

<DefaultUserPath>\Programs\Startup\<random letters>.exe

Examples for <DefaultUserPath> are:

  • C:\Documents and Settings\Default user\
  • C:\Users\Default\
  • C:\Documents and Settings\<User name>\
  • C:\Users\<User name>\
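As an added example (not part of the Microsoft write-up), a Python check over exported HKCU Run values and Startup-folder listings for the persistence pattern described above: a Run value named like a volume {GUID} whose data points at %APPDATA%\<letters>\<letters>.exe, and a letters-only .exe dropped straight into a Startup folder. The sample entries are constructed, not taken from a real host.

```python
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values as (value name, data) pairs; not data from a real host.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("{F38B3E05-4020-AD7D-5A64-4EC179C86DD3}",
     r'"c:\documents and settings\administrator\application data\eqepys\ruynn.exe"'),
    ("Updater", r"C:\Users\bob\AppData\Roaming\qzkwpl\tdrmxa.exe"),
]

# Constructed sample of files found in per-user Startup folders.
SAMPLE_STARTUP_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xlqmrw.exe",
    r"C:\Documents and Settings\administrator\Start Menu\Programs\Startup\Teams.lnk",
]

# Value name shaped like a {GUID}; the write-up says Zbot uses the Windows volume GUID.
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# %APPDATA% (2000/XP/2003 or Vista-and-later layout) followed by <letters>\<letters>.exe
APPDATA_RANDOM_EXE = re.compile(
    r"\\(?:application data|appdata\\roaming)\\[a-z]+\\[a-z]+\.exe$", re.I)
# A letters-only executable placed directly in a Startup folder.
STARTUP_RANDOM_EXE = re.compile(r"\\programs\\startup\\[a-z]+\.exe$", re.I)


def classify_run_value(name, data):
    """Return the persistence indicators from the write-up that a Run value matches."""
    hits = []
    if GUID_NAME.match(name.strip()):
        hits.append("guid-named value")
    if APPDATA_RANDOM_EXE.search(data.strip().strip('"')):
        hits.append("appdata random-letters exe")
    return hits


def suspicious_run_values(values):
    """Keep only Run values with at least one indicator, most indicators first."""
    found = [(name, classify_run_value(name, data)) for name, data in values]
    return sorted([f for f in found if f[1]], key=lambda f: -len(f[1]))


def suspicious_startup_files(paths):
    """Startup-folder entries matching <random letters>.exe."""
    return [p for p in paths if STARTUP_RANDOM_EXE.search(p.strip())]


if __name__ == "__main__":
    for name, hits in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"Run value {name!r}: {', '.join(hits)}")
    for path in suspicious_startup_files(SAMPLE_STARTUP_FILES):
        print(f"Startup file: {path}")
```

A value that matches both indicators is a strong match for this variant; a single indicator (a random-letters path under a benign-looking name, as in the "Updater" sample) still merits a look at the file.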


PWS:Win32/Zbot.AHD injects code into all of the current user's running processes. This is intended to hide the trojan's activity from security applications.

It also hooks the following Windows system APIs to aid in the capture of sensitive data, such as online banking and shopping passwords, email credentials and network information:

SSLEAY32.DLL

  • SSL_write
  • SSL_read


SECUR32.DLL

  • DeleteSecurityContext
  • EncryptMessage
  • DecryptMessage


NSPR.DLL

  • PR_OpenTCPSocket
  • PR_Close
  • PR_Poll
  • PR_Read
  • PR_Write


NTDLL.DLL

  • NtCreateUserProcess
  • NtCreateThread
  • RtlUserThreadStart
  • LdrLoadDll


KERNEL32.DLL

  • GetFileAttributesExW


WININET.DLL

  • InternetCloseHandle
  • HttpSendRequestA
  • HttpSendRequestW
  • HttpSendRequestExA
  • HttpSendRequestExW
  • InternetWriteFile
  • InternetReadFile
  • InternetReadFileExA
  • InternetReadFileExW
  • InternetQueryDataAvailable
  • HttpQueryInfoA
  • HttpQueryInfoW


WS2_32.DLL

  • closesocket
  • send
  • WSASend
  • recv
  • WSARecv
  • WSAGetOverlappedResult


GDI32.DLL

  • OpenInputDesktop
  • SwitchDesktop
  • DefWindowProcW
  • DefWindowProcA
  • DefDlgProcW
  • DefDlgProcA
  • DefFrameProcW
  • DefFrameProcA
  • DefMDIChildProcW
  • DefMDIChildProcA
  • CallWindowProcW
  • CallWindowProcA
  • RegisterClassW
  • RegisterClassA
  • RegisterClassExW
  • RegisterClassExA


USER32.DLL

  • BeginPaint
  • EndPaint
  • GetDCEx
  • GetDC
  • GetWindowDC
  • ReleaseDC
  • GetUpdateRect
  • GetUpdateRgn
  • GetMessagePos
  • GetCursorPos
  • SetCursorPos
  • SetCapture
  • ReleaseCapture
  • GetCapture
  • GetMessageW
  • GetMessageA
  • PeekMessageW
  • PeekMessageA
  • TranslateMessage
  • GetClipboardData


CRYPT32.DLL

  • PFXImportCertStore

Spreads via...

Remote Desktop Service

PWS:Win32/Zbot.AHD attempts to spread to other computers that might be remotely connected to your computer using the Remote Desktop Service (RDS).

If your computer is running a Remote Desktop Service, Zbot may attempt to execute a process for every connected RDS session and create a copy of itself in the startup folder:

%RDSUserProfilePath%\Start Menu\Programs\Startup\<random letters>.exe



Payload

Allows remote access and control

PWS:Win32/Zbot.AHD allows varying degrees of remote access and control of your computer depending on how it has been configured. Once installed, PWS:Win32/Zbot.AHD downloads a configuration file from a remote server that determines how it will behave.

PWS:Win32/Zbot.AHD generates up to 1020 pseudo-randomly named domains and attempts to connect to each domain in the generated list to download the configuration file. The generated domain names are based on your system's date and time and use one of the following suffixes:

.com
.net
.org
.info
.biz
.ru

Some examples include:

tsljnihhusyxzddltpci.net
hbixougjfqxkftswinlfbars.org
dhqwyelbpndaqwljampjsoea.info
rvowslrmvnfkblkfyttpfemwx.com
ofvgupbpsgaumfvkbuobevceuv.ru
jvklraqgyofcqhikfbazlltauhi.biz
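Added example (not from the Microsoft write-up): a Python heuristic that flags DNS queries fitting the generated-domain pattern described above (two labels, a long letters-only second-level label, one of the listed suffixes) and groups them by client so a burst of lookups from one host stands out. The sample log is constructed, and the 20-letter minimum label length is an assumption drawn from the examples listed above.

```python
import re
from collections import defaultdict

# Domain suffixes the write-up lists for the generated names.
DGA_TLDS = {"com", "net", "org", "info", "biz", "ru"}

# Constructed DNS query log (not real telemetry): "<time> <client> <queried name>".
# The three long names are the write-up's own examples of generated domains.
SAMPLE_DNS_LOG = """\
10:00:01 192.168.1.20 www.microsoft.com
10:00:02 192.168.1.20 tsljnihhusyxzddltpci.net
10:00:02 192.168.1.20 hbixougjfqxkftswinlfbars.org
10:00:03 192.168.1.21 mail.example.co.uk
10:00:03 192.168.1.20 ofvgupbpsgaumfvkbuobevceuv.ru
10:00:04 192.168.1.22 images.example.net
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def looks_generated(qname, min_label_len=20):
    """Heuristic match for this family's generated domains: exactly two labels,
    a second-level label made only of ASCII letters and at least min_label_len
    long (the write-up's examples are 20 to 27 letters), and one of the listed TLDs.
    The length threshold is an assumption taken from those examples."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2:
        return False
    sld, tld = labels
    return tld in DGA_TLDS and len(sld) >= min_label_len and sld.isascii() and sld.isalpha()


def flag_dga_queries(log_text):
    """Return {client: [matching query names]} so a burst from one host is visible."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _, client, qname = m.groups()
        if looks_generated(qname):
            by_client[client].append(qname)
    return dict(by_client)


if __name__ == "__main__":
    for client, names in flag_dga_queries(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups: {', '.join(names)}")
```

Because the malware may try hundreds of such names before one resolves, a high count of NXDOMAIN responses for names matching this shape from a single client is the more reliable signal than any one lookup.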

The configuration file contains data used by the malware in order to perform its data-stealing payload, including:

  • Locations to download updates of PWS:Win32/Zbot from
  • Locations to download additional data files from
  • The version of the malware
  • Online financial institutions to target
  • HTML and JavaScript code for performing its data stealing payload


Recent variants of this malware use a decentralized peer-to-peer (P2P) communication method in order to receive commands from a remote attacker, download updates and configuration files, and upload stolen information. Older variants used a centralized command and control method (thus reaching out to a single specific server to receive instruction).

Using this access, a remote attacker could perform any of the following actions on your computer:

  • Reboot or shut down your computer
  • Uninstall Zbot
  • Update Zbot and its configuration file
  • Search or remove files and directories
  • Log you off your computer
  • Run a program
  • Steal or remove Internet Explorer browser cookies
  • Steal or delete certificates
  • Block or unblock URLs
  • Change the Internet Explorer home page
  • Steal your FTP credentials
  • Steal your email login credentials
  • Steal credentials stored by Macromedia Flash Player by parsing "flashplayer.cab" with SOL (Flash Local Shared Object File) files located at "%APPDATA%\Macromedia\Flash Player"
  • Remove Macromedia Flash Player files located at "%APPDATA%\Macromedia\Flash Player"


Steals sensitive information

PWS:Win32/Zbot.AHD hooks APIs used by Internet Explorer and Mozilla Firefox. It does this to monitor the activities you perform online and steal your data. It also injects HTML code into particular websites so that it can capture and steal your credentials when you visit these websites and log in.

The trojan steals the following sensitive information from your computer:

  • Digital certificates
  • Cached passwords
  • Logged keystrokes
  • Screen and window image captures
  • Passwords and other details (such as credit card numbers) as you enter them to targeted websites


We've observed Zbot targeting the following websites in this way:

amazon.com
blogger.com
flickr.com
livejournal.com
myspace.com
youtube.com
microsoft.com
facebook.com
ktt.key.com/ktt/cmd/logonFromKeyCom
ktt.key.com/ktt/cmd/validatePinForm
feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&
us.hsbc.com

Steals Windows Mail and Windows Live mail credentials

If your computer is running Windows XP or earlier, Win32/Zbot uses the COM libraries "msoeacct.dll" and "wab32.dll" to capture the following details:

  • Your Windows mail account name
  • Your email address
  • Email server
  • Your user name
  • Your password


Otherwise, if you are running Windows Vista or above, the trojan captures the credentials by parsing the Windows mail folder, specified in this registry subkey:

HKCU\SOFTWARE\Microsoft\Windows Mail\Store Root\

Related encyclopedia entries

Win32/Bredolab

Win32/Cutwail

Win32/Kelihos

Win32/Waledac

Exploit:Win32/CplLnk

Blacole

Win32/Zbot



Analysis by Rodel Finones

Last update 01 March 2013