
Win32/Zeeborot


First posted on 23 September 2014.
Source: Microsoft

Aliases :

There are no other names known for Win32/Zeeborot.

Explanation :

Threat behavior

Installation

Win32/Zeeborot can be installed on your PC by:

  • Malicious or compromised websites
  • Malicious torrent files
  • Other malware
  • Spam email attachments


The malware creates an instance of svchost.exe in suspended mode with the following command line parameter:

  • \svchost.exe ext


It injects a copy of itself into the created process.

Win32/Zeeborot drops a copy of itself at the following location:

  • %APPDATA% \\.exe, for example, C:\Documents and Settings\Alan Tracey\Application Data\Irvo\reyka.exe


It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example "{9024414C-D7F3-5CD8-2536-500D5E976EA9}"
With data: "", for example "C:\Documents and Settings\Alan Tracey\Application Data\Irvo\reyka.exe"

The malware will create an event named "Global\", for example "Global\omomupumaduvoko", as a system infection marker.

Payload

Installs other malware

Win32/Zeeborot creates a Tor hidden service that runs a Win32/Zbot family variant on the infected system. This is achieved by creating the following suspended service process:

  • %systemdir%\svchost.exe –HiddenServiceDir %appdata%\tor\hidden_service –HiddenServicePort "55080 127.0.0.1:55080"


It then injects a copy of a Zbot variant (PWS:Win32/Zbot.gen!CI at the time of analysis) into the hidden service.
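The persistence entry, the svchost.exe command lines and the hidden service directory described above are all host-level artifacts a responder can check for. The following PowerShell script is an added example written for this page, not Microsoft's analysis tooling; the function names, the GUID/%APPDATA% heuristics and the "-k" rule for genuine svchost.exe are the author's assumptions, and it needs PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example (not from the write-up): hunt for the Win32/Zeeborot artifacts
# listed above. Heuristics and function names are the author's assumptions.

function Find-ZeeborotRunValue {
    # Flags HKCU Run entries matching the described pattern: a GUID-style value
    # name, or data that points at an .exe one folder below %APPDATA%.
    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $appData  = [regex]::Escape($env:APPDATA)
    $guidName = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
        $data = [string]$p.Value
        if (($p.Name -match $guidName) -or ($data -match "^`"?$appData\\[^\\]+\\[^\\]+\.exe")) {
            [pscustomobject]@{ Check = 'RunKey'; Name = $p.Name; Data = $data }
        }
    }
}

function Find-SuspiciousSvchost {
    # Genuine svchost.exe runs from %SystemRoot%\System32 (or SysWOW64) with a
    # "-k <group>" argument. The instances described above carry "ext" or the
    # Tor HiddenServiceDir/HiddenServicePort options instead, so any svchost.exe
    # without "-k", or with Tor options, is worth a look.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $cmd  = [string]$_.CommandLine
        $path = [string]$_.ExecutablePath
        $badPath = $path -and ($path -notlike "$env:SystemRoot\System32\*") `
                         -and ($path -notlike "$env:SystemRoot\SysWOW64\*")
        $torArgs = $cmd -match 'HiddenService(Dir|Port)'
        $noGroup = $cmd -and ($cmd -notmatch '\s-k\s')
        if ($badPath -or $torArgs -or $noGroup) {
            [pscustomobject]@{ Check = 'Process'; ProcessId = $_.ProcessId; Path = $path; CommandLine = $cmd }
        }
    }
}

function Find-ZeeborotHiddenServiceDir {
    # The hidden service directory the Tor command line points at.
    $dir = Join-Path $env:APPDATA 'tor\hidden_service'
    if (Test-Path -Path $dir) {
        [pscustomobject]@{ Check = 'HiddenServiceDir'; Path = $dir }
    }
}

# Run all three checks; no output means none of the artifacts was found.
@(Find-ZeeborotRunValue; Find-SuspiciousSvchost; Find-ZeeborotHiddenServiceDir) | Format-List
```

CommandLine and ExecutablePath come back empty for processes the current user cannot open, so run the script elevated to cover every svchost.exe; on hosts without Get-CimInstance, Get-WmiObject Win32_Process returns the same properties. A hit from Find-SuspiciousSvchost is a lead to triage, not a verdict, since the process is a real svchost.exe binary with foreign code injected into it.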

Connects to a remote host

This malware communicates with its command and control servers through the Tor network.

To reach a web server published as a Tor hidden service, a client uses a special naming scheme: the server's name is derived from its public key within the Tor network, with .onion as the top-level domain. The malware contains a list of .onion domains that it contacts using the standard HTTP protocol (over SOCKS):

  • 24v63yidnlfeke45.onion
  • 3kc3wgsbq5bjikyf.onion
  • 4bx2tfgsctov65ch.onion
  • 4njzp3wzi6leo772.onion
  • 6ceyqong6nxy7hwp.onion
  • 6m7m4bsdbzsflego.onion
  • 6tkpktox73usm5vq.onion
  • 742yhnr32ntzhx3f.onion
  • 7wuwk3aybq5z73m7.onion
  • ceif2rmdoput3wjh.onion
  • dpuzn6fhxqr2kfx6.onion
  • eamxnonwsr76nbit.onion
  • f2ylgv2jochpzm4c.onion
  • gpt2u5hhaqvmnwhr.onion
  • h266x4kmvmpdfalv.onion
  • jr6t4gi4k2vpry5c.onion
  • kexxw7qevamewdkc.onion
  • kv5fkk7csqonp64x.onion
  • mh4vqvfvjk5imf2a.onion
  • niazgxzlrbpevgvq.onion
  • owbm3sjqdnndmydf.onion
  • qdzjxwujdtxrjkrz.onion
  • rxrhv2ajbmjw3kyq.onion
  • ua4ttfm47jt32igm.onion
  • uf5aizcddahngjbz.onion
  • uy5t7cus7dptkchs.onion
  • uzvyltfdj37rhqfy.onion
  • wg6ry5rlzfoosbir.onion
  • x3wyzqg6cfbqrwht.onion
  • xvauhzlpkirnzghg.onion


Once connected to the network, the malware can receive instructions to perform DDoS attacks and Bitcoin mining.
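Because the .onion names are resolved inside Tor rather than through DNS, they are most likely to turn up in strings extracted from a process dump or in a SOCKS-aware proxy log. The following PowerShell snippet, an added example that is not part of the Microsoft write-up, packages the list above into a single regular expression and scans text lines with it; the function name is the author's choice, and the sample lines are constructed for the demonstration.

```powershell
# Added example (not from the write-up): match the listed .onion C2 names
# against lines of text such as strings output or proxy logs.
$ZeeborotOnion = @(
    '24v63yidnlfeke45.onion', '3kc3wgsbq5bjikyf.onion', '4bx2tfgsctov65ch.onion',
    '4njzp3wzi6leo772.onion', '6ceyqong6nxy7hwp.onion', '6m7m4bsdbzsflego.onion',
    '6tkpktox73usm5vq.onion', '742yhnr32ntzhx3f.onion', '7wuwk3aybq5z73m7.onion',
    'ceif2rmdoput3wjh.onion', 'dpuzn6fhxqr2kfx6.onion', 'eamxnonwsr76nbit.onion',
    'f2ylgv2jochpzm4c.onion', 'gpt2u5hhaqvmnwhr.onion', 'h266x4kmvmpdfalv.onion',
    'jr6t4gi4k2vpry5c.onion', 'kexxw7qevamewdkc.onion', 'kv5fkk7csqonp64x.onion',
    'mh4vqvfvjk5imf2a.onion', 'niazgxzlrbpevgvq.onion', 'owbm3sjqdnndmydf.onion',
    'qdzjxwujdtxrjkrz.onion', 'rxrhv2ajbmjw3kyq.onion', 'ua4ttfm47jt32igm.onion',
    'uf5aizcddahngjbz.onion', 'uy5t7cus7dptkchs.onion', 'uzvyltfdj37rhqfy.onion',
    'wg6ry5rlzfoosbir.onion', 'x3wyzqg6cfbqrwht.onion', 'xvauhzlpkirnzghg.onion'
)

# One alternation of escaped names, bounded so partial matches do not count.
$onionPattern = '\b(' + (($ZeeborotOnion | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

function Find-ZeeborotOnion {
    # Emits one object per input line that contains a listed .onion name.
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        $m = [regex]::Match($Line, $onionPattern, 'IgnoreCase')
        if ($m.Success) {
            [pscustomobject]@{ Indicator = $m.Value.ToLower(); Line = $Line.Trim() }
        }
    }
}

# Constructed sample: two lines that should match and one that should not.
$sample = @(
    'http://24v63yidnlfeke45.onion/',
    'Host: XVAUHZLPKIRNZGHG.onion',
    'Mozilla/4.0 (compatible; MSIE 7.0)'
)
$sample | Find-ZeeborotOnion

# To scan a real artifact: Get-Content .\strings.txt | Find-ZeeborotOnion
```

The match is case-insensitive because the names may be upper-cased in some artifacts, and the indicator is normalised to lower case so hits can be grouped and counted across many files.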



Analysis by Patrick Estavillo


Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "", for example "{9024414C-D7F3-5CD8-2536-500D5E976EA9}"
    With data: "", for example "C:\Documents and Settings\Alan Tracey\Application Data\Irvo\reyka.exe"




Last update 23 September 2014

 
