Home / malwarePDF  

PWS:Win32/Zbot.gen!AM


First posted on 27 April 2013.
Source: Microsoft

Aliases :

PWS:Win32/Zbot.gen!AM is also known as Spyware/Win32.Zbot (AhnLab), TR/PSW.Zbot.AM.1595 (Avira), Trojan-PWS.Win32.Zbot (Ikarus), PWS-Zbot-FASE!AA1971DE0DA0 (McAfee).

Explanation :



Installation

When run, PWS:Win32/Zbot.gen!AM drops a copy of itself as a randomly named file with the following format:

%APPDATA%\<random letters>\<random letters>.exe - for example, "C:\Documents and Settings\Administrator\Application Data\Vyefm\ywjy.exe"

It makes the following change to your system registry so that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Mirosoft\Windows\CurrentVersion\Run
Sets value: "{GUID of your Windows volume}"
With data: "%APPDATA%\<random letters>\<random letters>.exe"

It tries to inject code into the address space of all running processes matching the security privilege of the currently logged-on user; if it is unable to do so, it injects its code into all user-level processes (such as "explorer.exe", "iexplore.exe" and so on).

Note: Code injection is commonly used by malware in an attempt to prevent its detection by security software.

Spreads via...

Remote desktop services (RDS)

PWS:Win32/Zbot.gen!AM can install its code to other computers if your computer is connected to other computers in the network via Remote Desktop Services (RDS). If your computer is running RDS, this trojan tries to run a process for every connected RDS session to drop a copy of the trojan in the remote desktop folders <startup folder>.



Payload

Steals sensitive information

PWS:Win32/Zbot.gen!AM hooks the following Windows system APIs to gather sensitive data from your computer, such as login credentials for online bank accounts, email credentials, and network information:

  • In the file NSPR.DLL:
    • PR_OpenTCPSocket
    • PR_Close
    • PR_Poll
    • PR_Read
    • PR_Write
  • In the file NTDLL.DLL:
    • ZwCreateThread
    • LdrLoadDll
  • In the file KERNEL32.DLL:
    • GetFileAttributesExW
  • In the file WININET.DLL:
    • HttpSendRequestW
    • HttpSendRequestA
    • HttpSendRequestExW
    • HttpSendRequestExA
    • InternetCloseHandle
    • InternetReadFile
    • InternetReadFileExA
    • InternetQueryDataAvailable
    • HttpQueryInfoA
    • InternetSetStatusCallbackW
    • InternetSetStatusCallbackA
    • InternetSetOptionA
  • In the file WS2_32.DLL:
    • closesocket
    • send
    • WSASend
    • recv
    • WSARecv
  • In the file GDI32.DLL:
    • OpenInputDesktop
    • SwitchDesktop
    • DefWindowProcW
    • DefWindowProcA
    • DefDlgProcW
    • DefDlgProcA
    • DefFrameProcW
    • DefFrameProcA
    • DefMDIChildProcW
    • DefMDIChildProcA
    • CallWindowProcW
    • CallWindowProcA
    • RegisterClassW
    • RegisterClassA
    • RegisterClassExW
    • RegisterClassExA
  • In the file USER32.DLL:
    • BeginPaint
    • EndPaint
    • GetDCEx
    • GetDC
    • GetWindowDC
    • ReleaseDC
    • GetUpdateRect
    • GetUpdateRgn
    • GetMessagePos
    • GetCursorPos
    • SetCursorPos
    • SetCapture
    • ReleaseCapture
    • GetCapture
    • GetMessageW
    • GetMessageA
    • PeekMessageW
    • PeekMessageA
    • TranslateMessage
    • GetClipboardData
  • In the file CRYPT32.DLL:
    • PFXImportCertStore


Once it has hooked these APIs, the trojan steals the following sensitive information from your computer:

  • Cached user names and passwords
  • Digital certificates
  • Internet Explorer cookies


It also logs keystrokes and takes snapshots of the activities on your computer. Captured data is sent to a predefined FTP or email server, specified in the downloaded configuration file (see below), and is sent to a remote attacker.

Lowers Internet Explorer security

PWS:Win32/Zbot.gen!AM lowers Internet Explorer's security settings by changing the following settings in the registry:

  • Disables phishing filtering:
    In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
    Sets value: "Enabled"
    With data: "0"
    Sets value: "EnabledV8"
    With data: "0"
  • Disables system behavior to remove expired Internet Explorer browser cookies:
    In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
    Sets value: "CleanCookies"
    With data: "0"
  • Lowers Internet Explorer Internet zone security settings:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Set value: "1609"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "1406"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "1609"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "1406"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "1406"
    With data: "0"


Lowers Firefox security

PWS:Win32/Zbot.gen!AM might change settings for Mozilla Firefox, including the following:

  • Disable the clearing of Internet cookies
  • Disable warning messages that are displayed when viewing mixed secure and unsecure web pages
  • Disable warning messages that are displayed when submitting data to unsecure pages
  • Downloads configuration data


Allows remote access and control

Earlier variants of this trojan downloaded a configuration file from a remote server (for example, "dairanet.cn"). Newer variants of this malware generate a list of up to 1020 pseudo-randomly named domains that they try to connect to. If a trojan successfully connects to a domain, it downloads a configuration file. The list of domain names that are generated are based on the system date and time, and have one of these suffixes:

  • .biz
  • .com
  • .info
  • .net
  • .org


The downloaded configuration file contains data used by this trojan, for example:

  • URL from which it downloads its code updates
  • URL from which additional configuration data files can be downloaded
  • URL of targeted online banks
  • What version of the bot builder was used to create this trojan
  • HTML and JavaScript code for parsing target web pages


Depending on the information in the downloaded configuration data file, some variants of this trojan might:

  • Restart or shut down your computer
  • Remove or update itself from your computer
  • Enable or disable HTTP injection, which is a type of attack in which malicious code is injected into HTTP pages
  • Look through your files and folders
  • Delete files and folders
  • Log off the current user
  • Run a program
  • Steal Internet Explorer browser cookies
  • Steal or delete certificates
  • Block or unblock access to certain websites
  • Set the Internet Explorer home page
  • Steal FTP and email credentials stored in your computer




Analysis by Zhitao Zhou

Last update 27 April 2013

 

TOP

Malware :

Family: