
PWS:Win32/Zbot.SU


First posted on 30 August 2010.
Source: SecurityHome

Aliases :

PWS:Win32/Zbot.SU is also known as W32/Zbot.AVW (Authentium (Command)), Trojan-Spy.Win32.Zbot.alys (Kaspersky), TrojanSpy.Zbot.AHHR (VirusBuster), Trojan.PWS.Panda.364 (Dr.Web), Win32/Spy.Zbot.YW (ESET), Trojan-Spy.Win32.Zbot (Ikarus), Trojan.Zbot (Symantec), TROJ_ZBOT.KJT (Trend Micro).

Explanation :

PWS:Win32/Zbot.SU is a password stealing trojan. Win32/Zbot also contains backdoor functionality that allows unauthorized access and control of an affected machine.
Installation :

When executed, PWS:Win32/Zbot.SU copies itself with a variable file name as the following:

  • %APPDATA%\<random letters>\<random letters>.exe

For example: %APPDATA%\udnuux\yviqh.exe

It modifies the registry to execute this copy at each Windows start:

    Sets value: "<GUID of Windows volume>"
    With data: "%APPDATA%\<random letters>\<random letters>.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Many Zbot variants utilize code injection to hinder detection and removal. When PWS:Win32/Zbot.SU executes, it may inject code into the following running processes:

  • ctfmon.exe
  • explorer.exe
  • rdpclip.exe
  • taskeng.exe
  • taskhost.exe
  • wscntfy.exe

Payload :

Steals sensitive information

PWS:Win32/Zbot.SU hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials when a user visits certain websites. A configuration file may be downloaded from a remote server (for example, "dailyair.net") and captured data is then sent to a predefined FTP or email server. It collects FTP credentials (IP, port, username, and passwords) from the following FTP software:

  • CoreFTP
  • FAR/FAR2
  • FileZilla
  • FlashFXP
  • FTP Commander
  • SmartFTP
  • Total Commander
  • winscp
  • ws_ftp

PWS:Win32/Zbot.SU steals the following sensitive information from the affected computer:

  • certificates
  • Internet Explorer cookies
  • cache passwords

PWS:Win32/Zbot.SU hooks the following Windows system APIs to capture sensitive information:

  • GetFileAttributesExW
  • HttpSendRequestW
  • HttpSendRequestA
  • HttpSendRequestExW
  • HttpSendRequestExA
  • InternetCloseHandle
  • InternetReadFile
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • HttpQueryInfoA
  • closesocket
  • send
  • WSASend
  • TranslateMessage
  • GetClipboardData
  • PFXImportCertStore

It also hooks the following APIs specific to Firefox:

  • PR_OpenTCPSocket
  • PR_Close
  • PR_Read
  • PR_Write

PWS:Win32/Zbot.SU also logs keystrokes and takes snapshots of the user's desktop.

Lowers web browser security

PWS:Win32/Zbot.SU lowers Internet Explorer web browser security settings by modifying the registry data:

  • Disables Internet Explorer phishing filtering:
    Sets value: "Enabled"
    With data: "0"
    Sets value: "EnabledV8"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
  • Disables clearing Internet Explorer browser cookies:
    Sets value: "CleanCookies"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Internet Explorer\Privacy
  • Disables Internet Explorer zone security settings:
    Sets value: "1609"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Sets value: "1406"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "1609"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "1406"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "1406"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4

Allows remote backdoor access and control

PWS:Win32/Zbot.SU can be instructed to perform a host of actions by a remote attacker, including the following:

  • block/unblock URLs
  • enable/disable HTTP injection
  • execute a program
  • get current path
  • log off
  • reboot/shut down affected computer
  • search/remove files
  • set Internet Explorer home page
  • steal certificates
  • steal credentials stored by Macromedia Flash Player by parsing "flashplayer.cab" with SOL (Flash Local Shared Object File) files located at "%APPDATA%\Macromedia\Flash Player"
  • steal FTP credentials
  • steal Internet Explorer browser cookies
  • uninstall/update Zbot

Additional Information :

PWS:Win32/Zbot.SU appends the following headers when invoking the hooked APIs "HttpSendRequestA", "HttpSendRequestExW", and "HttpSendRequestExA":

    Accept-Encoding: identity
    TE:
    If-Modified-Since:
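The registry changes listed under Installation and "Lowers web browser security" are the most stable host-level indicators in this description. The following added example (not part of the original writeup) checks a list of (subkey, value name, data) tuples against them; the sample registry snapshot is constructed, and matching a GUID-shaped Run value name is an assumption, since the page names it only as "<GUID of Windows volume>".

```python
import re

# Registry indicators taken from the description above: the Run-key persistence
# entry and the Internet Explorer settings the trojan zeroes out.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# The writeup names the Run value only as "<GUID of Windows volume>"; matching
# a GUID-shaped value name is an assumption made here.
GUID_NAME = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
APPDATA_COPY = re.compile(r"^%APPDATA%\\[a-z]+\\[a-z]+\.exe$", re.I)
IE_HARDENING = {
    (r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter", "Enabled"),
    (r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter", "EnabledV8"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Privacy", "CleanCookies"),
}
ZONE_KEY = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\[0-4]$", re.I)
ZONE_VALUES = {"1406", "1609"}


def find_zbot_indicators(entries):
    """Return (kind, key, name, data) for each entry matching a Zbot.SU change.

    entries: iterable of (subkey, value name, data) tuples, e.g. parsed from a
    registry export or collected with winreg on a live host.
    """
    hits = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and GUID_NAME.match(name) and APPDATA_COPY.match(data):
            hits.append(("run_key_persistence", key, name, data))
        elif (key, name) in IE_HARDENING and data == "0":
            hits.append(("ie_protection_disabled", key, name, data))
        elif ZONE_KEY.match(key) and name in ZONE_VALUES and data == "0":
            hits.append(("ie_zone_weakened", key, name, data))
    return hits


# Constructed sample snapshot (not from the page): one infected-looking Run
# entry, one benign one, and a mix of weakened and untouched IE settings.
SAMPLE_REGISTRY = [
    (RUN_KEY, "{1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d}", r"%APPDATA%\udnuux\yviqh.exe"),
    (RUN_KEY, "OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    (r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter", "Enabled", "0"),
    (r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter", "EnabledV8", "1"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Privacy", "CleanCookies", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1609", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2", "1406", "1"),
]

if __name__ == "__main__":
    for hit in find_zbot_indicators(SAMPLE_REGISTRY):
        print(*hit, sep=" | ")
```

A zeroed zone value alone is a weak signal, since administrators also set these keys; the Run entry pointing into a random %APPDATA% subfolder is what should drive triage.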

    Analysis by Jireh Sanico

    Last update 30 August 2010