
New Wave of Zbot Trojan

Friday, August 13, 2010 at 6:57pm by Pedro Bueno

McAfee Labs detected a new wave of the PWS-Zbot (a.k.a. Zeus) spam campaign this week.

Some common phrases used in the email subject headers:

  • Subject: Sales Dept
  • Subject: Another candidate brought to you
  • Subject: Summary of payments

These emails carried PWS-Zbot Trojan variants that are a part of the 2.x version of the Zeus botnet, and currently try to access the following URLs:

  • hxxpS://193.104.{blocked}/box1/master.tmp
  • hxxpS://193.104.{blocked}/box1/1.gif
  • hxxpS://193.104.{blocked}/box1/update.php
  • hxxpS://cisco-update-{blocked}.com/box1/1.gif (currently offline)

This variant also exhibits rootkit behavior, hooking Windows APIs to prevent users from seeing some of the files.

Examples of such hooks are:

  • ntdll.dll!NtCreateThread
  • USER32.dll!TranslateMessage
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!LdrLoadDll
  • ntdll.dll!LdrGetProcedureAddress
  • ntdll.dll!NtCreateThread
  • USER32.dll!GetClipboardData

This variant also uses HTTPS as the communication protocol with the remote servers to download encrypted data. In some instances, it was also found to patch termsrv.dll to bypass authentication while connecting to the machine via Remote Desktop.
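The hooks above are user-mode inline hooks: the first bytes of an exported function are overwritten with a jump into injected code. The cross-view check below is an added example (not McAfee's code or tooling) of how an anti-rootkit scanner detects that: it compares an export's in-memory prologue with the on-disk copy and decodes where the trampoline goes. The ntdll stub bytes, addresses and module range are constructed for the example, not taken from a real build.

```python
import struct

# Constructed sample data, not taken from a real ntdll build: a clean x86
# Nt* stub prologue (mov eax, 91h; mov edx, 7FFE0300h; call [edx]; ret 2Ch)
# and a hypothetical address range for the loaded module.
CLEAN_STUB = bytes.fromhex("B891000000BA0003FE7FFF12C22C00")
NTDLL_RANGE = (0x7C900000, 0x7C9B0000)

def jmp_target(prologue, func_addr):
    """Decode the trampoline an inline hook writes over a function's start:
    'jmp/call rel32' (E9/E8) or 'push imm32; ret' (68 .. C3). None if absent."""
    if len(prologue) >= 5 and prologue[0] in (0xE9, 0xE8):
        rel32 = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel32) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None

def check_export(name, func_addr, in_memory, on_disk, module_range):
    """Cross-view check: in-memory prologue vs. the on-disk copy. A changed
    prologue whose trampoline leaves the module's own range is the classic
    user-mode rootkit signature (e.g. filtering NtQueryDirectoryFile results)."""
    if in_memory[:len(on_disk)] == on_disk:
        return None                      # export untouched
    target = jmp_target(in_memory, func_addr)
    lo, hi = module_range
    kind = "modified-prologue"
    if target is not None and not lo <= target < hi:
        kind = "inline-jmp-outside-module"
    return {"export": name, "target": target, "kind": kind}

def scan(snapshot, on_disk, module_range):
    """snapshot: {export_name: (address, in_memory_bytes)} -> list of findings."""
    hits = (check_export(n, a, m, on_disk, module_range) for n, (a, m) in snapshot.items())
    return [h for h in hits if h]

def build_snapshot():
    """Constructed process snapshot mirroring two of the hooks listed above."""
    hook = 0x00A01230                    # hypothetical injected-code address
    q_addr, t_addr, l_addr = 0x7C90D750, 0x7C90D090, 0x7C916020
    jmp = struct.pack("<Bi", 0xE9, hook - (q_addr + 5))          # jmp rel32
    push_ret = b"\x68" + struct.pack("<I", hook + 0x40) + b"\xC3"  # push; ret
    return {
        "ntdll.dll!NtQueryDirectoryFile": (q_addr, jmp + CLEAN_STUB[5:]),
        "ntdll.dll!NtCreateThread": (t_addr, push_ret + CLEAN_STUB[6:]),
        "ntdll.dll!LdrLoadDll": (l_addr, CLEAN_STUB),
    }
```

Calling scan(build_snapshot(), CLEAN_STUB, NTDLL_RANGE) reports the two hooked exports with their trampoline destinations and leaves the untouched LdrLoadDll out of the findings.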

The SSL certificate used by the server is self-signed with default parameters and a date of July 13, exactly one month from today.

Further details of the Zbot or Zeus Trojan family are available at the Virus Information Library.

Update: We have noticed that some reports refer to the current wave of PWS-Zbot as “Zeus v3.” To clarify: the current Zbot variants are generated by the “v2 toolkit” and its variants. The Zbot Trojan has evolved from the “v1 toolkit,” which generated the 1.x.x to 1.3.x variants, to the “v2 toolkit,” which underlies the current versions.
