McAfee Labs

Zbot Botnet Steals Thousands of Credentials

By on Apr 07, 2014

In McAfee Labs we keep a close eye on the Zeus/Zbot/Gameover botnet malware that is responsible for the thousands of samples we gather each day. The following graph shows the total number of Zbot samples submitted to McAfee Labs in recent months.

[Figure 1: Zbot samples submitted to McAfee Labs per month]

For a couple of weeks, McAfee Labs has followed a global Zbot campaign in which the payloads have been used to steal credentials. Between the end of March and April 3, the number of bots connected to the botnet ranged between 26,000 and 41,000.

Countries Involved

The following map and table are based on data from April 2. Only countries with more than 80 bots are highlighted:

[Figure 2: World map of countries with more than 80 bots]

[Figure 3: Table of bot counts per country]

The top 10 countries infected with the data-stealing malware:

Rank  Country           Number of Bots
 1.   United Kingdom             6,694
 2.   India                      4,820
 3.   South Africa               3,472
 4.   China                      1,197
 5.   Indonesia                  1,175
 6.   South Korea                1,034
 7.   Italy                      1,029
 8.   United States                999
 9.   Malaysia                     958
10.   Taiwan                       664

By the Numbers

The statistics in the following botnet control screen show some interesting details about the most targeted CPU architectures and operating systems.

The 32-bit CPU architecture is targeted about three times more than 64-bit systems. Windows 7 is the leading operating system, closely followed by Windows XP.

When we started monitoring the botnet, the average number of bots connected to the botnet was 34,461. Around April 1, the number of bots decreased to 26,836. Immediately thereafter, we saw a successful campaign to update the number of bots, with the botnet reaching 41,820 bots. In the United Kingdom, for example, the number of bots grew by 2,000 to 8,663 infected hosts.

[Figure 4: Botnet control panel statistics (bot counts, CPU architecture, operating system)]

The botnet control server hosted at hxxp://vodrasit.su was set up around the beginning of March, although the team behind it was not very careful about protecting the root directory of their server, which was left browsable:

[Figure 5: Directory listing of the control server's root directory]

Jolly Roger

The malware used to connect the bots to the control server is called Jolly Roger. This kit has been available on the underground market since October 2013. Security blogger Kafeine offered an excellent overview of this kit in his post.

During the botnet campaigns, we found a sample at hxxp://merdekapalace.com/jr.exe.

In a forum in March, “Silent Riot” posted an update on Jolly Roger that announced support for hijacking Bitcoin wallets:

[Figure 6: Forum post by "Silent Riot" announcing Bitcoin wallet hijacking support in Jolly Roger]

On March 13, Silent Riot mentioned a bug and an update:

[Figure 7: Forum post by Silent Riot of March 13 mentioning a bug and an update]

The malware steals credentials from various programs on a user’s computer. The harvesting of credentials can be configured per country or per campaign. In this case the botnet harvested HTTP/HTTPS, FTP, RDP, and email (SMTP/POP) credentials as well as certificates:

[Figure 8: Control panel overview of harvested credential logs by type, count, and size]

The preceding overview shows the type of logs available, the count (the number of lines with harvested credentials), and the size of the logs. For example, 153 RDP credentials were harvested during the month’s campaign. That is not the number of unique sites or links; in some cases the same links are harvested multiple times.

An example of a log file:

[Figure 9: Example of a harvested credential log file]

During our investigation, we found thousands of leaked social media accounts, webmail accounts, corporate and government email accounts, RDP sessions into companies, and more. We have reported many of these to CERTs and law enforcement. In one case, a law enforcement agency confirmed that the leaked credentials were already being abused to commit banking fraud.

The control server is no longer available, but we will keep a close watch on this particular botnet to see if it resurfaces.

We would like to thank Kafeine in particular for his help, as well as the many CERTs and law enforcement agencies that responded quickly to our investigation and took actions to inform victims.
