    TSPY_ZBOT.CQJ is one of the new ZeuS/ZBOT 2.0 variants spotted earlier this year. Let’s take a look at one of the methods it uses to steal users’ banking credentials.

    These new ZBOT variants intercept the information users enter into a bank’s Web page by inserting predefined JavaScript code into that page. At present, the injection works when affected users browse with Internet Explorer or Firefox.

    A downloaded ZBOT configuration file contains a list of target websites. It also specifies how these targets will be modified. In some cases, Web forms are added for users to fill in. Here’s a screenshot of part of a targeted bank’s website:

    Here is the modified version. Note the added field, Clavo de Operaciones, which refers to another security key:

    The latter version has been extensively modified with the addition of a script that was not present in the original version:


    This script performs the actual information theft, capturing any credential the user enters. If the inserted Web form field is left blank, the script prompts the user to fill it in.
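    As an added example (not Trend Micro’s code and not the malware’s), here is a defender-side integrity check that compares a captured copy of a bank’s login page against the form fields the bank is known to serve, and flags extra inputs and inline scripts of the kind described above. The sample HTML, the baseline field names and the injected field name are constructed for the example.

```python
"""Page-integrity check for a bank login form (added example, not Trend Micro's code).

Given a baseline of the input fields the bank legitimately serves, flag extra
input fields and inline <script> blocks that a web inject may have added.
The sample HTML and field names below are constructed for this example.
"""
from html.parser import HTMLParser


class FormAuditor(HTMLParser):
    """Collects input names and script references from a page."""

    def __init__(self):
        super().__init__()
        self.fields = []            # input names in document order
        self.inline_scripts = 0     # <script> blocks without a src attribute
        self.external_scripts = []  # src values of external scripts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields.append(a["name"])
        elif tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
            else:
                self.inline_scripts += 1


def audit_page(html, expected_fields):
    """Compare the page's inputs and scripts against the expected baseline."""
    p = FormAuditor()
    p.feed(html)
    return {
        "added_fields": sorted(set(p.fields) - set(expected_fields)),
        "missing_fields": sorted(set(expected_fields) - set(p.fields)),
        "inline_scripts": p.inline_scripts,
        "external_scripts": p.external_scripts,
    }


def is_tampered(html, expected_fields):
    """True when unexpected inputs or any inline script are present."""
    r = audit_page(html, expected_fields)
    return bool(r["added_fields"]) or r["inline_scripts"] > 0


# Constructed sample pages: the baseline login form, and the same form after an inject
# that adds a second-password field and an inline script (names are assumptions).
BASELINE_FIELDS = ["usuario", "clave"]
ORIGINAL = ('<form action="/login" method="post"><input name="usuario">'
            '<input type="password" name="clave"></form>')
INJECTED = ('<form action="/login" method="post"><input name="usuario">'
            '<input type="password" name="clave"><label>Clave de Operaciones</label>'
            '<input type="password" name="clave_operaciones"></form>'
            '<script>/* injected: would read form values and prompt if blank */</script>')

if __name__ == "__main__":
    print(audit_page(INJECTED, BASELINE_FIELDS))
```

    Running this against the constructed injected page reports one added field and one inline script; the original page reports neither.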

    This second password is used by institutional accounts that have different levels of user privileges. The bank’s website asks for it whenever the user makes a transaction that involves money (such as paying bills or transferring funds). Clearly, this is something that cybercriminals would like to steal.

    Added fields in forms are not the only tactic used. In other cases, a fake secondary login page asking for the second password is displayed instead:


    The goal here is the same as in the first case: the secondary passwords needed to complete financial transactions are stolen.

    In addition to detecting the ZBOT files themselves, Trend Micro products now also detect the scripts inserted into Web pages as JS_ZBOT.SM and JS_ZBOT.CNX. A white paper detailing the activities of the ZeuS/ZBOT botnet is also available here.

    Additional information provided by Advanced Threats Researcher Ranieri Romera.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice