The ZeuS/ZBOT botnet has been entrenched in the cybercrime business for a long time now and has continuously evolved and improved. With a vast number of toolkit versions readily available in the underground, the feature set ZeuS possesses continues to thwart antivirus and other security solutions, as well as the broader efforts of the security industry.
This time, the malware upholds its notorious reputation with a new version related to the previous detections TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ.
ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites. They have rapidly become popular tools for cybercriminals to use, thanks to exceptional information-stealing routines and rootkit capabilities, which allow them to stay stealthy and to affect users’ systems without their knowledge.
Current ZBOT variants use fixed file names (both for their executable and component files). The file names may vary from one ZBOT version to another, but they are recognized by security analysts.
This is not the case for the new ZBOT variants named above. Instead of using prespecified names, both TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ use random names for the files and directories they create. In addition, ZBOT now injects its code into the Explorer process, something that previous variants did not do. Both changes are attempts by cybercriminals to lower ZBOT's profile, a response to the malware family's notoriety, which has made ZBOT malware somewhat easier to detect.
The under-the-hood changes to the ZBOT variants are, if anything, more significant. These new ZBOT variants inject themselves into the following processes:
From this list, we can see that the new ZBOT version now "features" support for both Windows Vista and Windows 7. Taskeng.exe and Taskhost.exe are both Windows Vista and Windows 7 processes; neither exists in older versions such as Windows XP. (In previous ZBOT versions, Windows Vista and Windows 7 support was purchased as a separate add-on.)
The change in the file names used and the introduction of official support for Windows Vista and Windows 7 highlight the fact that ZBOT developers are keeping track of developments and are adjusting their tactics accordingly. For now, older ZBOT variants will represent the bulk of infection threats. However, it will not take long for the new variants to become more widespread.
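The two behaviours described above (randomised file names and remote-thread injection into explorer.exe, taskeng.exe and taskhost.exe) can be turned into a simple host-telemetry rule. The following is an added detection example, not code from the original post or from Trend Micro; it assumes Sysmon-style CreateRemoteThread events (event ID 8) with `source_image` and `target_image` fields, and the sample events are constructed.

```python
import math
import re
from collections import Counter

# Processes the post names as injection targets of the new ZBOT variants.
INJECTION_TARGETS = {"explorer.exe", "taskeng.exe", "taskhost.exe"}
# Directories a legitimate injector (security agent, accessibility tool) normally runs from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; higher suggests a random-looking name."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(filename: str, min_len: int = 6, threshold: float = 3.0) -> bool:
    """Heuristic for the randomised names the new variants use: a long stem with
    high character entropy. Weak on its own, so it only raises an event's score."""
    stem = re.sub(r"\.[^.]+$", "", filename)
    return len(stem) >= min_len and shannon_entropy(stem) >= threshold


def score_event(event: dict) -> int:
    """0 = ignore, 1 = review, 2 or more = likely ZBOT-style injection."""
    if event.get("event_id") != 8:  # only CreateRemoteThread events (assumed field)
        return 0
    if basename(event["target_image"]) not in INJECTION_TARGETS:
        return 0
    source = event["source_image"].lower()
    score = 1                                   # remote thread into a ZBOT target process
    if not source.startswith(TRUSTED_DIRS):
        score += 1                              # injector lives in a user-writable path
    if looks_random(basename(source)):
        score += 1                              # randomised executable name
    return score


def find_suspicious(events: list, min_score: int = 2) -> list:
    return [e for e in events if score_event(e) >= min_score]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"event_id": 8, "source_image": r"C:\Users\bob\AppData\Roaming\Qwxkdp\xqwjzkdpr.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"event_id": 8, "source_image": r"C:\Program Files\Vendor\Agent\agent.exe",
     "target_image": r"C:\Windows\System32\taskhost.exe"},
    {"event_id": 8, "source_image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "target_image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(score_event(e), e["source_image"], "->", e["target_image"])
```

Only the first constructed event scores high enough to surface; the vendor agent injecting into taskhost.exe from Program Files is left at review level, which is where an analyst would tune the trusted-path list for their environment.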
Trend Micro™ Smart Protection Network™ already protects product users from ZeuS-related attacks of this kind by detecting and preventing the malicious files from being executed on systems. Below you can find the number of attacks that the Smart Protection Network has prevented these past few months.
Update as of April 27, 2010, 6:18 p.m. (GMT +8:00):
Some ZBOT variants can modify target Web pages in such a way that they ask users to provide additional information that legitimate sites do not. Previously, this was only done in Internet Explorer (IE). However, data captured from new ZBOT variants now show that this behavior is also done on Mozilla Firefox.