Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    File infectors and ZBOT don’t usually go together, but we recently saw a case where these two kinds of threats did.

    This particular file infector – PE_PATNOTE.A (MD5 871246d00caffdbed56b1374975c368e) – appends its code to all executable files on the infected system, like so:

    Figure 1. Before infection

    Figure 2. After infection

    What does this code do? It drops and executes the embedded ZBOT variant, TSPY_ZBOT.PNR (MD5 5c492c6300fd9def233bfaa56fb6b0f2), as well as infecting other executable files. TSPY_ZBOT.PNR is dropped as %User Temp%\notepat.exe.

    As we mentioned earlier, PE_PATNOTE.A spreads by adding its code to all executable files on the system. This includes removable and network drives, not just fixed drives on the system. This may allow it to spread across multiple systems, making cleanup and removal much more difficult.

    In addition to its rather unusual behavior, this malware also uses some of the anti-analysis techniques that we started seeing earlier this year. This thwarts some common analysis tools like OllyDbg, ProcDump, StudPDE, and WinHex. This may be an indicator that we will see greater use of these techniques moving forward.

    Figure 3. Embedded ZBOT variant

    This isn’t the first time we’ve seen file infectors used to spread ZBOT. In late 2010, we found that ZBOT was being spread by the LICAT file infector. However, there were some differences between then and now. Then, ZBOT was being downloaded onto the system; today the ZBOT code is dropped directly onto the affected system. This makes it more likely that infection can take place even in networks with restricted Internet access.

    We detect both the file infector (PE_PATNOTE.A) and the ZBOT variant (TSPY_ZBOT.PNR) through the Trend Micro Smart Protection Network.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice