Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us

    The ZeuS/ZBOT malware family is probably one of the most well-known malware families today . It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines like downloading or dropping other threats like ransomware.

    We recently came across one variant detected as TROJ_ZCLICK.A, which seemingly “locks” the desktop to display websites. This kind of behavior is out of the ordinary for a ZBOT variant. Once it infiltrates the system, this occurs every time the user performs any activity, such as opening a window or file. These sites occupy the entire desktop screen, hindering access to any open windows or files. There have been instances wherein the user can still see the open windows, but with the sites running in the background. Users can bypass this inconvenience by performing the “show desktop” command but the malware will continue to display windows.


    Figure 1. Sites are displayed full-screen in the background of the running program Space Cadet

     It should be noted that the sites being displayed are all legitimate–running from gaming sites, ticketing sites, music sites to search engines. Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle.

    It is noteworthy to say that this variant doesn’t perform traditional routines associated with this malware family like stealing information. However, analysis reveals that the sample does contain the ZBOT code and this only means that this ZBOT variant only loads the clickbot routine. In this light, it’s only logical to assume that the main motivation for this variant is to generate income via the pay-per-click model.

    This malware proves that cybercriminals are continuously tweaking familiar or known malware to deliver new payloads, all in the name of generating income from victimizing users. As such, users should always remember key safety practices when going online. Habits like installing the latest software updates or deleting spammed messages can go a long way in protecting computers from threats.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice