    Archive for May 23rd, 2013

    The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime would be characterized by old threats resurfacing, but with certain refinements and new features in tow. The first quarter of the year proved this thesis, as seen in threats like the CARBERP and Andromeda botnets.

    We can now add the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats; we have noted its increased activity these past months based on Trend Micro Smart Protection Network feedback.


    Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)

    As seen in this chart, ZBOT variants surged in the beginning of February and continued to be active up to this month, even peaking during the middle of May 2013. These malware variants are designed to steal online credentials from users, whether banking credentials/information or other personally identifiable information (PII).

    ZBOT Earlier Versions vs. Current Versions

    Early-generation ZBOT variants create a folder in the %System% folder where they save the stolen data and the configuration file. Users can also find a copy of the malware in that folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites; the strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

    Current ZBOT variants were observed to create two randomly named folders in the %Application Data% folder. One folder contains a copy of ZBOT, while the other contains encrypted data. An example is TSPY_ZBOT.BBH, which Smart Protection Network feedback found to be the top ZBOT variant globally.

    ZBOT malware of this generation is found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated.

    Both variants send DNS queries to randomized domain names. The GameOver variant also opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.

    How does this malware steal your credentials?

    ZBOT malware connects to a remote site to download its encrypted configuration file.


    Figure 2. Screenshot of ZBOT communication to C&C server

    The following information can be seen once the configuration file is decrypted:

    • Site where an updated copy of itself can be downloaded
    • List of websites to be monitored
    • Site where it will send the stolen data

    These configuration files list the banks and other financial institutions that ZBOT monitors in browsers. Since configuration files are downloaded from remote sites, their contents may change at any time: malicious actors can change the list of sites they want to monitor on the affected system.

    Trend Micro Solution for ZBOT variants

    There are several avenues for detecting ZBOT variants, such as:

    1. First, when the malware tries to write to the “Userinit” registry entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    2. Second, when it calls back to the remote site upon execution to acquire its configuration file
    3. Finally, when it sends the stolen data to the remote site, or acquires an updated copy of itself

    The screen capture below shows that this exact behaviour, writing to the “Userinit” registry entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, was successfully blocked by OfficeScan’s Behavioural Monitoring function, so the malware fails to execute:

    Figure 3. OfficeScan Scanning Screenshot
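    The first detection avenue above (an altered Winlogon “Userinit” value) and the hosts-file tampering of earlier ZBOT versions can both be checked by hand. The script below is an added example, not Trend Micro’s code; the Userinit value, user name and folder names in the sample input are constructed, and the live registry read is only attempted on Windows.

```python
"""Host-level checks for two ZBOT artifacts described in the post:
an extra executable appended to Winlogon's "Userinit" value, and
hosts-file entries that pin security/vendor sites to a bogus address."""
import sys

# Stock Userinit value on a clean Windows install (trailing comma is normal).
STOCK_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Constructed sample: a ZBOT-style entry in a random-named %Application Data% folder.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\Xubo\sazo.exe,"

# Constructed sample hosts file: security/vendor sites redirected to localhost.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.trendmicro.com   # added by malware
127.0.0.1 update.microsoft.com
"""


def check_userinit(value: str) -> list:
    """Return every comma-separated entry that is not the stock userinit.exe.
    Winlogon launches each listed entry at logon, so any extra path is a
    persistence candidate worth investigating."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != r"c:\windows\system32\userinit.exe"]


def check_hosts(hosts_text: str, watch=("trendmicro.com", "microsoft.com")) -> list:
    """Return (ip, hostname) pairs in a hosts file that override a watched
    domain; a legitimate hosts file normally contains none of these."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        hits += [(ip, n) for n in names if n.lower().endswith(watch)]
    return hits


def read_live_userinit():
    """Read the real Userinit value on Windows; return None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # stdlib, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    print("extra Userinit entries:", check_userinit(read_live_userinit() or SAMPLE_USERINIT))
    print("hijacked hosts entries:", check_hosts(SAMPLE_HOSTS))
```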

    The second opportunity to detect ZBOT variants is when the malware downloads its configuration file, an updated copy of itself, or even with the attempt to upload its stolen information. Trend Micro Web Reputation Services can detect this function:


    Figure 4. Trend Micro blocks the related URL associated with ZeuS

    In the screen capture above, the URL was detected as malicious. With further investigation, we determined that this site is associated with ZeuS/ZBOT. The same is observed when using Trend Micro’s Deep Discovery:



    Figure 5. Screenshot of Deep Discovery detection of malicious network activity

    Similarly, an attempt to connect to any URL related to ZBOT/ZeuS while performing its call-back routine can be detected via Deep Discovery Inspector.

    As for removing the malware: since it injects itself into certain processes, there are instances where a reboot is required. Because ZeuS/ZBOT downloads newer versions of itself, a given binary may not be detected, but it generally behaves the same way. As such, certain parts of the infection can still be blocked or partially mitigated.


    What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones. Always keep your system up-to-date with the latest security releases from software vendors and install trusted antimalware protection.

    To know more about how cybercriminals are getting better at stealing information, you can refer to this infographic.

    With additional inputs from Threat researchers Rhena Inocencio and Roddell Santos.


    Posted in Malware | Comments Off on ZeuS/ZBOT Malware Shapes Up in 2013

    Since its initial release in February 2012, the Raspberry Pi – a very inexpensive, palm-sized computer meant to help teach computer science in schools – has become a favorite of hobbyists, makers, and tech enthusiasts everywhere. Why wouldn’t it be? The Raspberry Pi offers tinkerers a very low-cost (both to buy and to run) computer in an extremely compact platform. In addition, because of its origins as an educational tool, it’s easy to use and versatile. Accordingly, it can be used in all sorts of creative ways.

    However, its apparent simplicity and low cost come with a downside. The Raspberry Pi is not a simple “device” with limited capabilities; it is a fully capable computer. The same pitfalls that befall normal desktop computing can hit the Raspberry Pi if it is not properly secured.

    Some uses of the Raspberry Pi actually turn it into a server, and that is something users may not really know how to secure. For example, some people have made the Raspberry Pi into a server that controls their home automation system, or that lets them watch videos served by the Pi remotely.

    For many uses of the Raspberry Pi, security isn’t much of a concern – it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it’s used in situations where it is online – particularly as a server – where it’s at potential risk. For example, some automated scanners are already trying to log in with the pi user.

    In short, the Raspberry Pi is only as secure as the uses you put it to. Good server security is not always easy; consider that even IT professionals make mistakes. Look into known server best practices if you do use a Raspberry Pi for such purposes. Considering its origin as an educational tool, learning how to secure a server would be an appropriate use for a Raspberry Pi. You can also check out the infographic we’ve made about this issue here.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice