File infectors and ZBOT don’t usually go together, but we recently saw a case where these two kinds of threats did.
This particular file infector – PE_PATNOTE.A (MD5 871246d00caffdbed56b1374975c368e) – appends its code to all executable files on the infected system, like so:
Figure 1. Before infection
Figure 2. After infection
What does the appended code do? It drops and executes the embedded ZBOT variant, TSPY_ZBOT.PNR (MD5 5c492c6300fd9def233bfaa56fb6b0f2), and then goes on to infect other executable files. TSPY_ZBOT.PNR is dropped as %User Temp%\notepat.exe.
As mentioned above, PE_PATNOTE.A spreads by adding its code to every executable file it can reach. This includes files on removable and network drives, not just on the system's fixed drives, so a single infected host can seed other systems. That makes cleanup and removal much more difficult: one infected file left behind on a share or a USB drive is enough to reintroduce the infector.
In addition to this unusual pairing, the malware uses some of the anti-analysis techniques we started seeing earlier this year, which interfere with common analysis tools such as OllyDbg, ProcDump, StudPE, and WinHex. This may be an indicator that we will see greater use of these techniques going forward.
Figure 3. Embedded ZBOT variant
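The two behaviours described above (appending code to every executable on fixed, removable and network drives, and looking for analysis tools) suggest a simple triage sweep an incident responder can run over a drive or share. The script below is an added example written for this page, not Trend Micro's code or a detection from the Smart Protection Network. It uses only what the post states: the two MD5s, the notepat.exe drop name, and the list of tool names. The "appended data" check is a generic heuristic (bytes past the end of the last PE section, often called the overlay); how PE_PATNOTE.A actually lays out its code is not specified here, and legitimate signed or self-extracting binaries also carry overlays, so treat a hit as a lead to compare against a known-good baseline, not as a verdict. The `build_sample_pe` helper constructs a minimal PE image purely as test input.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional

# Indicators taken from the post: the two MD5s and the name of the dropped ZBOT file.
KNOWN_MD5 = {
    "871246d00caffdbed56b1374975c368e": "PE_PATNOTE.A",
    "5c492c6300fd9def233bfaa56fb6b0f2": "TSPY_ZBOT.PNR",
}
DROP_NAME = "notepat.exe"
# Analysis tools the post says the sample interferes with. Their names appearing
# inside a binary (ASCII or UTF-16LE) is a cheap hint that it looks for them.
TOOL_NAMES = ["OllyDbg", "ProcDump", "StudPE", "WinHex"]


def pe_overlay_size(data: bytes) -> Optional[int]:
    """Bytes after the end of the last section's raw data (the overlay); None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        off = sec_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    return max(0, len(data) - end)


def embedded_tool_names(data: bytes) -> List[str]:
    """Tool names present as ASCII or UTF-16LE strings, matched case-insensitively."""
    low = data.lower()  # bytes.lower() only touches ASCII letters, which is what we need
    found = []
    for name in TOOL_NAMES:
        ascii_form = name.lower().encode()
        wide_form = name.lower().encode("utf-16-le")
        if ascii_form in low or wide_form in low:
            found.append(name)
    return found


def triage(data: bytes, path: str) -> List[str]:
    """Return human-readable findings for one file; an empty list means nothing suspicious."""
    findings = []
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_MD5:
        findings.append("known hash: " + KNOWN_MD5[md5])
    if os.path.basename(path).lower() == DROP_NAME:
        findings.append("file name matches dropped ZBOT")
    overlay = pe_overlay_size(data)
    if overlay:
        findings.append(f"{overlay} bytes appended after last section")
    tools = embedded_tool_names(data)
    if tools:
        findings.append("references analysis tools: " + ", ".join(tools))
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a drive or share (local, removable or mapped) and report executables with findings."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".exe", ".dll", ".scr")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            findings = triage(data, path)
            if findings:
                report[path] = findings
    return report


def build_sample_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed test input: a minimal one-section 32-bit PE image, not a runnable program."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = 0x200  # first file-aligned offset after the headers
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000, len(section),
                                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (raw_ptr - len(hdr)) + section + overlay


if __name__ == "__main__":
    import sys
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(findings))
```

Run it with the mount point of each removable or network drive as the argument, not just the system drive, since the post points out that those are where the infector spreads. A hash match is conclusive; the file-name, overlay and tool-string findings are triage signals to prioritise files for a closer look.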
This isn’t the first time we’ve seen file infectors used to spread ZBOT: in late 2010 we found ZBOT being spread by the LICAT file infector. The difference is in delivery. LICAT downloaded ZBOT onto the system from the Internet; PE_PATNOTE.A carries the ZBOT code inside itself and drops it directly, so infection can succeed even on networks with restricted Internet access.
We detect both the file infector (PE_PATNOTE.A) and the ZBOT variant (TSPY_ZBOT.PNR) through the Trend Micro Smart Protection Network.