The ZeuS, ZBOT, and Kneber Connection

Written by: Bernadette Caraig

Background of the Attack

TSPY_ZBOT is the Trend Micro detection for malware related to what the industry dubs "ZeuS botnets." ZeuS botnet, in fact, is a shortened term for networks of compromised computers that use ZeuS/ZBOT Trojans in their botnet-related operations. TSPY_ZBOT variants typically arrive via spam that appears to come from legitimate sources and asks recipients to click a link. The link leads to the download of TSPY_ZBOT, which sits silently on the system and waits for users to key in their credentials to particular sites.

Since 2007, Trend Micro has been monitoring the ZBOT family. The number of ZBOT detections has substantially grown over the years, as can be seen in the following blog entries:


To date, Trend Micro has seen over 2,000 ZBOT detections and the numbers continue to rise.

What is the difference among ZeuS, ZBOT, and Kneber?

These names all relate to the ZeuS botnet, which is an established crimeware botnet said to be responsible for other known botnets in the wild. The earliest notable use of the ZeuS Trojan was via the notorious Rock Phish Gang, which is known for its easy-to-use phishing page kits. The term "ZBOT" is Trend Micro's detection name for all malware involved in the massive botnet. The Kneber botnet meanwhile is a recently coined term pertaining to a specific ZBOT/ZeuS compromise.

How does this threat get into users' systems?

The threat may arrive as a spammed message or may be unknowingly downloaded from compromised websites. The majority of ZBOT detections have been found to target bank-related websites. However, recent spam runs have shown an increasing diversity in targets. The list of noteworthy ZBOT variants includes TROJ_ZBOT.SVR, which was used to spam government agencies; TSPY_ZBOT.JF, which targeted AIM users; and TSPY_ZBOT.CCB, which targeted the social networking site Facebook.

How does it trick users into clicking links?

Spammed messages typically purport to be from legitimate companies and, more recently, from government agencies. ZBOT variants have likewise been found in a spam run that rides on popular events such as Michael Jackson’s death.

What is the primary purpose of the ZeuS botnet?

It is primarily designed for data theft or to steal account information from various sites like online banking, social networking, and e-commerce sites.

How does this threat make money for its perpetrators?

It generates a list of bank-related websites or financial institutions from which it attempts to steal sensitive online banking information such as user names and passwords. It then monitors the user’s Web browsing activities (both HTTP and HTTPS) using the browser window titles or address bar URLs as triggers for its attack. This routine risks exposing the user’s account information, which may then lead to the unauthorized use of the stolen data.

Who is at risk?

Users with ZBOT-infected systems who log in to any of the targeted sites are at risk of losing personal information to cybercriminals.

What does the malware do with the information it gathers?

It sends the gathered information via HTTP POST to remote URLs. Cybercriminals may then use this information for their malicious activities, or the information may be sold in underground markets.

What makes this threat persistent?

In addition to its social engineering tactics and ever-evolving spamming techniques, ZBOT makes detection difficult because of its rootkit capabilities. Upon installing itself on an affected system, ZBOT creates a folder with attributes set to System and Hidden to prevent users from discovering and removing its components. Furthermore, ZBOT is capable of disabling Windows Firewall and of injecting itself into processes to become memory-resident. It also terminates itself if certain known firewall processes are found on the system. ZBOT variants also figure in daisy-chain downloads involving other malware families such as WALEDAC and FAKEAV.
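A read-only triage sketch for two of the behaviors described above, folders marked both System and Hidden and a disabled Windows Firewall. This is an added example, not Trend Micro code; the parameter names, default search roots and exclusion list are assumptions, since the article does not name the folder or its location.

```powershell
# Added triage example (not from the original article). It only reports; it changes nothing.
param(
    # Assumption: the article does not say where the folder is created,
    # so the roots to search are supplied by the analyst.
    [string[]]$Root = @($env:APPDATA, $env:LOCALAPPDATA),
    [int]$Depth = 2
)

$mask    = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$reparse = [IO.FileAttributes]::ReparsePoint

# Folders Windows itself marks Hidden+System (assumption: extend to match your baseline).
$knownGood = @('$Recycle.Bin', 'System Volume Information')

$folders = foreach ($r in $Root) {
    if (-not (Test-Path -LiteralPath $r)) { continue }
    # -Force is required, otherwise hidden and system items are not listed at all.
    Get-ChildItem -LiteralPath $r -Directory -Force -Recurse -Depth $Depth `
        -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $mask) -eq $mask) -and      # both attributes set
            (($_.Attributes -band $reparse) -eq 0) -and       # skip compatibility junctions
            ($knownGood -notcontains $_.Name)
        } |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Attributes
}

# Firewall profiles that are switched off
# (Get-NetFirewallProfile needs Windows 8 / Server 2012 or later).
$fwOff = Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'False' } |
    Select-Object -ExpandProperty Name

[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    HiddenSystemFolders = @($folders)
    FirewallProfilesOff = @($fwOff)
}
```

A hit is a lead for further review rather than a verdict, because legitimate software also creates Hidden+System folders, and a malware component running with rootkit capabilities may hide its folder from this listing on a live system.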

So what can I do to protect my computer from the threat presented by the ZeuS botnet?

It is important that users exercise caution when opening email messages and when clicking URLs. Since the ZBOT malware perpetrators are constantly finding new ways to attack users, users are advised to employ safe computing practices.

Be wary of phishing pages that purport to be legitimate websites, as these are primarily designed to fool unwitting users into handing over personal information. Clicking links on emails that come from unknown senders is one of the easiest ways to fall prey to ZBOT attacks.

TSPY_ZBOT variants are currently supported by Trend Micro GeneriClean, a feature found in most Trend Micro products. Users need to manually scan their systems to trigger this.

Solutions supported by the Trend Micro™ Smart Protection Network™ block the spam used by this botnet to infect users via the email reputation service. They can detect and prevent the execution of malicious files via the file reputation service. They also protect users from ZBOT variants by blocking access to malicious sites via the Web reputation service, and by blocking phone-home attempts wherein an infected computer tries to upload stolen data or to download additional malware from command-and-control (C&C) servers.

Non-Trend Micro product users can also check their systems using HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. They can also use Web Protection Add-On to proactively protect their computers from Web threats and bot-related activities. RUBotted can be used to find out if their machines are part of a bot network.

Some of our heuristic detections for this threat are MAL_ZBOT, MAL_ZBOT-2, MAL_ZBOT-3, MAL_ZBOT-4, MAL_ZBOT-5, MAL_ZBOT-6, and MAL_ZBOT-7.

From the Field: Expert Insights

"The recent Kneber botnet attack is but another occurrence of how ZeuS Trojans (or ZBOT) files are being used. Trend Micro has been posting blog entries about it as early as 2007. As far as we’re concerned, we’re not even surprised."

—Jamz Yaneza on the recent Kneber attack and the media hype surrounding the issue

"It's difficult to stay ahead of it via antivirus because ZeuS (ZBOT) binaries continuously change a few times a day to evade detection."

—Paul Ferguson on a ZeuS attack last September 2009 that used spammed messages purportedly from the Internal Revenue Service (IRS)