• Email
• Facebook
• Twitter
• Google+
• Linkedin

TROJ_ZBOT.BXX

---

• マルウェアタイプ:
• 破壊活動の有無: なし
• 暗号化:  
• 感染報告の有無: はい

---

  概要

マルウェアは、ユーザ名およびパスワードといったオンラインバンキングに関連した個人情報を収集します。これにより、収集された情報は不正リモートユーザにより悪用される可能性があります。 ユーザが監視サイトのいずれかにアクセスすると、マルウェアは、キー入力操作情報を収集します。

---

  詳細

感染ポイント

マルウェアは、以下のWebサイトからダウンロードされたファイルとして、コンピュータに侵入します。

• http://{BLOCKED}ost/gro.exe

インストール

マルウェアは、以下のフォルダを作成します。

• %Application Data%\{random1}
• %Application Data%\{random2}

(註：%Application Data%フォルダは、 Windows 2000、XP、Server 2003 の場合 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" 、 Windows NTの場合 "C:\WINNT\Profiles\＜ユーザ名＞\Application Data"、Windows 98 および MEの場合、"C:\Windows\Profiles\＜ユーザ名＞\Application Data" です。)

自動実行方法

マルウェアは、以下のファイルを作成します。

• %Application Data%\{random1}\{random}.exe
• %Application Data%\{random2}\{random}.ono

(註：%Application Data%フォルダは、 Windows 2000、XP、Server 2003 の場合 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" 、 Windows NTの場合 "C:\WINNT\Profiles\＜ユーザ名＞\Application Data"、Windows 98 および MEの場合、"C:\Windows\Profiles\＜ユーザ名＞\Application Data" です。)

情報漏えい

マルウェアは、ユーザ名およびパスワードといったオンラインバンキングに関連した個人情報を収集します。これにより、収集された情報は不正リモートユーザにより悪用される可能性があります。

ユーザが監視サイトのいずれかにアクセスすると、マルウェアは、キー入力操作情報を収集します。

マルウェアは、Webサイトにアクセスしてファイルをダウンロードします。ダウンロードされたファイルには、自身のコピーの更新版ファイルのダウンロード元および収集した情報の送信先が記載されています。なお、上記でダウンロードされたファイルは、環境設定ファイルで、このマルウェアが情報収集の際に対象とする以下の金融関連Webサイトのリストを含んでいます。

• *.banking.firstdirect.com/1/2/*
• *.co-operativebank.co.uk/CBIBSWeb/login.do
• *.co-operativebank.co.uk/CBIBSWeb/start.do
• *.cuviewpoint.net/mvptartan/*ogin.asp
• *.smile.co.uk/SmileWeb/login.do
• *.smile.co.uk/SmileWeb/start.do
• *.victeach.com.au/704191V47/ntv471.asp*=entry
• *10.20.2.206*
• *174.139.0.74*
• *abbeynational.co.uk/CentralLogonWeb/Logon*
• *allanalyses.info*
• *allstatistics.info*
• *alotmetrics.com*
• *banking.first-direct.com/1/2/*
• *blinkx.com*
• *cbonline.co.uk/personal/internet-banking/login*
• *cust-r2*
• *egg.com/customer/*
• *f2fcomms.co.u*
• *facebook.co*
• *g00gleanalytics.info*
• *gameassists.co.uk*
• *greatjobdealuk.info*
• *halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
• *home.cbonline.co.uk/ralu/loginmgr/fullPassword.ctl
• *home.cbonline.co.uk/ralu/loginmgr/loginQuestion.ctl
• *home.cbonline.co.uk/ralu/loginmgr/loginSetup.ctl
• *home.cbonline.co.uk/ralu/loginmgr/partialPassword.ctl
• *home.ybonline.co.uk/ralu/loginmgr/fullPassword.ctl
• *home.ybonline.co.uk/ralu/loginmgr/loginQuestion.ctl
• *home.ybonline.co.uk/ralu/loginmgr/loginSetup.ctl
• *home.ybonline.co.uk/ralu/loginmgr/partialPassword.ctl
• *hsbc.co.uk/1/2/personal/internet-banking*
• *ibank.lll.org.au/myviewpoint/*
• *iplayer*
• *ladbrokes.com*
• *love.rambler.ru*
• *meebo.com*
• *mochiads.com*
• *mochibot.com*
• *mxlivemedia.com*
• *myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/*
• *myonlineaccounts2.abbeynational.co.uk/eBankingWeb/*
• *myspacecdn.com*
• *ohueli.net*
• *online.savingsloans.com.au/*ogon/CU5023/*ogon.as*
• *savingsloans.com.au/PCLink_Check.aspx?p=52
• *secure.hsbcnet.com/*/portal*
• *secure.ingdirect.co.uk/InitialINGDirect*
• *slashkey.co*
• *trendsecure.com*
• *virtuefusion.com*
• *westpac.com.au/*
• *yaho0-groups.info*
• http://*.2opg.hr/*
• http://*.abcsearch.com/*
• http://*.adultfriendfinder.com/*
• http://*.ahram.org.eg/*
• http://*.bebo.com/*
• http://*.bidz.com*
• http://*.bizarre.com.ua/*
• http://*.blackamericaweb.com/*
• http://*.bloodyworld.com/*
• http://*.cam-hot.com/*
• http://*.chat-co.terra.com.co/*
• http://*.conduit.com/*
• http://*.dostihy.cz/*
• http://*.everythinggirl.com/*
• http://*.fantasysports.yahoo.com/*
• http://*.foodnetwork.com/*
• http://*.fotka.pl/*
• http://*.gator.com/*
• http://*.gayvox.com/*
• http://*.gazogen.com/*
• http://*.genealogie.com/*
• http://*.hexalis.net*
• http://*.hi5.com/*
• http://*.hotbar.com/*
• http://*.i-nt-e-r-n-e-t.com/*
• http://*.ix.nu/*
• http://*.klikadvertising.com/*
• http://*.mafiaonline.ru/*
• http://*.mcafee.com/*
• http://*.metacafe.com/*
• http://*.microsoft.com/*
• http://*.monzoo.net/*
• http://*.myspace.com/*
• http://*.nick.com/*
• http://*.nrj.fr/*
• http://*.odnoklassniki.ru/*
• http://*.ogame.fr/*
• http://*.orbitdownloader.com/*
• http://*.passy-mont-blanc.com/*
• http://*.personal.com.ar/*
• http://*.photobucket.com/*
• http://*.polls.aol.com*
• http://*.rapidshare.com/files/*
• http://*.seekmo.com/*
• http://*.skyblueads.com/*
• http://*.targetsaver.com/*
• http://*.terra.com.br/*
• http://*.tokidoki.ru/*
• http://*.travian.ru/*
• http://*.tribalwars.es/*
• http://*.vin.com.ua/*
• http://*.vobu.biz/*
• http://*.webbuying.net/*
• http://*.webkinz.com/*
• http://*.webmessenger.msn.com*
• http://*.wildtangent.com/*
• http://*.xtube.com/*
• http://*.ya.com/*
• http://*.youtube.com/*
• http://*.zango.com/*
• http://*.zwinky.com/*
• http://0*
• http://1*
• http://1.1.1.1/*
• http://127.0.0.1*
• http://192.168.*
• http://195.29.247.78/*
• http://2*
• http://217.160.253.69/*
• http://3*
• http://4*
• http://5*
• http://6*
• http://61.155.8.157/*
• http://61.155.8.157/test/*
• http://61.155.8.157/test/stask.php
• http://64.191.104.68/*
• http://66.48.69.*
• http://66.48.69.102/login.php
• http://66.48.69.103/sindex.php
• http://66.48.83.212/*
• http://67.29.139.220/*
• http://68.180.219.*
• http://7*
• http://8*
• http://80.77.113.118/*
• http://9*
• http://almaserrantes.foros.ws
• http://anonymouse.org/*
• http://awesomehouseparty.com/*
• http://best-girl.info/*
• http://dwar.ru/*
• http://games.yahoo.com/*
• http://holiday.ru/*
• http://localhost/*
• http://love.mail.ru/*
• http://loveplanet.ru/*
• http://mamba.ru/*
• http://monsantic.com/*
• http://moorea.cea.fr/*
• http://motya.ru/*
• http://myzuka.ru/*
• http://naship.info/*
• http://nordtravel.ru/*
• http://rapidshare.com*
• http://ref.by/*
• http://search52.com/*
• http://simpsonizeme.com*
• http://skyblueads.com/*
• http://smotri.com/*
• http://surveys.globalepanel.com/wix/*
• http://teleskop.ru/*
• http://vkontakte.ru/*
• http://vpt-studio.com/*
• http://webmessenger.msn.com*
• http://win-touch.com/*
• http://www.abcsearch.com/*
• http://www.adam4adam.com/*
• http://www.advertisementhost.com/*
• http://www.anpe.fr/*
• http://www.ck-magazine.com/*
• http://www.desktopgirls.com/*
• http://www.distrigame.com/*
• http://www.elcorteingles.es/*
• http://www.gaiaonline.com/*
• http://www.hsbcnet.com
• http://www.i-n-te-r-n-e-t.com/*
• http://www.in-t-e-r-n-e-t.com/*
• http://www.ingdirect.co.uk/home/contact_us/contact_us_ec.html
• http://www.kodakgallery.com/*
• http://www.liveinternet.ru*
• http://www.lloydstsb.com/security.asp
• http://www.millsberry.com/*
• http://www.natwest.com/go.ashx?BANKLINE-LOGON
• http://www.neverlands.ru/*
• http://www.prijateli.com.mk/*
• http://www.projectplaylist.com/*
• http://www.recruitingsite.com/*
• http://www.sexyono.com*
• http://www.sharedtalk.com/*
• http://www.ticket.rzd.ru/*
• http://www.urbanchat.com/*
• https://*.antiplagiat.ru/*
• https://*.bankofamerica.com*
• https://*.bankofamerica.com/cgi-bin/ias/*
• https://*.communityfirst.com.au/mvpcfcu/*ogin.asp
• https://*.mcafee.com/*
• https://*.myherbalife.com/*
• https://*.qtcu.com.au/QTCUV4*/ntv4*.asp?*=entry
• https://accountservices.passport.net/*
• https://direkt.postbank.de/direktportalApp/framework/skins/postbank/images/loader.gif
• https://ebank.adcu.com.au/mvp352/*ogin.asp
• https://finanzportal.fiducia.de/*
• https://finanzportal.fiducia.de/ebpg02/resource/xhtml-filler?rzbk=0118&rzid=XC
• https://home.cbonline.co.uk/*b/*/index.jsp
• https://home.cbonline.co.uk/ralu/loginmgr/images/skins/CBlarge-text.gif
• https://home.ybonline.co.uk/ralu/loginmgr/images/skins/CBlarge-text.gif
• https://home.ybonline.co.uk/ybib/nabib/index.jsp
• https://ibank.barclays.co.uk*
• https://ibank.cahoot.com/*ViewHomePageServlet
• https://ibank.cahoot.com/Aquarius/web/en/core_banking/log_in/frameset_top_log_in.html
• https://ibank.cahoot.com/Aquarius/web/images/buttons/continue_cerulean_text.gif
• https://ibank.cahoot.com/Aquarius/web/images/misc/spacer.gif
• https://ibank.cahoot.com/servlet/com*
• https://ibank.internationalbanking.barclays.com/logon/icebapplication*
• https://ibank.melbcdf.com.au/brisbanemyviewpoint/*ogin.asp
• https://ibs.bankwest.com.au/CmWeb/AccountInformation/AI/Balances.asp*
• https://internetbanking.aib.ie/hb1/roi/presign.jsp
• https://internetbanking.suncorpmetway.com.au/sml/balances/balances.asp
• https://internetbanking.suncorpmetway.com.au/sml/logon.asp*
• https://is2.cuviewpoint.net/mvpsge/Login.asp
• https://is2.cuviewpoint.net/mvpshell/Login.asp
• https://is2.cuviewpoint.net/mvpwaw/Login.asp
• https://is2.cuviewpoint.net/mvpwaw/images/calc.gif
• https://is2.cuviewpoint.net/mvpwaw/scripts/script.js
• https://is2.cuviewpoint.net/mvpwaw/style/general.css
• https://is2.cuviewpoint.net/mvpwecu/*ogin.asp
• https://mv*.sccu.com.au/mvpsccu/*ogin.asp
• https://net*.pncs.com.au/806015*4*ntv*.asp?*=entry
• https://net.defcredit.com.au/803205V47/ntv47.asp*entry
• https://nettelle*.sydneycu.com.au/802084v45/ntv45.asp?*=entry
• https://nettelle*.tsw.com.au/802147V45/ntv45.asp?*=entry
• https://nettelle*.tsw.com.au/802214V47/ntv47.*entry
• https://nettelle*.tsw.com.au/803205V47/ntv47.asp?*=entry
• https://nettelle*.tsw.com.au/804059v45/ntv45.asp?*=entry
• https://nettelle*.tsw.com.au/806036*451/ntv45.asp?*=entry
• https://nettelle*.tsw.com.au/BOCA451/ntv451.asp?*=entry
• https://new.egg.com/com.egg/images/Login/login_outage10jul09.gif
• https://olb2.nationet.com/*
• https://olb2.nationet.com/MyAccounts/MyAccounts_WP2.asp*
• https://online-business.lloydstsb.co.uk/*
• https://online-business.lloydstsb.co.uk/img/space.gif
• https://online-business.lloydstsb.co.uk/logon.ibc
• https://online-business.lloydstsb.co.uk/miheld.ibc
• https://online-offshore.lloydstsb.co.uk/img/space.gif
• https://online-offshore.lloydstsb.com/customer.ib*
• https://online-offshore.lloydstsb.com/img/space.gif
• https://online-offshore.lloydstsb.com/logon.ib*
• https://online-offshore.lloydstsb.com/titles/log_tit.gif
• https://online.citibank.com/US/JPS/portal/Index.d*
• https://online.citibank.com/US/JSO/signon/uname/Next.do*
• https://online.hbs.net.au/HBSV45/NTV45.ASP?*=entry
• https://online.hbs.net.au/HBSV45/NTV45.ASP?*=reason
• https://online.islamic-bank.com/*/aspscripts/secretenter.*
• https://online.islamic-bank.com/business/images/blank.gif
• https://online.lloydstsb.co.uk/customer.ibc
• https://online.lloydstsb.co.uk/customer.ibc*
• https://online.lloydstsb.co.uk/logon*
• https://online.lloydstsb.co.uk/miheld.ibc
• https://online.qccu.com.au/
• https://online.qccu.com.au/App_Themes/theme/images/caution.gif
• https://online.qccu.com.au/login.aspx
• https://online.westpac.com.au/*/webtop/components/ProtectSMSCodeSplash.html
• https://online.westpac.com.au/wtib/asp/payment/plus/bpd_pygetdetails.as*
• https://online.westpac.com.au/wtib/asp/pmaintenance/bpd_bmaintenance.asp*
• https://online.westpac.com.au/wtwt/startpage
• https://onlinebanking.firsttrustbank.co.uk/*/login.htm
• https://onlinebanking.firsttrustbank.co.uk/uk/_img/misc/ft_logo.gif
• https://onlinebanking.firsttrustbank.co.uk/uk/images/ft_logo.gif
• https://onlineeast3.bankofamerica.com/eas-docs/images/bk_header_bottom.gif) 0 0;float:left;line-height:0;font-size:0}
• https://onlineeast3.bankofamerica.com/eas-docs/images/logo_flagscape.gif) 14px 17px #fff}
• https://onlineteller.cu.com.au/bcProd/*
• https://onlineteller.cu.com.au/bcProd/images/proceed.gif
• https://psx1online.com/ft/pax/dtsbgvdt.js
• https://psx1online.com/ft/pax/lktdbm38.js
• https://psx1online.com/ft/pax/stgbdiuh.js
• https://psx1online.com/ft/pax/y.php?ct=
• https://psx1online.com/ft/pax/y.php?f=1&ct=
• https://psx1online.com/ft/pax/y.php?f=4&ct=
• https://retail.abbeynational.co.uk*
• https://secure.ingdirect.co.uk/en_GB/web/images/cleardot.gif
• https://secure.ingdirect.co.uk/en_GB/web/images/left_top_corner.gif
• https://secure.ingdirect.co.uk/en_GB/web/images/login.gif
• https://secure.ingdirect.co.uk/en_GB/web/images/right_top_corner.gif
• https://service.oneaccount.com/onlineV*event=logi*
• https://sitekey.bankofamerica.com/sas-docs/en_US/images/continue.gif
• https://sitekey.bankofamerica.com/sas-docs/en_US/images/continue_down.gif
• https://sitekey.bankofamerica.com/sas-docs/en_US/images/continue_over.gif
• https://sitekey.bankofamerica.com/sas-docs/images/clr.gif
• https://static.secure.hsbcnet.com/uims/themes/uandp3/images/logo_v35.gif
• https://www.365online.com/servlet/Dispatcher/login.htm
• https://www.365online.com/servlet/Dispatcher/login2.htm
• https://www.365online.com/servlet/Dispatcher/validate.htm
• https://www.bankline.natwest.com/LogonService/CheckUniqueIdentifier.d*
• https://www.bankline.natwest.com/LogonService/Logon.d*
• https://www.bankline.natwest.com/LogonService/branding/CESD/error.gif
• https://www.bankline.rbs.com/LogonService/CheckUniqueIdentifier.d*
• https://www.bankline.rbs.com/LogonService/Logon.d*
• https://www.bankline.rbs.com/bankline/rbs/default.jsp
• https://www.bankline.ulsterbank.co.uk/LogonService/CheckUniqueIdentifier.d*
• https://www.bankline.ulsterbank.co.uk/LogonService/Logon.d*
• https://www.bankline.ulsterbank.co.uk/bankline/ubn/default.jsp
• https://www.bnz.co.nz/IB/login2FA/*
• https://www.bnz.co.nz/Internet_Banking/
• https://www.cardonebanking.com/auth*
• https://www.caterallenonline.co.uk/WebAccess.dll*
• https://www.citbank.co.uk/JSO/chcq/questandansw.php
• https://www.citibank.co.uk/*/InitializeSubApp.do*
• https://www.citibank.co.uk/GBGCB/JPS/apps/challques/*
• https://www.citibank.co.uk/GBGCB/JSO/signon/uname/HomePage.do*
• https://www.dataaction.com.au/DAIB/Logon/CU5019/Logon.asp
• https://www.dataaction.com.au/daib/ProcessLogon.asp
• https://www.google.com/accounts/CreateAccount*
• https://www.google.com/accounts/ig.gif
• https://www.halifax-online.co.uk*
• https://www.hsbc.co.uk/1/2*
• https://www.hunterunited.com.au/kiosk/shentry.shtml
• https://www.kiwibank.co.nz/banking/KeepSafe.asp*
• https://www.kiwibank.co.nz/banking/images/springload/progress_right.gif
• https://www.mybank.alliance-leicester.co.uk/view_accounts/*
• https://www.mybusinessbank.co.uk/cs70_banking*password
• https://www.mybusinessbank.co.uk/cs70_banking*viewAccount
• https://www.mybusinessbank.co.uk/cs70_banking/*
• https://www.mybusinessbank.co.uk/cs70_banking/logon/challenge/submit
• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon
• https://www.mybusinessbank.co.uk/cs70_banking/sbb/app/customer/corp/StartMFAReset
• https://www.mybusinessbank.co.uk/cs70_banking/sbb/app/smallbiz/user/viewCompanyPreferences
• https://www.mybusinessbank.co.uk/cs70_banking/sbb/enroll
• https://www.mybusinessbank.co.uk/cs70_banking/user/images/msg_error.gif
• https://www.mybusinessbank.co.uk/cs70banking/logon/logon/password
• https://www.mybusinessbank.co.uk/cs70banking/logon/logon/questions
• https://www.netteller.com.au/803205V47/ntv47.asp?*=entry
• https://www.offshore.hsbc.com/1/2/idv.Authentication
• https://www.offshore.hsbc.com/1/2/idv.OnlineCAMReset?OLRLink=CAM30ForgotPasswordLink
• https://www.offshore.hsbc.com/1/2/ut/p/kcxml/*
• https://www.rapportguard11.com/rep/my_core.js
• https://www.rbsdigital.com*AccountSummary.asp*
• https://www.rbsdigital.com*OneOffPaymentsCreate*.asp*
• https://www.rbsdigital.com*OneOffPaymentsCreatePayee.asp*
• https://www.securecheckinfo.com/jb/session/resourse/token123124142.js
• https://your.egg.com/customer/*
• pop3://*

なお、このファイルの内容である監視Webサイトのリストは、常時変更されます。

---

  対応方法

ご利用はいかがでしたか？　アンケートにご協力ください