ZeuS and Its Continuing Drive Towards Stealing Online Data

Written by: Dianne Lagrimas

TSPY_ZBOT is the Trend Micro detection for malware related to what the industry dubs "ZeuS botnets." ZeuS botnet, in fact, is a shortened term for networks of compromised computers that use ZeuS/ZBOT Trojans in their botnet-related operations. TSPY_ZBOT variants typically arrive via spam appearing to come from legitimate sources, asking recipients to click a link. The said link leads to the download of TSPY_ZBOT, which silently sits in systems to wait for users to key in their credentials to particular sites.

Since 2007, Trend Micro has been monitoring the ZBOT family. The number of ZBOT detections has substantially grown over the years. To date, Trend Micro has seen over 2,000 ZBOT detections and the numbers continue to rise.

How does this threat get into users' systems?

The threat may arrive as a spammed message or may be unknowingly downloaded from compromised websites. The majority of ZBOT detections have been found to target bank-related websites. However, recent spam runs have shown an increasing diversity in targets. The list of noteworthy ZBOT variants includes TROJ_ZBOT.SVR, which was used to spam government agencies; TSPY_ZBOT.JF, which targeted AIM users; and TSPY_ZBOT.CCB, which targeted the social networking site Facebook.

One recent ZeuS attack targeted Bank of America Military Bank customers.

Trend Micro also found a ZBOT variant that leveraged the Windows LNK flaw. Another ZBOT variant was spotted that was supposedly signed by a legitimate antivirus company; in reality, the signature had been lifted from one of the company's legitimate applications without its knowledge or consent.

How does it trick users into clicking links?

Spammed messages typically purport to be from legitimate companies and, more recently, from government agencies. ZBOT variants have likewise been found in a spam run that rides on popular events such as Michael Jackson's death.

What is the primary purpose of the ZeuS botnet?

It is primarily designed for data theft or to steal account information from various sites like online banking, social networking, and e-commerce sites.

How does this threat make money for its perpetrators?

It generates a list of bank-related websites or financial institutions from which it attempts to steal sensitive online banking information such as user names and passwords. It then monitors the user's Web browsing activities (both HTTP and HTTPS) using the browser window titles or address bar URLs as triggers for its attack.

Newer ZBOT variants inject JavaScript code into a legitimate bank's Web page. Other ZBOT variants display a second fake login page after the original login page to harvest additional information. Cybercriminals may either siphon money directly from victims' accounts or use the victims as conduits, or "money mules," who help transfer funds from victims to cybercriminal bank accounts.
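The web-inject behaviour above is visible from the bank's side as extra input fields on a page that should carry a fixed set. The following is an added example, not Trend Micro's or any bank's code, that diffs the input fields of a rendered login form against a known-good baseline; the baseline, field names and sample HTML are constructed for illustration.

```python
# Added example (not Trend Micro's code): a web-inject check that diffs the
# input fields of a rendered login form against a known-good baseline.
# ZBOT's injected JavaScript adds extra fields to the bank's real page; a
# bank-side monitor or client integrity check can flag such fields. The
# baseline, field names and sample HTML below are constructed for illustration.
from html.parser import HTMLParser

# Constructed baseline: fields the genuine login form is known to carry.
BASELINE_FIELDS = {"online_id": "text", "passcode": "password", "remember": "checkbox"}

class FormFieldCollector(HTMLParser):
    """Collect name -> type for every named <input> inside <form> elements."""
    def __init__(self):
        super().__init__()
        self.in_form = False
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and a.get("name"):
            self.fields[a["name"]] = (a.get("type") or "text").lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def find_injected_fields(html, baseline=BASELINE_FIELDS):
    """Return (extra, retyped): field names absent from the baseline, and
    baseline fields whose type changed (e.g. a password box turned to text)."""
    p = FormFieldCollector()
    p.feed(html)
    extra = sorted(n for n in p.fields if n not in baseline)
    retyped = sorted(n for n, t in p.fields.items() if n in baseline and baseline[n] != t)
    return extra, retyped

# Constructed sample: the login page as a victim's browser renders it after an
# inject has asked for card number, ATM PIN and mother's maiden name as well.
INJECTED_PAGE = """<form action="/login" method="post">
  <input name="online_id" type="text"><input name="passcode" type="password">
  <input name="remember" type="checkbox">
  <input name="card_number" type="text"><input name="atm_pin" type="password">
  <input name="mmn" type="text"><input type="submit" value="Sign In">
</form>"""

if __name__ == "__main__":
    print(find_injected_fields(INJECTED_PAGE))  # (['atm_pin', 'card_number', 'mmn'], [])
```

The same comparison catches an inject that downgrades a password box to plain text, which is why the field type is checked alongside the name.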

These routines risk exposing the user's account information, which may then lead to the unauthorized use of the stolen data.

Who are at risk?

ZBOT variants target online banking users in general. As mentioned in the section "How does this threat get into users' systems?", ZBOT spread via spam uses the latest headlines or convincing email content, or exploits flaws in commonly used software. Almost anyone can fall prey to its schemes. Users with ZBOT-infected systems who log in to any of the targeted sites are at risk of losing personal information to cybercriminals.

What does the malware do with the information it gathers?

It sends the gathered information via HTTP POST to remote URLs. Cybercriminals may then use this information for their malicious activities, or sell it in underground markets.
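Because the malware triggers on a banking URL and then POSTs the captured data to a remote URL, the two events sit close together in a proxy log. The following added example (not Trend Micro's detection logic) correlates constructed proxy-log lines to flag a POST to a host outside an allow-list shortly after the same client visited a banking site; the log layout, domains and allow-list are assumptions.

```python
# Added example (not Trend Micro's detection logic): correlate proxy logs to
# flag the page's phone-home pattern, an HTTP POST to an unknown host shortly
# after the same client touched a banking site. The log layout, domains,
# allow-list and sample lines below are constructed for illustration.
from datetime import datetime, timedelta

BANK_DOMAINS = {"bank.example"}                                           # constructed
ALLOWED_POST_HOSTS = {"www.bank.example", "bank.example", "cdn.example"}  # constructed
WINDOW = timedelta(seconds=120)   # how soon after a bank visit a POST is suspect

def parse_line(line):
    """Constructed proxy-log layout: '<ISO time> <client ip> <method> <host> <path>'."""
    ts, client, method, host, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), client, method, host, path

def is_bank_host(host):
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)

def find_suspect_posts(lines):
    """Return (client, time, host) for every POST to a host outside the allow-list
    that follows a banking-site request by the same client within WINDOW."""
    last_bank_visit = {}  # client ip -> time of that client's latest banking request
    hits = []
    for line in lines:
        t, client, method, host, _ = parse_line(line)
        if is_bank_host(host):
            last_bank_visit[client] = t
        elif method == "POST" and host not in ALLOWED_POST_HOSTS:
            seen = last_bank_visit.get(client)
            if seen is not None and t - seen <= WINDOW:
                hits.append((client, t.isoformat(), host))
    return hits

SAMPLE_LOG = [  # constructed lines; drop.invalid stands in for a C&C host
    "2010-09-01T09:00:00 10.0.0.5 GET www.bank.example /login",
    "2010-09-01T09:00:31 10.0.0.5 POST www.bank.example /login",
    "2010-09-01T09:00:40 10.0.0.5 POST drop.invalid /upload",
    "2010-09-01T09:05:00 10.0.0.7 POST forum.example /post",     # no banking context
    "2010-09-01T09:30:00 10.0.0.5 POST stats.example /beacon",   # outside the window
]

if __name__ == "__main__":
    for hit in find_suspect_posts(SAMPLE_LOG):
        print("suspect phone-home:", hit)
```

On a real proxy feed the allow-list needs the bank's genuine third-party hosts, or every analytics beacon after a login will fire.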

What makes this threat persistent?

In addition to its social engineering tactics and ever-evolving spamming techniques, ZBOT makes detection difficult because of its rootkit capabilities. Upon installing itself on an affected system, ZBOT creates a folder with attributes set to System and Hidden to prevent users from discovering and removing its components. Furthermore, ZBOT is capable of disabling Windows Firewall and of injecting itself into processes to become memory-resident. It also terminates itself if certain known firewall processes are found on the system. ZBOT variants also figure in daisy-chain downloads involving other malware families such as WALEDAC and FAKEAV.

Moreover, ZBOT creators have leveraged the Windows LNK flaw and abused the PDF Launch feature in some Adobe products. Using these as entry points allows ZBOT variants to get into more systems virtually undetected. ZBOT has also kept up with trends in operating systems: newer variants feature full, integrated support for newer Windows operating systems such as Vista and Windows 7, whereas older versions supported them only through optional modules.

What is the difference among ZeuS, ZBOT, and Kneber?

In February 2010, Trend Micro researchers came across several malware samples that were first thought to be part of a new botnet dubbed Kneber. As it turned out, however, Kneber is a recently coined term for a specific ZBOT/ZeuS compromise and thus relates to the ZeuS botnet rather than being a new one. The term "ZBOT," on the other hand, is Trend Micro's detection name for all malware involved in the massive botnet.

So what can I do to protect my computer from the threat presented by the ZeuS botnet?

It is important that users exercise caution when opening email messages and when clicking URLs. Since the ZBOT malware perpetrators are constantly finding new ways to attack users, users are advised to employ safe computing practices.

Be wary of phishing pages that purport to be legitimate websites, as these are primarily designed to fool unwitting users into handing over personal information. Clicking links on emails that come from unknown senders is one of the easiest ways to fall prey to ZBOT attacks.

TSPY_ZBOT variants are currently supported by Trend Micro GeneriClean, a feature found in most Trend Micro products. Users need to manually scan their systems to trigger this.

The Trend Micro™ Smart Protection Network™ blocks the spam used by this botnet to infect users via its email reputation service, detects and prevents the execution of malicious files via its file reputation service, and protects users from ZBOT variants by blocking access to malicious sites via its Web reputation service. The latter also blocks phone-home attempts, in which an infected computer tries to upload stolen data or to download additional malware from command-and-control (C&C) servers.

Non-Trend Micro product users can also check their systems using HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. They can also use Web Protection Add-On to proactively protect their computers from Web threats and bot-related activities. RUBotted can be used to find out if their machines are part of a bot network.

Some of our heuristic detections for this threat are MAL_ZBOT, MAL_ZBOT-2, MAL_ZBOT-3, MAL_ZBOT-4, MAL_ZBOT-5, MAL_ZBOT-6, and MAL_ZBOT-7.