BitDefender weekly review

ZBot does not look like it will stop spreading any time soon. It hasn't been long since we last wrote about this e-threat, and here it is again, repacked and ready to roll out to the masses. We advise you to keep your guard up and your spam filters updated, or else you might get hit.


The malware comes with a common trick to fool users: it has a different icon than the usual executable icon. In this case it is a *.chm file icon (Microsoft Compiled HTML Help File). We have also seen Zbot use Microsoft Excel and standard folder icons.

As with most Zbots, its infection vector is email spam.

This particular version of Zbot is actually nothing but a repacked version of Trojan.Spy.ZBot.UI. It injects code into winlogon.exe, allowing it to create files and connect to the Internet undetected. Making use of this, it creates a copy of itself as %windir%\system32\sdra64.exe, adding garbage to the executable so that it has a different size and MD5 hash, a rather feeble attempt at AV evasion. It also creates a folder called lowsec in the same directory, in which it writes three files containing encrypted data: local.ds, user.ds and user.ds.lll.

In order to run at every system startup, the Trojan makes changes to certain registry entries. It also marks its presence on the computer by creating the following mutex: __SYSTEM__64AD0625__

generic detection made by BitDefender covers JavaScript code which tries to exploit vulnerabilities in outdated browsers or in third-party browser plugins such as ActiveX controls for PDF viewing, Flash playback and others.

The idea of the script is to load malicious pages into pages specifically crafted beforehand for this purpose, or into initially clean websites which have later been attacked and modified to act as a medium.

The mechanics behind the attack are to inject JavaScript code into the clean page, which results in the creation of a special iframe that is invisible to the eye but practically loads another page behind the one the victim is visiting at the moment.

That other page will most certainly contain several exploits for the above-mentioned plugins, and whichever succeeds will download malware to the affected PC without the user's notice or consent. This type of download is called a drive-by download, and the payload depends on the page that has been loaded into the clean site by this JavaScript code.
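A defender-side check for the invisible iframe described above, added here as an example (it is not BitDefender's code): it parses a page and flags iframes that are zero-sized, hidden by style or pushed off-screen. The sample page and the host names in it are constructed.

```python
"""Flag hidden <iframe> elements of the kind a drive-by injection adds to a clean page."""
from html.parser import HTMLParser
import re

# Constructed sample: a benign page with one legitimate frame and one injected,
# invisible frame pointing at a placeholder host (not a real indicator).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://partner.example/widget" width="300" height="200"></iframe>
<iframe src="http://landing.invalid/x" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_STYLE = re.compile(r"(?:left|top)\s*:\s*-\d+", re.I)


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel, typical of injected frames."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeScanner(HTMLParser):
    """Collects iframes whose attributes indicate they are not meant to be seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        style = a.get("style") or ""
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden-style")
        if OFFSCREEN_STYLE.search(style):
            reasons.append("off-screen")
        if reasons:
            self.findings.append({"src": a.get("src") or "", "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, reasons} dicts, one per suspicious iframe in the page."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    return scanner.findings
```

Run it over `SAMPLE_PAGE` and only the second frame is reported; a hit on a page you own is a cue to compare the served HTML against the deployed source.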

The information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Marius Vanta.