Chinese new year wishes leads to Zbot Trojan (Jan 26, 2012)

The SonicWALL UTM Research team discovered a new variant of the Zbot Trojan being spammed in the wild. The campaign exploits the timing of the Chinese New Year: the spammed email carries an attached PDF with New Year greetings and a link. The link appears to point to the website of the Ministry of Foreign Affairs of the People’s Republic of China but in fact leads to a malicious domain hosting a newer variant of the Zbot Trojan.

The contents of the attached PDF file are shown below:

[screenshot: attached PDF]

The contents of the PDF file translate to:

Brother, Happy Dragon year, and I give you my best wishes!
Thank you for sending me your greetings. I feel the warmth inside.
Long time no contact, I’m not sure if you are still working in China?
[MALICIOUS LINK] Chaili

The Zbot executable downloaded from that link performs the following activities when executed:

  • It injects code into winlogon.exe and svchost.exe.
  • It creates the following files:
    • %windir%\system32\sdra64.exe (copy of itself) [detected as GAV: Zbot.DRGN (Trojan)]
    • %windir%\system32\lowsec\local.ds (encrypted configuration file)
    • %windir%\system32\lowsec\user.ds (collected user information)
  • It sets the created and accessed timestamps of %windir%\system32\sdra64.exe to a date in 2002 so that the file looks like a long-standing system file, and sets the file's attributes to read-only and hidden.
  • It downloads an encrypted configuration file from a remote domain:
    • GET /libraries/joomla/spm.bin HTTP/1.1
      When decrypted, the configuration file was found to contain the address of the remote C&C server, a custom hosts file, and a list of banking and e-commerce sites to monitor and intercept credentials from, along with the HTML to be injected into those sites' pages.
  • It contacts the remote C&C server and uploads harvested cookies and stolen credentials:
    • POST /tmp_m/hwnehj/gate.php HTTP/1.1
  • It replaces the hosts file to prevent antivirus updates:
    • [screenshot: modified hosts file]
  • It modifies the following registry value to ensure the infection survives a reboot:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%windir%\system32\userinit.exe,%windir%\system32\sdra64.exe,"
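The following Python script is an added example, not code from the original SonicWALL alert: it turns the persistence, hosts-file and timestomping indicators listed above into host-triage checks. All inputs are constructed samples embedded in the script so it runs offline; the antivirus update domains, the OS install date used by the timestamp heuristic and the sample Userinit value are assumptions for illustration.

```python
"""Host-triage checks for the Zbot indicators listed above.

Added example, not SonicWALL code. All inputs below are constructed samples
so the script runs offline; on a live Windows host you would read the
Userinit value with winreg, the hosts file from
%windir%\\System32\\drivers\\etc\\hosts, and file times/attributes with os.stat.
"""
from datetime import datetime

FILE_ATTRIBUTE_READONLY = 0x1   # Windows FILE_ATTRIBUTE_* bit values
FILE_ATTRIBUTE_HIDDEN = 0x2

# Assumed (constructed) list of domains the AV client must reach for updates.
# A static hosts-file entry for any of them is suspicious regardless of the IP,
# because update servers are never legitimately pinned in the hosts file.
AV_UPDATE_DOMAINS = ("avupdate.example", "liveupdate.example")

# Constructed sample inputs mirroring the indicators in the alert.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_HOSTS = """# constructed hosts file as dropped by the Trojan
127.0.0.1       localhost
127.0.0.1       avupdate.example
127.0.0.1       downloads.liveupdate.example
"""
SAMPLE_CREATED = datetime(2002, 3, 1, 12, 0, 0)      # rolled-back creation time
SAMPLE_OS_INSTALLED = datetime(2009, 6, 1)           # assumed OS install date
SAMPLE_ATTRS = 0x23                                  # archive | hidden | read-only


def userinit_extra_entries(value):
    """Return every entry in a Winlogon\\Userinit value other than userinit.exe.

    The clean value is a single path followed by a comma; Zbot appends its
    dropper so that Winlogon launches it alongside userinit.exe.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != "userinit.exe":
            extras.append(entry)
    return extras


def hosts_hijacks(hosts_text, watch_domains=AV_UPDATE_DOMAINS):
    """Parse hosts-file text; return (ip, hostname) pairs that pin a watched domain."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            name = name.lower()
            if any(name == d or name.endswith("." + d) for d in watch_domains):
                hits.append((ip, name))
    return hits


def timestomp_suspect(created, os_installed):
    """Heuristic (assumption): a creation time earlier than the OS install date
    cannot have come from a normal file drop and indicates a rolled-back timestamp."""
    return created < os_installed


def attributes_suspect(attrs):
    """Hidden and read-only together on an executable is the combination Zbot sets."""
    wanted = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN
    return (attrs & wanted) == wanted


def triage(userinit, hosts_text, created, os_installed, attrs):
    """Run every check and return a list of human-readable findings."""
    findings = []
    for entry in userinit_extra_entries(userinit):
        findings.append("Userinit launches extra program: %s" % entry)
    for ip, name in hosts_hijacks(hosts_text):
        findings.append("hosts file pins %s to %s" % (name, ip))
    if timestomp_suspect(created, os_installed):
        findings.append("sdra64.exe creation time %s predates OS install" % created.date())
    if attributes_suspect(attrs):
        findings.append("sdra64.exe is hidden and read-only")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_USERINIT, SAMPLE_HOSTS, SAMPLE_CREATED,
                          SAMPLE_OS_INSTALLED, SAMPLE_ATTRS):
        print("[!]", finding)
```

Two caveats when using checks like these on a real host: the vendor domain list must be replaced with the update hosts your AV products actually contact, and the creation-time heuristic only looks at the timestamps the Win32 API exposes. Timestomping done through SetFileTime rewrites the NTFS $STANDARD_INFORMATION attribute but not $FILE_NAME, so comparing the two sets of timestamps in the MFT record is the more reliable forensic test.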

This newer Zbot variant has very low AV detection at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Zbot.DRGN (Trojan)