Chinese new year wishes leads to Zbot Trojan (Jan 26, 2012)


SonicWALL UTM Research team discovered a new variant of Zbot Trojan being spammed in the wild. The spam campaign in this email exploits the timing of the Chinese new year. The spammed email contains an attached PDF with wishes for the Chinese new year along with a link. The link appears to point to the website of the Ministry of Foreign Affairs of the People’s Republic of China but it in fact leads to a malicious domain hosting a newer variant of the Zbot Trojan.

The contents of the attached PDF file is shown below:


The contents of the PDF file translates to:

Brother, Happy Dragon year, and I give you my best wishes!
Thank you for sending me your greetings. I feel the warmth inside.
Long time no contact, I’m not sure if you are still working in China?

It performs the following activities when executed:

  • It injects code in to winlogon.exe and svchost.exe
  • It creates the following files:
    • %windir%system32sdra64.exe (Copy of itself) [Detected as GAV: “Zbot.DRGN (Trojan)]
    • %windir%system32lowseclocal.ds (Encrypted config file)
    • %windir%system32lowsecuser.ds (Collected user information)
  • It modifies the created and accessed timestamp of %windir%system32sdra64.exe to an older date in 2002 in order to avoid suspicion. It also modifies the files attributes to be read only and hidden.
  • It download an encrypted configuration file from a remote domain:
    • GET /libraries/joomla/spm.bin HTTP/1.1
      The configuration file when decrypted was found to contain the remote C&C sever, custom hosts file and a list of banking and e-commerce sites to monitor and intercept credentials from along with the HTML pages to be injected
  • It contacts a remote C&C server and uploads scrounged cookies and stolen credentials:
    • POST /tmp_m/hwnehj/gate.php HTTP/1.1
  • It replaces the hosts file in order to be prevent AntiVirus updates:
    • screenshot
  • It modifies the following registry key to ensure infection on reboot:
    • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon:Userinit “%windir%system32userinit.exe,%windir%system32sdra64.exe,”

This newer Zbot variant has very low AV detection at the time of writing this alert.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Zbot.DRGN (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.