New ZBot variant discovered in the wild (Apr 26, 2012)
The SonicWALL Threats Research team discovered a new ZBot variant spreading in the wild. Our analysis shows that this variant is aimed at stealing online banking credentials from users in the UAE (the configuration file below targets, among others, rakbankonline.ae).
The Trojan makes the following DNS requests:
- leadcloth.ru
- datecoin.ru
- acidblues.ru (C&C server)
- steelray.com (C&C server)
- danasrat.com
- adbwer.com
- janpollj.com
- sahbara.com (C&C server)
The Trojan adds the following files to the filesystem:
- %USERPROFILE%\Local Settings\Temp\tmp7c2aa4f0umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)]
- %USERPROFILE%\Local Settings\Temp\tmpad242544.bat
- %USERPROFILE%\Application Data\Awozaradasagq.exe [Detected as GAV: Zbot.YW_214 (Trojan)]
- %USERPROFILE%\Application Data\Midymeeymmogu.tmp
tmpad242544.bat contains commands that disable certain Windows security features. It then deletes itself.
The Trojan adds the following keys to the Windows registry:
Enable startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {69834A20-7B82-9FD6-35FD-B1FA2A96E05E} "%USERPROFILE%\Application Data\Awozaradasagq.exe"
Bypass Windows Firewall:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List %windir%\explorer.exe "%windir%\explorer.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %windir%\explorer.exe "%windir%\explorer.exe"
Authorizing explorer.exe in both firewall profiles matters because the bot runs its code from inside explorer.exe (see below), so its network traffic passes the Windows Firewall as an allowed application.
The Trojan modifies the following registry keys:
Disable Windows Security Center:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc Start dword:00000004
Disable Windows Automatic Updates:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv Start dword:00000004
(A service Start value of 4 is SERVICE_DISABLED, so neither service starts with Windows.)
Disable internet security policy:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones 1609 dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 dword:00000000
These are Internet Explorer zone URL actions: 1406 is "Access data sources across domains" and 1609 is "Display mixed content"; a value of 0 sets the action to Enable without prompting. Zones 1 through 4 are Local intranet, Trusted sites, Internet and Restricted sites, so the change removes these protections even for the Restricted sites zone.
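One way to check a host for the registry changes listed above, as an added example that is not SonicWALL's code or a tool from the original write-up: a Python script that parses the text format produced by `reg export <key> out.reg` and flags the four behaviours the advisory describes (GUID-named Run entries pointing into Application Data, explorer.exe whitelisted in the firewall, wscsvc and wuauserv set to SERVICE_DISABLED, and IE zone actions 1406/1609 forced to Enable). The key paths and value names come from the advisory; the embedded `.reg` sample is constructed for this example rather than captured from an infected host, and two of its entries are deliberately left at safe values so the checks can be seen to discriminate.

```python
import re
from typing import Dict, List, Optional

Registry = Dict[str, Dict[str, object]]  # key path -> {value name: data}

# Constructed sample export in regedit 5.00 text format (not a real capture).
# wuauserv Start=2 and zone 3 action 1609=3 are left at non-malicious values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{69834A20-7B82-9FD6-35FD-B1FA2A96E05E}"="\"%USERPROFILE%\\Application Data\\Awozaradasagq.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\explorer.exe"="%windir%\\explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
'''

# "name"=data or @=data; the name may contain escaped quotes/backslashes.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _parse_data(data: str) -> object:
    if data.startswith('dword:'):
        return int(data[len('dword:'):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data  # hex:/hex(n): blobs are left as raw text; not needed here


def parse_reg(text: str) -> Registry:
    reg: Registry = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT4', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(2))
        reg[current][name] = _parse_data(m.group(3))
    return reg


def _get(values: Dict[str, object], name: str) -> object:
    # Registry value names are case-insensitive.
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
FIREWALL_LISTS = [
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    + '\\' + profile + r'\AuthorizedApplications\List'
    for profile in ('DomainProfile', 'StandardProfile')
]
SERVICES_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
SERVICES = {'wscsvc': 'Windows Security Center', 'wuauserv': 'Windows Automatic Updates'}
ZONES_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# IE URL actions named in the advisory; data 0 means "Enable" without prompting.
WEAK_ACTIONS = {'1406': 'access data sources across domains', '1609': 'display mixed content'}
GUID_NAME = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')


def find_indicators(reg: Registry) -> List[str]:
    findings: List[str] = []
    lower = {k.lower(): v for k, v in reg.items()}  # key paths are case-insensitive
    # 1. Run-key persistence: GUID-style value name launching from Application Data.
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        if GUID_NAME.match(name) and 'application data' in str(data).lower():
            findings.append(f'startup: {name} -> {data}')
    # 2. explorer.exe added to the firewall's authorized applications list.
    for key in FIREWALL_LISTS:
        profile = key.split('\\')[-3]
        for name in lower.get(key.lower(), {}):
            if name.lower().endswith('explorer.exe'):
                findings.append(f'firewall: explorer.exe authorised in {profile}')
    # 3. Security Center / Automatic Updates set to SERVICE_DISABLED (Start = 4).
    for svc, label in SERVICES.items():
        if _get(lower.get((SERVICES_KEY + '\\' + svc).lower(), {}), 'Start') == 4:
            findings.append(f'service: {label} ({svc}) disabled')
    # 4. Zone URL actions 1406/1609 forced to 0 on the Zones key or any zone under it.
    zones = ZONES_KEY.lower()
    for key, values in lower.items():
        if key == zones or key.startswith(zones + '\\'):
            zone = key.rsplit('\\', 1)[1]
            for action, label in WEAK_ACTIONS.items():
                if _get(values, action) == 0:
                    findings.append(f'zone {zone}: {label} ({action}) set to Enable')
    return findings
```

Against the embedded sample, `find_indicators(parse_reg(SAMPLE_REG))` reports the Run entry, the StandardProfile firewall entry, the disabled wscsvc service and the 1406 action in zone 3, and stays silent on the two safe values. To run it over a real export, note that regedit 5.00 writes UTF-16 with a byte-order mark, so read the file with `open(path, encoding='utf-16')` before passing the text to `parse_reg`.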
The Trojan injects code into explorer.exe and causes it to perform the following tasks:
- It downloads and runs umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)].
- It posts sensitive system information to a remote C&C server and receives an encrypted Zbot configuration file in response.
The encrypted configuration file contains banking URLs, browser user-agent strings, C&C server addresses and various other instructions for the bot. Below is a sample of strings found in this file:
"rakbankonline.ae/4rp/"
"http://datecoin.ru/us.php"
"http://acidblues.ru/wallst.php"
"http://leadcloth.ru/yukon.php"
"Welcome to HSBC"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Zbot.YW_214 (Trojan)
- GAV: Zbot.YW_216 (Trojan)