New ZBot variant discovered in the wild (Apr 26, 2012)


The SonicWALL Threats Research team discovered a new ZBot variant spreading in the wild. Through our analysis it was determined that this variant is aimed at stealing banking credentials from users in the UAE.

The Trojan makes the following DNS requests:

  • (C&C server)
  • (C&C server)
  • (C&C server)

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%Local SettingsTemptmp7c2aa4f0umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)]
  • %USERPROFILE%Local SettingsTemptmpad242544.bat
  • %USERPROFILE%Application DataAwozaradasagq.exe [Detected as GAV: Zbot.YW_214 (Trojan)]
  • %USERPROFILE%Application DataMidymeeymmogu.tmp

tmpad242544.bat contains instructions to disable certain windows security features as seen below. It then deletes itself.

The Trojan adds the follwing key to the windows registry:

    Enable startup:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun {69834A20-7B82-9FD6-35FD-B1FA2A96E05E} “%USERPROFILE%Application DataAwozaradasagq.exe”
  • Bypass Windows Firewall:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfileAuthorizedApplicationsList %windir%explorer.exe “%windir%explorer.exe”
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList %windir%explorer.exe “%windir%explorer.exe”

The Trojan modifies the following registry keys:

    Disable Windows Security Center:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswscsvc Start dword:00000004
  • Disable Windows Automatic Updates:

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceswuauserv dword:00000004
  • Disable internet security policy:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones 1609 dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1 1406 dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones1 1609 dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones2 1609 dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones3 1406 dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones3 1609 dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones4 1406 dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones4 1609 dword:00000000

The Trojan injects code into explorer.exe and causes it to perform the following tasks:

It downloads and runs umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)]

It posts sensitive system info to a remote C&C server and receives an encrypted Zbot configuration file in response:

The encrypted configuration file contains banking URL’s, browser user agent strings, C&C server addresses and various other instructions for the bot. Below is a sample of strings found in this file:

      "Welcome to HSBC"
      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.YW_214 (Trojan)
  • GAV: Zbot.YW_216 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.