ZeuS/ZBOT Malware Shapes Up in 2013

The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime will be characterized by old threats resurfacing, but with certain refinements and new features in tow. The 1Q of the year proved this thesis, as seen in threats like CARBERP and Andromeda botnet.

We can now include the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats, which we’ve noted to have increased these past months based from Trend Micro Smart Protection Network feedback.


Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)

As seen in this chart, ZBOT variants surged in the beginning of February and continued to be active up to this month. It even peaked during the middle of May 2013. These malware are designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information (PII).

ZBOT Earlier Versions vs. Current Versions

Early generation of ZBOT variants creates a folder in %System% folder where it would save the stolen data and configuration file. Users can also find a copy of itself in the said folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites. The strings appended to the hosts file can be seen in the downloaded configuration file. An example of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

Current ZBOT variants were observed to create two random-named folders in the %Applications Data% folder. One folder contains the copy of the ZBOT folder while the other folder contains encrypted data. Example of this is TSPY_ZBOT.BBH, which was found to globally on top based from Smart Protection Network.

ZBOT malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier version, the mutex name is randomly generated.

Both variants send DNS queries to randomized domain names. The difference in GamOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.

How does this malware steal your credentials?

ZBOT malware connects to a remote site to download its encrypted configuration file.


Figure 2. Screenshot of ZBOT communication to C&C server

The following information can be seen once the configuration file is decrypted:

  • Site where an updated copy of itself can be downloaded
  • List of websites to be monitored
  • Site where it will send the stolen data

These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers.
Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.

Trend Micro Solution for ZBOT variants

There are several avenues for detecting ZBOT variants, such as:

  1. First, as the malware tries to write to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  2. Secondly, detecting the call-back routine to the remote site upon execution, as it acquires its configuration file
  3. Finally, detecting where the site would send the stolen data, or if acquires an updated copy of itself

In the screen capture below, it demonstrates that the exact behaviour of writing to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon was successfully blocked by OfficeScan’s Behavioural Monitoring function and the malware fails to execute:

screenshot-Officescan-detection copy

Figure 3. OfficeScan Scanning Screenshot

The second opportunity to detect ZBOT variants is when the malware downloads its configuration file, an updated copy of itself, or even with the attempt to upload its stolen information. Trend Micro Web Reputation Services can detect this funcion:


Figure 4. Trend Micro blocks the related URL associated with ZeuS

In the screen capture above, the URL was detected as malicious. With further investigation, we determined that this site is associated with ZeuS/ZBOT. The same is observed if using Trend Micro’s Deep Discovery:



Figure 5. Screenshot of Deep Discovery detection of malicious network activity

Similarly, an attempt to connect to any related URL that is related to ZBOT/ZEUS upon performing it’s call-back routine can be detected via DeepDiscovery Inspector.

Finally, for removing the malware, here is an example of a clean-up procedure for TSPY_ZBOT.XMAS. Since this malware injects itself into certain processes, there are instances that a reboot is required:

As ZeuS/ZBOT malware downloads newer version of itself, the binary itself may not be detected but could generally act the same. As such, certain parts of the infection can be blocked or partially mitigated.


What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones. Always keep your system up-to-date with the latest security releases from security vendors and install trusted antimalware protection.

To know more about how cybercriminals are getting better at stealing information, you can refer to this infographic.

With additional inputs from Threat researchers Rhena Inocencio and Roddell Santos.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

ZeuS/ZBOT Malware Shapes Up in 2013

Read more: ZeuS/ZBOT Malware Shapes Up in 2013

Story added 23. May 2013, content source with full text you can find at link above.