ZBOT Adds Clickbot Routine To Arsenal

The ZeuS/ZBOT malware family is probably one of the most well-known malware families today . It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines like downloading or dropping other threats like ransomware.

We recently came across one variant detected as TROJ_ZCLICK.A, which seemingly “locks” the desktop to display websites. This kind of behavior is out of the ordinary for a ZBOT variant. Once it infiltrates the system, this occurs every time the user performs any activity, such as opening a window or file. These sites occupy the entire desktop screen, hindering access to any open windows or files. There have been instances wherein the user can still see the open windows, but with the sites running in the background. Users can bypass this inconvenience by performing the “show desktop” command but the malware will continue to display windows.


Figure 1. Sites are displayed full-screen in the background of the running program Space Cadet

 It should be noted that the sites being displayed are all legitimate–running from gaming sites, ticketing sites, music sites to search engines. Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle.

It is noteworthy to say that this variant doesn’t perform traditional routines associated with this malware family like stealing information. However, analysis reveals that the sample does contain the ZBOT code and this only means that this ZBOT variant only loads the clickbot routine. In this light, it’s only logical to assume that the main motivation for this variant is to generate income via the pay-per-click model.

This malware proves that cybercriminals are continuously tweaking familiar or known malware to deliver new payloads, all in the name of generating income from victimizing users. As such, users should always remember key safety practices when going online. Habits like installing the latest software updates or deleting spammed messages can go a long way in protecting computers from threats.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

ZBOT Adds Clickbot Routine To Arsenal

Read more: ZBOT Adds Clickbot Routine To Arsenal

Story added 19. March 2014, content source with full text you can find at link above.