RSS feed of TRACElabs Blog from M86 Security

Zbot In Your Inbox

June 24, 2009

A password-stealing Zbot (ZeuS bot) Trojan has been spammed with increasing volume over the previous two weeks. We believe the spam originates from the Pushdo botnet. The spam template varies from time to time, mostly using subject lines such as “You have received a Greeting ecard”, “Statement request”, “Microsoft outlook update” and “Postal Tracking”, and the Trojan arrives either as an attachment or as a link in the message body. Here are some of the spam messages we have received in our spamtraps.


Zbot is capable of hijacking online banking sessions and social networking sites. On the infected machine, it connects to its control server and requests a configuration file containing items such as an updated Zbot binary, a drop zone to which stolen credentials are sent, and a list of targeted websites, most of them online banking URLs.

Here is a packet trace of a Zbot sample sending an HTTP request to its control server:


As you can see, Zbot attempts to download a file named "djwl.bin". This file is an encrypted configuration file.

Decrypting the .BIN file reveals the following list of websites:

• !*livejournal.com*
• !*facebook.com*
• !*myspace.com*
• !*youtube.com*
• !*blogger.com*
• !*amazon.com*
• !*.microsoft.com/*
• !*flickr.com*
• !http://*myspace.com*
• @*//www.svbconnect.com/security/challengeVerify.do
• https://chsec.wellsfargo.com/login/login.fcc
• http://ultrex.info/webstat/03/03x.htm
• https://wellsoffice.wellsfargo.com/portal/signon/index.jsp?UpdateProfileInfo
• */my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
• *.ebay.com/*eBayISAPI.dll?*
• https://www.us.hsbc.com/*
• https://online.wellsfargo.com/das/cgi-bin/session.cgi*
• https://www.paypal.com/*/webscr?cmd=_account
• https://www.paypal.com/*/webscr?cmd=_login-done*
• https://www#.usbank.com/internetBanking/LoginRouter
• https://www#.citizensbankonline.com/*/index-wait.jsp
• https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
• https://www.suntrust.com/portal/server.pt*parentname=Login*
• https://www.53.com/servlet/efsonline/index.html*
• https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
• https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
• https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
• https://businessonline.tdbank.com/CorporateBankingWeb/Core/Login.aspx*
• https://online.citibank.com/*
• https://webexpress.tdbanknorth.com/wcmfd/wcmpw/CustomerLogin
• https://onb.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
• https://www.sterlingwires.com/
• https://ffce.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
• https://web3.secureinternetbank.com/ebc_ebc1961/ebc1961.asp*
• https://trading.scottrade.com/home/default.aspx
• https://www.svbconnect.com/security/integratedLoginAuth.do
• https://www.svbconnect.com/useraccess/Login.jsp
• https://www.svbconnect.com/*
• https://chaseonline.chase.com/MyAccounts.aspx
• https://www.securechemicalbankmi.com/onlineserv/CM/

Zbot hijacks the session each time the user visits a URL matching an entry in this list. It then saves the stolen information and sensitive data to a hidden folder in the Windows system directory. Every hour, it sends a POST request to its control server to submit the harvested information. The control server can also take screenshots of the infected system, or download and install additional malware such as fake antivirus.
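As an added example (not the post's or M86's own code), here is a small matcher for the mask syntax used in the decrypted list above, which a defender can run over proxy-log URLs to see which visits the bot would have hijacked. Because the post does not spell the syntax out, it assumes that `*` matches any run of characters, `#` exactly one character, a leading `!` marks an exclusion mask, a leading `@` marks a mask that also triggers a screenshot, and matching is case-insensitive.

```python
# Added example (not from the post): matcher for the Zbot URL-mask syntax.
# Assumed semantics: '*' = any run of characters, '#' = exactly one character
# (so "www#.usbank.com" covers www2.usbank.com), leading '!' = exclusion mask,
# leading '@' = mask that also triggers a screenshot; matching ignores case.
import re

# Masks copied verbatim from the decrypted djwl.bin list on the page.
MASKS = [
    "!*facebook.com*",
    "@*//www.svbconnect.com/security/challengeVerify.do",
    "https://chsec.wellsfargo.com/login/login.fcc",
    "*.ebay.com/*eBayISAPI.dll?*",
    "https://www#.usbank.com/internetBanking/LoginRouter",
]


def mask_to_regex(mask):
    """Translate one mask into an anchored, case-insensitive regex."""
    body = "".join(".*" if c == "*" else "." if c == "#" else re.escape(c)
                   for c in mask)
    return re.compile("^" + body + "$", re.IGNORECASE)


def compile_masks(masks):
    """Return (flag, regex) pairs; flag is '!', '@' or '' (plain harvest)."""
    out = []
    for m in masks:
        flag = m[0] if m[0] in "!@" else ""
        out.append((flag, mask_to_regex(m[len(flag):])))
    return out


COMPILED = compile_masks(MASKS)


def classify(url, compiled=COMPILED):
    """Say what the bot would do with a visited URL: 'excluded' when an '!'
    mask hits (checked first), 'targeted+screenshot' for an '@' hit,
    'targeted' for a plain hit, otherwise 'untouched'."""
    hits = [flag for flag, rx in compiled if rx.match(url)]
    if "!" in hits:
        return "excluded"
    if "@" in hits:
        return "targeted+screenshot"
    return "targeted" if hits else "untouched"
```

Feeding the full list from the post into `MASKS` instead of the subset gives the complete picture for a given set of URLs.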

For more information about Zbot, the Swiss Security blog has published a good analysis of the Zbot command and control server.

It goes without saying that clicking on these links in spam is an especially bad idea.


Last Reviewed: June 26, 2009 by Rodel Mendrez