New ZBot variant discovered in the wild

May 11, 2012

The SonicWALL Threats Research team discovered a new ZBot variant spreading in the wild. Through our analysis it was determined that this variant is aimed at stealing banking credentials from users in the UAE.

The Trojan makes the following DNS requests:

  • leadcloth.ru
  • datecoin.ru
  • acidblues.ru (C&C server)
  • steelray.com (C&C server)
  • danasrat.com
  • adbwer.com
  • janpollj.com
  • sahbara.com (C&C server)
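The domain list above is most useful as a detection input. The following script is an added example (not SonicWALL's code) that scans resolver log lines for queries to these domains, matching subdomains as well as exact names and tagging the ones the write-up identifies as C&C servers. The log format (`timestamp client qname`) and the sample lines are constructed for the example; adapt `parse_line()` to your resolver's real layout.

```python
"""Flag DNS queries to the domains listed in the advisory (added example)."""
from collections import defaultdict

# Domains from the advisory; True marks the ones the write-up labels as C&C servers.
ZBOT_DOMAINS = {
    "leadcloth.ru": False,
    "datecoin.ru": False,
    "acidblues.ru": True,
    "steelray.com": True,
    "danasrat.com": False,
    "adbwer.com": False,
    "janpollj.com": False,
    "sahbara.com": True,
}


def normalize(qname):
    """Lower-case the name and strip the trailing dot resolver logs often append."""
    return qname.strip().lower().rstrip(".")


def match_domain(qname):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    The label-boundary check ("." + domain) keeps look-alikes such as
    notacidblues.ru from matching acidblues.ru.
    """
    name = normalize(qname)
    for domain in ZBOT_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <client ip> <qname>'."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def scan_dns_log(lines):
    """Return {client_ip: [(timestamp, matched_domain, is_c2), ...]} for hits."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines rather than abort the scan
            continue
        ts, client, qname = rec
        domain = match_domain(qname)
        if domain is not None:
            hits[client].append((ts, domain, ZBOT_DOMAINS[domain]))
    return dict(hits)


# Constructed sample log lines (not a capture from the advisory).
SAMPLE_LOG = [
    "2012-05-11T09:14:02 10.0.0.15 www.example.com.",
    "2012-05-11T09:14:05 10.0.0.15 leadcloth.ru.",
    "2012-05-11T09:14:06 10.0.0.15 acidblues.ru.",
    "2012-05-11T09:15:40 10.0.0.22 cdn.sahbara.com.",
    "2012-05-11T09:16:01 10.0.0.22 notacidblues.ru.",  # look-alike, must not match
    "malformed line",
]

if __name__ == "__main__":
    for client, events in scan_dns_log(SAMPLE_LOG).items():
        for ts, domain, is_c2 in events:
            print(f"{ts} {client} -> {domain} ({'C&C' if is_c2 else 'related'})")
```

A host that resolves more than one of these names in a short window is a stronger signal than a single lookup, so keying the result by client address makes that correlation easy.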

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\tmp7c2aa4f0\umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\tmpad242544.bat
  • %USERPROFILE%\Application Data\Awozaradasagq.exe [Detected as GAV: Zbot.YW_214 (Trojan)]
  • %USERPROFILE%\Application Data\Midymeeymmogu.tmp

tmpad242544.bat contains commands that disable certain Windows security features, as seen below. It then deletes itself.

The Trojan adds the following keys to the Windows registry:

    Enable startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {69834A20-7B82-9FD6-35FD-B1FA2A96E05E} "%USERPROFILE%\Application Data\Awozaradasagq.exe"

    Bypass Windows Firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List %windir%\explorer.exe "%windir%\explorer.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %windir%\explorer.exe "%windir%\explorer.exe"

The Trojan modifies the following registry keys:

    Disable Windows Security Center:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc Start dword:00000004

    Disable Windows Automatic Updates:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv dword:00000004

    Disable Internet security policy:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 dword:00000000
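The registry changes above form a recognisable pattern: a CLSID-named Run value pointing into the user profile, explorer.exe whitelisted in the firewall policy (it normally needs no exception), the Security Center and Automatic Updates services set to Start=4 (disabled), and Internet Explorer zone actions 1406 ("Access data sources across domains") and 1609 ("Display mixed content") set to 0 (allow). The script below is an added example (not SonicWALL's code) that checks a registry snapshot for each of these conditions. The snapshot format, a dict of key path to {value name: data} such as a .reg export or inventory tool would produce, and the sample snapshot itself are constructed for the example.

```python
"""Check a Windows registry snapshot for the ZBot modifications above (added example)."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LISTS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\DomainProfile\AuthorizedApplications\List",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
]
SERVICES = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc": "Windows Security Center",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv": "Windows Automatic Updates",
}
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
# Zone action IDs the sample forces to 0 (allow):
# 1406 = Access data sources across domains, 1609 = Display mixed content.
ZONE_ACTIONS = {"1406", "1609"}
SERVICE_DISABLED = 4  # Start = 4 means the service is disabled

# The sample's Run value is named like a CLSID, e.g. {69834A20-...-B1FA2A96E05E}.
GUID_NAME = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)


def check_snapshot(reg):
    """Return a list of (finding_kind, detail) for every indicator present in reg."""
    findings = []

    # 1. Autostart: CLSID-named Run value whose data points into Application Data.
    for name, data in reg.get(RUN_KEY, {}).items():
        if GUID_NAME.match(name) and "\\Application Data\\" in str(data):
            findings.append(("autostart", f"{RUN_KEY} {name} = {data}"))

    # 2. Firewall bypass: explorer.exe added to the authorized-applications lists.
    for key in FIREWALL_LISTS:
        for name in reg.get(key, {}):
            if name.lower().endswith("explorer.exe"):
                findings.append(("firewall-bypass", f"{key} {name}"))

    # 3. Security services disabled via Start = 4.
    for key, desc in SERVICES.items():
        if reg.get(key, {}).get("Start") == SERVICE_DISABLED:
            findings.append(("service-disabled", f"{desc} ({key}) Start=4"))

    # 4. IE zone policy loosened: 1406/1609 set to 0 under Zones or any Zones\<n>.
    for key, values in reg.items():
        if key == ZONES_KEY or key.startswith(ZONES_KEY + "\\"):
            for name, data in values.items():
                if name in ZONE_ACTIONS and data == 0:
                    findings.append(("zone-policy", f"{key} {name} = 0"))

    return findings


# Constructed snapshot: one infected-looking profile plus some benign values.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {
        "{69834A20-7B82-9FD6-35FD-B1FA2A96E05E}": r"%USERPROFILE%\Application Data\Awozaradasagq.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    FIREWALL_LISTS[1]: {r"%windir%\explorer.exe": r"%windir%\explorer.exe"},
    list(SERVICES)[0]: {"Start": 4},   # wscsvc disabled
    list(SERVICES)[1]: {"Start": 2},   # wuauserv still automatic
    ZONES_KEY + r"\3": {"1406": 0, "1609": 0, "1A00": 65536},
    ZONES_KEY + r"\1": {"1609": 1},    # prompt, not allow: not flagged
}

if __name__ == "__main__":
    for kind, detail in check_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{kind}] {detail}")
```

Each finding on its own has benign explanations (an administrator may disable wuauserv deliberately), so the value of the check is in the combination: an autostart entry in the profile together with disabled security services and loosened zone policy on the same host is what matches this sample.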

The Trojan injects code into explorer.exe and causes it to perform the following tasks:

  • It downloads and runs umcc.exe [Detected as GAV: Zbot.YW_216 (Trojan)]
  • It posts sensitive system information to a remote C&C server and receives an encrypted Zbot configuration file in response.

The encrypted configuration file contains banking URLs, browser user-agent strings, C&C server addresses and various other instructions for the bot. Below is a sample of strings found in this file:

      "rakbankonline.ae/4rp/"
      "http://datecoin.ru/us.php"
      "http://acidblues.ru/wallst.php"
      "http://leadcloth.ru/yukon.php"
      "Welcome to HSBC"
      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.YW_214 (Trojan)
  • GAV: Zbot.YW_216 (Trojan)