Also Known As:
Trojan-Spy:W32/Zbot, PWS-Zbot, Trojan-Spy.Win32.Zbot, Win32/Zbot, Infostealer.Monstres, Infostealer.Banker.C, Trojan.Wsnpoem, Troj/Zbot-LG, Troj/Agent-MDL, Troj/Zbot-LM, Troj/TDSS-BY, Troj/Zbot-LO, Troj/Buzus-CE, Sinowal.WUR [Panda Software], Troj/QakBot-D, Troj/Agent-MIR, Troj/Qakbot-E, Troj/QakBot-G, Troj/QakBot-F, Troj/Agent-MJS, Troj/Agent-MKP, Troj/Zbot-ME, Troj/Dloadr-CYP, Win32/Zbot.WY, Troj/DwnLdr-IBQ, Troj/Zbot-NG, W32/Zbot-NI, Troj/Zbot-NN, Troj/DwnLdr-ICV, Troj/DwnLdr-ICY, Troj/DwnLdr-IDB, Troj/Dldr-DM, Troj/Zbot-NR, Troj/Zbot-NS, Troj/Agent-MWK, Troj/FakeAV-BDB, Troj/Agent-MYL, Troj/Agent-NAX, Troj/Zbot-OD, Troj/Zbot-OE, Troj/Zbot-OT, Troj/FakeAV-BGJ, Troj/VB-EPV, Troj/VB-EQA, Troj/Zbot-PE, Troj/Zbot-OZ, Troj/Zbot-PA, Troj/Zbot-OY, Troj/FakeAV-BHP, Troj/Zbot-OX, Troj/Agent-NIV, Troj/Zbot-PM, Troj/Zbot-PQ, Troj/Agent-NKD, Troj/Zbot-PP, Troj/Zbot-PN, Troj/Zbot-PX, Troj/Zbot-PW, Troj/Zbot-PY, Troj/Zbot-PT, Troj/Zbot-PV, Troj/Zbot-QC, Troj/Zbot-QD, Troj/Zbot-QK, Troj/Zbot-QZ, Troj/VB-ERY, Troj/Zbot-RA, Troj/Zbot-RK, Troj/Dloadr-DAD, Troj/Zbot-RP, Troj/Zbot-RY, Troj/Zbot-SC, Troj/Zbot-SD, Troj/Zbot-SB, Troj/Zbot-SF, Troj/Zbot-SV, Troj/Agent-NUO, Troj/Zbot-SP, Troj/Meredrop-K, Troj/Zbot-SX, Troj/Zbot-SY, Troj/Zbot-SR, Troj/Zbot-TG, Troj/Zbot-TQ, Troj/Zbot-TY, Troj/ZBot-UL, Troj/Zbot-VN, Troj/Zbot-VM, Troj/Zbot-VQ, Troj/Zbot-WD, Troj/Zbot-WF, Troj/Zbot-XA, Troj/Agent-OLW, Troj/Zbot-XO, Troj/Zbot-XN, Troj/Zbot-YB, Troj/Zbot-YE, Troj/Zbot-YO, Troj/Zbot-YP, Troj/ZBot-ZJ, Troj/Zbot-AAN, Troj/Zbot-AAM, Troj/Zbot-ACI, Troj/Zbot-AGC, Troj/Zbot-AGJ, Troj/Zbot-AHE, Troj/Zbot-AHD, Troj/Zbot-AIR
Type: Trojan
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.
Infection
The Trojan.Zbot files that are used to compromise computers are generated using a toolkit that is available in marketplaces for online criminals. The toolkit allows an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers.
The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft. The message body warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. If the user visits the link and the computer is not protected, the computer is compromised.
Functionality
This Trojan has primarily been designed to steal confidential information from the computers it compromises. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes.
Confidential information is gathered through multiple methods. Upon execution the Trojan automatically gathers any Internet Explorer, FTP, or POP3 passwords that are contained within Protected Storage (PStore). However, its most effective method for gathering information is by monitoring Web sites included in the configuration file, sometimes intercepting the legitimate Web pages and inserting extra fields (e.g. adding a date of birth field to a banking Web page that originally only requested a user name and password).
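A defender-side check for the field-injection behaviour described above, given as an added example (it is not part of the original write-up or of any vendor tool). It compares the form fields in the markup a site served with the fields present in the rendered copy and reports any extras; the function names and both sample pages are constructed for illustration.

```javascript
// Added example: flag form fields present in the rendered page but absent
// from the markup the server actually sent (constructed sample pages below).

// Collect the name attribute of every input/select/textarea in an HTML string.
// A regex scan is enough for this illustration; a production check would read
// the live DOM (document.forms) instead.
function extractFieldNames(html) {
  const names = new Set();
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attr = /\bname\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(tag[2]);
    if (attr) names.add((attr[1] ?? attr[2] ?? attr[3]).toLowerCase());
  }
  return names;
}

// Return the fields that appear only in the rendered copy, sorted.
function findInjectedFields(servedHtml, renderedHtml) {
  const expected = extractFieldNames(servedHtml);
  return [...extractFieldNames(renderedHtml)]
    .filter((n) => !expected.has(n))
    .sort();
}

// Constructed sample: the login form as served by the site ...
const SERVED = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>`;

// ... and as seen in the browser after an extra field was inserted.
const RENDERED = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <label>Date of birth</label> <input type='text' name='DOB'>
  <input type="submit" value="Sign in">
</form>`;

console.log(findInjectedFields(SERVED, RENDERED)); // [ 'dob' ]
```

A non-empty result means the page the user sees asks for more than the site requested, which is the symptom the paragraph above describes.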
Additionally, Trojan.Zbot contacts a command-and-control (C&C) server and makes itself available to perform additional functions. This allows a remote attacker to command the Trojan to download and execute further files, shut down or reboot the computer, or even delete system files, rendering the computer unusable without reinstalling the operating system.
Zeus and “Kneber”
On February 18, 2010, news reports appeared about a new botnet called Kneber. The reports claimed there were as many as 75,000 machines compromised by this newly discovered threat.