TROJ_ZBOT.BTS - Technical details

TROJ_ZBOT.BTS

Overview

Solution

Technical Details

File type: PE

Memory resident: Yes

Size of malware: 81,920 Bytes

Payload 1: Downloads files

Payload 2: Steals information

Details:

Infection Points

This Trojan arrives as a file downloaded from the following URL:

http://{BLOCKED}i.com/lbrc/labo.exe

Installation and Autostart Technique

Upon execution, this Trojan drops a copy of itself in the system folder as sdra64.exe and appends garbage code to the dropped copy to avoid easy detection. It creates the folder, %System%\lowsec, with its attributes set to System and Hidden to prevent users from discovering and removing its components. This Trojan then creates the following non-malicious files:

%System%\lowsec\user.ds - used to save the gathered information
%System%\lowsec\local.ds - copy of the encrypted downloaded file

It modifies the following registry entry to enable its automatic execution at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %System%\sdra64.exe,"

(Note: The default value data of the said registry entry is %System%\Userinit.exe,.)

It also creates the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Network
UID = "{computer name}_{random numbers}"

It injects itself into legitimate WINLOGON.EXE and SVCHOST.EXE processes as part of its memory residency routine.

Information Theft Routine

This Trojan attempts to access the following Web site to download a file:

http://{BLOCKED}i.com/lbrc/lbr.bin

The said file contains information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also contains the following list of targeted Web sites from which it steals information:

*.microsoft.com/*
*//www.svbconnect.com/security/challengeVerify.do
*amazon.com*
*blogger.com*
*facebook.com*
*flickr.com*
*livejournal.com*
*myspace.com*
*youtube.com*
http://*myspace.com*
http://calbanktrust.com/
http://fbtonline.com/home/
http://ultrex.info/webstat/03/03x.htm
http://unfcu.org/
http://us.hsbc.com/
http://www.ncsecu.org/*
http://www.synovus.com/
http://www.unfcu.org/
http://www.wellsfargo.com/
https://*.ebanking-services.com/nubi/StrongAuth/
SignInContinue_Register.aspx
https://*.web-cashplus.com/Cashplus/
https://*treasury.pncbank.com/*/login.ht
https://access.jpmorgan.com/appmanager/
jpmalogonportal/jpmalogonhome*
https://alltimetreasury.pacificcapitalbank.com/TekPortfolio/servlet/
TB_UI_Controller*
https://banking.*.de/cgi/ueberweisung.cgi/*
https://banking.calbanktrust.com/iLogin.jsp
https://bnycash.bankofny.com/
https://bob.sovereignbank.com/wcmfd/wcmpw/CustomerLogin
https://boh.webcashmgmt.com/phcp/servlet/LoginServlet
https://business-eb.ibanking-services.com/K1/*
https://businessaccess.citibank.citigroup.com/cbusol/guestSignOn.do
https://businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx
https://businessonline.tdbank.com/CorporateBankingWeb/Core/Login.aspx*
https://cashman.arvest.com/cashman*Auth.asp
https://cashmgt.firsttennessee.biz/cb/servlet/cb/login.jsp
https://cbs.firstcitizens.com/cb/servlet/cb/loginfcbnc.jsp
https://chaseonline.chase.com/MyAccounts.aspx
https://chsec.wellsfargo.com/login/login.fcc
https://cm.netteller.com/login*/Authentication/Views/LoginCM.aspx
https://commerceconnections.commercebank.com/ibank/
cmserver/welcome/default/verify.cfm
https://commercial.wachovia.com/Online/Financial/Business/Service*
https://e-access.compassbank.com/bbw/cmserver/welcome/default/verify.cfm
https://express.53.com/express/logon.action
https://ffce.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
https://goldleafach.com/ach/Login.aspx*
https://ibank.scnb.com/inets/Login.cfm
https://internetbanking.firsttennessee.biz/*
https://internetbanking.gad.de/banking/*
https://itreasury.regions.com/
https://lakecitybank.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
https://mibusinessonlinebanking.ebanking-services.com/nubi/signin.aspx
https://myib.firstmerchants.com/fi3039a_auth/sbuser/slogon
https://netconnect.bokf.com/ibs/cmserver/welcome/default/verify.cfm
https://onb.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
https://online.citibank.com/*
https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
https://online.wellsfargo.com/das/cgi-bin/session.cgi*
https://onlineaccess.ncsecu.org/login.aspx
https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
https://onlinetreasurymanager.suntrust.com/ibswebsuntrust/cmserver/
welcome/default/verify.cfm
https://rbs.com/
https://secure.fundsxpress.com/piles/fxweb.pile/custom_login?template=login&no_top_url=1&iid=ABMWI
https://secure.ingdirect.com/myaccount/INGDirect.html
https://secure.ingdirect.com/myaccount/InitialINGDirect.html*
https://securentrycorp.calbanktrust.com/Authentication/zbf/k/*
https://singlepoint.usbank.com/*
https://top.capitalonebank.com/pub/html/login.html
https://trading.scottrade.com/home/default.aspx
https://treas-mgt.frostbank.com/rdp/cgi-bin/*
https://treasurydirect.tdbank.com/ibsweb/cmserver/welcome/
default/verify.cfm
https://usgateway1.rbs.com/usgateway/cb/gpsmoneymanager.jsp
https://usgateway2.rbs.com/usgateway/cb/gpsmoneymanager.jsp
https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
https://web4.secureinternetbank.com/ebc_ebc1961/
https://webexpress.tdbanknorth.com/wcmfd/wcmpw/CustomerLogin
https://wellsoffice.wellsfargo.com/portal/signon/index.jsp
https://ws2.bankbyweb.net/EBC_EBC1961/*
https://www#.citizensbankonline.com/*/index-wait.jsp
https://www#.usbank.com/internetBanking/LoginRouter
https://www.53.com/servlet/efsonline/index.html*
https://www.53.com/wps/portal/cblogin
https://www.americansavingsnj2.com/onlineserv/CM/
https://www.boh.com/
https://www.businessonlineaccess.web-cashplus.com/
https://www.citibank.com/us/citibusiness/
https://www.citibank.de/*
https://www.columbiabankonline.com/onlineserv/CM/
https://www.directline4biz.com/bbw/cmserver/login_validate.cfm*
https://www.directline4biz.com/challenge100.cfm
https://www.easterntreasuryconnect.com/bbw/cmserver/
appserver_login_validate.cfm
https://www.easterntreasuryconnect.com/bbw/cmserver/
welcome/default/verify.cfm
https://www.eastwestbankhb.com/onlineserv/CM/*
https://www.ecathay.com/onlineserv/CM/
https://www.fiservdmecorp1.net/
https://www.fiservla10.com/
https://www.floridagulfbank.com/
https://www.frostbank.com/
https://www.independentcm.com/onlineserv/CM/
https://www.jpmorgan.com/cm/
https://www.mibank.com/
https://www.mybusinessbank.co.uk/cs70_banking/logon/slogon
https://www.nationalcity.com/consultnc/
https://www.paypal.com/*
https://www.securechemicalbankmi.com/onlineserv/CM/
https://www.skagitonlinebanking.com/onlineserv/CM/
https://www.sterlingcorporatenetbanking.com/bbw/
cmserver/login_validate.cfm*
https://www.sterlingwires.com/
https://www.sunnb.blilk.com/Core/Authentication/MFAUsername.aspx
https://www.suntrust.com/portal/server.pt*parentname=Login*
https://www.svbconnect.com/*
https://www.treasurypathways.com/pub/html/pt/RSApm/loginID.html
https://www.us.hsbc.com/*
https://www.whitneybank.web-access.com/whitney/cgi-bin/welcome.cgi
https://www8.comerica.com/nv/TMConnectWeb/cgi-bin/welcome.cgi*

Note that the contents of the file, hence the list of Web sites to monitor, may change any time. Once users access any of the monitored sites, it starts logging keystrokes.

Attacked Entities

This Trojan attempts to retrieve information from the following list of banking institutions:

Amazon
Arvest Cash Manager
Atlantic Bank & Trust
Audubon State Bank
Bank of America
Bank of Hawaii
Bank of Oklahoma
Blogger
Business Online
California Bank & Trust
Capital One
CashPlus
Cathay Bank
Chase
Chemical Bank
Citibank
Citizens
Columbia Bank
Comerica
Commerce Bank
Compass Bank
East West Bank
Facebook
Fifth Third
First Bank & Trust
First Citizens Bank
First Tennessee
Flickr
Florida Gulf Bank
Frost Bank
Fundsxpress
GAD
GoldLeaf ACH
HSBC
Independent Bank
ING Direct
Investors Savings Bank
iTreasury
JP Morgan
Lafayette Bank
LakeCity Bank
LiveJournal
M&I Business Online Banking
Microsoft
Money Manager
My Business Bank
Myspace
National City
NetTeller Internet Banking
Northeast Bank
Pacific Capital Bank
Pacific Western Bank
PayPal
PNC
Raiffeisen
Scottrade
Silicon Valley Bank
Skagit State Bank
Sovereign Bank
State Employees' Credit Union
Sterling Savings Bank
Suffolk County National Bank
Suntrust
Synovus
Treasury Direct
Treasury Pathways
Ultrex
United Nations Federal Credit Union
US Bank
Wachovia
Washington Mutual
Wells Fargo
YouTube

Note that the list may change anytime.

Stolen Information

This Trojan attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user�s account information, which may then lead to the unauthorized use of the stolen data.

Drop Points

The stolen information is saved in the file %SYSTEM%\lowsec\user.ds. The said file is then sent to the server http://{BLOCKED}i.com/lbr/rec.php via HTTP POST.

Download Routine

The Trojan accesses the following site to download its configuration file: