ThreatFire Research Blog Home
 
 
« ActiveX MsVidCtl 0day
South Korea and U.S. Government Sustained DDoS »

Michael Jackson Zbot Data Stealing Hooks

The recent Michael Jackson Zbot variant implements a variety of IAT hooks to perform its data stealing and stealth on victims’ compromised systems. Its user-mode hook techniques have been described as “implemented properly” for malicious user-mode hooks. The Zbot releases have changed in various ways over time, and a couple of new additions reveal ongoing development by the same writers.

The Zbot family of malware continues to use multistaged component injection to achieve its final goal of stealing sensitive and confidential information off of the machine. It attempts to kill off two fairly prevalent firewalls at startup, functionality that seems to be present across all Zbot releases. It also continues to hide its ondisk components by hooking NtQueryDirectory within ntdll, and uses much of the same list of hooked win32 calls since the original release as its basis to plant more hooks:
LdrLoadDll
LdrGetProcedureAddress
NtCreateThread

A couple of hooks have been a common part of their ongoing releases to steal data:
GetClipboardData has always been used to steal information from the clipboard — copying and pasting your username/password won’t get past this malware.
TranslateMessage – buffers keyboard input from windows messages, converts the input to unicode, and sends it to the controller process’s pipe to be sent off of the victim’s machine.

A couple of newer hooks placed by the malware are new and related to what is known as screenscraping:
BeginPaint/EndPaint – appear to be hooks designed to determine when to perform the screenshot functionality found in the DefWindowProcW hook.
DefWindowProcW – mechanism to extract a device context from a window and generate a bitmap from it. In other words, this functionality is used to take screenshots on the victim’s machine as they are using it.

All in all, Zbot is one of the nastier malware families in circulation with a fairly regular release cycle and is actively used by cybercrooks. ThreatFire has been effectively preventing this malicious family from stealing information for a couple of years now.

This entry was posted on Wednesday, July 8th, 2009 at 3:49 pm and is filed under ZBot. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply

Click here to cancel reply.
 

  • Blog Archive

    • November 2009
    • October 2009
    • September 2009
    • August 2009
    • July 2009
    • June 2009
    • May 2009
    • April 2009
    • March 2009
    • February 2009
    • January 2009
    • December 2008
    • November 2008
    • October 2008
    • September 2008
    • August 2008
    • July 2008
    • June 2008
    • May 2008
    • April 2008
    • March 2008
    • February 2008
    • January 2008
    • December 2007
    • November 2007
    • October 2007
    • September 2007
    • August 2007

  • Search This Blog

  • RSS Subscribe Now

    • Koobface on Yuotube
    • Spamvertizing Social Networks and Why Legitimate Money Will Help Clean Them Up
    • Zbot: Not Your Typical Malware

  • Categories

  • About ThreatFire

    ThreatFire™, features innovative real-time behavioral protection technology that provides powerful standalone protection or the perfect complement to traditional signature-based antivirus programs.

    ThreatFire's patent-pending ActiveDefense™ technology offers unsurpassed protection against both known and unknown zero-day viruses, worms, trojans, rootkits, buffer overflows, spyware, adware and other malware.

    Learn more...

  • Blogroll

    • AV-Comparatives weblog
    • Bill Mullins’ Weblog – Tech Thoughts
    • Security Response Blogs
    • Swatkat’s rants
    • ThreatExpert Blog

  • Links

    • AMTSO
    • AV-Test
    • Frank Boldewin’s Reconstructor
    • PC Tools
    • ThreatExpert
    • ThreatFire
    • Virus Bulletin
 
Subscribe to:
Posts (Atom) 		Entries (RSS) and Comments (RSS).