Zeus is an extremely effective bot builder kit designed and developed to be sold in underground markets as a cybercrime kit, enabling buyers to easily build identity theft related spyware that evades many security solutions. The writers have been known to do custom work as well, all for a price.
The bots produced by the kit were in turn called ”Ntos” and ”Zbot” by major software security vendors. We’ve kept on top of its activity over the past couple of years, describing its distribution as a part of other attacks, drive by attacks, and spam blasts. The ThreatExpert blog maintains posts here and here. ThreatFire is one of the most effective, if not the most effective, products on the market at detecting and preventing the Zbot variants on user systems. It detects them clearly as “Spyware.Zbot”. Because one gang of the bot distributors have been so determined and successful at distributing the malware to high-value targets over the past couple of years, an individual zbot botnet currently made up of a reported 74,000 zbot infected systems is being renamed as the “Kneber Botnet“, based on the username this Zbot variant uses.
We have posted a dozen times about Zbot over the past couple of years, including stats on Zbot-downloading Bredolab variants being run on user’s systems. Locations of the tens of thousands of systems on which users have run Zbot itself over only the past six months vary across globe, but here are a recent top ten from the ThreatFire community.
These Zbot hits are the malware that get through spam filters, mail AV scanners, etc, and Zbot actually was run on the user’s system and then prevented by ThreatFire. It’s also interesting to know that over 70% of ThreatFire users are running another security solution on their system (indicating that ThreatFire is first and only to detect and prevent in a startling number of incidents). ThreatFire protected all of our users that were tricked into running Zbot, and it’s a good thing. The vast majority of these variants were configured to steal banking credentials, in addition to other valuable user data.
Note – the Dns domains registered to “Hilary Kneber” from which the attacking web sites served the zbot spyware (which cleverly must helped in naming the botnet), maintained the Zbot executables as “bot.exe” from a couple of different directories. One would think that this filename may be a giveaway to security monitors. On victim systems where the malware was run, it seems that the file was downloaded and renamed to both “svchost.exe” and random names like “58e.tmp” so as to camoflage its purpose. It predictably then would attempt to copy itself to c:\windows\system32\sdra64.exe.