ZBot: The never ending Trojan

It was around 2007 when we first encountered the ‘Win32/ZeusBot Trojan Horse’, AKA ‘ZBot’.
The first versions of the malware were used against the U.S. Department of Transportation, mainly to steal information such as passwords.

Since then, multiple variants have been released, adding more and more functionality and ‘bad’ stuff with every update, mainly by criminal groups seeking to steal banking information.

These groups have evolved ZBot so much that if I had to categorize it, I would say it is the ‘level 5 storm’ of all malware.

Today, ZBot includes all the latest hacking and viral techniques, such as rootkit, backdoor, proxy, data harvesting, and audio and video recording (compared to just keystroke logging in the beginning).
The Trojan also downloads additional settings from dedicated remote servers, so its functionality can differ even within the same infection. It inserts and modifies files on the breached PC and even opens an entry point through which thousands of adware programs and other malicious spyware can infiltrate the computer.

The Trojan’s fixed backdoor allows a remote attacker to control the infected computer. Such an attack could retrieve any information from the computer, especially stored financial information such as credit card numbers, bank account information, etc.

It is not known for sure who originally wrote and distributed the Trojan; however, this malware has been associated many times with a cybercrime organization known as the ‘Russian Business Network’. This organization, which has also been called the ‘Baddest of the Bad’, takes part in a wide variety of criminal online activities, such as hosting malware sites, child pornography, spamming, data theft and more. In 2007, it was argued that the organization’s income was more than two billion dollars, while today it is estimated to be worth more than the global illegal drugs trade, which is more than $100 billion a year.

Taking down this organization is almost impossible because it is not a listed company, nor does it use real names on its sites. Usually, anyone who tries to hack into the organization’s networks becomes the victim of a retaliatory attack. Tracing some of the organization’s networks mainly leads to St. Petersburg, as well as Latvia and Kazakhstan.

The organization is also known to be associated with the Russian Mafia, and it has even been claimed to have direct connections with the Russian government.

How is ZBot distributed?

Typically, ZBot is delivered as an e-mail attachment with an attractive subject line, which entices victims to open the file or follow a link to a malicious website.

However, there are also other ways, such as exploiting vulnerabilities in the operating system or other software. An attacker could also take advantage of cross-site scripting vulnerabilities on innocent sites to redirect users to malicious sites without their knowledge. Moreover, you could also get infected through chat or file-sharing software.

In addition, after a successful infection, the Trojan “knows” to send itself, without the victims’ knowledge, to all their contacts, who could then become victims themselves.

Where does ZBot hit? Well, everywhere…

As always, the recommendation is to avoid opening e-mails with overly attractive subject lines, to keep the operating system and all installed software up to date, and to use a reliable security product.