NEW DELHI, INDIA: Trend Micro, the global leader in Internet content security, has recently noted multiple reports of a new botnet named Kneber. TrendLabs has confirmed that this new botnet is a specific ZBOT compromise. ZeuS, ZBOT and Kneber all refer to the ZeuS Trojan/Bot, an established crimeware bot known to be leveraged by many botnets and possibly the most pernicious Trojan/Bot currently in operation.
The ZeuS bot, which is primarily designed for data theft or to steal account information related to online banking transactions, may arrive as a spammed message or it may be unknowingly downloaded by users via compromised websites.
The majority of ZBOT detections have been found to target bank-related websites. In order to defraud their victims, the criminals behind this threat generate a list of bank-related websites or financial institutions from which they try to steal sensitive online banking information, such as user names and passwords. However, recent spam runs have shown an increasing diversity in targets. The list of noteworthy ZBOT variants includes TROJ_ZBOT.SVR, which was used to spam government agencies; TSPY_ZBOT.JF, which targeted AIM users; and TSPY_ZBOT.CCB, which targets the social networking site Facebook.
In addition to its social engineering tactics and ever-evolving spamming techniques, ZBOT makes detection difficult because of its rootkit capabilities. Upon installing itself on the affected system, ZBOT creates a folder with its attributes set to System and Hidden to prevent users from discovering and removing its components. Furthermore, ZBOT is capable of disabling the Windows Firewall and injecting itself into running processes to become memory-resident. It also terminates itself if certain known firewall processes are found on the system.
“ZBOT is primarily designed for data theft or to steal account information from various sites, like online banking sites, social networking sites, ecommerce sites, among others. It generates a list of bank-related websites or financial institutions from which it attempts to steal sensitive online banking information, such as user names and passwords. It then monitors the user’s web browser activity (both HTTP and HTTPS), using the browser window title or address bar URL as the trigger for its attack. This routine risks the exposure of the user’s account information, which may then lead to the unauthorized use of the stolen data,” commented Amit Nath, Country Manager, Trend Micro India.
Solutions supported by the Trend Micro Smart Protection Network block the spam used by this botnet to infect users via email reputation and protect customers against these types of multi-vector or blended threats. They can also detect and prevent the execution of malicious files via file reputation. In addition, Trend Micro correlation and in-the-cloud reputation databases are constantly analyzing and providing immediate protection against any new components that show up.
Since 2007, Trend Micro has been closely monitoring the ZBOT family and has observed that the number of ZBOT detections has grown substantially over the years. To date, Trend Micro has seen over 2,000 ZBOT detections, and the numbers continue to rise. The earliest known use of the ZeuS Trojan, or ZBOT, was by the infamous Rock Phish gang, known for its easy-to-use phishing page kits.