Trusteer reports that 3.6 million PCs are infected in the US alone, and even up to date anti-virus scanners cannot stop it. "Installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23% compared to running without an anti-virus altogether" (Trusteer).
In other words, opening or downloading the trojan results in infection more than 75% of the time.
The newest delivery method of the trojan is emails claiming to be from the IRS and a typical subject of "Notice of Unreported Income". These emails are in wide circulation over the last three weeks and are showing no signs of slowing down according to a report recently published by Network World.
What is Zbot?
The Zbot trojan is designed to steal login credentials, usually for financial accounts. The admin panel and exe builder can be easily purchased and is widely distruibuted on criminal networks for only a few thousand dollars. Old and obsolete versions of the builder are even freely available on P2P file sharing networks and torrent sites. This admin panel makes it possible for the cybercriminals to generate their own version of the virus to get around anti-virus scanners.
Zbot is typically used to steal account information. The main area of focus for the criminals is banking websites. Once the credentials for these sites have been stolen they can then be used to siphon money from the account and into their own network of accounts. Because Zbot is a keylogger and due to design it can be used for any type of website the hacker wishes to gain access to including social networking sites, ftp accounts and can even be used to bypass two-factor authentication.
Zbot is commonly spread through email or malicious websites using drive-by downloads. The emails claim to be from a reputable source containing an attachment that the unsuspecting user will open. The most prevalent scheme for these emails has been shipping carrier (UPS, Fedex, etc.) delivery notifications which report a problem with package delivery and get the user to open the attachment. Other schemes include bank notifications, Microsoft Outlook update notifications, Western Union fakes and others.
How Does Zbot Work?
The Zbot Trojan is essentially a framework for the exploit. Without the configuration file the program does nothing. This encrypted configuration file is the command and control structure of the bot including what sites to attack and where to send stolen credentials and information.
"The logics contained in the configuration contains the list of banking institutions that the bot targets, URLs of the additional components that the bots relies on to download commands and updates, the lists of questions and the list of the fields that the bot injects into Internet banking websites to steal personal details/credentials, etc." (ThreatExpert)
The configuration file can be downloaded from a site of the attackers choosing, and also contains the location for the next configuration update. Infected machines can be grouped into botnets by the attacker and updated from the same locations.
Once running on a system the trojan can perform a variety of operations. The majority of the time this is simply a keylogger which is activated when the user accesses a targeted site. Zeus can also replace the web form on a search page to ask for additional information such as card numbers, pin numbers, social security numbers and the answers to security questions. Real-time screenshots can also be taken from infected machines.
More detailed technical information is available on the ThreatExpert blog and the Zeus tracker pages at the bottom of this post.
Detecting Infection
To determine if a machine is infected users can look for specific registry keys and file locations added by Zbot. Here is a list of file locations from abuse.ch:
Preventing Infection
The best way to prevent infection is to simply be cautious of opening dangerous file attachments in email, and by enabling browser protection to limit scripts and file downloads. Web filtering can be a powerful technique in limiting the effectiveness of Zeus by preventing access to distribution and call-home points. The tracker on abuse.ch is a great resource for finding command and control centers which can then be blocked with web filtering or firewall.
Conclusion
Zbot usage and distribution is showing no signs of slowing down and criminals associated are making millions. The trojan has proven effectiveness and has been in circulation over three years - it will continue to be a threat for more to come.
Resources
Abuse.ch Zeus Tracker
ThreatExpert: Time to Revisit Zeus Almighty
Trusteer: Measuring the in-the-wild effectiveness of antivirus against Zeus
Network World: IRS Scam Now World's Biggest Email Virus Problem
Dancho Danchev: Crimeware in the Middle - Zeus
Zero Day: Modern banker malware undermines two-factor authentication
