Freely subscribe to our NEWSLETTER

The Threat Defined

Convincing Subdomains: Key to New ZBOT/Zeus Attack
Trend Micro researchers investigated a spam run randomly targeting the employees of several companies. A number of employees received email notifications purporting to be from their respective companies’ system administrators. These emails reminded them to update their systems due to a recent server software upgrade. The link in the emails used several subdomains that resolved to the same IP address. These URLs all served a ZBOT variant (TROJ_ZBOT.CYX) to victims’ PCs.

Trend Micro researchers believe that the subdomains were tailor-made—crafted to make the email recipients think the links were legitimate and thus non-malicious. Tests using BFK’s Domain Name System (DNS) replication tool revealed that the URLs were actually “wildcarded subdomains,” under some of the following domains:

The fact that the domains used in this campaign were wildcarded resolvers is, however, still not the most important aspect of this threat. What is more important is that the domains involved are hosted on the Avalanch fast-flux botnet and that they are changing very rapidly as new domains are used. Due to the fact that these domains are wildcarded resolvers as well, they are also moving from one campaign to another, sometimes in the same day in the form of fake updates for security products, fake Outlook Web Access updates, and fake Secure Sockets Layer (SSL) certificates for banks.

In the spam sample in Figure 2, the cybercriminals created the subdomain nextel.com.mx.secure under the domain upd-center.com. The download URL will therefore look familiar to the target. Cybercriminals increase the chances of infection with this social engineering tactic.
Upon execution, TROJ_ZBOT.CYX attempts to access a website to download a file containing information where it can download an updated copy of itself and where to send the data it steals. The configuration file also contains a list of targeted bank-related websites from which it steals information.

What Makes ZBOT Malware Dangerous?

The Zeus botnet comprises various components, several of which have been detected over the months by Trend Micro as ZBOT Trojan and Trojan spyware variants. The botnet is most commonly associated with ebanking attacks targeting small businesses. Its creators often

Web Threat Spotlight

A Web threat is any threat that uses the Internet to facilitate cybercrime.
preyed on small and medium-sized companies that may not have a full-time IT/security staff and who rely on one or two people to handle their bank accounts and payroll online.

The botnet’s notoriety led ZBOT Trojans and Trojan spyware to be tagged as one of history’s most dangerous malware, particularly in relation to information and identity theft. First introduced by Rock Phishers early this year (around April), the malware paved the way for the rise of easy-to-use kits that yielded professional-looking phishing pages. They proliferated either via email or exploits and were typically packed, making their codes harder to read in the course of analysis. The latest ZBOT variants, in fact, come compressed in more and more complex packers.

ZBOT malware have rootkit capabilities that allow them to hide the folders and component files they create. They also typically inject their code into system processes so that users have a harder time to terminate malicious processes. They also terminate firewall-related and security application-related processes.
ZBOT malware collect users’ personal information and sell them to other cybercriminals. Underground research and documented cases reveal that the malware presents a thriving business, as infected systems give up their owners’ personal information to remote servers (i.e., cybercriminals). ZBOT variants are especially damaging due to their ever-changing social engineering techniques but their overall impact has been largely underrated.

User Risks and Exposure

ZBOT variants usually prey on users’ naïveté and lack of awareness of phishing scams and how damaging they can be. In this attack, for instance, cybercriminals used several wildcarded subdomains to trick more users into clicking a malicious link.

The spammed message each user got purported to come from his/her employer’s system administrator, sporting a legitimate-looking domain with the company’s name (see Figure 2). This hoped to trick the user to click the URL, get infected, and divulge critical information in the process (e.g., credit card information). The information gathered will then either make it to a malicious server for later use or sold underground to the highest bidder.
Figure 2. A spammed email sent to a Nextel employee

Trend Micro Solutions and Recommendations

Trend Micro Smart Protection Network™ delivers security that is smarter than conventional approaches. It blocks the latest threats before they reach you. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies and a lightweight client architecture to immediately and to automatically protect your information wherever you connect. It is also the only antivirus technology that is able to correlate threats and identify their individual roles in an entire threat.
In this attack, Smart Protection Network’s Web Protection Service protects users by preventing user access to identified malicious domains and subdomains. File Reputation Service also detects and prevents the download of the malicious file detected as TROJ_ZBOT.CYX. Finally, Email Reputation Service blocks the spammed emails. Mac users can also get protection from similar attacks with Trend Micro Smart Surfing for Mac.

Non-Trend Micro product users are, on the other hand, advised to use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.