Battling the Zbot Threat (with MSRT)

Hello Internet!

As you may recall, last October we updated MSRT to include the well-known malware Zbot (aka Zeus), one of the more prolific bots we see in the wild today. Today, we released a special-edition Security Intelligence Report, entitled “Battling the Zbot Threat,” that documents the background, functionality, prevalence, and geographical distribution of Zbot malware. The paper also shows how Microsoft has had a measurable effect on the Zbot ecosystem since broadening its attack efforts to include the Malicious Software Removal Tool (MSRT) in October 2010.


As always, we continue to update MSRT with the result of ongoing research by the MMPC, all the while improving our detections. This is necessary because, as with most malware, Zbot itself is continually evolving, having undergone many changes in the last year or so, ‘updates’ to the file-based obfuscation, anti-AV defensive techniques, information stealing capabilities, configuration file protection, API hooking, pseudo-random domain generation, process injection and file infection. We’ll not go into details of many of these here, but we can show the telemetry we’ve gathered from the MSRT and Microsoft Security Essentials over the last four months documenting the percentage of Zbot detections exhibiting these new features, shown as Zbot 2.x in the chart below:




Of all the changes that Zbot has undergone
however, the most
significant from an MSRT perspective is the move towards file infection. Since
its inception, Zbot has employed process injection targeting multiple processes
on the system,
the extent of which is governed by the privilege level of the user who
unwittingly triggers the infection. (TIP: If you’re going to run an attachment you got
from an email or a link, or via Facebook, don’t elevate
it to admin via UAC.)


In some newer variants of Zbot in the wild, for each infected process it will hook several Windows APIs, modify and infect binary files, and infect files shared in the network. One interesting behavior to note is that the infected process thread will continually monitor and infect other processes.


The diagram below shows the simple way to visualize the code injection and hooking process cycle:



In its original form, Zbot hooked around 15 APIs. But newer versions, dubbed Zbot 2.x, hook upwards of 30 APIs. The API that we are most interested in however is NtCreateFile(), which is invoked upon opening files. As we see in the first diagram, Zbot can infect both directly and upon opening files. This provides a severe hindrance for attempts to manually clean the system. However, if a tedious manual cleaning process doesn’t sound all that palatable, you can sleep well knowing MSRT handles cleaning of an infected system properly. 


As always, we recommend using a reputable Anti-Virus product to help ensure you don’t get infected in the first place, like one of the products listed here. You may also consider using Microsoft’s no cost Anti-Virus product, Microsoft Security Essentials


These patched/infected files are detected as Virus:Win32/Zbot.B, and Virus:Win32/Zbot.C. For detailed information on the more recent malicious behavior of Zbot, please refer to the description on our Encyclopedia: PWS:Win32/Zbot.gen!Y


Rodel Finones, Holly Stewart, Joe Faulhaber and Matt McCormack

Comments (0)

Skip to main content