The Zemot family of trojan downloaders are frequently used by malware with a number of different payloads. We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014.
Recently, other malware such as Win32/Rovnix, Win32/Viknok, and Win32/Tesch also began using Zemot to distribute their malicious payloads. It is necessary for any real-time security software to effectively remediate these downloaders to prevent reinfection with these payloads.
Zemot is usually distributed through the spambot malware Win32/Kuluoz and through the exploit kits Magnitude EK and Nuclear EK. An example of this infection chain is shown in the following illustration.
Figure 1: The Zemot infection chain
The graphs below show Zemot infection telemetry since November 2013.
Figure 2: Monthly machine telemetry for Win32/Zemot
Figure 3: Monthly file telemetry data for Win32/Zemot
By taking into account both the machine and the file count telemetry, we can see that a single copy of Zemot is often mass distributed to the payload URLs (the download URLs for Win32/Kuluoz and the payload URL for the exploit kits).
Some other notable characteristics of the Zemot family include:
- They use several techniques to make sure the downloaded module will be successful on all Windows platforms.
- Each successful download is saved with a unique file name to allow for multiple infections.
- Major variants vary in their static configuration format and download file name format (for example: java_update_<random>.exe, updateflashplayer_<random>.exe).
- Modules such as getting the OS version, user privilege, URL parsing and the downloading routine are taken from the Zbot source code.
- Variants can be bundled with other malware (one trojan downloader can distribute multiple malware payloads).
This complex threat model makes it important that your installed security software covers every part of the infection chain, including the downloaders that can otherwise pose a risk of reinfection.
Given the popularity of the Zemot family of downloaders we added the family to the MSRT this month to help protect our customers. We also recommend you run an up-to-date real-time security products such as Microsoft Security Essentials.