MSRT September 2014 – Zemot


This month we added the Win32/Zemot family to the Malicious Software Removal Tool.

The Zemot family of trojan downloaders is frequently used to deliver a number of different payloads. We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014.

Recently, other malware families such as Win32/Rovnix, Win32/Viknok, and Win32/Tesch have also begun using Zemot to distribute their payloads. Real-time security software therefore needs to remediate the downloader itself, not only the payload it fetched; a downloader left behind will simply reinfect the machine with the same payloads.

Zemot is usually distributed through the spambot malware Win32/Kuluoz and through the exploit kits Magnitude EK and Nuclear EK. An example of this infection chain is shown in the following illustration.


Figure 1: The Zemot infection chain

The graphs below show Zemot infection telemetry since November 2013.


Figure 2: Monthly machine telemetry for Win32/Zemot


Figure 3: Monthly file telemetry data for Win32/Zemot

Comparing the machine count with the file count shows that the number of distinct Zemot files is small relative to the number of infected machines: a single Zemot binary is typically placed at the payload URLs (the download URLs used by Win32/Kuluoz and the payload URLs used by the exploit kits) and served unchanged to a large number of machines.

Some other notable characteristics of the Zemot family include:

  • Variants use several techniques to make sure the downloaded module runs successfully on all Windows platforms.
  • Each successful download is saved under a unique file name, so one machine can carry several infections side by side.
  • Major variants differ in their static configuration format and in the file name format used for downloads (for example: java_update_<random>.exe, updateflashplayer_<random>.exe).
  • Routines such as getting the OS version, checking user privilege, URL parsing and the download routine itself are taken from the Zbot source code.
  • Variants can be bundled with other malware (one trojan downloader can distribute multiple malware payloads).

Because one downloader can sit at the head of several different payload chains, it is important that your installed security software covers every part of the infection chain, including the downloader, which otherwise remains on the machine as a source of reinfection.

Given the popularity of the Zemot family of downloaders, we added the family to the MSRT this month to help protect our customers. We also recommend running an up-to-date real-time security product such as Microsoft Security Essentials.

Rodel Finones
MMPC

SHA1s:
10881873606b0aa0a432cdb4966f54169518dd6d
e9e28793353b3db905545682c8812e04f9fe7db8
a35f95868f4bdf54ce130edfc8afc527b3a731fe
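The two indicators the post gives, the download file name formats listed in the characteristics above and the three SHA-1s just listed, can be turned into a small disk hunt. The script below is an added example and is not code from the MMPC post or from the MSRT; it assumes that <random> in the file name formats is a run of alphanumeric characters (the post does not say what it looks like) and that the dropped file can be anywhere under the directory you point it at. The SHA-1 check is exact but only covers the three published samples; the name check is a triage lead, not a verdict, because a new Zemot build served from the payload URLs will not match any published hash.

```python
"""Hunt for Zemot-style dropped downloaders by hash and by file name.

Added example, not code from the MMPC post. Facts taken from the post:
the file name formats java_update_<random>.exe / updateflashplayer_<random>.exe
and the three SHA-1s it lists. Assumption: <random> is one or more
alphanumeric characters and names are matched case-insensitively (NTFS is).
"""
import hashlib
import os
import re
import sys

# SHA-1s published in the post, normalised to lowercase for comparison.
ZEMOT_SHA1S = {
    "10881873606b0aa0a432cdb4966f54169518dd6d",
    "e9e28793353b3db905545682c8812e04f9fe7db8",
    "a35f95868f4bdf54ce130edfc8afc527b3a731fe",
}

# File name formats given in the post; the [0-9a-z]+ for <random> is an assumption.
NAME_PATTERNS = [
    re.compile(r"^java_update_[0-9a-z]+\.exe$", re.I),
    re.compile(r"^updateflashplayer_[0-9a-z]+\.exe$", re.I),
]


def matches_zemot_name(name):
    """True if the bare file name fits one of the Zemot download name formats."""
    return any(p.match(name) for p in NAME_PATTERNS)


def sha1_of_file(path):
    """Stream the file through SHA-1 so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root):
    """Walk root and return (path, reason, sha1) for files worth a look.

    reason is 'hash' for an exact match against the published SHA-1s, which
    takes precedence, or 'name' for a file name that fits a Zemot format.
    Files that cannot be read (locked, permission denied) are skipped.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in ZEMOT_SHA1S:
                hits.append((path, "hash", digest))
            elif matches_zemot_name(name):
                hits.append((path, "name", digest))
    return hits


if __name__ == "__main__":
    # Usage: python zemot_hunt.py <directory>
    for path, reason, digest in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s  %s  %s" % (reason, digest, path))
```

Hash hits are worth acting on directly; name hits should be followed up by checking the file's signature and origin, since a legitimate updater could in principle use a similar name. If you extend ZEMOT_SHA1S from other sources, keep the digests lowercase, because the comparison is a plain set lookup.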


Comments (5)

  1. Eudon Tneedtuno Mainaem says:

    It's almost as if Microsoft engineers its software to have security problems so that you have to keep getting Malicious Software Removal Tools, etc. from them. Wonder why that could be?

    The best Malicious Software Removal Tool is a GNU/Linux installation disc. Obviates all future need for Microsoft's Malicious Software Removal Tools. Haven't used or even needed one for YEARS now!

  2. Ethan Tremblay says:

    As an added bonus, the Linux disc also provides hours of endless fun trying to configure the system to do basic tasks, and makes using popular games and a range of software a joy too!

    2014 – the year of Linux!!

  3. rp says:

    Haha! How many people use Linux derivatives? How many use Windows OSes? Keep on the carpet, Linux guys!

  4. Mr Sax o Beat says:

    What a great comment. I am wondering why you are posting here; go back to the Debian troll board.

  5. Jeff25 says:

    I have found uninstalling Internet Explorer takes care of a lot of security problems.