
ZeuS/ZBOT Uses LICAT File Infector to Spread

by Trend Micro Employee, 10-24-2010 06:17 PM (edited 10-24-2010 06:17 PM)

The Threat Defined




Initial findings on the new ZBOT variant, TSPY_ZBOT.BYZ, show that this Trojan spyware exhibits more than the usual ZBOT malware data theft routines.


In a recent attack, this ZBOT variant was downloaded onto users’ systems via the traditional arrival route. Typical TSPY_ZBOT variants arrive via spam that purports to come from a legitimate source and asks the recipient to click an embedded link. The same is true for TSPY_ZBOT.BYZ, which is downloaded onto the system when the embedded link in a particular spam run is clicked. The Trojan spyware then sits silently on the affected system and waits for the user to enter credentials on targeted sites, usually those of banks and other financial institutions.


In this particular attack, however, apart from the usual ZBOT routines, TSPY_ZBOT.BYZ also decrypts and executes in memory a file infector detected as PE_LICAT.A-O. Further analysis showed that this file infector is the uncompressed form of TSPY_ZBOT.BYZ. It drives the infection of .EXE files on the system although it is not itself an infected file: it injects code into Explorer.exe, and that injected code infects any executable launched after a certain date and time. The infected files are detected as PE_LICAT.A.
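A first-pass triage check for the kind of infected executable this paragraph describes, as an added example that is not part of the original post or Trend Micro's tooling. The post does not describe PE_LICAT's actual infection layout, so the code applies the generic heuristic analysts use for any file infector that appends its code to a host program and redirects the entry point into it: it parses the PE section table, locates the section that owns AddressOfEntryPoint, and reports when that section is the last one, is writable as well as executable, or carries a non-compiler name. The section-name allow-list and the two header-only sample images built by build_pe() are constructed for the demonstration and are not real binaries.

```python
"""Entry-point heuristic for triaging appended-section PE infections (added example).

PE_LICAT's own infection layout is not described in the post, so this is the
generic check analysts apply to any file infector that appends its code and
redirects the entry point into it. build_pe() constructs two header-only
sample images for demonstration; they are not real binaries.
"""
import struct
from typing import List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
KNOWN_CODE_SECTIONS = {".text", "CODE", "INIT"}   # assumed allow-list of compiler section names

Section = Tuple[str, int, int, int]   # (name, virtual_address, virtual_size, characteristics)


def parse_sections(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections: List[Section] = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, chars))
    return entry, sections


def entry_point_findings(data: bytes) -> List[str]:
    """Heuristics only: an empty list means 'nothing odd', not 'clean'."""
    entry, sections = parse_sections(data)
    holder = next((i for i, (_n, va, vsize, _c) in enumerate(sections)
                   if va <= entry < va + vsize), None)
    if holder is None:
        return [f"entry point 0x{entry:x} lies outside every section"]
    name, _va, _vsize, chars = sections[holder]
    findings = []
    if len(sections) > 1 and holder == len(sections) - 1:
        findings.append(f"entry point in last section {name!r} (appended code?)")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name!r} is writable and executable")
    if name not in KNOWN_CODE_SECTIONS:
        findings.append(f"entry section has non-standard name {name!r}")
    return findings


def build_pe(sections: List[Section], entry_rva: int) -> bytes:
    """Constructed minimal PE32 (headers only, no code) so the parser has input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and one with an appended RWX section
# that now owns the entry point (the shape a file infector leaves behind).
CLEAN = build_pe([(".text", 0x1000, 0x1000, 0x60000020),
                  (".data", 0x2000, 0x1000, 0xC0000040)], entry_rva=0x1100)
INFECTED = build_pe([(".text", 0x1000, 0x1000, 0x60000020),
                     (".data", 0x2000, 0x1000, 0xC0000040),
                     (".xyz", 0x3000, 0x800, 0xE0000020)], entry_rva=0x3010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Treat the output as a triage signal, not a verdict: legitimate packers such as UPX also leave the entry point in a later, non-standard section, so a hit should be confirmed against a known-good hash of the same program. Because the infector only touches executables launched after its trigger date, a hash baseline taken from clean media is the reliable way to separate infected copies from untouched ones.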


Figure 1. ZBOT-LICAT infection diagram


PE_LICAT.A-O generates a list of pseudorandom domain names and tries to download another malicious file from them; that file turned out to be the same ZBOT variant that started the infection. Each time it runs, it works through the generated domains, trying up to 800 of them. Whenever it reaches a live URL, it downloads TSPY_ZBOT.BYZ onto the infected system.
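The domain-walk described above, modelled end to end as an added example that is not part of the original post and does not reproduce PE_LICAT's real algorithm. The post does not give the infector's seeding or hashing, so the generator here (a SHA-256 of the calendar date and a counter, a fixed label length, and a small TLD list) is an assumption chosen for illustration; what carries over is the pattern that every infected host derives the same ordered list from the date and walks it, at most 800 names per run, until one answers. The same generator then serves the defender: precompute the day's candidate set and count, per client, how many queried names fall in it. The DNS log lines are constructed for the demonstration.

```python
"""Date-seeded DGA walk and the matching defender check (added example).

The generator below is a stand-in: the post does not describe PE_LICAT's
actual algorithm, so the seeding, hash, label length and TLD list are
assumptions chosen for illustration. What carries over is the pattern:
every infected host derives the same ordered list from the date and walks
it, up to 800 names, until one answers.
"""
import datetime as dt
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

TLDS = ("com", "net", "biz", "info")   # assumed TLD set, not taken from the malware
MAX_ATTEMPTS = 800                     # the per-run cap the post reports


def generate_domains(day: dt.date, count: int = MAX_ATTEMPTS) -> List[str]:
    """Derive `count` domains from the calendar date alone, so that every
    infected host computes the same ordered list on the same day."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def fetch_payload(day: dt.date,
                  is_live: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Infector side: walk the day's list until one domain answers, giving up
    after MAX_ATTEMPTS. `is_live` stands in for the DNS lookup and HTTP
    download; it returns True when the domain serves the payload."""
    attempts = 0
    for domain in generate_domains(day):
        attempts += 1
        if is_live(domain):
            return domain, attempts
    return None, attempts


def flag_hosts(dns_log: List[str], day: dt.date,
               threshold: int = 20) -> Dict[str, int]:
    """Defender side: precompute the day's candidate set and count, per client,
    how many queried names fall in it. A client walking the list produces
    dozens of hits in a row; ordinary browsing produces none.
    Log lines are '<client_ip> <qname> <rcode>'."""
    candidates = set(generate_domains(day))
    hits: Dict[str, int] = defaultdict(int)
    for line in dns_log:
        client, qname, _rcode = line.split()
        if qname.lower() in candidates:
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= threshold}


def sample_log(day: dt.date) -> List[str]:
    """Constructed DNS log: one client walking the first 25 names of the day's
    list (all NXDOMAIN, as unregistered names would be) and one clean client."""
    walked = generate_domains(day)[:25]
    log = [f"10.0.0.5 {name} NXDOMAIN" for name in walked]
    log += ["10.0.0.9 www.example.com NOERROR",
            "10.0.0.9 mail.example.net NOERROR"]
    return log


if __name__ == "__main__":
    today = dt.date(2010, 10, 1)
    live = generate_domains(today)[5]            # pretend the attacker registered name #6
    print(fetch_payload(today, lambda d: d == live))
    print(flag_hosts(sample_log(today), today))
```

Predicting the day's list is only possible once the real algorithm has been reverse-engineered; until then, the burst of NXDOMAIN answers a walking client produces (25 in a row in the constructed log) is the signal to alert on, since the attacker registers only a handful of the 800 names.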


Several of the domains from which PE_LICAT.A-O downloads files have been confirmed to be ZeuS/ZBOT-related domains as of late September. One particular domain was, in fact, hosted by an ISP that is known for engaging in significant levels of ZeuS/ZBOT-related activity in the past and is a known haven for cybercrime.


ZeuS/ZBOT-LICAT as a Framework for More Effective Data Theft


ZeuS was designed primarily to steal data, particularly account credentials for online banking, social networking, e-commerce, and similar sites, so almost anyone can fall prey to it. TSPY_ZBOT.BYZ, combined with the domain generation algorithm (DGA) used by the new and highly dangerous infector PE_LICAT.A, means serious trouble for those affected by these threats.


Each time PE_LICAT.A-O successfully reaches a live URL, it downloads TSPY_ZBOT.BYZ onto the affected system. The Trojan spyware then generates a list of targeted financial sites from which it attempts to steal sensitive information such as user names and passwords. It monitors the user’s Web browsing (HTTP and HTTPS alike), using browser window titles or address-bar URLs as the triggers for its theft routines.


User Risks and Exposure


At its most basic level, ZeuS has always been a tool for cybercrime. It introduced a new way for different criminal organizations to cooperate in outright online theft and fraud. This puts users at risk not only of data theft but also of unauthorized transactions on their accounts. Users of ZBOT-infected systems who log in to any of the targeted sites stand to lose personal information to cybercriminals.


The fact that PE_LICAT infections appear to have hit North America and Europe hardest suggests that more ZBOT variants will target these regions. Even more pressing is the continued evolution of the ZeuS botnet. Its persistence in the wild, combined with the growing use of online banking around the world, is a dangerous combination. Cybercriminals may siphon money directly from victims’ accounts, or they may use the victims as conduits, or money mules, who help transfer funds from the victims’ bank accounts to the cybercriminals’ own.


In several cases, the convenience of transacting over the Web becomes a high price to pay whenever ZeuS/ZBOT is involved. Victims may save time and money by banking online but may also lose far more than they bargained for.


Trend Micro Solutions and Recommendations


Trend Micro™ Smart Protection Network™ delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.


Solutions supported by the Smart Protection Network prevent the download and execution of the malicious files on users’ systems via file reputation services. They also block access to related malicious sites and prevent phone-home attempts wherein an infected system tries to upload stolen data or to download additional malware from command-and-control servers via Web reputation services. Finally, the solutions prevent related spam from even reaching users’ inboxes via email reputation services.


Users are also advised to use a firewall to monitor incoming Web connections. They must keep all programs installed on their systems up to date with the latest patches. It also helps to give system users the lowest level of privileges necessary to complete their tasks. Users should avoid untrustworthy sites that may redirect to malicious sites or lead to malware being downloaded onto their systems.

