Wednesday, September 16, 2015

Zeus Bot


The king of criminalware, a bot designed specifically for stealing very important information (think bank accounts, SSNs, credit cards, etc.). Today we are going to talk about what it is and how to find it with and without anti-virus programs.


Zeus (Zbot) is a Trojan malware that runs on Windows systems. It is called the king of criminalware because it is mainly used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
Infection usually occurs through drive-by downloads and phishing schemes (think spam emails). Beware social engineering!

Zeus has three parts: a toolkit, the Trojan, and the command & control server. The toolkit creates the threat, the Trojan modifies the infected system, and the C&C server monitors and controls the Trojan.
Zbot was first identified in July 2007 when it stole information from the United States Department of Transportation, and it has become more widespread since then, affecting some pretty renowned companies.

Number of Zbots Over Time





So when using anti-virus software I recommend Malwarebytes because it has a great track record of finding it.

Without anti-virus software

Run ProcExp and add the Verified Signer column to check that every process is legitimately signed. When the video pops up, an unsigned/unverified process will appear alongside it; use that to find the location of the Zbot executable. You can also run the command netstat -bano to see which processes are communicating on which ports. Since Zbot talks to its C&C server, it will show up in that output.

  • ProcExp v16.05 - Windows SysInternals Suite
    • Displays information about which handles and DLLs processes have opened or loaded. Use this to view the suspicious process when the Rick Roll video is running and then view which files it has open or loaded.
  • netstat -bano
    • Displays active TCP connections, ports on which the computer is listening, and more.
    • -b: Displays the executable involved in creating each connection (requires an elevated command prompt)
    • -a: Displays all active TCP connections and the ports on which the computer is listening
    • -n: Addresses and ports are expressed numerically
    • -o: Includes the process ID for each connection
    • Run this command to see the Zbot PID running on a connection and then look up the PID in Process Explorer
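To do both checks in one pass, here is an added PowerShell example (not from the original post) that lists every process with a non-local TCP connection and checks the Authenticode signature of its executable, the same correlation you would do by hand between netstat -bano and the Verified Signer column. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated session, and the function name Get-UnverifiedNetworkProcess is my own.

```powershell
# Added example, not from the original post: list processes with non-local TCP
# connections and check each executable's Authenticode signature, combining the
# netstat -bano and Process Explorer "Verified Signer" checks described above.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an
# elevated session, otherwise the paths of other users' processes are hidden.
function Get-UnverifiedNetworkProcess {
    [CmdletBinding()]
    param(
        # States that indicate real traffic; a bot beaconing to its C&C is Established
        [string[]]$State = @('Established', 'SynSent', 'CloseWait')
    )
    $local = @('127.0.0.1', '::1', '0.0.0.0', '::')
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { ($_.State -in $State) -and ($_.RemoteAddress -notin $local) }

    foreach ($conn in $conns) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if (-not $proc) { continue }        # process already exited
        $status = 'NoPath'                  # protected process whose image path is unreadable
        $signer = $null
        if ($proc.Path) {
            $sig = Get-AuthenticodeSignature -FilePath $proc.Path -ErrorAction SilentlyContinue
            if ($sig) {
                $status = "$($sig.Status)"                  # Valid, NotSigned, HashMismatch, ...
                $signer = $sig.SignerCertificate.Subject    # $null when the file is unsigned
            } else { $status = 'Error' }
        }
        [pscustomobject]@{
            PID       = $conn.OwningProcess
            Process   = $proc.ProcessName
            Path      = $proc.Path
            Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
            State     = $conn.State
            SigStatus = $status
            Signer    = $signer
        }
    }
}

# Anything other than 'Valid' is a triage candidate, not a verdict: on older
# systems catalog-signed Windows binaries can also report NotSigned, so confirm
# the hit in Process Explorer (handles, DLLs, image path) as the post describes.
Get-UnverifiedNetworkProcess |
    Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object PID -Unique |
    Format-Table PID, Process, Remote, SigStatus, Signer, Path -AutoSize
```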

Additional Information

McAfee has a pretty detailed analysis report for those who want more in depth information.
