Win32/Zbot is a family of password-stealing trojans that contain backdoor functionality which allows attackers to control infected computers remotely through illicit networks called botnets. This family of botnets first drew attention in the press and media when Win32/Zbot was detected in mid-2007 attacking the U.S. Department of Transportation.
The botnet world is divided between bot families that are closely controlled by independent groups of attackers and those that are created through malware kits.
These kits are collections of tools, sold and shared within the malware underground, that enable aspiring botnet operators, or bot-herders, to assemble their own botnets by creating and spreading malware variants. For more detailed information on botnets, see the Featured Intelligence story in Volume 9 of the Microsoft Security Intelligence Report.
Win32/Zbot is a kit-based family; its variants are built using a malware kit called Zeus. Although security professionals and news accounts often make reference to “the Zeus botnet,” it’s important to realize that computers infected with Win32/Zbot do not all belong to a single large botnet, but instead to many smaller botnets, each controlled independently by a different bot-herder.
Some of the functions that Win32/Zbot-infected computers can be commanded to perform include:
- Steal browser data in the following ways:
  - Take screenshots of banking sites
  - Modify webpages to extend forms to require extra information
  - Obtain HTML form data
  - Transparently redirect users to fake sites that appear to be legitimate
- Steal system information, including:
  - Protected storage credentials
  - Credentials from FTP, email, and custom applications such as WinSCP
  - Files uploaded from the system
- Modify system settings to accomplish the following:
  - Render the system unbootable to cover its tracks
  - Download and execute other binaries, which effectively means that anything could be on a system infected by Win32/Zbot
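The "modify webpages to extend forms" capability above is the one bank customers are most likely to see: the login page the browser renders has been rewritten by the trojan to ask for data the real site never requests. One defensive check a site or a monitoring tool can run is form-integrity comparison: parse the form the user actually sees and alert on any field name that is not in a known-good baseline for that page. The following is an added example written for this page, not code from the Microsoft report or from Zeus itself; the baseline, the form id `login`, and both HTML pages are constructed for illustration.

```python
"""Form-integrity check against web-inject style form extension.

Added example (not from the Microsoft report). Parses the <input>, <select>
and <textarea> names of each <form> in an HTML page and reports any names
that a constructed known-good baseline does not list. Only the standard
library is used so the check runs offline.
"""
from html.parser import HTMLParser

# Constructed baseline: field names the legitimate "login" form is known
# to carry (including its hidden anti-CSRF token). Assumed for this example.
EXPECTED_FORM_FIELDS = {
    "login": {"username", "password", "csrf_token"},
}


class FormFieldCollector(HTMLParser):
    """Collect the names of form controls, keyed by the enclosing form's id."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form id -> set of control names
        self._current = None   # id of the form currently being parsed
        self._anon = 0         # counter for forms that carry no id attribute

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = attrs.get("id") or f"form{self._anon}"
            self._anon += 1
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Void elements like <input> still reach handle_starttag.
            name = attrs.get("name")
            if name:
                self.forms[self._current].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_form_fields(html):
    """Return {form_id: set(field names)} for every form in the page."""
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.forms


def find_injected_fields(html, expected=EXPECTED_FORM_FIELDS):
    """Return {form_id: sorted unexpected field names} for baselined forms.

    An empty dict means every baselined form present in the page carries
    only the fields the baseline allows.
    """
    found = extract_form_fields(html)
    alerts = {}
    for form_id, baseline in expected.items():
        if form_id in found:
            extra = found[form_id] - baseline
            if extra:
                alerts[form_id] = sorted(extra)
    return alerts


# Constructed sample: the page as the server actually serves it.
CLEAN_PAGE = """
<html><body>
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample: the same page after in-browser rewriting has added
# two fields the real site never asks for.
INJECTED_PAGE = """
<html><body>
<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="password" name="atm_pin">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    print("clean page alerts:   ", find_injected_fields(CLEAN_PAGE))
    print("injected page alerts:", find_injected_fields(INJECTED_PAGE))
```

In practice the baseline would be generated from the page as the server emits it, and the comparison run on the DOM the client rendered (for example from a script the site ships, or from a proxy that captures the submitted request and compares its parameter names). Note that the check only catches added fields; it says nothing about the other capabilities listed above, such as transparent redirection to a look-alike site.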
This document, Battling the Zbot Threat, released by Microsoft, provides an overview of the Win32/Zbot family of password-stealing trojans. The document examines the background of Win32/Zbot, its functionality, and how it works, and provides telemetry data and analysis from calendar year 2010 about how this threat is detected and removed.