
Return of Zbot


16 replies to this topic

#1 Fardooste (Members)

Posted 19 November 2014 - 12:46 PM

I have recently seen more and more computers infected with the thought-dead Zbot virus. I have seen it both with and without Cryptowall.  Sequel is just as bad as the original. Is there any info on this new zeus botnet?




#2 zingo156 (BC Advisor)

Posted 19 November 2014 - 01:21 PM

I have been seeing the same. I believe the zbot is back up and running to some extent. About 2 months ago emails similar to those which carried zbot and installed cryptolocker (before it was shut down) started showing up in at least 10-20 times the volume they were in September, and zbot was installed which then installed cryptowall in some circumstances.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 persmash (Members)

Posted 19 November 2014 - 03:22 PM

Torrentlocker is spreading itself again in Turkey.



#4 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 19 November 2014 - 06:57 PM

I wasn't aware that Zbot ever was pronounced dead. Zbot was reported to download and execute CryptoLocker Ransomware as a secondary payload when it first appeared back in 2013.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 zingo156 (BC Advisor)

Posted 20 November 2014 - 08:18 AM

quietman7 said:
I wasn't aware that Zbot ever was pronounced dead. Zbot was reported to download and execute CryptoLocker Ransomware as a secondary payload when it first appeared back in 2013.

There were a bunch of articles this last summer about the feds shutting down GameOver Zeus Botnet and Cryptolocker. It was only a matter of time before it returned or something similar.



#6 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 20 November 2014 - 08:46 AM

I read those articles but GameOver Zeus Botnet was not the only Zbot variant at that time.

#7 zingo156 (BC Advisor)

Posted 20 November 2014 - 09:08 AM

quietman7 said:
I read those articles but GameOver Zeus Botnet was not the only Zbot variant at that time.

I have definitely seen a few different zbot versions but for some reason I thought they took down the entire zbot network. I will say for a few months I did not personally see any zbot infections whatsoever after the feds said they shut it down.

I suppose the feds can't shut down every botnet and even if they could, someone would think of something else a few weeks or months later.



#8 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 20 November 2014 - 09:29 AM

zingo156 said:
I suppose the feds can't shut down every botnet and even if they could, someone would think of something else a few weeks or months later.

Like....CryptoDefense, CryptoWall, CTB Locker, TorrentLocker, CoinVault, SuperCrypt, ZeroLocker, etc

#9 zingo156 (BC Advisor)

Posted 20 November 2014 - 09:43 AM

Are those all using zbot to spread? I saw a few cryptowalls that were unrelated to zbot a few months back. They were direct cryptowall email drops. Only recently have I seen zbot infections while removing cryptowall. I haven't been affected by any of the other crypto ransomwares.



#10 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 20 November 2014 - 09:57 AM

No...I was just replying in regards to "someone would think of something else a few weeks or months later".

Crypto malware, like other forms of ransomware, is typically spread through social engineering and user interaction, i.e. opening suspicious emails and opening infected Word docs with embedded macro viruses, and sometimes via exploit kits.

#11 LiquidTension (Malware Response Team)

Posted 20 November 2014 - 10:59 AM

Zbot, amongst other malware (ZeroAccess, Tracur, Chromeinject, CryptoWall 2.0, etc.), is commonly downloaded and seen on systems infected with Poweliks.

I haven't noticed a significant decrease in the number of Zbot cases coming to online help forums. As quietman said, Gameover Zeus was just one variant.

Telltale signs of Zbot include a randomly named .exe running at startup with the file path (%appdata%\[random]\[random].exe), and a task with an associated .job named "Security Center Update". I've continued to see these signs in logs before and after the takedown of Gameover Zeus.
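The two telltales in the post above (a startup .exe at %appdata%\[random]\[random].exe and a "Security Center Update" .job) can be turned into a quick triage check. The script below is an added example, not code from the thread or from any vendor tool. Everything it scans is constructed sample data embedded inline: the Run-key values, the AppData path and the Tasks-folder listing are made up to illustrate the shapes involved. The "random name" rule (a single run of letters, with the folder name and the executable stem not matching each other or a short allowlist of well-known vendor folders) is this example's own heuristic, not something the post defines, so treat hits as candidates for inspection rather than verdicts.

```python
import ntpath
import re

# Constructed sample data standing in for HKCU\Software\Microsoft\Windows\
# CurrentVersion\Run values and a listing of C:\Windows\Tasks. These are
# illustrative records for the example, not output from a real infection.
APPDATA = r"C:\Users\alice\AppData\Roaming"

RUN_ENTRIES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Spotify": r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe --autostart",
    "Ixuhq": r"C:\Users\alice\AppData\Roaming\Ixuhq\ahqiqu.exe",
    "Steam": r"C:\Program Files (x86)\Steam\steam.exe -silent",
}

JOB_FILES = ["GoogleUpdateTaskMachineUA.job", "Security Center Update.job"]

# Heuristic for a "random" name (an assumption of this example): one run of
# letters with no digits, spaces or separators.
RANDOM_TOKEN = re.compile(r"^[A-Za-z]{3,16}$")
# Folders commonly found directly under %APPDATA% that would otherwise match.
KNOWN_FOLDERS = {"spotify", "discord", "zoom", "mozilla", "microsoft", "adobe"}


def split_command(cmd):
    r"""Return the executable path from a Run value, dropping any arguments.
    Handles a quoted path ("C:\a b\x.exe" -q) and an unquoted path followed
    by switches (C:\x\y.exe -silent)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def is_zbot_like_path(exe_path, appdata=APPDATA):
    r"""True when exe_path has the shape %APPDATA%\<random>\<random>.exe:
    exactly one folder below Roaming, both components look random, the two
    names differ, and the folder is not a well-known vendor folder."""
    norm = ntpath.normpath(exe_path)
    root = ntpath.normpath(appdata)
    if not norm.lower().startswith(root.lower() + "\\"):
        return False
    parts = norm[len(root) + 1:].split("\\")
    if len(parts) != 2:
        return False
    folder, exe = parts
    stem, ext = ntpath.splitext(exe)
    if ext.lower() != ".exe" or folder.lower() in KNOWN_FOLDERS:
        return False
    if folder.lower() == stem.lower():
        return False  # Vendor\Vendor.exe is the normal install layout
    return bool(RANDOM_TOKEN.match(folder) and RANDOM_TOKEN.match(stem))


def find_indicators(run_entries, job_files, appdata=APPDATA):
    """Return (kind, detail) tuples for entries matching the two telltales:
    a Zbot-shaped autorun path, or a .job named "Security Center Update"."""
    hits = []
    for name, cmd in run_entries.items():
        exe = split_command(cmd)
        if is_zbot_like_path(exe, appdata):
            hits.append(("run_key", f"{name} -> {exe}"))
    for job in job_files:
        if ntpath.splitext(job)[0].strip().lower() == "security center update":
            hits.append(("task_job", job))
    return hits


if __name__ == "__main__":
    for kind, detail in find_indicators(RUN_ENTRIES, JOB_FILES):
        print(f"[{kind}] {detail}")
```

On a live host you would feed RUN_ENTRIES from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) and JOB_FILES from a directory listing of C:\Windows\Tasks; the path heuristic is deliberately loose, so confirm any hit by checking the file's signature, hash and creation time before acting on it.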

#12 zingo156 (BC Advisor)

Posted 20 November 2014 - 11:43 AM

The version that I have seen on the rise where I work is: PWS:Win32/Zbot.gen!plock. I could not find any direct link online about this zbot and cryptowall drops but it seems in my case it may have opened some door somewhere.

 

With at least 5 new cases of that zbot in the last 2 weeks and 2 cryptowall infections, I am suspicious about this zbot, it was on both computers that had cryptowall but a few other trojans were on 1 of them. The other computer that was infected with this zbot, intune (basically MSE with domain control and email warnings) warned me the computer was infected. I booted the computer to a linux distro, backed up all of the local data on the computer, rebooted to windows, removed it from the local network, put it on a hot spot and let it run. Cryptowall installed after about 5 hours of time. Whether or not this zbot was the cause I can not say 100% but it seems likely. There was no evidence of cryptowall running prior to me putting this computer on the hot spot, I looked through all locations and registry keys that are generally tied to cryptowall and found nothing until it was let run on the hotspot for ~5 hours. I did run scans on the computer prior to letting it run on the hotspot from safe mode but did not delete or quarantine anything. Zbot and a few pups were on the computer. Zbot was the only Trojan. It is possible that scans failed to pickup some random trojan that actually dropped cryptowall. The computer was needed the next day so I re-imaged the computer and got it back into production without any further study.


Edited by zingo156, 20 November 2014 - 11:58 AM.


#13 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 20 November 2014 - 01:49 PM

zingo156 said:
The version that I have seen on the rise where I work is: PWS:Win32/Zbot.gen!plock I could not find any direct link online about this zbot...

PWS:Win32/Zbot.gen!plock is the name given by Microsoft.

PWS:Win32/Zbot.gen!AP is another variant.

#14 zingo156 (BC Advisor)

Posted 20 November 2014 - 02:30 PM

I read the description for gen!plock the day that mse (intune) caught it which was a while back. It didn't mention anything about installing other malware, only key logging. That is why I am still a bit confused about 1 of the computers I had. PWS:Win32/Zbot.gen!plock was the only trojan that was found by multiple scanning softwares. The PUPs were just random addons in chrome or IE such as ask tool bar etc. I found no traces of any other malware running anywhere, yet when I let the computer run on a hot spot to see what would happen, cryptowall somehow installed. It wasn't there before, at least not in known locations/registry; there were not any other strange processes running outside of the one zbot.gen!plock created. After cryptowall installed there were many new processes and one new random one. Again, I do not know with 100% certainty that zbot.gen!plock is to blame but it seems to be.

 

I do not know how MSE recognizes malware specifically (version by version) but maybe the version of gen!plock I had was new and was capable of not only key logging but installing other trojans which is what the zbot trojan family is generally known to do.


Edited by zingo156, 20 November 2014 - 03:18 PM.


#15 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 20 November 2014 - 05:04 PM

Each security vendor uses their own naming conventions to identify various types of malware so it's difficult to determine exactly what has been detected or the nature of the threat without knowing more information about the actual file(s) involved. Names with Generic, PUP or Patched are all very broad categories. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is.

Names are created for in-the-wild malware which has been released to infect computers, non-wild ("Zoo" viruses and worms) created by labs and anti-virus vendors to test their ability to detect new threats, proof-of-concept viruses created by ethical groups and zero-day malware...all of which can be renamed at any given time. Since there are no universal naming standards, all this leads to confusion for the end user.

The compilation of a unified list of computer viruses is made difficult because of naming. To aid the fight against computer viruses and other types of malicious software, many security advisory organizations and developers of anti-virus software compile and publish lists of viruses. When a new virus appears, the rush begins to identify and understand it as well as develop appropriate counter-measures to stop its propagation. Along the way, a name is attached to the virus. As the developers of anti-virus software compete partly based on how quickly they react to the new threat, they usually study and name the viruses independently. By the time the virus is identified, many names denote the same virus. Another source of ambiguity in names is that sometimes a virus initially identified as a completely new virus is found to be a variation of an earlier known virus, in which cases, it is often renamed...

List of computer viruses: Naming

As you know, VirusTotal.com and similar sites (e.g. Jotti's virusscan, VirSCAN) typically show the names that most of the major anti-virus companies use for malware description, but even those can change via renaming.



