What is the main purpose of the Trojan.Zbot Trojan?

Beware of the "QQ Thief" and "Zabo" Trojan viruses
Author: Anonymous  Source:
Date: 08-3-6
Jiangmin reminds you today: Trojan/PSW.QQPass.tqj, "Thief" variant tqj, and TrojanSpy.Zbot.s, "Zabo" variant s, deserve attention.
Name: Trojan/PSW.Pass.tqj
Chinese name: "Thief" variant tqj
Length: 30842 bytes
Type: Trojan
Threat level: ★
Affected platforms: Win 9X/ME/NT/2000/XP/2003
Trojan/PSW.QQPass.tqj, "QQ Thief" variant tqj, is one of the newest members of the "Thief" Trojan family; it was written in [language not given] and processed with a protective packer. After running, it drops the file "DosSys16.Sys" into the "Program Files\Internet Explorer\PLUGINS" directory on the infected computer's system drive. It modifies the registry to register "DosSys16.Sys" as a Browser Helper Object (BHO), so that variant tqj runs automatically at startup. It injects its code into all user processes in order to hide itself and evade detection and removal by security software. In the background it secretly monitors the titles of the windows the user opens; as soon as it sees the QQ login window being opened it records keystrokes, steals the username and password, and sends them to a remote server designated by the attacker, causing the user a degree of loss.
Name: TrojanSpy.Zbot.s
Chinese name: "Zabo" variant s
Length: 44032 bytes
Type: spyware Trojan
Risk level: ★★
Affected platforms: Win 9X/ME/NT/2000/XP/2003
TrojanSpy.Zbot.s, "Zabo" variant s, is one of the newest members of the "Zabo" Trojan family; it is written in a high-level language and packed. After running, it creates the virus file "ntos.exe" in the "%SystemRoot%\system32\" directory of the infected computer. It modifies the registry so that variant s runs automatically at startup. It injects its virus code into every process except CSRSS.EXE and invokes it there, protecting its files on disk from being copied or deleted. It disables several firewall programs, greatly lowering the security of the infected computer. It steals the user's private information from the infected computer and sends it to the attacker, seriously threatening the security of the user's private information. In addition, variant s may damage certain applications, databases, compressed files, etc. on the user's computer, causing the user great loss.
For the above viruses, the Jiangmin Anti-Virus Center advises computer users:
1. Upgrade your anti-virus software immediately and enable the new-generation intelligent multi-level high-speed scanning engine and all of its monitors, to prevent the currently prevalent Trojans, harmful programs or code from attacking your computer.
2. Upgrade the control center promptly; administrators are advised to run a network-wide scan at a suitable time to safeguard enterprise information security.
3. The anti-virus software's virtual-machine unpacking technology virtually unpacks viruses that use today's mainstream packers, effectively removing "packed" viruses.
4. Fully enable the BOOTAN function to scan for viruses before the system starts, removing malware that protects itself and fights back against anti-virus software.
Trojan.Zbot
Risk Level 2: Low
Discovered: January 10, 2010
August 16, :12 AM
Also Known As:
Trojan-Spy:W32/Zbot [F-Secure], PWS-Zbot [McAfee], Trojan-Spy.Win32.Zbot [Kaspersky], Win32/Zbot [Microsoft], Infostealer.Monstres [Symantec], Infostealer.Banker.C [Symantec], Trojan.Wsnpoem [Symantec], Troj/Zbot-LG [Sophos], Troj/Agent-MDL [Sophos], Troj/Zbot-LM [Sophos], Troj/TDSS-BY [Sophos], Troj/Zbot-LO [Sophos], Troj/Buzus-CE [Sophos], Sinowal.WUR [Panda Software], Troj/QakBot-D [Sophos], Troj/Agent-MIR [Sophos], Troj/Qakbot-E [Sophos], Troj/QakBot-G [Sophos], Troj/QakBot-F [Sophos], Troj/Agent-MJS [Sophos], Troj/Agent-MKP [Sophos], Troj/Zbot-ME [Sophos], Troj/Dloadr-CYP [Sophos], Win32/Zbot.WY [Computer Associates], Troj/DwnLdr-IBQ [Sophos], Troj/Zbot-NG [Sophos], W32/Zbot-NI [Sophos], Troj/Zbot-NN [Sophos], Troj/DwnLdr-ICV [Sophos], Troj/DwnLdr-ICY [Sophos], Troj/DwnLdr-IDB [Sophos], Troj/Dldr-DM [Sophos], Troj/Zbot-NR [Sophos], Troj/Zbot-NS [Sophos], Troj/Agent-MWK [Sophos], Troj/FakeAV-BDB [Sophos], Troj/Agent-MYL [Sophos], Troj/Agent-NAX [Sophos], Troj/Zbot-OD [Sophos], Troj/Zbot-OE [Sophos], Troj/Zbot-OT [Sophos], Troj/FakeAV-BGJ [Sophos], Troj/VB-EPV [Sophos], Troj/VB-EQA [Sophos], Troj/Zbot-PE [Sophos], Troj/Zbot-OZ [Sophos], Troj/Zbot-PA [Sophos], Troj/Zbot-OY [Sophos], Troj/FakeAV-BHP [Sophos], Troj/Zbot-OX [Sophos], Troj/Agent-NIV [Sophos], Troj/Zbot-PM [Sophos], Troj/Zbot-PQ [Sophos], Troj/Agent-NKD [Sophos], Troj/Zbot-PP [Sophos], Troj/Zbot-PN [Sophos], Troj/Zbot-PX [Sophos], Troj/Zbot-PW [Sophos], Troj/Zbot-PY [Sophos], Troj/Zbot-PT [Sophos], Troj/Zbot-PV [Sophos], Troj/Zbot-QC [Sophos], Troj/Zbot-QD [Sophos], Troj/Zbot-QK [Sophos], Troj/Zbot-QZ [Sophos], Troj/VB-ERY [Sophos], Troj/Zbot-RA [Sophos], Troj/Zbot-RK [Sophos], Troj/Dloadr-DAD [Sophos], Troj/Zbot-RP [Sophos], Troj/Zbot-RY [Sophos], Troj/Zbot-SC [Sophos], Troj/Zbot-SD [Sophos], Troj/Zbot-SB [Sophos], Troj/Zbot-SF [Sophos], Troj/Zbot-SV [Sophos], Troj/Agent-NUO [Sophos], Troj/Zbot-SP [Sophos], Troj/Meredrop-K [Sophos], Troj/Zbot-SX [Sophos], Troj/Zbot-SY [Sophos], Troj/Zbot-SR [Sophos], 
Troj/Zbot-TG [Sophos], Troj/Zbot-TQ [Sophos], Troj/Zbot-TY [Sophos], Troj/ZBot-UL [Sophos], Troj/Zbot-VN [Sophos], Troj/Zbot-VM [Sophos], Troj/Zbot-VQ [Sophos], Troj/Zbot-WD [Sophos], Troj/Zbot-WF [Sophos], Troj/Zbot-XA [Sophos], Troj/Agent-OLW [Sophos], Troj/Zbot-XO [Sophos], Troj/Zbot-XN [Sophos], Troj/Zbot-YB [Sophos], Troj/Zbot-YE [Sophos], Troj/Zbot-YO [Sophos], Troj/Zbot-YP [Sophos], Troj/ZBot-ZJ [Sophos], Troj/Zbot-AAN [Sophos], Troj/Zbot-AAM [Sophos], Troj/Zbot-ACI [Sophos], Troj/Zbot-AGC [Sophos], Troj/Zbot-AGJ [Sophos], Troj/Zbot-AHE [Sophos], Troj/Zbot-AHD [Sophos], Troj/Zbot-AIR [Sophos]
Systems Affected:
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection method
2.1 Spam emails
2.2 Drive-by downloads
3. Functionality
3.1 Toolkit
3.2 System modifications
3.3 Command and control server
3.4 Information gathering
3.5 Password stealing
4. Additional information
1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.
1.1 User behavior and precautions
Trojan.Zbot relies heavily on social engineering in order to infect computers. The spam email campaigns used by attackers attempt to trick the user by referencing the latest news stories, playing upon fears their sensitive information has been stolen, suggesting that compromising photos have been taken of them, or any number of other ruses.
Users should use caution when clicking links in such emails. Basic checks such as hovering with the mouse pointer over each link will normally show where the link leads to. Users can also check online Web site rating services such as
to see if the site is deemed safe to visit.
1.2 Patch operating system and software
The attackers behind this threat have been known to utilize exploit packs in order to craft Web pages to exploit vulnerable computers and infect them with Trojan.Zbot.
As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:
(BID 35028) (BID 35558)
(BID 10514) (BID 30114) (BID 30035) (BID 34169) (BID 36689) (BID 27641)
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.
2. INFECTION METHOD
This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.
2.1 Spam emails
The attackers behind Trojan.Zbot have made a concerted effort to spread their threat using spam campaigns. The subject material varies from one campaign to the next, but often focuses on current events or attempts to trick the user with emails purporting to come from well-known institutions such as the FDIC, the IRS, MySpace, Facebook, or Microsoft.
2.2 Drive-by downloads
The authors behind Trojan.Zbot have also been witnessed using exploit packs to spread the threat via drive-by download attacks. When an unsuspecting user visits one of these Web sites, a vulnerable computer will become infected with the threat.
The particular exploits used to spread the threat vary, largely depending on the proliferation and ease-of-use of exploits available in the wild at the time the Trojan is distributed.
As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:
(BID 35028) (BID 35558)
(BID 10514) (BID 30114) (BID 30035) (BID 34169) (BID 36689) (BID 27641)
3. FUNCTIONALITY
The Zeus threat is actually comprised of three parts: a toolkit, the actual Trojan, and the command & control (C&C) server. The toolkit is used to create the threat, the Trojan modifies the compromised computer, and the C&C server is used to monitor and control the Trojan.
3.1 Toolkit
Trojan.Zbot is created using a toolkit that is readily available on underground marketplaces used by online criminals. There are different versions available, from free ones (often backdoored themselves) to those an attacker must pay up to $700 USD to use. These marketplaces also offer other Zeus-related services, from bulletproof hosting for C&C servers to rental of already-established botnets.
Regardless of the version, the toolkit is used for two things. First, the attacker can edit the configuration file and then compile it into a .bin file. Second, they can compile an executable, which is then sent to the potential victim through various means. This executable is what is commonly known as the Zeus Trojan or Trojan.Zbot.
The ease of use of the toolkit's user interface makes it very easy and quick for nontechnical, would-be criminals to get a piece of the action. Coupled with the multitude of illicit copies of the toolkit circulating on the black market, this ensures that Trojan.Zbot continues to be one of the most popular and widely seen Trojans on the threat landscape.
3.2 System modifications
While unusual in today’s threat landscape, Trojan.Zbot tends to use many of the same file names across variants. Given the way that the toolkit works, each revision tends to stick to the same file names when the executables are created. While the initial executable can be named whatever the attacker wants it to be, the files mentioned in the following subsections refer to the names used by the currently known toolkits.
User account privileges
The location that Trojan.Zbot installs itself to is directly tied to the level of privileges the logged-in user account has at the time of infection.
If the user is an administrator, the files are placed in the %System% folder. If not, they are copied to %UserProfile%\Application Data.
Trojan executable
Trojan.Zbot generally creates a copy of itself using one of the following file names:
ntos.exe
oembios.exe
twext.exe
sdra64.exe
pdfupd.exe
Configuration file
The threat creates a folder named “lowsec” in either the %System% or %UserProfile%\Application Data folder and then drops one of the following files into it:
video.dll
sysproc32.sys
user.ds
ldx.exe
While the extensions vary here, these are all text-file versions of the configuration file previously created and then compiled into the Trojan using the Zeus toolkit. This file contains any Web pages to monitor, as well as a list of Web sites to block, such as those that belong to security companies. It can also be updated by the attacker using the threat’s back door capabilities.
Here is a portion of a sample configuration file:
Entry "DynamicConfig"
url_loader "http://[REMOVED].com/zeusbot/ZuesBotTrojan.exe"
url_server "http://[REMOVED].com/zeusbot/gate.php"
file_webinjects "webinjects.txt"
entry "AdvancedConfigs"
entry "WebFilters"
"!http://[REMOVED].com"
"https://[REMOVED].com/*"
"!http://[REMOVED].ru/*"
entry "WebDataFilters"
"!http://[REMOVED].ru/*" "login"
entry "WebFakes"
"http://[REMOVED].com" "http://[REMOVED].com" "GP" "" ""
entry "TANGrabber"
"https://[REMOVED].com/*/jba/mp#/SubmitRecap.do" "S3C6R2" "SYNC_TOKEN=*" "*"
entry "DnsMap"
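A small parser for this text layout, added here as an example and not part of the original writeup or of the Zeus toolkit: it reads the excerpt style above (entry blocks of keyword/quoted-string lines) into a dictionary and pulls out the C&C gateway and the monitored URL patterns, which is what a responder wants first from a recovered configuration. The sample config and its hostnames are constructed placeholders, and the `end` keyword closing a block is an assumption the excerpt does not show.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the excerpt above; hostnames are placeholders.
SAMPLE_CONFIG = '''
entry "DynamicConfig"
url_loader "http://cnc.example/zeusbot/bot.exe"
url_server "http://cnc.example/zeusbot/gate.php"
file_webinjects "webinjects.txt"
entry "AdvancedConfigs"
"http://backup.example/cfg1.bin"
entry "WebFilters"
"!http://av-vendor.example/*"
"https://bank.example/*"
entry "WebDataFilters"
"!http://portal.example/*" "login"
entry "WebFakes"
"http://bank.example/login" "http://fake.example/login" "GP" "" ""
end
'''

QUOTED = re.compile(r'"([^"]*)"')


def parse_zeus_config(text: str) -> Dict[str, List[List[str]]]:
    """Return {entry_name: [tokens, ...]}: each line inside an entry becomes a
    token list, a leading bare keyword (url_server, ...) followed by its quoted
    arguments, or only quoted strings for list-style entries like WebFilters.
    'end' closing an entry is assumed; the excerpt does not show it."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')  # pasted smart quotes
    entries: Dict[str, List[List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = line.split()[0].lower()
        quoted = QUOTED.findall(line)
        if key == "entry" and quoted:
            current = quoted[0]
            entries.setdefault(current, [])
        elif key == "end":
            current = None
        elif current is not None:
            entries[current].append(quoted if line.startswith('"') else [key] + quoted)
    return entries


def c2_endpoints(cfg: Dict[str, List[List[str]]]) -> Dict[str, str]:
    """The loader (update) URL and the gateway the bot reports stolen data to."""
    return {t[0]: t[1] for t in cfg.get("DynamicConfig", [])
            if t[0] in ("url_loader", "url_server") and len(t) > 1}


def url_patterns(cfg: Dict[str, List[List[str]]]) -> List[str]:
    """URL patterns from WebFilters and WebDataFilters, '!' prefixes kept as given."""
    return [t[0] for name in ("WebFilters", "WebDataFilters")
            for t in cfg.get(name, []) if t]
```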
Stolen data file
A second file is dropped into the “lowsec” folder, with one of the following file names:
audio.dll
sysproc86.sys
local.ds
This file serves as a text-file store for any stolen information. When a password is obtained by the threat, it is saved in this file and later sent to the attacker.
Registry subkeys and entries created
In addition, the threat adds itself to the registry to start when Windows starts, using one of two subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%UserProfile%\Application Data\sdra64.exe"
If the logged-in account at the time of infection has administrative privileges, the first entry is created. If the account has limited privileges, the second is used.
Service injection
Depending on the level of privileges, Trojan.Zbot will inject itself into one of two services. If the account has administrative privileges, the threat injects itself into the winlogon.exe service. If not, it attempts to do the same with the explorer.exe service.
The threat also injects code into an svchost.exe service, which it later uses when stealing banking information.
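An added host-triage example (not from the writeup or from Symantec) that applies the file and registry indicators described in this section to constructed input: it flags extra programs in the Winlogon Userinit value, a per-user Run value named "userinit", and configuration or stolen-data file names inside a "lowsec" folder. The registry values and paths are constructed samples; on a real host they would be read with the Windows registry and file APIs.

```python
import ntpath
from typing import Dict, Iterable, List
# File names the writeup attributes to the currently known Zeus toolkits.
BOT_EXE_NAMES = {"ntos.exe", "oembios.exe", "twext.exe", "sdra64.exe", "pdfupd.exe"}
LOWSEC_CONFIG_NAMES = {"video.dll", "sysproc32.sys", "user.ds", "ldx.exe"}
LOWSEC_DATA_NAMES = {"audio.dll", "sysproc86.sys", "local.ds"}
WINLOGON_USERINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def check_userinit(value: str) -> List[str]:
    """Winlogon's Userinit value normally lists only userinit.exe; report every
    extra program in the comma-separated list, naming known Zbot files."""
    findings = []
    for item in (s.strip() for s in value.split(",")):
        if not item:
            continue
        name = ntpath.basename(item).lower()
        if name == "userinit.exe":
            continue
        tag = "known Zbot file name" if name in BOT_EXE_NAMES else "unexpected entry"
        findings.append(f"{WINLOGON_USERINIT}: {tag}: {item}")
    return findings


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """A per-user Run value named 'userinit', or one launching a known Zbot file
    name, is the limited-privilege persistence described above."""
    findings = []
    for name, cmd in run_values.items():
        if name.lower() == "userinit" or ntpath.basename(cmd).lower() in BOT_EXE_NAMES:
            findings.append(f"{HKCU_RUN}\\{name}: {cmd}")
    return findings


def check_lowsec(paths: Iterable[str]) -> List[str]:
    """Report files in a 'lowsec' folder whose names match the config or
    stolen-data file names listed above."""
    findings = []
    for p in paths:
        parts = p.lower().replace("/", "\\").split("\\")
        if len(parts) < 2 or parts[-2] != "lowsec":
            continue
        if parts[-1] in LOWSEC_CONFIG_NAMES:
            findings.append(f"lowsec config file: {p}")
        elif parts[-1] in LOWSEC_DATA_NAMES:
            findings.append(f"lowsec stolen-data file: {p}")
    return findings


def triage(userinit_value: str, run_values: Dict[str, str], paths: Iterable[str]) -> List[str]:
    return check_userinit(userinit_value) + check_run_key(run_values) + check_lowsec(paths)


# Constructed sample of an administrator-level infection (not real host data).
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe"
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_PATHS = [r"C:\WINDOWS\system32\lowsec\local.ds",
                r"C:\WINDOWS\system32\lowsec\user.ds",
                r"C:\WINDOWS\system32\drivers\etc\hosts"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_PATHS):
        print(finding)
```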
3.3 Command and control server
When Trojan.Zbot is installed, it reports back to the C&C server that is referenced in the configuration file when the executable was created using the toolkit. The first thing it checks for is an updated version of its configuration file.
The back door to the C&C server provides the attacker with a versatile set of options for how he or she can use the compromised computer. For example, attackers can perform any of the following actions, if they so wish:
Restart or shut down the computer
Delete system files, rendering the computer unusable
Disable or restore access to a particular URL
Inject rogue HTML content into pages that match a defined URL
Download and execute a file
Execute a local file
Add or remove a file mask for local search (e.g. hide the threat's files)
Upload a file or folder
Steal digital certificates
Update the configuration file
Rename the bot executable
Upload or delete Flash cookies
Change the Internet Explorer start page
The domains that the back door connects to vary, depending on what the attacker has included in the configuration file.
Server-side control panel
The C&C server not only allows the attacker to perform a number of functions on a compromised computer, but also gives them the ability to manage a botnet of Zeus-infected computers. An attacker can monitor statistics on the number of infected computers he or she controls, as well as generate reports on the stolen information the bots have gathered.
3.4 Information gathering
Once installed, Trojan.Zbot will automatically gather a variety of information about the compromised computer, which it sends back to the C&C server. This information includes the following:
A unique bot identification string
Name of the botnet
Version of the bot
Operating system version
Operating system language
Local time of the compromised computer
Uptime of the bot
Last report time
Country of the compromised computer
IP address of the compromised computer
Process names
3.5 Password stealing
The core purpose of Trojan.Zbot is to steal passwords, as is evident from the several different methods it uses to do so.
Upon installation, Trojan.Zbot will immediately check Protected Storage (PStore) for passwords. It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.
A more versatile method of password-stealing used by the threat is driven by the configuration file during Web browsing. When the attacker generates the configuration file, he or she can include any URLs they wish to monitor.
When any of these URLs are visited, the threat gathers any user names and passwords typed into these pages. In order to do this, it hooks the functions of various DLLs, taking control of network functionality. The following is a list of DLLs and the APIs within them that are used by Trojan.Zbot:
WININET.DLL
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpSendRequestExA
InternetReadFile
InternetReadFileExW
InternetReadFileExA
InternetQueryDataAvailable
InternetCloseHandle
WS2_32.DLL and WSOCK32.DLL
send
sendto
closesocket
WSASend
WSASendTo
USER32.DLL
GetMessageW
GetMessageA
PeekMessageW
PeekMessageA
GetClipboardData
Trojan.Zbot can also inject other fields into the Web pages it monitors. To do this, it intercepts the pages as they are returned to the compromised computer and adds extra fields. For example, if a user requests a page from their bank’s Web site, and the bank returns a page requiring a user name and password, the threat can be configured to inject a third field asking for the user’s Social Security Number.
4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:
(PDF Research Paper - November 18, 2009) (Video - August 25, 2009)
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
For further information on the terms used in this document, please refer to the .
Writeup By: Ben Nahorney and Nicolas Falliere