ZBot (also known as Zeus, ZeusBot or WSNPoem) is a Trojan engineered to steal sensitive data from compromised computers.
While ZBot focuses mainly on the online banking details that users input on financial organizations’ pages, it also monitors system information and steals additional authentication credentials.
The latest variants can also gather the history of the visited Web sites and other data users provide online, while also capturing screenshots of the their’ desktop.
ZBot is distributed mainly via spam campaigns and Web pages which host its malicious payload, usually under the guise of a popular legitimate application.
Once onto the system, ZBot modifies the files and folders’ structure, adds registry keys, injects code into several processes (such as winlogon.exe or svchost.exe) and adds exceptions to the Microsoft Windows Firewall, providing backdoor and server capabilities. It also sends sensitive information and listens on several ports for possible commands from the remote attackers’ command-and-control center.
This allows cybercriminals to manage the Trojan in order to download and execute additional malicious payloads on or take control over the system, its actions including, without being limited to restarting and shutting down the affected computer.
BitDefender has created a ZBot Removal Tool which checks users’ computers, detects and eliminates most of the ZBot variants spotted in the wild.
Author: Razvan Livintz, BitDefender.