1

Since a couple of days I have a prompt from my KIS 2016 saying that he found this Trojan in MEM. I try to clean and restart the PC, all goes well, but in a while this message appears again. I have tried to download the ZBotKiller from Kaspersky website but it does not find anything (maybe because my antivirus has already cleaned the object). My question is, how can I understand in which way it infects and background runs again? I logically wish to solve this problem from the source! Maybe I have an open port in my firewall? I am not a newbie and I have never had this kind of problem.

P.S. Computer performances are excellent and I do not notice anything strange in behavior (like ads, popups, etc.). My main concern regards sensible data stored in my PC.

P.P.S. I do not click on spam or phishing mails nor I have downloaded anything strange.

Leonardo Urbano
  • 13
  • 5

1 Answers1

0

What is the infection mechanism of Trojan-Spy.Win32.ZBot.a?

Technical details

PREVENTION AND AVOIDANCE

The following actions can be taken to avoid or minimize the risk from this threat.

User behavior and precautions

Trojan.Zbot relies heavily on social engineering in order to infect computers. The spam email campaigns used by attackers attempt to trick the user by referencing the latest news stories, playing upon fears their sensitive information has been stolen, suggesting that compromising photos have been taken of them, or any number of other ruses.

Users should use caution when clicking links in such emails. Basic checks such as hovering with the mouse pointer over each link will normally show where the link leads to. Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.

Patch operating system and software

The attackers behind this threat have been known to utilize exploit packs in order to craft Web pages to exploit vulnerable computers and infect them with Trojan.Zbot.

As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:

  • AOL Radio AmpX ActiveX Control 'ConvertFile()' Buffer Overflow Vulnerability (BID 35028)
  • Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID 35558)
  • Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID 10514)
  • Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114)
  • Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035)
  • Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)
  • Adobe Reader and Acrobat (CVE-2009-2994) U3D 'CLODMeshDeclaration' Buffer Overflow Vulnerability (BID 36689)
  • Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)

Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.

...

INFECTION METHOD

This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.

Spam emails

The attackers behind Trojan.Zbot have made a concerted effort to spread their threat using spam campaigns. The subject material varies from one campaign to the next, but often focuses on current events or attempt to trick the user with emails purported to come from well-known institutions such as FDIC, IRS, MySpace, Facebook, or Microsoft.

Drive-by downloads

The authors behind Trojan.Zbot have also been witnessed using exploit packs to spread the threat via drive-by download attacks. When an unsuspecting user visits one of these Web sites, a vulnerable computer will become infected with the threat.

The particular exploits used to spread the threat vary, largely depending on the proliferation and ease-of-use of exploits available in the wild at the time the Trojan is distributed.

As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:

  • AOL Radio AmpX ActiveX Control 'ConvertFile()' Buffer Overflow Vulnerability (BID 35028)
  • Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID 35558)
  • Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID 10514)
  • Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114)
  • Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035)
  • Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)
  • Adobe Reader and Acrobat (CVE-2009-2994) U3D 'CLODMeshDeclaration' Buffer Overflow Vulnerability (BID 36689)
  • Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)

Source Trojan.Zbot Technical Details

DavidPostill
  • 153,128
  • 77
  • 353
  • 394
  • Thanks for answer. I receive tons of spam but I never click on them or, worse, download something from those links either! – Leonardo Urbano Sep 01 '15 at 13:26
  • @LeonardoUrbano It also could be an infected website. See updated answer. – DavidPostill Sep 01 '15 at 13:30
  • I saw.. I use my PC only to write C++/MQL codes and to surf on (always) the same websites to get soccer news.. No more! Furthermore I have always had an antivirus in my PC (I am loyal to KIS due to quality and performance it has) and so I cannot figure out how it is possible. For these reasons I wrote to have a more "raw" way to check if there is something really strange in my PC behavior. – Leonardo Urbano Sep 01 '15 at 13:35
  • It doesn't really matter how you got infected. Check [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](http://superuser.com/q/100360) for other ways to cleanup your PC if it keeps coming back. – DavidPostill Sep 01 '15 at 13:40
  • I did.. Mine was curiosity on why it keeps me prompting to clean something that was already cleaned. I read what that guy argued saying that it is impossible to clean an infection up completely, and I wanted to have a more technical answer if possible. :) – Leonardo Urbano Sep 01 '15 at 13:48
  • I answered as best as I was able to ... – DavidPostill Sep 01 '15 at 14:02
  • Do not misunderstand me! Your answer was very exhaustive and I really appreciate your explanations! I expressed badly myself while formulating main question, it is my fault! – Leonardo Urbano Sep 01 '15 at 14:20