What is the infection mechanism of Trojan-Spy.Win32.ZBot.a?
- Users clicking on links in emails that go to infected web pages (social engineering).
- Users browsing an infected website (drive-by download).
Technical details
PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.
User behavior and precautions
Trojan.Zbot relies heavily on social engineering in order to infect computers. The spam email campaigns used by attackers attempt to trick the user by referencing the latest news stories, playing upon fears their sensitive information has been stolen, suggesting that compromising photos have been taken of them, or any number of other ruses.
Users should use caution when clicking links in such emails. Basic checks such as hovering with the mouse pointer over each link will normally show where the link leads to. Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.
Patch operating system and software
The attackers behind this threat have been known to utilize exploit packs in order to craft Web pages to exploit vulnerable computers and infect them with Trojan.Zbot.
As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:
- AOL Radio AmpX ActiveX Control 'ConvertFile()' Buffer Overflow Vulnerability (BID 35028)
- Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID 35558)
- Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID 10514)
- Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114)
- Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035)
- Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)
- Adobe Reader and Acrobat (CVE-2009-2994) U3D 'CLODMeshDeclaration' Buffer Overflow Vulnerability (BID 36689)
- Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.
...
INFECTION METHOD
This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.
Spam emails
The attackers behind Trojan.Zbot have made a concerted effort to spread their threat using spam campaigns. The subject material varies from one campaign to the next, but often focuses on current events or attempt to trick the user with emails purported to come from well-known institutions such as FDIC, IRS, MySpace, Facebook, or Microsoft.
Drive-by downloads
The authors behind Trojan.Zbot have also been witnessed using exploit packs to spread the threat via drive-by download attacks. When an unsuspecting user visits one of these Web sites, a vulnerable computer will become infected with the threat.
The particular exploits used to spread the threat vary, largely depending on the proliferation and ease-of-use of exploits available in the wild at the time the Trojan is distributed.
As of February 24, 2010, Trojan.Zbot has been seen using the following vulnerabilities:
- AOL Radio AmpX ActiveX Control 'ConvertFile()' Buffer Overflow Vulnerability (BID 35028)
- Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID 35558)
- Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID 10514)
- Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114)
- Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035)
- Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)
- Adobe Reader and Acrobat (CVE-2009-2994) U3D 'CLODMeshDeclaration' Buffer Overflow Vulnerability (BID 36689)
- Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)