The old Zbot Trojan can easily bypass mailbox security detection after it is installed.

Source: Internet
Author: User
Tags: microsoft outlook

Recently, the 360 Security Center intercepted a Zbot variant that steals personal information such as bank card details and email passwords from users. This variant uses a three-layer protection technique to bypass the security checks of QQ Mail. However, 360's QVM engine has been trained on a comprehensive collection of such samples, so the latest variants are detected promptly. 360 Security Guard has already intercepted and removed this Trojan.

An email from "outlook official"

Recently, an engineer received an email whose sender appeared as "Microsoft Outlook" and whose attachment looked like an audio file. Once downloaded to the local machine, however, the attachment turned out to be a Zbot Trojan.

Zbot is actually a very old Trojan. It injects malicious code into every process except csrss.exe. The injected code hooks many network-related functions in order to monitor network traffic and steal personal information such as bank card details and email passwords. The stolen information is stored locally and then sent to the address specified in the configuration file. This variant, however, is somewhat innovative: it uses several disguise techniques to bypass the security checks of QQ Mail. A detailed analysis follows:

See how the old Trojan is turned into a new one

Trojan Loading Process

First evasion layer: the program first copies an array into memory and executes it as shellcode.

Dump the memory region and view it in IDA.

It can be seen that this code has been obfuscated. Such techniques are used to evade signature-based scanning by anti-virus software.

Second evasion layer: a block of memory is allocated and the host program is copied into it; the shellcode then searches backwards from the end of the file for data beginning with B4E32392 and decrypts it.

The shellcode then calls VirtualAlloc to reserve another region (to hold the extracted data) and calls RtlDecompressBuffer to decompress the decrypted data into that region. The decompressed data is the file image of the Zbot Trojan.

In this way the Trojan's file is obtained without ever being written to disk, so anti-virus software never gets a Trojan file to scan.

Third evasion layer: next, the program creates a new process (a zombie process) in the suspended state and uses memory-mapping calls to release the child process's original image. This prepares for the later modification of the thread context.

It then allocates a new region, marks it executable, and uses it to hold the memory image of the parent file.

The file header and the sections are written into it in turn.

GetThreadContext is called to obtain the thread context, and the child process's EIP is modified to point at the program entry point. This is where execution of the Zbot Trojan begins.

Finally, SetThreadContext is called and the thread is resumed. The Trojan program starts to run.

In this way the Trojan avoids loading the parent file directly, thereby evading some anti-virus detection.
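The suspended-process sequence described above (create the child suspended, write the payload into it, replace the thread context, resume) is visible in a sandbox or EDR API trace even though the payload never touches disk. The following detector is an added example, not code from the article or from 360's products; it assumes a constructed trace format `pid|api|key=value,...` with constructed process IDs and paths, and it reports only a child that completes every stage, so a child that is merely created suspended and resumed is not flagged.

```python
import re
# Stages that must follow CreateProcess(CREATE_SUSPENDED), in this order, for one child.
HOLLOW_STAGES = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit passed to CreateProcess
LINE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<api>\w+)\|(?P<args>.*)$")  # assumed trace format

def parse_line(line):
    """Parse one 'pid|api|key=value,...' trace line into (pid, api, {key: value}); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = dict(kv.split("=", 1) for kv in m.group("args").split(",") if "=" in kv)
    return int(m.group("pid")), m.group("api"), args

def find_hollowing(trace_lines):
    """Return [(parent_pid, child_pid, new_eip)] for each suspended child that was
    written to, had its thread context replaced, and was then resumed."""
    pending = {}  # child pid -> [parent pid, index of next expected stage, eip]
    hits = []
    for line in trace_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        if api == "CreateProcess":
            # Only a child created suspended can be rewritten before it runs.
            if int(args.get("flags", "0"), 16) & CREATE_SUSPENDED:
                pending[int(args["child"])] = [pid, 0, None]
            continue
        child = int(args.get("target", "-1"))
        state = pending.get(child)
        if state is None or state[0] != pid:
            continue  # not a suspended child of this caller
        if api == HOLLOW_STAGES[state[1]]:
            if api == "SetThreadContext":
                state[2] = args.get("eip")  # entry point the thread is redirected to
            state[1] += 1
            if state[1] == len(HOLLOW_STAGES):
                hits.append((pid, child, state[2]))
                del pending[child]
    return hits

# Constructed trace: one hollowing chain, plus a child that is merely created
# suspended and resumed without any memory write, which must not be flagged.
SAMPLE_TRACE = """
1000|CreateProcess|image=C:\\placeholder\\host.exe,flags=0x4,child=2044
1000|WriteProcessMemory|target=2044,addr=0x400000,size=0x1e400
1000|GetThreadContext|target=2044
1000|SetThreadContext|target=2044,eip=0x40312a
1000|ResumeThread|target=2044
3000|CreateProcess|image=C:\\placeholder\\tool.exe,flags=0x4,child=3105
3000|ResumeThread|target=3105
""".strip().splitlines()
```

Running `find_hollowing(SAMPLE_TRACE)` reports the chain against child 2044 and stays silent on child 3105.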

Conclusion: why can 360 detect and remove it?

The host file is a .NET program. It allocates a region of memory, copies a piece of obfuscated code into it, and then loads it; the obfuscated code then searches the file for a block of compressed data and decompresses it to obtain the parent file. Finally, the parent file is triggered by creating a new process in the suspended state and modifying its thread context.

Put simply, the Trojan only runs after all of the following parts have done their job: the host file, the obfuscated code, the compressed data, the parent file, the suspended thread, and the EIP modification that finally triggers the Trojan.

This variant uses three layers of protection to make detection by anti-virus software harder. Fortunately, 360's QVM engine has been trained on a comprehensive collection of such samples and can detect the latest variants.
