This Trojan arrives on a system as a file dropped by other malware or as a file downloaded from http://{BLOCKED}v.ru/test/ldr.exe.
It downloads an encrypted configuration file from http://{BLOCKED}v.ru/test/cfg.bin. Once decrypted, the configuration file contains a list of financial-related Web sites which this Trojan monitors. Note that the contents of the file, and hence the list of Web sites to monitor, may change at any time.
This Trojan attempts to steal sensitive online banking information. When a user attempts to access any of the monitored sites in the configuration file, it captures user input, specifically those entered in the input boxes designed for user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.
The gathered information is then sent to http://{BLOCKED}v.ru/test/s.php via HTTP POST.
This Trojan terminates itself if it detects firewall-related processes running on the system.
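As an added example (not part of the advisory), the following Python snippet correlates the three network stages described above (loader download, configuration fetch, HTTP POST exfiltration) per client in constructed proxy log lines; the host name is a placeholder because the advisory redacts the real one, so matching is on method and path.

```python
import re
from collections import defaultdict

# Paths taken from the advisory. The real host is redacted there, so this
# matches on method + path only; add the real host before production use.
STAGES = {
    "loader": ("GET", "/test/ldr.exe"),
    "config": ("GET", "/test/cfg.bin"),
    "exfil": ("POST", "/test/s.php"),
}

# Assumed log layout: "<timestamp> <client-ip> <METHOD> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)"
)

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(ev):
    """Map a parsed event to one of the advisory's stages, or None."""
    for stage, (method, path) in STAGES.items():
        if ev["method"] == method and ev["path"] == path:
            return stage
    return None

def detect(lines):
    """Return {client: {"stages": [...], "exfil_after_config": bool}} for every
    client that hit at least one stage. A config fetch followed by a POST to
    s.php from the same client is the strongest signal of credential theft."""
    seen = defaultdict(list)
    for line in lines:
        ev = parse(line)
        stage = classify(ev) if ev else None
        if stage:
            seen[ev["client"]].append(stage)
    alerts = {}
    for client, stages in seen.items():
        ordered = ("config" in stages and "exfil" in stages
                   and stages.index("config") < stages.index("exfil"))
        alerts[client] = {"stages": stages, "exfil_after_config": ordered}
    return alerts

# Constructed sample log lines (placeholder hosts and private IPs).
SAMPLE = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://blockedv.example/test/ldr.exe
2024-01-01T10:00:09Z 10.0.0.5 GET http://blockedv.example/test/cfg.bin
2024-01-01T10:03:44Z 10.0.0.5 POST http://blockedv.example/test/s.php
2024-01-01T10:04:00Z 10.0.0.7 GET http://intranet.example/test/index.html
2024-01-01T10:05:12Z 10.0.0.9 POST http://blockedv.example/test/s.php
""".splitlines()
```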