Microsoft has made available for download a special edition of its Security Inteligence report that is focused entirely on the battle it’s waging against Zbot also known as Zeus.Zbot is the moniker used to refer to a family of password-stealing Trojans, and one of the most prevalent bots in the wild today.
In the “Battling the Zbot Threat” Microsoft Security Intelligence Report, the software giant looks at the background, functionality, prevalence, and geographical distribution of this piece of malicious code.
At the same time, the Redmond company reveals that equipping the Malicious Software Removal Tool (MSRT) to fight Zbot in October 2010 has been a move with real impact on the malware.
“The MSRT removed Win32/Zbot infections from 444,292 computers in the first month after it was released,” Microsoft explained.
“Although the MMPC releases new detection signatures and constantly updates old ones to keep pace with malware creators, 34 percent of the Win32/Zbot variants detected during the first month were detected using older Win32/Zbot signatures that hadn’t changed since May 2010.”
Microsoft warns that Zbot is continually evolving and that in just the last year the malicious code has grown with additional capabilities designed to make it harder to detect as well as to increase its infection rate of success.
The most recent versions of Zbot detected by the Redmond company sport boosted file infection capabilities outmatching those of the original variants.
“In some newer variants of Zbot in the wild, for each infected process it will hook several Windows APIs, modify and infect binary files, and infect files shared in the network.
"One interesting behavior to note is that the infected process thread will continually monitor and infect other processes,” noted Microsoft security researchers Rodel Finones, Holly Stewart, Joe Faulhaber and Matt McCormack.
“In its original form, Zbot hooked around 15 APIs. But newer versions, dubbed Zbot 2.x, hook upwards of 30 APIs.”