The recent Michael Jackson Zbot variant implements a variety of IAT hooks to perform its data stealing and stealth on victims’ compromised systems. Its user-mode hook techniques have been described as “implemented properly” for malicious user-mode hooks. The Zbot releases have changed in various ways over time, and a couple of new additions reveal ongoing development by the same writers.
The Zbot family of malware continues to use multistaged component injection to achieve its final goal of stealing sensitive and confidential information off of the machine. It attempts to kill off two fairly prevalent firewalls at startup, functionality that seems to be present across all Zbot releases. It also continues to hide its ondisk components by hooking NtQueryDirectory within ntdll, and uses much of the same list of hooked win32 calls since the original release as its basis to plant more hooks:
A couple of hooks have been a common part of their ongoing releases to steal data:
GetClipboardData has always been used to steal information from the clipboard — copying and pasting your username/password won’t get past this malware.
TranslateMessage – buffers keyboard input from windows messages, converts the input to unicode, and sends it to the controller process’s pipe to be sent off of the victim’s machine.
A couple of newer hooks placed by the malware are new and related to what is known as screenscraping:
BeginPaint/EndPaint – appear to be hooks designed to determine when to perform the screenshot functionality found in the DefWindowProcW hook.
DefWindowProcW – mechanism to extract a device context from a window and generate a bitmap from it. In other words, this functionality is used to take screenshots on the victim’s machine as they are using it.
All in all, Zbot is one of the nastier malware families in circulation with a fairly regular release cycle and is actively used by cybercrooks. ThreatFire has been effectively preventing this malicious family from stealing information for a couple of years now.