Jump to content

Trojan.Zbot


Jem
 Share

Recommended Posts

I have no idea what Trojan.Zbot is but it arrived this morning by email, undetected by NOD32 7, but detected when saved and scanned manually with Malwarebytes. A manual scan with NOD32 declared it clean.

 

It's a zipped executable attached to an email from 'no-reply@hmrc.gov.uk' with the subject: 'You have received new messages from HMRC'.

 

I've submitted for analysis and used NOD32 to quarantine. But be warned...

 

I admit to being concerned that NOD32 is not catching this type of threat. It's the second time in as many weeks. I submitted the last one for analysis but had no feedback, although I provided my email address.

Link to comment
Share on other sites

  • Administrators

It's probably Win32/TrojanDownloader.Small.AAB, the file was blacklisted about an hour ago. What ESET product and version do you use?

Link to comment
Share on other sites

It's probably Win32/TrojanDownloader.Small.AAB, the file was blacklisted about an hour ago. What ESET product and version do you use?

NOD32 Antivirus 7. Signature: 8963. That's the last update - just checked.

Link to comment
Share on other sites

At what time did you receive the threat by email? It was blacklisted today at about 9 AM CET.

9.00 AM CET is 8.00 AM UK TIME (Until the clocks go back on Sunday morning). I posted here at 10.54 AM (11.54 CET), a few minutes after receiving the email. My second post above is 11.41 AM (12.41 CET), immediately after checking for a signature update - there was no update and the file remained undetected. This concerns me greatly as ESET clearly have an issue pushing updates out in a timely fashion - certainly in the UK. If MWB detected it early so should NOD32, particularly as it had already been blacklisted.

Link to comment
Share on other sites

  • Administrators

Yes, the file was undetected when you scanned it, that's ok. LiveGrid file reputation is not applied on files scanned by the on-demand or on-access scanner. However, it should have been detected and blocked upon receipt provided that you had LiveGrid enabled. The detection would have looked like as follows;

 

 

__________ ESET NOD32 Antivirus warning, version of virus signature database 8953 (20131023) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Government Gateway Reg Form.zip - Suspicious Object - deleted
Government Gateway Reg Form.zip > ZIP > Government Gateway Reg Form.exe - Suspicious Object - was a part of the deleted object

Link to comment
Share on other sites

Live Grid is enabled and always has been. I use secure IMAP email and consequently have SSL protocol scanning on for email and the web - other than that all settings at default. So, I'd like more feedback as to why this didn't get picked up - I did not receive any warnings whatsoever.

Link to comment
Share on other sites

  • Administrators

Has ESET ever detected malware in incoming email? What email client do you use? Since you receive email via IMAPS, a plugin for your email client is required to scan email as long as SSL scanning is disabled (which is by default).

Link to comment
Share on other sites

1) Yes, it has - on one occasion.

2) Outlook 2010

3) SSL scanning is enabled by me. And in any case the NOD32 plugin is installed in Outlook and always has been.

4) That's not the point though is it? You're telling me that LiveGrid should have picked this up - which it didn't

Link to comment
Share on other sites

Marcos said live grid did Not detect it at the time you stated.

After the fact are what he is stating for Live Grid.

 

It should be detecting it now. Can you test again by e-mailing it to yourself then reporting back here ?

If it doesnt now, their may be a setup issue or something else !

Edited by Arakasi
Link to comment
Share on other sites

Marcos said live grid did Not detect it at the time you stated.

After the fact are what he is stating for Live Grid.

 

It should be detecting it now. Can you test again by e-mailing it to yourself then reporting back here ?

If it doesnt now, their may be a setup issue or something else !

No, that isn't what Marcos said. He said that Live Grid reputation is not applied to a manual scan at the time I did it.....(I now quote):

 

"However, it should have been detected and blocked upon receipt provided that you had LiveGrid enabled." ...which, as I said in the next post, I did. From that I must assume that Live Grid (if up to date) will warn of a problem regardless of the state of the virus database used by a manual scan.

 

I cannot email it to myself using IMAPS as my email host is now trapping it at the server (so they are obviously now up to date). Good old British Telecom however is letting it through. So I sent and received it via my BT POP email account and NOD32 deleted it on receipt.

 

At the moment, based on my interpretation of the way NOD32 works I am still assuming that Live Grid was either:

 

1) Not functioning as intended - for whatever reason.

2) Not up to date - at least for users in the UK.

 

If ESET would like to respond fully, I am more than happy to carry out more tests. In the meantime it was a disappointing experience.

Edited by Jem
Link to comment
Share on other sites

Sorry for your dissapointing experience.

A threat that may have been seen for the first time.

Definitions need to be updated so the product knows the proper way to clean or dispose of.

If your computer was the first to see it and report it to live grid, you could be potentially helping thousands of users who run into it next.

So thank you.

Link to comment
Share on other sites

  • Administrators

I was talking about the last malware we received with "HMRC" in the subject so we'd need to compare the hash of our and your file to find out if they are same or different. Regardless of this, it's important to keep in mind that no antivirus protection provides 100% protection and opening unknown files is not safe and may lead to infection.

Link to comment
Share on other sites

I was talking about the last malware we received with "HMRC" in the subject so we'd need to compare the hash of our and your file to find out if they are same or different. Regardless of this, it's important to keep in mind that no antivirus protection provides 100% protection and opening unknown files is not safe and may lead to infection.

Your second point about 100% protection is well understood and accepted. I'm questioning it as you originally seemed to think that Live Grid should have caught it based on the blacklist timing and when I received the e-mail. Also, the 'name' (Win32/TrojanDownloader.Small.AAB) is certainly what NOD32 is seeing now when I email it to myself here.

 

With the hash comparison, do you have the file I submitted or would you like me to submit it again / email it somewhere?

Link to comment
Share on other sites

Jem & Marcos,

 

I don't believe this is an isolated incident.  Twice now in the past month our network has been compromised with the Win32/Spy.Zbot.AAU trojan.  In both cases the systems infected reported an infection only after running a scheduled full scan.  The systems were compromised by the Trojan while running current real-time protecion under ESET NOD32 AntiVirus 4.2.76 and current definitions on Windows 7 PCs.  We were also have the Outlook Add-In installed on all our systems, and the there was no indication of a threat detected prior to the full manual scan.  Our company was blacklisted due to the infection.  What steps can be taken to mitigate future risk to our network?  I have also submitted a support request but would appreciate any feedback you may have.

 

We will be re-evaulating our anti-virus and anti-malware solution as our license expires next March.

Link to comment
Share on other sites

afloyd, a few questions.

 

Do you host your own exchange ?

What service provider do you use for emails, and how is it setup in outlook? POP, IMAP, Exchange, Exchange ActiveSync or Webmail ?

 

Just a few questions so i can ponder on your current setup and any additional that may be available.

 

Thanks :)

Link to comment
Share on other sites

I was talking about the last malware we received with "HMRC" in the subject so we'd need to compare the hash of our and your file to find out if they are same or different. Regardless of this, it's important to keep in mind that no antivirus protection provides 100% protection and opening unknown files is not safe and may lead to infection.

 

Marcos,

 

I'm interested in any feedback, including the hash comparison. Any update? I can see that this trojan has hopefully been cornered as I had another one today under a different name, but NOD32 caught it (zipped) as it came into my Inbox. So in answer to your original question "Has ESET ever detected malware in incoming email?" - clearly that does work, even with an IMAPS account. I have the Oultook plugin installed (as I always have) and SSL scanning is OFF (as per the default setting). Still a bit bothered about the Live Grid thing that you thought should have worked but according to VirusTotal, ESET are one of the few vendors detecting this one even now.

 

Thanks.

Edited by Jem
Link to comment
Share on other sites

  • Administrators

I've tested LiveGrid blocking and it works fine. Should you come across a similar problem again, let me know and send me the malware attached to a personal message so that I can investigate when we started to block it.

Link to comment
Share on other sites

I've tested LiveGrid blocking and it works fine. Should you come across a similar problem again, let me know and send me the malware attached to a personal message so that I can investigate when we started to block it.

OK. Thanks. I've re-installed everything from scratch in the meantime - completely clean install for good measure.

Link to comment
Share on other sites

Marcos,

 

Yes we host our own Exchange 2003 server and use it with Outlook, ActiveSync, and OWA.  We have ESET Mail Security 4.2.xx running on it, however, during my recent discussion with an ESET support rep I was informed the more recent 5.0.xx version has better spam and filtering capabilities so we're going to upgrade it this weekend.  We also have filtering at the external DNS level (via Barracuda RBL, SpamCop, Spamhaus SBL, and Spamhaus XBL), and at the router (via our SonicWALL Content Filter, Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, and Botnet protection).  None of these caught the Zbot intrusion either.  I will be reaching out to SonicWALL support to see what else we can do at the router level to prevent this.

 

The ESET rep was kind enough (after sending me a very basic security response and little else) to take a closer look at our current versions (hence the upgrade) and current configuration (to determine it was in good shape).  I got the spiel about 'methods of attack are always changing and sometimes we are not able to anticipate new attack vectors'. I understand no security product will ever be 100% effective.  But, I don't really want to argue the harsh reality of IT Security - I'm much more interested in what can be done with our current resources (or ones we haven't considered) to minimize our vulnerability as much as possible.

 

Thanks again for responding.

-Aaron

Link to comment
Share on other sites

  • ESET Insiders

LiveGrid file reputation is not applied on files scanned by the on-demand or on-access scanner.

So, the LiveGrid option in ThreatSense engine parameters  is some type of background file-queue for building file reputation across all users?

Reputation blocking should be enabled for Web-Mail protection even if data recopilation for LiveGrid is off.

Link to comment
Share on other sites

  • Administrators

LiveGrid file reputation is not applied on files scanned by the on-demand or on-access scanner.

So, the LiveGrid option in ThreatSense engine parameters  is some type of background file-queue for building file reputation across all users?

Reputation blocking should be enabled for Web-Mail protection even if data recopilation for LiveGrid  is off.

 

Partially. In order to use file reputation for blocking malicious files, you'd need to have "Participate in ESET LiveGrid" option enabled under Tools -> ESET LiveGrid. Probably the separate LiveGrid setting in the ThreatSense setup will be removed in future versions.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...