
TSPY_ZBOT.PN

Posted: January 30, 2014

Threat Metric

Threat Level: 9/10
Infected PCs: 85
First Seen: January 31, 2014
OS(es) Affected: Windows


TSPY_ZBOT.PN is a new variant of Zeus, the infamous banking Trojan that has received various anti-security updates throughout its lifespan, all while compromising bank accounts to transfer money to its criminal clients. Although new versions of the Zeus Trojan have long since stopped being a surprise to malware researchers, they were taken slightly aback on finding that TSPY_ZBOT.PN uses a virus, traditionally a relatively primitive and highly visible PC threat, for handling its distribution. With criminals seemingly trading stealth for broad infection capabilities, TSPY_ZBOT.PN is particularly likely to compromise other PCs through networks and even peripheral devices, similar to a worm. Conclusive and thorough disinfection tools for removing TSPY_ZBOT.PN, therefore, are strongly advised.

The Reign of the King of Spyware Continues... with a Virus

TSPY_ZBOT.PN is one of the all-too-common variants of Zeus (sometimes transcribed as ZeuS) or Zbot, a Trojan, and sometimes a rootkit, that steals privileged information through multiple attacks, including keylogging and man-in-the-middle functions. This particularly infamous banking Trojan is known for the sophistication of its attacks, but has taken a turn towards distributing itself with a type of threat that is normally considered the work of amateur coders: viruses. Because viruses are relatively easy to detect (they modify multiple files in a relatively obvious manner), this is a risky but potentially lucrative change in the strategies of TSPY_ZBOT.PN's clients.

TSPY_ZBOT.PN's virus (or 'file infector') of choice, Patnote, injects its body into all EXE (executable) files. This includes files that can be accessed over any network, as well as files that are stored on removable hard drives, such as USB devices. The latter is a particular security risk, since malware experts find it a simple way for Patnote to distribute TSPY_ZBOT.PN to computers that don't have Internet access. Because it carries the Trojan's code directly, Patnote doesn't need an Internet connection to install TSPY_ZBOT.PN; all it needs to do is infect your PC in the first place.

Declining to Let Your PC Be Attacked by a Virus and Spy Couple

The pairing of viruses with advanced threats like TSPY_ZBOT.PN isn't completely unheard of, but is rare enough to be worth emphasizing. The coders behind Patnote also appear to have adopted some of TSPY_ZBOT.PN's tactics for evading PC security software: Patnote disables itself whenever it detects certain brands of software commonly used by PC security researchers. Malware researchers always stress updating your anti-malware programs to combat these kinds of advanced PC threats, but in the case of TSPY_ZBOT.PN and Patnote, you may also want to monitor any network-connected machines and peripheral devices.

Patnote will, of course, increase the file sizes of the EXE files it infects. TSPY_ZBOT.PN may also display some minor symptoms, of which the most obvious are its occasional requests for additional privileged information. These requests are disguised as additional security measures implemented by your bank's website. However, malware researchers find the likelihood of detecting or deleting TSPY_ZBOT.PN without the use of appropriate anti-malware products to be relatively poor.
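
The file-size symptom described above can be watched for with a baseline of executables on local, network and removable paths. The following is an added example, not part of the original article; the function names and the two dummy files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every .exe under root to (size_in_bytes, sha256_hex)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            digest, size = hashlib.sha256(), 0
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError:
                continue  # locked or unreadable file; skipped, not judged
            state[path] = (size, digest.hexdigest())
    return state

def compare(baseline, current):
    """List (path, kind, size_delta) for executables that differ from baseline."""
    findings = []
    for path, (size, sha) in sorted(current.items()):
        if path not in baseline:
            findings.append((path, "new", size))
        elif sha != baseline[path][1]:
            delta = size - baseline[path][0]
            findings.append((path, "grown" if delta > 0 else "modified", delta))
    return findings

def demo():
    """Constructed sample: two dummy .exe files; one later has bytes appended."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.exe", "b.exe"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"MZ" + bytes(126))
        baseline = snapshot(root)
        with open(os.path.join(root, "a.exe"), "ab") as fh:
            fh.write(bytes(64))  # stands in for content added to the file
        return [(os.path.basename(p), kind, delta)
                for p, kind, delta in compare(baseline, snapshot(root))]

if __name__ == "__main__":
    print(demo())
```

A single grown executable is often a legitimate update; many executables growing at once across a share or a USB drive is the pattern worth investigating.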
