TSPY_ZBOT.PN

Posted: January 30, 2014

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	9/10
Infected PCs:	85

First Seen:	January 31, 2014
OS(es) Affected:	Windows

TSPY_ZBOT.PN is a new variant of Zeus, the infamous banking Trojan that has received various anti-security updates throughout its lifespan, all while compromising bank accounts to transfer money to its criminal clients. Although new versions of Trojan Zeus have long since stopped being a surprise to malware researchers, they were taken slightly aback on finding that TSPY_ZBOT.PN uses a virus – traditionally a relatively primitive and highly-visible PC threat – for handling its distribution. With criminals seemingly trading stealth for broad infection capabilities, TSPY_ZBOT.PN is particularly likely to compromise other PCs through networks and even peripheral devices, similar to a worm. Conclusive and thorough disinfection tools for removing TSPY_ZBOT.PN, therefore, are strongly advised.

The Reign of the King of Spyware Continues... with a Virus

TSPY_ZBOT.PN is one of the all-too-common variants of Zeus (sometimes transcribed as ZeuS) or Zbot, a Trojan, sometimes rootkit, that steals privileged information through multiple attacks, including keylogging and man-in-the-middle functions. This particularly infamous banking Trojan is known for the sophistication of its attacks, but has taken a turn towards distributing itself with a type of threat that normally is considered the work of amateur coders: viruses. Due to the relative ease with which viruses may be detected (since they modify multiple files in a relatively obvious manner), this makes for a risky, but potentially lucrative change in the strategies of TSPY_ZBOT.PN's clients.

TSPY_ZBOT.PN's virus (or 'file infector') of choice, Patnote, injects its body into all EXE or executable files. This attack also includes files that can be accessed through any networks, as well as files that are stored on removable hard drives, such as USB devices. The latter is a particular security risk since malware experts find it a simple way for Patnote to distribute TSPY_ZBOT.PN to computers that don't have Internet access. Since it distributes the Trojan's code directly, Patnote doesn't need an Internet connection to install TSPY_ZBOT.PN; all it needs to do is infect your PC in the first place.

Declining to Let Your PC Be Attacked by a Virus and Spy Couple

The pairing of viruses with advanced threats like TSPY_ZBOT.PN isn't completely unheard of, but is sufficiently rare to be worthy of emphasizing. The coders behind Patnote also appear to have utilized some of TSPY_ZBOT.PN's tactics for evading PC security software: Patnote disables itself whenever it detects certain brands of software commonly used by PC security researchers. Malware researchers always stress updating your anti-malware programs to combat these kinds of advanced PC threats, but in the case of TSPY_ZBOT.PN and Patnote, you also may want to monitor any network-connected machines and peripheral devices.

Patnote will, of course, increase the file sizes of EXE files infected by it. TSPY_ZBOT.PN may also display some minor symptoms, of which the most obvious are its occasional requests for additional privileged information. These requests are disguised as additional security measures implemented by your bank of choice's website. However, malware researchers find the likelihood of detecting or deleting TSPY_ZBOT.PN without the use of appropriate anti-malware products to be relatively poor.

TSPY_ZBOT.PN

Threat Metric

The Reign of the King of Spyware Continues... with a Virus

Declining to Let Your PC Be Attacked by a Virus and Spy Couple

Leave a Reply