Over the Christmas period, we here at Webroot have noticed a large amount of Zeus infections that are spoofing the Bitdefender name.
While infections spoofing AV companies aren’t unusual, it’s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – Overall, we have seen 40,000 unique MD5`s in the last week alone!
The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website.
Infection Information:
- File size is normally around 200-300kb
- It’s located in one path of the users appdata folder with a random path+file name
- C:\users\testPC\Appdata\<random letters>\<random letters.exe
- Usually dropped via an exploit kit (Blackhole being the most popular)
- However, it has also been seen attached to Spam emails
- Can disable Windows Firewall and Security Center
- Has the ability to connect to a remote server to download updates
- Can download other infections
Behaviour:
This infection can get onto a user’s PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kits uses Java Exploits to drop and execute a file.
Unless the user is very alert, they typically won’t even notice they are infected. Once executed, the infection will try a number of methods to make sure it is automatically ran on start-up.
The first is a registry key which points to the infection directly [1]
The second is a fake Security Center update scheduled task [2]
The third is to create a service that auto starts again point to the infection [3]
- hklm\software\microsoft\windows\currentversion\run “C:\Users\User\Application Data\Obunat\ongekie.exe”
- %windir%\tasks\ SECURITY CENTER UPDATE – 4048458695.JOB
- hklm\system\currentcontrolset\services\securitycenterserver673348880 U5″C:\WINDOWS\system32\igizhaot.exe” -service “C:\Users\User\Application Data\Obunat\ongekie.exe”
After this, the infection may connect to a remote server and receive updates and it can also download other infections (Cryptolocker/ICE and other Rogue AV`s)
Due to the large number of variants, I won’t go through all the behaviours, but generally the infection route follows one of the patterns above. This infection can disable the Windows security center or modify the Firewall settings to allow remote access to the PC.
Examples:
| MD5 | PATH | FILE NAME | FILE SIZE |
| 83890496EB018EA524E72CE18CD37209 | %appdata%\ukhecy | REHEI.EXE | 221,334KB |
| 70AACDCEC7C9D35393CD9D382C8A0454 | %appdata%\pawary | YVPULUV.EXE | 217,222KB |
| ED098AB9A5E13D1B12BE816659C4172C | %appdata%\qaxuile\ | PAIDP.EXE | 217,222KB |
| 79776C5BE35DFC4089312D42EC70F903 | %appdata%\hoydatem\ | SAAFIFV.EXE | 217,222KB |
| 25D00FC9F06E1720A7B4E4C9293D32AE | %appdata%\siuvmyw\ | PYRUOV.EXE | 218,783KB |
| 79776C5BE35DFC4089312D42EC70F903 | %appdata%\zoobir\ | EQDUG.EXE | 215,105KB |
| MD5 | PATH | FILE NAME | FILE SIZE | PC Count |
| A748FEB8EE581E2225CE7F983E364EC0 | %temp% | JAVA_UPDATE_71972350.EXE |
222,827 |
181 |
| EC9FC4EE2AA75D0CD6E0490853F27B21 | %temp% | JAVA_UPDATE_7bb116be.EXE |
215,105 |
105 |
| DB97134AFFDA00379CAF3FCD00BBFFFF | %temp% | JAVA_UPDATE_93D4FD64.EXE |
216,678 |
231 |
| 4FCD4FD7D3D3A5D24EF663CE3419D7CC | %temp% | JAVA_UPDATE_0EEF9307.EXE |
217,222 |
174 |
| D4BC7886F04574E5628FD6BBFBB01C19 | %temp% | JAVA_UPDATE_8C3C4799.EXE |
218,873 |
134 |
In total, we have seen over 40k files and this is increasing every hour. Most of the files have a digital vendor that is close to the real version (shown below). As you can see from the screenshot above, a number of the files are pretending to be Java updates.
BitKefender S.R.L. with 869 unique MD5`s
BitNefender S.R.L.|BitNefender Antivirus Scanner with unique 19,305 MD5`s
Removal:
Due to the infection route of this particular infection, it is advisable to have the latest version of Java installed and preferably use a modern secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector.
As mentioned earlier, this infection has also been seen to be spread by email. It is advisable to use an email provider that has good SPAM filtration. Google and Microsoft mail services are efficient at blocking these emails.
Always be alert to any email attachments, even if they’re from friends/relatives, and especially executable files that are inside a zip file. Over the Christmas period, we have also noticed a targeted attack from malware authors using well known store names lie Costco, Walmart, etc. in spoof emails.
Since SecureAnywhere doesn’t rely on traditional definitions, we can react instantly to this new trend of Zeus. Webroot SecureAnywhere can safely block this infection. Likewise, if installed on a pre-infected PC, Webroot SecureAnywhere can remove the infection.
I have webroot secureanywhere. I got notification from Windows that I may have the zeus virus on home computer. I have run a scan but no threat detected, but how can I be sure? What can be run from Webroot to ensure my computer is rid of the zeus or can at least find it? Thanks
The message you’re seeing is not a real virus but simply just a browser hijack (or popup) that leads you to believe you are infected so you call the phone number they provide. Webroot protects against the real Zeus virus, but it can’t protect against a popup that can’t cause any real harm.
Please reach out to our Support Team so they can review your system and ensure what is causing this to appear is remediated entirely.
Support Number: 1-866-612-4227 M-F 7am−6pm MT
Send a Support Ticket
Best Regards,
Josh P.
Digital Care Coordinator