Microsoft Adds Win32/Zemot Trojan Family To The Malicious Software Removal Tool

MSRT Zemot

Microsoft today announced that they have added the Win32/Zemot family to the Malicious Software Removal Tool. The Win32/Zemot family of trojan downloaders is used by malware such as Win32/Rovnix, Win32/Viknok, and Win32/Tesch with a number of different payloads. Zemot is usually distributed through the spambot malware Win32/Kuluoz and through the exploit kits Magnitude EK and Nuclear EK. You can see the infection chain above.

We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014.

By taking into account both the machine and the file count telemetry, we can see that a single copy of Zemot is often mass distributed to the payload URLs (the download URLs for Win32/Kuluoz and the payload URL for the exploit kits).

Some other notable characteristics of the Zemot family include:

  • They use several techniques to make sure the downloaded module will be successful on all Windows platforms.
  • Each successful download is saved with a unique file name to allow for multiple infections.
  • Major variants vary in their static configuration format and download file name format (for example: java_update_<random>.exe, updateflashplayer_<random>.exe).
  • Modules for getting the OS version and user privilege, URL parsing, and the download routine are taken from the Zbot source code.
  • Variants can be bundled with other malware (one trojan downloader can distribute multiple malware payloads).
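The download file name formats listed above (java_update_<random>.exe, updateflashplayer_<random>.exe) can be turned into a simple file-creation triage rule. The following is an added example, not code from Microsoft or the original post; the log line format, the sample paths and the random tokens are constructed for illustration, and a name match alone is only a weak indicator that needs corroboration.

```python
import re
from typing import Iterable, List

# Download file name formats attributed to Zemot variants in the post:
# java_update_<random>.exe and updateflashplayer_<random>.exe.
# The <random> part is assumed to be alphanumeric.
ZEMOT_NAME_PATTERN = re.compile(
    r"^(?:java_update|updateflashplayer)_[A-Za-z0-9]+\.exe$",
    re.IGNORECASE,
)


def is_zemot_style_name(path: str) -> bool:
    """Return True if the base name of path matches a Zemot download name format."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ZEMOT_NAME_PATTERN.match(base) is not None


def flag_file_events(lines: Iterable[str]) -> List[str]:
    """Return the paths from file-creation log lines whose name matches the pattern.

    Log line format is hypothetical (constructed for this example):
    <timestamp> FILE_CREATE <full path, may contain spaces>
    """
    hits: List[str] = []
    for line in lines:
        parts = line.strip().split(maxsplit=2)  # keep the path intact
        if len(parts) == 3 and parts[1] == "FILE_CREATE" and is_zemot_style_name(parts[2]):
            hits.append(parts[2])
    return hits


# Constructed sample log lines (hypothetical, not real telemetry).
SAMPLE_LOG = [
    "2014-09-09T10:01:02Z FILE_CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\java_update_a8f3k2.exe",
    "2014-09-09T10:01:05Z FILE_CREATE C:\\Program Files\\Java\\jre7\\bin\\java.exe",
    "2014-09-09T10:02:11Z FILE_CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\updateflashplayer_Q9z.exe",
    "2014-09-09T10:02:30Z FILE_CREATE C:\\Users\\alice\\Downloads\\report.pdf",
]

if __name__ == "__main__":
    for path in flag_file_events(SAMPLE_LOG):
        print("suspicious download name:", path)
```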

Read more from the link below.

Source: Microsoft

