Botnets are networks of compromised computers controlled by cybercriminals. Botnets can send out spam, spread malicious software, steal passwords, and more.
Zbot (also known as the "Zeus Botnet") has been responsible for stealing passwords and other financial information from infected computers worldwide.
Microsoft today published a special-edition Security Intelligence Report, entitled "Battling the Zbot Threat," that documents the background, functionality, prevalence, and geographical distribution of Zbot malware. The paper also shows how Microsoft has had a measurable effect on the Zbot ecosystem since adding Zbot detection and removal to the Malicious Software Removal Tool (MSRT) in October 2010.
Telemetry from MSRT and Microsoft Security Essentials over the last four months records the percentage of Zbot detections that exhibit the newer variant's features; these are shown as Zbot 2.x in the chart (the chart is not reproduced here).
The diagram (not reproduced here) shows a simple way to visualize the code injection and hooking cycle:
In its original form, Zbot hooked around 15 APIs. Newer versions, dubbed Zbot 2.x, hook upwards of 30 APIs. The hook we are most interested in, however, is NtCreateFile(), the native API invoked whenever a file is created or opened. As the first diagram shows, Zbot can infect a system both directly and through this hook, each time a file is opened. That makes manual cleanup a severe hindrance: the hook re-infects the system while you are still trying to remove it. If a tedious manual cleaning process doesn't sound palatable, you can rest assured that MSRT handles cleaning of an infected system properly.
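To make the hooking mechanism concrete, here is an added example (not code from the report, MSRT, or any Microsoft tool) showing both sides of it: how a user-mode hooker overwrites the first bytes of an exported function with a jump into injected code, and how a scanner detects that by comparing the in-memory prologue of each export with the prologue read from the module file on disk. The ntdll load address, export RVAs, syscall numbers, and the "injected code" address are all constructed values for the example, not real Windows build data.

```python
"""Inline-hook detection by memory-versus-disk prologue comparison.

Added example for this article; not part of MSRT or any Microsoft tool.
All addresses, RVAs, syscall numbers and byte strings below are constructed
test data (real values vary by Windows build and ASLR).
"""
import struct

NTDLL_BASE = 0x7FFE0000          # hypothetical load address of ntdll.dll
NTDLL_SIZE = 0x1F0000            # hypothetical image size
EXPORT_RVAS = {                   # hypothetical export RVAs
    "NtCreateFile": 0x9D4D0,
    "NtQueryDirectoryFile": 0x9D800,
    "NtResumeThread": 0x9DC40,
}
PROLOGUE_LEN = 16                 # bytes compared per export
INJECTED_CODE = 0x12340000        # hypothetical address of injected (non-module) code


def syscall_stub(number: int) -> bytes:
    """Constructed x64 Nt* stub shape: mov r10,rcx ; mov eax,<syscall#> ; test ..."""
    return (b"\x4c\x8b\xd1" + b"\xb8" + struct.pack("<I", number)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01")


# "On-disk" prologues, as a scanner would read them from the PE export table.
DISK_EXPORTS = {name: syscall_stub(n)
                for name, n in zip(EXPORT_RVAS, (0x55, 0x35, 0x52))}


def patch_jmp_rel32(stub: bytes, from_addr: int, to_addr: int) -> bytes:
    """What an inline hooker does: replace the first 5 bytes with jmp rel32."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + stub[5:]


def decode_trampoline(code: bytes, address: int):
    """Return (kind, absolute target) for common hook trampolines, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (address + 5 + rel) & 0xFFFFFFFFFFFFFFFF)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32 ; ret
        return ("push imm32/ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return ("mov rax,imm64/jmp rax", struct.unpack_from("<Q", code, 2)[0])
    return None


def check_export(name, memory, disk, base=NTDLL_BASE, size=NTDLL_SIZE):
    """Compare one export's in-memory bytes with its on-disk bytes."""
    address = base + EXPORT_RVAS[name]
    result = {"export": name, "address": address, "status": "clean"}
    if memory[:PROLOGUE_LEN] == disk[:PROLOGUE_LEN]:
        return result
    hook = decode_trampoline(memory, address)
    if hook is None:
        result["status"] = "modified"      # bytes differ, no recognised jump
        return result
    kind, target = hook
    result.update(status="hooked", kind=kind, target=target,
                  target_in_module=base <= target < base + size)
    return result


def scan_exports(memory_exports, disk_exports, **kw):
    return [check_export(n, memory_exports[n], disk_exports[n], **kw)
            for n in disk_exports]


# Constructed "in-memory" view: two exports hooked, one untouched.
MEMORY_EXPORTS = dict(DISK_EXPORTS)
MEMORY_EXPORTS["NtCreateFile"] = patch_jmp_rel32(
    DISK_EXPORTS["NtCreateFile"],
    NTDLL_BASE + EXPORT_RVAS["NtCreateFile"], INJECTED_CODE)
MEMORY_EXPORTS["NtQueryDirectoryFile"] = (
    b"\x68" + struct.pack("<I", INJECTED_CODE + 0x400) + b"\xC3"
    + DISK_EXPORTS["NtQueryDirectoryFile"][6:])


def hooked_exports(memory_exports=MEMORY_EXPORTS, disk_exports=DISK_EXPORTS):
    """Names of exports whose prologue no longer matches the file on disk."""
    return [r["export"] for r in scan_exports(memory_exports, disk_exports)
            if r["status"] != "clean"]


if __name__ == "__main__":
    for r in scan_exports(MEMORY_EXPORTS, DISK_EXPORTS):
        print(r)
```

On a live system the disk bytes come from parsing the module's PE export table and the memory bytes from reading the target process (for example with ReadProcessMemory), which this example replaces with constructed dictionaries. The strong signal is a jump whose target lies outside every loaded module image, in anonymous memory such as an injected region; a jump that stays inside the module can be legitimate hot-patching or another security product, so treat `target_in_module` as the discriminator rather than the mere presence of a prologue change.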
More Info: Battling the Zbot Threat