• Email
• Facebook
• Twitter
• Google+
• Linkedin

TROJ_ZBOT.BYU

---

• マルウェアタイプ: スパイウェア
• 破壊活動の有無: なし
• 暗号化: なし
• 感染報告の有無: はい

---

  概要

スパイウェアは、特定の銀行および金融機関のWebサイトで利用されるユーザ名やパスワードなどの個人情報を収集します。

---

  詳細

侵入方法

スパイウェアは、以下の悪意あるWebサイトからユーザが誤ってダウンロードすることにより、コンピュータに侵入します。

• http://{BLOCKED}ead.co.cc/setupold/09/setup.exe

インストール

スパイウェアは、以下のフォルダを追加します。

• %Application Data%\{random1}
• %Application Data%\{random2}

(註：%Application Data%フォルダは、 Windows 2000、XP、Server 2003 の場合 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" 、 Windows NTの場合 "C:\WINNT\Profiles\＜ユーザ名＞\Application Data"、Windows 98 および MEの場合、"C:\Windows\Profiles\＜ユーザ名＞\Application Data" です。)

スパイウェアは、以下のプロセスに自身を組み込み、システムのプロセスに常駐します。

• dwm.exe
• rdpclip.exe
• ctfmon.exe
• wscntfy.exe
• taskeng.exe
• taskhost.exe

自動実行方法

スパイウェアは、自身のコピーがWindows起動時に自動実行されるよう以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random CLSID} = %Application Data%\{random1}\{random}.exe

他のシステム変更

スパイウェアは、以下のレジストリキーを追加します。

HKEY_CURRENT_USER\Software\Microsoft\
{random}

作成活動

スパイウェアは、以下のファイルを作成します。

• %Application Data%\{random1}\{random}.exe
• %Application Data%\{random2}\{random}.{random}

(註：%Application Data%フォルダは、 Windows 2000、XP、Server 2003 の場合 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" 、 Windows NTの場合 "C:\WINNT\Profiles\＜ユーザ名＞\Application Data"、Windows 98 および MEの場合、"C:\Windows\Profiles\＜ユーザ名＞\Application Data" です。)

ダウンロード活動

スパイウェアは、以下のWebサイトにアクセスして自身の環境設定ファイルをダウンロードします。

• http://{BLOCKED}ead.co.cc/setupold/09/data.bin

情報漏えい

スパイウェアは、Webサイトにアクセスしてファイルをダウンロードします。ダウンロードされたファイルには、自身のコピーの更新版ファイルのダウンロード元および収集した情報の送信先が記載されています。なお、上記でダウンロードされたファイルは、環境設定ファイルで、このスパイウェアが情報収集の際に対象とする以下の金融関連Webサイトのリストを含んでいます。

• *.ebay.*/*eBayISAPI.dll?*
• *.hsbc.co.uk/1/2/HSBCINTEGRATION/*
• *.partnerandaffinitycards.co.uk/servicing/Logon.aspx?*
• */CapitalOne_Consumer/*
• */atl.osmp.ru/*
• */login.osmp.ru/*
• */my.ebay.*/*
• */my.ebay.*/*CurrentPage=MyeBayPersonalInfo*
• *alliance-leicester.co.uk*
• *banking.bankofscotland.co.uk*
• *banking.co.at*
• *barclaycard.co.uk*initialLogon*
• *business.co-operativebank.co.uk*
• *business.hsbc.co.uk*
• *commerzbank-privat.de*
• *commissioncontrol.net*
• *coventrybuildingsociety.co.uk*
• *ebanking.bawag.com*
• *fdonline.co-operativebank.co.uk*
• *fiducia.de*
• *home.cbonline.co.uk/ralu*
• *home.ybonline.co.uk/ralu*
• *iblogin.com/hobsinternet*
• *ksk-*.de*
• *kskgrossgerau.de*
• *ksklb.de*
• *kskms.de*
• *kskrhein-hunsrueck.de*
• *kskwd.de*
• *ksn-northeim.de*
• *lzo.com*
• *mybusinessbank.co.uk/cs70_banking*
• *naspa.de*
• *nationet.com/AppServices/SignOn/SignOnProcess*
• *nospa.de*
• *npbs.co.uk*
• *online-business.lloydstsb.co.uk*
• *rbsdigital.com/AccountSummary.aspx
• *rbsdigital.com/login.aspx*
• *sls-direkt.de*
• *sparkasse*.de*
• *spk-*.de*
• *sskm.de*
• *tuxedomoney.com*
• *vspk-*.de*
• *your.egg.com/customer*
• htt*.firstdirect.com/1/2/balances;jsessionid=*?BlitzToken=true&fsdtSideMenuState=0
• http*.aol.co*
• http*.firstdirect.com/1/2/!ut/p/kcxml/*jsessionid=*
• http*.firstdirect.com/1/2/*
• http*.firstdirect.com/1/2/;jsessionid=*=idv.Authentication
• http*.firstdirect.com/1/2/idv.Logoff?nextPage=fsdtBalances
• http*.firstdirect.com/1/2/sLink;jsessionid=*IBSelectedAccount=*
• http*.firstdirect.com/1/2/transactions;jsess*
• http*://*alliance-leicester.co.uk*
• http*://*cbonline.co.uk*
• http*://*co-operativebank.co.uk*
• http*://*hsbc.co.uk*
• http*://*smile.co.uk*
• http*://*ybonline.co.uk*
• http*halifax*co.uk*
• http*mail.live.com/mail*
• http*online-business.lloydstsb.co.uk/miheld.ibc
• http*yahoo.com*
• https://*.banking.first-direct.com/1/2/balances*
• https://*abbeynational.co.uk*
• https://*cbonline.co.uk/*/accountDetailsProcessSelectAccount.ctl*
• https://*cbonline.co.uk/*/acctInfo_tranHist.ctl*
• https://*cbonline.co.uk/*/payments_transferNewConfirm.ctl*
• https://*cbonline.co.uk/*/setupSecurityQuestionPage.ctl
• https://*cbonline.co.uk/*setupPartialPasswordPage.ctl
• https://*cbonline.co.uk/cbib/cbib/acctInfo_acctBal.ctl*
• https://*cbonline.co.uk/cbib/cbib/index.jsp*
• https://*cbonline.co.uk/cbib/cbib/payments_transferNew.ctl*
• https://*cbonline.co.uk/cbib/cbib/payments_transferNewValidate.ctl*
• https://*ibank.internationalbanking.barclays.com/*
• https://*ulsterbankanytimebanking.*/login.aspx*
• https://*ulsterbankanytimebanking.co.uk/*
• https://*ybonline.co.uk/*/accountDetailsProcessSelectAccount.ctl*
• https://*ybonline.co.uk/*/acctInfo_tranHist.ctl*
• https://*ybonline.co.uk/*/payments_transferNewConfirm.ctl*
• https://*ybonline.co.uk/*/setupSecurityQuestionPage.ctl
• https://*ybonline.co.uk/*setupPartialPasswordPage.ctl
• https://*ybonline.co.uk/ybib/ybib/acctInfo_acctBal.ctl*
• https://*ybonline.co.uk/ybib/ybib/index.jsp*
• https://*ybonline.co.uk/ybib/ybib/payments_transferNew.ctl*
• https://*ybonline.co.uk/ybib/ybib/payments_transferNewValidate.ctl*
• https://cardservicing.tescofinance.com/RBSG_Consumer/UserLogin.do*
• https://cardservicing.tescofinance.com/RBSG_Consumer/VerifyLogin.do*
• https://cardsonline-consumer.com/RBSG_Consumer/*
• https://database.acornmediauk.com/*
• https://ebanking.northernbank.co.uk/northernnetbank/startnbac.htm
• https://ibank.cahoot.*/servlet/com.aquarius.security.authentication.servlet.LogonServlet*
• https://ibank.cahoot.com/*
• https://ibank.internationalbanking.barclays.com/logon*
• https://ibank.reliancebankltd.com/*/home*
• https://ibank.reliancebankltd.com/i.web/home*
• https://my.if.com/*
• https://my.if.com/PlanReviewAct/plan.asp*
• https://my.if.com/_mem_bin/formslogin.asp*
• https://myonlineaccounts*.abbeynational.co.uk/CentralLogonWeb/MyPersonalHomepage*
• https://myonlineaccounts3.abbeynational.co.uk/GPCC_ENS/BtoChannelDriver.ssobto*
• https://olb2.nationet.com*
• https://online-business.lloydstsb.co.uk/*
• https://online-business.lloydstsb.co.uk/account.ibc?Account=*
• https://online-business.lloydstsb.co.uk/actionaccount.ibc?Account=*&PageRequired=MostRecent&*
• https://online-business.lloydstsb.co.uk/customer.ibc
• https://online-business.lloydstsb.co.uk/customer.ibc*
• https://online-business.lloydstsb.co.uk/logon.ibc
• https://online-business.lloydstsb.co.uk/miheld.ibc
• https://online-business.lloydstsb.co.uk/statement.ibc?Account=*
• https://online-business.lloydstsb.co.uk/transferpaym.ibc?Account=*
• https://online-offshore.lloydstsb.com/*
• https://online.islamic-bank.com/online/aspscripts/secret*.asp*
• https://online.lloydstsb.co.u*
• https://online.ybs.co.uk/public/authentication/login2.do*
• https://onlinebanking.firsttrustbank.co.uk/*
• https://secure.ingdirect.co.uk/INGDirect.html?command=displayClientAccountSummary*
• https://secure.ingdirect.co.uk/InitialINGDirect.html*
• https://secure.lloydstsb.co.uk/personal/*
• https://secure.lloydstsb.co.uk/personal/a/account_details/*
• https://secure.lloydstsb.co.uk/personal/a/account_overview/
• https://secure.lloydstsb.co.uk/personal/a/deletepayee/deletepayee.jsp
• https://secure.lloydstsb.co.uk/personal/a/logon/*ntermemorableinformation.jsp
• https://secure.lloydstsb.co.uk/personal/a/makepayment/confirmpayeedetails.jsp
• https://secure.lloydstsb.co.uk/personal/a/makepayment/payeesetupsuccessfully.jsp
• https://secure.lloydstsb.co.uk/personal/a/viewproductdetails/ViewProductDetails.jsp
• https://secure.lloydstsb.co.uk/personal/a/viewproductdetails/ViewProductDetails.jsp?pnlTabpane=1&al=
• https://secure.natweststockbrokers.co.uk/nws-secure2/*
• https://service.oneaccount.com/*/OSV2?event=login&pt=3
• https://service.oneaccount.com/onlineV2/*
• https://service.oneaccount.com/onlineV2/*viewPortal*
• https://uk.virginmoney.com/virgin/service/credit-card/*
• https://welcome10.co-operativebankonline.co.uk/*security?*
• https://welcome23.smile.co.uk/SmileWeb/*
• https://welcome23.smile.co.uk/SmileWeb/passcode.do
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/*
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/passcode.do
• https://www.365online.com/servlet/Dispatcher/*
• https://www.365online.com/servlet/Dispatcher/login.htm
• https://www.365online.com/servlet/Dispatcher/login2.htm
• https://www.365online.com/servlet/Dispatcher/validate.htm
• https://www.accessmycardonline.com/RBS_Consumer/*
• https://www.bankcardservices.co.uk/NASApp/NetAccessXX/*
• https://www.bankcardservices.co.uk/NASApp/NetAccessXX/AccountSnapshotScreen?acctID*
• https://www.bankline.coutts.com/CWSLogon/*
• https://www.bankline.coutts.com/CWSLogon/4P/CheckId.do
• https://www.bankline.coutts.com/CWSLogon/4P/CheckPPPP.do
• https://www.bankline.rbs.com/CWSLogon/4P/CheckId.do*
• https://www.bankline.rbs.com/CWSLogon/logon.do*
• https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsNotStored
• https://www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginSigning
• https://www.capitaloneonline.co.uk/*
• https://www.cardonebanking.com/auth*
• https://www.caterallenonline.co.uk/WebAccess.dll
• https://www.citibank.co.uk/*/portal/Index*
• https://www.citibank.co.uk/*/signon/uname/HomePage*
• https://www.edirectdebit.com/administration/client/logon.aspx
• https://www.hsbc.co.uk/1/2/*
• https://www.hsbc.co.uk/1/2/personal/internet-banking;*
• https://www.icicibank.co.uk/UKRET/BANKAWAY*
• https://www.moneybookers.com/app/my_account.pl
• https://www.mybusinessbank.co.uk/cs70_banking/*
• https://www.mybusinessbank.co.uk/cs70_banking/logon*
• https://www.mybusinessbank.co.uk/cs70_banking/logon/challenge/submit
• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/enrollPassword
• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/password
• https://www.mybusinessbank.co.uk/cs70_banking/logon/logon/pmPassword
• https://www.mybusinessbank.co.uk/cs70_banking/logon/sbuser/getPassword
• https://www.nochex.com/*
• https://www.paypal.com/*/cgi-bin/webscr?cmd=*_account*
• https://www.paypal.com/*/cgi-bin/webscr?cmd=_account*
• https://www.paypal.com/*/cgi-bin/webscr?cmd=_login-done*
• https://www.paypal.com/*/webscr?cmd=_login-done*
• https://your.egg.com/customer/personaldetails/yourinformation.aspx
• https://your.egg.com/customer/yourmoney.aspx

スパイウェアは、以下の銀行もしくは金融機関で利用される個人情報を収集します。

• Alliance & Leicester
• BAWAG
• Bank of Ireland - 365 Online
• Bank of Scotland
• Barclays
• Cahoot
• Capital One
• Cater Allen
• Citibank
• Clydesdale
• Co-Operativebank
• Commerzbank
• Coutts Bankline
• Coventry Building Society
• Ebay
• Egg
• Fiducia
• First Direct
• First Trust Bank
• HSBC
• Halifax
• ICICI Bank
• ING Direct
• Intelligent Finance
• Islamic Bank
• Kreis-Sparkasse Northeim
• Kreissparkasse Gross-Gerau
• Kreissparkasse Ludwigsburg
• Kreissparkasse München Starnberg
• Kreissparkasse Rhein-Hunsrück
• Kreissparkasse Wiedenbrück
• Lloyds
• Moneybookers
• Nassauische Sparkasse
• NatWest Stockbrokers
• Nationwide
• Nochex
• Northern Bank
• Norwich and Peterborough Building Society
• OSPM
• PayPal
• RBS
• Reliance Bank
• Santander
• Smile
• Sparkasse
• Sparkasse Langen-Seligenstadt
• Stadtsparkasse München
• Tesco Bank
• Tuxedo Money Solutions
• Ulster Bank
• Virgin Money
• Yahoo
• Yorkshire
• eDirectDebit

情報収集

スパイウェアは、HTTPポスト を介して、収集した情報を以下のURLに送信します。

• http://{BLOCKED}ead.co.cc/admin/Admin/Setup_files/base.php

ハッシュ値情報

スパイウェアは、以下のMD5ハッシュ値を含んでいます。

• 4969c6682734abeee3c46f35e5e186ba

スパイウェアは、以下のSHA1ハッシュ値を含んでいます

• 4665034127a674d8ec438133951fb695d83ff697

---

  対応方法

ご利用はいかがでしたか？　アンケートにご協力ください