Banking malware at its best: A detailed look at a new Zeus/Wsnpoem (Zbot) variant

I can’t believe that we haven’t blogged about Zeus/Wsnpoem, as it is one of the more common trojans that targets media and social networking websites especially financial institutions worldwide since more than 3 years now. However we are seeing the technology improving throughout this period. It steals user private and confidential information (form grabber), can inject arbitrary HTML code into any website (also encrypted websites), can steal certificates and will take screenshots to defeat virtual keyboards especially those virtual keyboards commonly used by financial institutions still today.

In addition to its business features, Zeus/Wsnpoem continues to be enhanced and is  one of the most advanced trojans from a technical point of view as well. The most important reasons are:

  • incredibly hard to detect once a system is infected (see below)
  • easy to use backend system provided
  • easy to configure by simple (but encrypted) configuration files.

So let’s have a detailed look what this trojan is doing.


Quite often, and simply a Zeus trojan is delivered via a Spam email (e.g. UPS Invoice) and once the dropper is executed, it will inject its self into key windows components. This means that the trojan will not be visible at all (e.g. in task manager), and all internet communication is performed by the “authentic” processes. This way the trojan can invade any firewall as well.

It will install its self (ntos.exe) into the Registry (HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserInit to make sure it will be started every time Windows starts. The initial ntos.exe process will inject its self into winlogon.exe (a core windows process) and will spread from there into every single process. The files on the harddrive are protected with rootkit features so they are not visible in the Windows Explorer. Altogether, it’s incredibly hard even for security professionals to detect whether the system is compromized!!!

A very detailed, very technical and very interesting study of one of the early variants of this trojan by Lance James and Michael Ligh can be found here: Even though this study is from 2006, most of the technical details are still valid and the paper is still current. As you would expect though, we have seen quite a bit of technical improvement.

Technical Details

The sample we looked at was MD5=8f5668c69fb4924ba15313dcf87f4d42 and according to Virustotal only 5 out of 38 detect this dropper. ( Unfortunately we see this with almost all sophisticated trojans. The detection for new threats is way too low.

As discussed before, the trojan is neither visible as a user process nor as a system driver


The only way to detect this trojan is to look at hooked system functions:


Our sample targeted 279 financial institutions, including 36 financial institutions in Australia (First, econd and third tier), including 3 of the four major Australian suppliers of banking backend services to mostly second and third tier financial institutions.

For a full list, please contact us at

A normal user will not notice anything suspicious when he is doing an internet banking session. The trojan will do all its work in the background and our sample was very well written and we did not experience a single crash and could not notice any slowdown of the system at all! The Trojan would then send the captured information to the C&C server where this information is typically onsold. So the fraudsters who compromize the accounts are in most cases not identical with the fraudsters who steal your money! A fact that make life for Law Enforcement around the world very tricky.

How TrustDefender protects the user

TrustDefender will ‘detect’ and ‘successfully protect’ the user from any known Zeus/wsnpoem/zbot infection as TrustDefender will detect the system file hooking and with its secure lockdown it will isolate any potential malicious code (include the hooked code). If implemented by the financial institution, TrustDefender enables the financial institution to notify and provide feedback to the user within the login page based on the security health of the user’s computer and within a web2.0 environment…..most importantly before the customer puts in his or her confidential details i.e. ID, Password, 2nd factor security code.


If you opt to view the details, you can see that TrustDefender will detect the system hooks as part of its forensics engine


However the most important part is not the details, the most important part is that ‘all TrustDefender users and those customers of financial institutions deploying TrustDefender are protected by default and by design’ – straight out of the box! No need to do anything. Let TrustDefender do the hard part.

However as always: Even though TrustDefender protects you from the attack, we believe in defence in depth and we recommend cleaning an infected system as soon as possible.

Are you infected? Removal

As the Trojan is almost impossible to detect from its files, the best way to see whether you are infected is to check the registry key HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserInit. Make sure that there is no ntos.exe in here. It it is, you are infected!!!

A complete removal is quite tricky as the files are rootkit-protected and cannot be easily deleted. However you can disable the trojan by removing the ntos.exe part (just that part!) in the above mentioned registry key. After a restart, the trojan will not be active. However the malicious files (protected by the rootkit) are still on the computer. In addition, the above mentioned study provides removal instructions in chapter 16.

Furthermore you can contact us at TrustDefender for more detailed information at

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>