The Security Intelligence Report team at Microsoft released a new special edition report called “Battling the ZBot Threat.”
Win32/Zbot is a family of password-stealing trojans that contain backdoor functionality, which allows attackers to control infected computers remotely through illicit networks called botnets. The Win32/Zbot family warranted a close examination because of evidence that its presence on the World Wide Web was increasing. This family of botnets first drew attention in the press and media when Win32/Zbot was detected in mid-2007 attacking the U.S. Department of Transportation.
The botnet world is divided between bot families that are closely controlled by independent groups of attackers and those that are created through malware kits. These kits are collections of tools, sold and shared within the malware underground, that enable aspiring botnet operators, or bot-herders, to assemble their own botnets by creating and spreading malware variants. For more detailed information on botnets, see the Featured Intelligence story in Volume 9 of the Microsoft Security Intelligence Report.
Win32/Zbot is a kit-based family; its variants are built using a malware kit called Zeus. Although security professionals and news accounts often make reference to “the Zeus botnet,” it’s important to realize that computers infected with Win32/Zbot do not all belong to a single large botnet, but instead to many smaller botnets, each independently controlled by its own bot-herder.