By: Clinton Karr

Zscaler Research Flips the Script on VBScript Bot

I've worked with a lot of well-known and respected information security companies during the past decade, but Zscaler continues to impress me with the quality of its security research. Today, I wanted to highlight a recent Zscaler ThreatLabZ research blog post, focused on analyzing a VBScript bot.

You can check the link for all of the delicious technical details, but there are a few points here I wanted to highlight:

  • At the time of analysis only 14 out of 50 anti-virus vendors could detect this threat;
  • This is largely because this threat obfuscates (or hides) its code inside an encrypted extension;
  • This threat also establishes "persistence" by copying itself into the Windows startup folder, a registry entry to run at system startup, a copy in the Windows temporary folder, and finally a connection with its command and control server;
  • Once this persistence is established, the command and control server can execute commands to send updates, exfiltrate data and ultimately to uninstall the traces of the malware.

This malware can obtain drive names and types, the contents of a directory, the processes running on the machine and ultimately, it can even execute all DOS commands on the infected machine.

The good news, is that the command and control server appears to be offline; however, this sort of malware serves as both a warning and a reminder about this new breed of advanced threats that can evade detection and establish persistence to inflict long-term damage.

Be sure to stay tuned to research.zscaler.com for the latest security research from Zscaler.

Learn more about Zscaler.