The Zbot botnet continues to raise its ugly head, according to recent research from Zscaler ThreatLabZ. Check out the ThreatLabZ blog post for the full technical analysis. The ultimate goal of Zbot is to harness infected machines to send ad traffic, at times more than 2 Mbps, fraudulently earning ad revenue for the botnet owner.
Zbot maintains persistence by deleting itself once it is run, in order to hinder detection efforts. Next, Zbot establishes a Security Task in Winows, so that even if it is removed it will be reinstalled upon reboot. Finally, Zbot disables key Windows processes, including Safe Boot, to make remediation more difficult.
Once Zbot has established persistence, it communicates with its command and control server (C&C), periodically receiving GET requests to ensure the infected machine is still online. This traffic presents the best avenue for detection. Users may notice a slowdown of Internet traffic and network administrators can monitor for anomalious traffic patterns.
While Zbot may be difficult to detect and remediate on an end user's machine, the fact that it sends as much as 2 Mbps of traffic from an infected machine makes it easier to identify from a networking perspective. Information security neither begins nor ends with the end user nor with networking, but rather the sum of its parts. To adequately protect against these threats, information security and networking teams must be aligned to obtain a comprehensive view of enterprise network traffic.