Microsoft today announced that they have added the Win32/Zemot family to the Malicious Software Removal Tool. The Win32/Zemot family of trojan downloaders is used by malware such as Win32/Rovnix, Win32/Viknok, and Win32/Tesch to deliver a number of different payloads. Zemot is usually distributed through the spambot malware Win32/Kuluoz and through the Magnitude and Nuclear exploit kits. You can see the infection chain above.
We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014.

By taking into account both the machine count and the file count telemetry, we can see that a single copy of Zemot is often mass distributed via the payload URLs (the download URLs used by Win32/Kuluoz and the payload URLs used by the exploit kits).

Some other notable characteristics of the Zemot family include:
- They use several techniques to make sure the downloaded module will run successfully on all Windows platforms.
- Each successful download is saved with a unique file name to allow for multiple infections.
- Major variants differ in their static configuration format and in the file name format used for downloads (for example: java_update_<random>.exe, updateflashplayer_<random>.exe).
- Modules such as getting the OS version, user privilege, URL parsing and the downloading routine are taken from the Zbot source code.
- Variants can be bundled with other malware (one trojan downloader can distribute multiple malware payloads).
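The naming characteristics above (a unique file name per download, following templates such as java_update_<random>.exe) give defenders a simple telemetry check: flag file-creation events whose name matches those templates, then group the hits by file hash so that one binary appearing under many names across many machines stands out. The following is an added example, not code from Microsoft or from the original post; the event list and hash values are constructed placeholders, and the assumption that the <random> part is alphanumeric is mine.

```python
import re
from collections import defaultdict

# Constructed sample file-create events (not real telemetry).
# Each entry: (host, path, file hash). Hash values are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Users\alice\AppData\Local\Temp\java_update_4f2a9c.exe", "PLACEHOLDER_HASH_A"),
    ("ws02", r"C:\Users\bob\AppData\Local\Temp\java_update_b71e03.exe", "PLACEHOLDER_HASH_A"),
    ("ws03", r"C:\Users\carol\AppData\Local\Temp\updateflashplayer_9d0c5e.exe", "PLACEHOLDER_HASH_A"),
    ("ws01", r"C:\Users\alice\AppData\Local\Temp\updateflashplayer_c0ffee.exe", "PLACEHOLDER_HASH_B"),
    ("ws04", r"C:\Program Files\Java\jre8\bin\java.exe", "PLACEHOLDER_HASH_JAVA"),
    ("ws05", r"C:\Users\dave\Downloads\report.pdf", "PLACEHOLDER_HASH_PDF"),
]

# File name templates named on the page for Zemot's downloaded payloads.
# Assumption: the <random> part is alphanumeric; real samples may differ.
ZEMOT_NAME_PATTERNS = [
    re.compile(r"^java_update_[A-Za-z0-9]+\.exe$", re.IGNORECASE),
    re.compile(r"^updateflashplayer_[A-Za-z0-9]+\.exe$", re.IGNORECASE),
]


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def matches_zemot_naming(path):
    """True if the file name follows one of the Zemot download templates."""
    name = basename(path)
    return any(p.match(name) for p in ZEMOT_NAME_PATTERNS)


def flag_events(events):
    """Keep only the events whose file name matches a Zemot template."""
    return [e for e in events if matches_zemot_naming(e[1])]


def group_by_hash(flagged):
    """Map hash -> sorted (host, file name) pairs so one-binary-many-names is visible."""
    groups = defaultdict(list)
    for host, path, digest in flagged:
        groups[digest].append((host, basename(path)))
    return {h: sorted(v) for h, v in groups.items()}


def summarize(events):
    """Counts plus the hashes seen under more than one distinct file name.

    A hash appearing under several names is the telemetry signal the page describes:
    a single copy of the downloader or payload being mass distributed under unique names.
    """
    flagged = flag_events(events)
    groups = group_by_hash(flagged)
    multi_name = [h for h, names in groups.items() if len({n for _, n in names}) > 1]
    return {
        "flagged": len(flagged),
        "hashes": len(groups),
        "multi_name_hashes": sorted(multi_name),
    }


if __name__ == "__main__":
    for digest, hits in group_by_hash(flag_events(SAMPLE_EVENTS)).items():
        print(digest, hits)
    print(summarize(SAMPLE_EVENTS))
```

On the constructed sample, four events are flagged, two distinct hashes survive, and only PLACEHOLDER_HASH_A is reported as multi-name, since the same hash was written under three different names on three hosts. Legitimate binaries such as java.exe do not match the templates, which is the point of matching on the template rather than on the word "java".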
Read more from the link below.
Source: Microsoft