Monday, December 8, 2008

Escort Agency Serves Naughty Trojan

ThreatFire team has busted another "in-the-wild" ZBot trojan.

An interesting detail this time is that the trojan is currently hosted on the server with the IP - this is the web server of "London Escorts & Escort Agencies", and its domain name is

When run, the trojan downloads an encrypted configuration file from The config file instructs the bot to update itself right from the escort site mentioned above.

The trojan attempts to deactivate a number of AV products and firewalls by deleting their registry keys, terminating their processes and modifying the hosts file.
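The hosts-file trick described above is easy to check for from the defender's side: any entry that maps a security vendor's update or signature domain to loopback, 0.0.0.0 or an unexpected address is a red flag. The following scanner is an added example, not code from the original post or from ThreatFire; the vendor watch-list and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that sinkhole or redirect security-vendor domains."""
import ipaddress

# Constructed watch-list of domains security products must be able to reach;
# in practice, populate it from the products actually deployed.
SECURITY_DOMAINS = {
    "liveupdate.symantec.com",
    "update.nai.com",
    "download.mcafee.com",
    "kaspersky.com",
    "windowsupdate.microsoft.com",
}

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank lines and aliases handled."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name

def suspicious_entries(hosts_text, watched=SECURITY_DOMAINS):
    """Return (hostname, ip, kind) for every watched domain (or subdomain) in the file.

    Loopback/unspecified targets are reported as 'sinkhole' (updates silently fail);
    any other address is a 'redirect' to a server the vendor does not control.
    """
    findings = []
    for ip, name in parse_hosts(hosts_text):
        host = name.lower().rstrip(".")
        if not any(host == d or host.endswith("." + d) for d in watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((host, ip, "unparsable address"))
            continue
        kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append((host, ip, kind))
    return findings

# Constructed sample resembling a tampered Windows hosts file (192.0.2.0/24 is TEST-NET).
SAMPLE_HOSTS = """127.0.0.1   localhost
127.0.0.1   liveupdate.symantec.com update.nai.com   # sinkholed by the trojan
0.0.0.0     www.kaspersky.com
192.0.2.10  download.mcafee.com                      # redirected to a foreign host
127.0.0.1   intranet.example.test                    # unrelated, must be ignored
"""

if __name__ == "__main__":
    for host, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:9} {host} -> {ip}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) and feed its contents to `suspicious_entries`.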

ZBot attempts to steal the contents of online banking forms for the following banks:

  • Bank of America

  • CheBanca!

  • Banca Mediolanum

The targeted banking sites can be seen in its memory contents:

Full ThreatExpert report is available here.