As you may recall, last October we updated MSRT to include the well-known malware Zbot (aka Zeus), one of the more prolific bots we see in the wild today. Today, we released a special-edition Security Intelligence Report, entitled “Battling the Zbot Threat,” that documents the background, functionality, prevalence, and geographical distribution of Zbot malware. The paper also shows how Microsoft has had a measurable effect on the Zbot ecosystem since broadening its attack efforts to include the Malicious Software Removal Tool (MSRT) in October 2010.
As always, we continue to update MSRT with the results of ongoing research by the MMPC, all the while improving our detections. This is necessary because, as with most malware, Zbot itself is continually evolving: in the last year or so it has undergone many changes, including ‘updates’ to its file-based obfuscation, anti-AV defensive techniques, information-stealing capabilities, configuration-file protection, API hooking, pseudo-random domain generation, process injection and file infection. We won’t go into the details of many of these here, but we can show the telemetry we’ve gathered from MSRT and Microsoft Security Essentials over the last four months, documenting the percentage of Zbot detections that exhibit these new features, shown as Zbot 2.x in the chart below: