New Microsoft Data Shows Zbot Decline

Microsoft cleaned up close to a half-million machines infected with the Zbot botnet the month detection for the malware was added to the software giant's Malicious Software Removal Tool (MSRT).

The Win32/Zbot is a family of password-stealing Trojans that typically targets online banking credentials, stealing everything from website certificates to browser cookies; it's based on the Zeus malware kit. Last October, Microsoft added Win32/Zbot detection for 500 variants of the malware to its MSRT, and some 444,292 computers were found that month to be infected with the Trojan, according to new data released today from Microsoft. Around 34 percent of the Win32/Zbot variants were using older versions, according to newly released data from Microsoft.

And while Win32/Zbot infections among enterprises using Microsoft's Forefront Endpoint Protection and Threat Management Gateway in September hit a high of 134 percent of the monthly average number of detections for 2010, once MSRT began scanning for Zbot, the number of infections found by Microsoft's enterprise tools declined by about 46 percent.

One unexplained trend: In both August and October 2010, Win32/Zbot Hotmail detections jumped. "It is unclear what prompted botnet operators to greatly increase email distribution of the Win32/Zbot malware," according to Microsoft's new white paper, "SIR: Special Edition -- Battling the Zbot Threat."

The Trojan was most prevalent in Spain, where one out of every 100 computers running Microsoft Security Essentials had at least one Win32/Zbot attack attempt.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.