Zbot is the kind of malware you really don’t want to see on anyone’s computer, stealing banking passwords and financial information.

We’ve been seeing more reports and ThreatFire preventions of the malware delivered along with a somewhat common email-based social engineering scheme. The Zbot variant is attached to an official sounding warning from the worldwide delivery group UPS. The file currently in circulation has a name somewhat like “Exl6512721.ZIP”, and the contents of the email looks something like this text:

“Sorry, we were not able to deliver postal package you sent on November the 25th in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS Support Team “

The Zbot variant attempts to steal banking information and passwords from unsuspecting users, and this one sends the information off to a waiting server in russia. Fortunately, at this time, the servers are down.
You can see here that ThreatExpert now decodes the config files delivered with this nastiness. The post includes a list of financial institutions commonly being targeted.

As always, exercise caution when opening unusual emails and especially when opening attachments.

This entry was posted on Thursday, December 18th, 2008 at 9:54 am and is filed under Password stealing, Social Engineering, Spyware, ZBot, cybercrime. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.