Archive for the ‘ZBot’ Category

Who Fell for the Facebook Password Reset Scam Yesterday?

Wednesday, October 28th, 2009

Unfortunately, a lot of people didn’t realize that the email and attachment we posted yesterday was not really from “The Facebook Team”. ThreatFire users were protected from the Bredolab downloader and its Zbot payload, and it’s a good thing too. Here is some information on who fell for it by country:

[Image: Facebook_pass (chart of protected systems by country)]

The bulk of the protected systems were in the U.S., where the number of Facebook users is higher than anywhere else. Below is a non-exhaustive list of banks that the group has targeted with Zbot payloads served from the IP address that the Bredolab downloaders pulled from. Surprisingly, the cybercrime group decided to mess with U.S. military members at usaa.com:

https://businessonline.huntington .com
https://business-eb.ibanking-services .com
https://securentrycorp.nbarizona .com
https://treas-mgt.frostbank .com
https://www8.comerica .com
https://cashmgt.firsttennessee .biz
https://www.usaa .com
https://*netspend .com
https://www.mybank.alliance-leicester.co .uk
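The list above is defanged (a space before the TLD) and one entry is a Zbot-style host mask with a wildcard. As an added example that is not part of the original post, here is a small Python script that re-fangs those entries into a watchlist and checks hostnames from a web proxy log against it, so a defender can see whether any machine visited a targeted bank. The proxy hostnames are constructed samples; the matching logic treats "*" the way a Zbot URL mask does (any run of characters), which is an assumption about the mask semantics, not something the post states.

```python
import re

# The targeted-bank entries exactly as the post lists them (defanged with " .").
TARGETED_BANKS = [
    "https://businessonline.huntington .com",
    "https://business-eb.ibanking-services .com",
    "https://securentrycorp.nbarizona .com",
    "https://treas-mgt.frostbank .com",
    "https://www8.comerica .com",
    "https://cashmgt.firsttennessee .biz",
    "https://www.usaa .com",
    "https://*netspend .com",
    "https://www.mybank.alliance-leicester.co .uk",
]


def refang_host(entry: str) -> str:
    """Turn 'https://www.usaa .com' into 'www.usaa.com' (host part only, lower-cased)."""
    host = entry.split("://", 1)[1]   # drop the scheme
    host = host.split("/", 1)[0]      # drop any path
    return host.replace(" .", ".").lower()


def host_matcher(mask: str) -> re.Pattern:
    """Compile a host mask where '*' matches any run of characters (assumed mask semantics).

    Note that '*netspend.com' therefore also matches 'evilnetspend.com'; a stricter
    watchlist would anchor on a dot boundary, but this mirrors how the mask is written.
    """
    regex = "^" + ".*".join(re.escape(part) for part in mask.split("*")) + "$"
    return re.compile(regex)


# (refanged name, compiled matcher) pairs built once at import time.
WATCHLIST = [(refang_host(e), host_matcher(refang_host(e))) for e in TARGETED_BANKS]


def matching_entries(host: str) -> list[str]:
    """Return the watchlist entries that match this hostname (case-insensitive)."""
    host = host.lower()
    return [name for name, rx in WATCHLIST if rx.match(host)]


# Constructed proxy-log hostnames (not real traffic): three hits, two non-hits.
SAMPLE_HOSTS = [
    "www.usaa.com",
    "secure.netspend.com",
    "www.example.com",
    "WWW8.COMERICA.COM",
    "usaa.com.evil.example",   # look-alike host that must NOT match the exact entry
]


def scan_hosts(hosts: list[str]) -> dict[str, list[str]]:
    """Map each hostname that hit the watchlist to the entries it matched."""
    result = {}
    for h in hosts:
        hits = matching_entries(h)
        if hits:
            result[h] = hits
    return result


if __name__ == "__main__":
    for host, entries in scan_hosts(SAMPLE_HOSTS).items():
        print(f"{host} matched {entries}")
```

A hit from a machine that also triggered the Bredolab download is the interesting combination; on its own, a visit to a bank site is of course normal traffic.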

Facebook Password Reset Confirmation Spam — Bredolab, Zbot, Adware

Tuesday, October 27th, 2009

Another cybercriminal group is abusing the face of Facebook in another malware spam blast, fooling users to install banking password stealing malware and adware on their systems.

The message of the email claims to arrive from “The Facebook Team”, but in fact, the spam is spoofed and not from the team at all:

“Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team”

The real Facebook Team maintains threat-related information, “what-to-do-if” information, and security-related stuff here.

The emails carry an attachment that may have various names. Here are some of the attachment names that, when unzipped and run, ThreatFire has protected its community against in the past day:

Facebook_Password_e9081.zip
FACEBOOK_PASSWORD_52132.ZIP
Facebook_Password_6dd19.zip
Facebook_Password_4cf91.zip
FACEBOOK_PASSWORD_50573-1.ZIP
Facebook_Password_c92dd.zip
FACEBOOK_PASSWORD_7A343.zip
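The attachment names above all follow one pattern: "Facebook_Password_", five hex characters, an optional "-1"-style suffix, and ".zip", in mixed case. As an added example that is not code from the original post, here is a Python scanner that applies that pattern to mail-gateway log lines. The log format ("timestamp from= subject= attachment=") and the log lines themselves are constructed for the example and do not represent any real product's output.

```python
import re
from dataclasses import dataclass

# Filename pattern derived from the names listed in the post:
# Facebook_Password_<5 hex chars>[-<n>].zip, case-insensitive because the spam used both cases.
ATTACHMENT_RE = re.compile(r"^facebook_password_[0-9a-f]{5}(?:-\d+)?\.zip$", re.IGNORECASE)

# Constructed sample lines in a made-up, simplified gateway log format.
SAMPLE_LOG = """\
2009-10-27T08:12:03Z from=noreply@facebook-team.example subject="New password" attachment=Facebook_Password_e9081.zip
2009-10-27T08:12:09Z from=alice@example.org subject="Q3 numbers" attachment=report_q3.xlsx
2009-10-27T08:13:41Z from=support@facebook-mail.example subject="Facebook Password Reset Confirmation" attachment=FACEBOOK_PASSWORD_50573-1.ZIP
2009-10-27T08:14:00Z from=bob@example.org subject="photos" attachment=facebook_password.zip
2009-10-27T08:15:22Z from=noreply@facebook-team.example subject="New password" attachment=Facebook_Password_c92dd.zip
"""

# Parser for the constructed log format above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)" attachment=(?P<attachment>\S+)$'
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    sender: str
    attachment: str


def is_suspicious_attachment(name: str) -> bool:
    """True when the filename follows the Facebook_Password_<hex5>[-n].zip pattern."""
    return ATTACHMENT_RE.match(name) is not None


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per log line whose attachment name matches the pattern."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        if is_suspicious_attachment(m["attachment"]):
            hits.append(Hit(m["ts"], m["sender"], m["attachment"]))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} {h.sender} -> {h.attachment}")
```

Note that the plain "facebook_password.zip" line is deliberately not flagged: the pattern keys on the five-character hex tag the spam run used, which keeps the rule narrow. A gateway rule built from this would normally be paired with a second signal, such as the spoofed "Facebook Team" sender, rather than relied on alone.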

So what is being sent out? Unfortunately, the AV vendors that are starting to detect this variant do not always identify what they are detecting accurately (lucky that they are detecting it at all!). But in the end, the zipped attachment contains an armored downloader. Some of the spammed downloader executables drop multiple variants of multiple families. Adware, spyware, spambots, why not all of them? They are all money makers for this malware distribution group.

The malware package, in some cases, includes the highly active and highly malicious Zbot family. It seems that the Bredolab protector and dropper/downloader, which is in active development, has proven effective enough against AV scanner detections that the crimeware groups are re-wrapping their Zbot malware with it. Also interesting is that these two families of malware have recently been distributed by groups that implement methods to remove the other bot from victim systems. It’s been described as another “War of the Bots”, Bredolab v. Zbot. Clearly, this active cybercrime group is a separate one with different aims and no internal wars.

Koobface, Bredolab, and Zbot-distributing cybercrime groups all spoof Facebook and other highly popular social networking sites to deliver their malware to victim systems. Avoid the confusion and install a behavioral based layer of protection like ThreatFire that reliably and effectively prevents Bredolab, Zbot, and other highly dangerous malware families. Surf where you want, PC Tools Facebook group here.

Zbot Targets Major Banks Across the World

Tuesday, October 6th, 2009

At Virus Bulletin, we presented on some of the nastiest families of 2009, and Zbot was one of them. Early Sunday morning was the first time the ThreatFire community started seeing a newer variant of the banking password stealing family “Zbot” in fairly high prevalence, served from a system hosted in Sweden (83.140.191.170). This variant is interesting in that it indiscriminately targets banks all over the world: the U.S., Germany, Italy, Spain, Russia, England, Ireland, etc. (the ThreatExpert report lists the banking sites here), but the users being attacked appear to be concentrated within the U.S. for now.

As always, be sure to update third party plugins (like flash players and pdf readers) in addition to your system software and add a behavioral layer of protection like ThreatFire.