ZBot variant masked as settings file for MS Outlook

Published by: MX Lab

MX Lab was tipped off by Alan Dougherty of Synergistix about a new 0-day email-borne virus. Thanks for sharing this with us. MX Lab intercepted only one sample of the email, which gave us the chance to investigate it.

The email comes from suport@****.com, where **** stands for the domain used in the recipient's email address. This makes the receiver think the message comes from the support department of their own company. If you don’t have a support department, it should be clear that the address is spoofed and that the email must be treated as suspicious. If you do have a support department, don’t accept that they would send you instructions to install and run executables.

Possible subjects are:

A new settings file for the andre@****.com mailbox
The settings for the andre@****.com mailbox

The body of the email:

Dear user of the beweb.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (andre@b****.com) settings were changed. In order to apply the new set of settings click on the following link:

hxxp://b****.com/owa/service_directory/settings.php?email=andre@b****.com=b****.com=andre

Best regards, beweb.com Technical Support.

The malware is not attached to the email; instead, the included link takes you to a web site where you are asked to download the .exe file and apply the new settings. The malware is detected as Trojan-Spy.Win32.Zbot.gen (F-Secure), Mal/Zbot-R (Sophos) or PWS:Win32/Zbot.gen!R (Microsoft). The file itself is about 92 kB in size and is named settings-file.exe.

Regarding ZBot: it is a trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and provides a hacker with remote access to the compromised system.

The trojan creates the file %System%\sdra64.exe and the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds inside a hidden directory %System%\lowsec. New memory pages were created in the address space of the system processes services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe.

Several registry settings are modified, and the trojan may connect to a remote host at IP 195.93.208.106 on port 80. The URLs requested are hxxp://195.93.208.106/livs/rec.php, hxxp://195.93.208.106/lcc/ip1.gif and hxxp://195.93.208.106/ip.php.

The sample from Alan Dougherty used the domain oikkkkuy.co.uk, and our sample contained bertdffm.co.uk. Both domains were registered today by the same licensee and are already offline. These are so-called fast-flux domains.

With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux domains use a large number of servers and a fast-changing domain A record to turn shutdown attempts into a game.
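
The file and network indicators listed above can be turned into a small triage check. This is an added example, not MX Lab's own tooling: the function names, the C:\WINDOWS\system32 default for %System%, and the sample inputs are assumptions, and the sample data is constructed.

```python
import ntpath
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
C2_IP = "195.93.208.106"
C2_PATHS = {"/livs/rec.php", "/lcc/ip1.gif", "/ip.php"}
LURE_DOMAINS = ("oikkkkuy.co.uk", "bertdffm.co.uk")
# Artifacts relative to %System%.
FILE_IOCS = {r"sdra64.exe", r"lowsec", r"lowsec\local.ds", r"lowsec\user.ds"}


def network_hits(urls):
    """Return (url, reason) for each URL that touches a listed host or domain."""
    hits = []
    for url in urls:
        # Accept defanged input (hxxp://) as well as plain URLs.
        parts = urlsplit(url.replace("hxxp", "http", 1))
        host = (parts.hostname or "").lower().rstrip(".")
        if host == C2_IP:
            reason = "c2-path" if parts.path in C2_PATHS else "c2-host"
            hits.append((url, reason))
        elif any(host == d or host.endswith("." + d) for d in LURE_DOMAINS):
            # Match the domain and its subdomains, not look-alike suffixes.
            hits.append((url, "lure-domain"))
    return hits


def file_hits(paths, system_dir=r"C:\WINDOWS\system32"):
    """Return paths equal to a listed artifact under the system directory.

    Windows paths are case-insensitive, so both sides are normalised first.
    """
    base = ntpath.normcase(ntpath.normpath(system_dir))
    wanted = {ntpath.join(base, ntpath.normcase(rel)) for rel in FILE_IOCS}
    return [p for p in paths if ntpath.normcase(ntpath.normpath(p)) in wanted]


if __name__ == "__main__":
    # Constructed sample data: URLs from a proxy log and a file listing.
    urls = ["hxxp://195.93.208.106/livs/rec.php", "http://example.org/ip.php"]
    files = [r"c:\windows\SYSTEM32\SDRA64.EXE", r"C:\Users\a\sdra64.exe"]
    for url, reason in network_hits(urls):
        print("network:", reason, url)
    for path in file_hits(files):
        print("file:", path)
```

Because the two domains are fast-flux and already offline, a sweep for the file artifacts remains useful after the network indicators stop resolving.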
