New variant of the Zbot trojan spreading in the wild

Mar 3, 2009 10:14 GMT  ·  By
New Zbot trojan variant propagates through fake UPS delivery failure notification e-mails

Malware analysts from the e-mail security vendor MX Lab warn about a new version of the Zbot banking information-stealing trojan, which is being distributed as an attachment to fake UPS delivery failure notification e-mails.

The Zbot trojan, also known as Infostealer, is a rootkit-enabled malicious application with a dangerous payload. It is aimed at stealing financial data such as credit card information and online banking login credentials.

In addition, it disables the Windows firewall and gives an attacker remote access to the infected system. It is also able to take screenshots of the desktop on the victim computer and upload them to a remote location, as well as download and install more malware.

The Zbot family of trojans comprises numerous variants, which are distributed through various means. The latest version reported by MX Lab propagates through fake e-mails; however, we recently reported another incident in which a Zbot installer was served for download from the compromised website of Paris Hilton.

The fake UPS delivery notification e-mail used to distribute this latest variant of the trojan is, unlike the usual spam, not poorly spelled, and has its "From" field spoofed to [email protected]. It reads:

Hello!

Sorry, we were not able to deliver postal package you sent on February the 23th in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.

Your UPS Support Team  

The malicious .exe installer is packed into a .zip archive attached to the e-mail. The archive is called Invoice_8612112.zip, but the researchers warn that "Names and numbers may vary." Once run, the trojan contacts an IP address located in Ukraine and issues HTTP GET requests for the /ejik/admin.bin and /ejik/hot.php files hosted there.
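The two observable stages described above (a .zip attachment carrying a Windows executable, then GET requests for the /ejik/ paths) map directly onto two checks a mail gateway or SOC analyst can run. The following is an added example written for this article, not MX Lab's code: it inspects a zip attachment for executables by their "MZ" file header rather than by file name, and scans web-proxy log lines for requests to the two URI paths named in the article. The sample archive, the member file names, the log lines, and the 203.0.113.7 address are all constructed placeholders; the article does not give the real IP, only that it is in Ukraine.

```python
"""Added example (not from the article or MX Lab): attachment and proxy-log
checks for the Zbot infection chain described above."""
import io
import re
import zipfile

# Indicators taken from the article. Everything else in this file is constructed.
ZBOT_URI_PATHS = ("/ejik/admin.bin", "/ejik/hot.php")


def find_executables_in_zip(zip_bytes: bytes) -> list:
    """Return names of archive members whose first two bytes are the 'MZ'
    magic of a Windows PE/DOS executable, regardless of their extension.
    Checking the header catches renamed droppers such as invoice.pdf.exe."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    hits.append(info.filename)
    return hits


# Squid-style access log: "<ts> <elapsed> <client> <code> <bytes> <method> <url> ..."
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def find_zbot_beacons(log_lines) -> list:
    """Return (client, method, url) for every request whose URI path matches
    one of the Zbot paths. Any method is flagged: the article reports GETs,
    but a POST to the same path is just as suspicious."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        path = re.sub(r"^[a-z]+://[^/]+", "", url).split("?", 1)[0]
        if path in ZBOT_URI_PATHS:
            hits.append((m.group("client"), m.group("method"), url))
    return hits


def build_sample_zip() -> bytes:
    """Construct an archive resembling Invoice_8612112.zip: a fake PE with a
    misleading double extension plus a harmless text file (constructed names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_8612112.pdf.exe", b"MZ" + b"\x90" * 62)  # PE-looking dropper
        zf.writestr("readme.txt", b"Please print out the invoice copy attached")
    return buf.getvalue()


# Constructed log lines; 203.0.113.7 is a documentation-range placeholder for the C2 host.
SAMPLE_LOG = [
    "1236074400.101 12 10.0.0.5 TCP_MISS/200 5120 GET http://203.0.113.7/ejik/admin.bin - DIRECT/203.0.113.7 application/octet-stream",
    "1236074401.202 8 10.0.0.5 TCP_MISS/200 300 GET http://203.0.113.7/ejik/hot.php?id=1 - DIRECT/203.0.113.7 text/html",
    "1236074402.303 5 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1236074403.404 5 10.0.0.9 TCP_MISS/200 64 POST http://203.0.113.7/ejik/hot.php - DIRECT/203.0.113.7 text/html",
]


if __name__ == "__main__":
    print("executables in attachment:", find_executables_in_zip(build_sample_zip()))
    for client, method, url in find_zbot_beacons(SAMPLE_LOG):
        print(f"possible Zbot beacon from {client}: {method} {url}")
```

Because the archive check keys on the file header, it still fires when the attacker changes the archive or member names, which is exactly the variation the researchers warn about; the log check, by contrast, is only as good as the URI indicators and should be paired with the destination address once it is known.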

The MX Lab analysts point out that, when scanned with VirusTotal yesterday, the sample was not detected by most of the popular antivirus engines. In fact, only 7 of the 38 AV products available on the online service flagged the file, and most of those detections were generic.

MX Lab is a company headquartered in Belgium, focused on protecting e-mail communications from spam and other threats. It offers antivirus and anti-spam solutions to a wide range of customers including "organizations, self-employed individuals, small-to-medium sized businesses and enterprises."