Softpedia
 


August 14th, 2010, 17:04 GMT · By

New Wave of Zbot-Infected Emails



New Zbot variant targets business users via spam emails
Security researchers warn of a new wave of spam emails with different subjects and content distributing a variant of the Zbot trojan in attachments.

Judging from the subjects of the rogue emails, such as "Another candidate brought to you", "EBOD Meeting MEC Update", "Fw: New Taxes Coming", "Summary of payments" or "Sales Dept", the attack targets business users.

The interesting aspect of this campaign is that several emails with different subjects and content carry the same payload – a new Zbot variant with a very low detection rate.

One of the messages, which sounds credible enough, even misuses IBM's name in order to trick recipients into opening the malicious attachment and executing the malware.

"This is Charles Brand working as a Technical Team Lead in IBM with over 10 years of solid mainframe development experience. I am confident that my skills will match for this requirement.

"Please find the resume as a word attachment. I am available at 404-353-5442 for a discussion. BTW I am in EST time zone," it reads.

Another one references software produced by the company: "Attached are two files showing the amounts paid this past year.

"The files are in Lotus 1-2-3 but I think you can open these in Excel or the Open office spread sheet. This is working very nicely."

According to researchers from Belgian email security vendor MX Lab, who intercepted and analyzed many of these messages, the attached zip files also have different names, like "2010 MEC Update.zip", "2010 Financing.123.zip", "resume.zip" or "six_months.zip".

Meanwhile, malware analysts from security giant McAfee note that the piece of malware was generated with ZeuS 2.x and as such it has characteristics particular to this version of the crimeware toolkit.

These include HTTPS communication with the command and control server and the ability to allow incoming rogue Remote Desktop connections by patching the Windows termsrv.dll.

Zbot (ZeuS bot) is a banking trojan commonly used by financial fraudsters to siphon hundreds of thousands of dollars from the accounts of small companies, government institutions and non-profit organizations.
