Jul 28, 2011 14:44 GMT

A new ZBot distribution campaign produces fake emails that pose as notifications about a vulnerability in RSA's SecurID tokens and direct recipients to malware.

According to security researchers from email security firm AppRiver, who spotted the fake emails, the trojan is being passed off as a security update for the SecurID product.

"Dear customers, a unsafe vulnerability has been discovered in a certain types of our token devices. Please, check that your token device is safe, checking the following link.

"If your token is listed as unsafe, please, download and install the security update, available here [LINK]. It will exclude the possibility of misuse" the emails read.

In an attempt to look more credible, the messages also include the seals of the National Security Agency and the Central Security Service; however, the poor spelling should give them away.

It's clear that the people behind this campaign are trying to exploit the public's interest in the breach at RSA Security that resulted in the theft of information related to SecurID.

RSA's authentication tokens are used by employees in thousands of government agencies, contractors, companies and organizations worldwide.

The vendor initially claimed the information did not pose any serious risk, but after several large US military contractors suffered breaches involving cloned tokens, RSA agreed to replace all devices.

The link included in the fake emails leads to a variant of the ZBot trojan designed as a deployment platform for other malware. The trojan tries to connect to 15 random-looking domain names with .info, .biz, .org, and .net extensions in search of commands from its creators.

"While I don’t expect most individuals to fall for this, there is also a great amount that will, some of whom will mentally make some connection to the RSA breach. This connection may give the messages the air of legitimacy that they need to be opened and clicked through," notes Troy Gill, security researcher at AppRiver.