Symantec experts have located the source of the Changeup worm

Dec 4, 2012 12:57 GMT  ·  By

Last week we learned that a new version of the old Changeup malware was doing the rounds once again. Symantec experts have since analyzed the threat further and detailed how it is being distributed and what it drops.

While some security firms have found Changeup spreading via social media websites, Symantec researchers have found that in some cases, it’s actually distributed via fake emails that purport to come from financial institutions.

Recipients of these emails are instructed to open an attachment that actually contains a downloader, identified by Symantec as Downloader.Ponik.

Once it’s executed, Ponik contacts various URLs in an attempt to locate and download a peer-to-peer version of Trojan.Zbot, commonly known as ZeuS. In turn, ZeuS downloads and executes W32.Changeup.

The order is not fixed, however. In some cases it is Changeup that arrives first and then downloads Zbot, so the same set of components may appear in either sequence.
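Because the stages can arrive in either order, a detection that looks for one fixed download sequence (Ponik, then Zbot, then Changeup) misses the reversed chain. The following is an added example, not code from the article or from Symantec: a process-tree heuristic that flags a chain of three or more executables launched from user-writable locations and rooted in a mail client, regardless of which stage comes first. The event format, mail-client list, file paths and hostnames are constructed assumptions for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Hypothetical mail clients whose child processes count as "attachment launched".
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed image paths (assumptions, not real indicators).
OUTLOOK = r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"
READER = r"C:\Program Files\Adobe\Reader\AcroRd32.exe"
ATTACHMENT = r"C:\Users\alice\AppData\Local\Temp\statement.pdf.exe"  # Ponik-like stage
ZBOT = r"C:\Users\alice\AppData\Roaming\stage_zbot.exe"
CHANGEUP = r"C:\Users\alice\AppData\Roaming\stage_changeup.exe"

# Constructed process-creation events: (timestamp, host, parent image, child image).
EVENTS = [
    # ws1: the order described first in the article (attachment -> Zbot -> Changeup)
    (100, "ws1", OUTLOOK, ATTACHMENT),
    (101, "ws1", ATTACHMENT, ZBOT),
    (102, "ws1", ZBOT, CHANGEUP),
    # ws2: the reversed order (attachment -> Changeup -> Zbot)
    (200, "ws2", OUTLOOK, ATTACHMENT),
    (201, "ws2", ATTACHMENT, CHANGEUP),
    (202, "ws2", CHANGEUP, ZBOT),
    # ws3: benign, a PDF opened from the mail client in an installed reader
    (300, "ws3", OUTLOOK, READER),
]


def user_writable(path):
    # Crude heuristic: anything under a user profile is treated as user-writable.
    return path.lower().startswith("c:\\users\\")


def walk(host, image, since, children):
    """Yield every root-to-leaf path of user-writable executables spawned,
    directly or indirectly, by `image` after timestamp `since`."""
    extended = False
    for ts, child in sorted(children[(host, image)]):
        # Strictly increasing timestamps guarantee termination even when a
        # worm respawns its own image path.
        if ts <= since or not user_writable(child):
            continue
        extended = True
        for sub in walk(host, child, ts, children):
            yield [image] + sub
    if not extended:
        yield [image]


def find_chains(events, min_stages=3):
    """Return {host: [chain, ...]} for every chain of at least `min_stages`
    user-writable executables rooted in a process launched by a mail client.
    The chain shape, not the stage names or their order, is what is matched."""
    children = defaultdict(list)  # (host, parent image) -> [(ts, child image)]
    for ts, host, parent, child in events:
        children[(host, parent)].append((ts, child))

    chains = defaultdict(list)
    for ts, host, parent, child in events:
        if PureWindowsPath(parent).name.lower() not in MAIL_CLIENTS:
            continue
        if not user_writable(child):
            continue
        for chain in walk(host, child, ts, children):
            if len(chain) >= min_stages:
                chains[host].append(chain)
    return dict(chains)


if __name__ == "__main__":
    for host, found in find_chains(EVENTS).items():
        for chain in found:
            print(host, " -> ".join(PureWindowsPath(p).name for p in chain))
```

Both ws1 and ws2 are flagged with their respective three-stage chains, while ws3 is not, because the reader binary lives outside a user-writable path. In practice the heuristic should be fed real process-creation telemetry and tuned (installers and updaters legitimately spawn user-writable executables), but the point stands: key the detection on the chain, not on a fixed stage order.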

Symantec's researchers believe that Changeup's latest run may in fact be a vehicle for distributing the peer-to-peer variant of Trojan.Zbot rather than an end in itself.