Zbot distributed by Cutwail botnet

Jul 30, 2010 11:38 GMT

A new aggressive spam campaign is distributing a Zbot variant disguised as a Social Security statement. Security researchers warn that over 600 million emails carrying the infected attachment have been sent out by the Cutwail botnet in the past 24 hours.

The infected emails masquerade as official notifications from the Social Security Administration. Their subject is “Review your annual Social Security statement” and the From field is spoofed to appear as if they originate from a [email protected] address.

“Due to possible calculation errors, your annual Social Security statement may contain errors. Open attached file to review your annual Social Security statement,” the rogue messages read. The attachment is an archive file called statement.zip containing a malicious executable file.

To disguise it, the cyber crooks have forged the file's properties (its version information) so that it presents itself as a “VMware Virtual Disk Manager” and lists “VMware Inc.” as publisher. In reality, running the .exe installs a variant of the Zbot trojan, which as of earlier today is detected by 17 of the 42 antivirus engines on VirusTotal.
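The lure described above combines three observable traits: a known subject line, a From address that claims a domain the sending infrastructure does not control, and a ZIP attachment whose only member is an executable. The script below is an added triage example, not code from the article or from MessageLabs; it builds a constructed sample message that mimics those traits (the inner file name `statement.exe`, the `ssa.example` and `botnet-relay.example` domains and the fake PE bytes are all made up for the test) and flags each trait independently so an analyst can see which heuristic fired.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat"}
# Subject fragments seen in this campaign (lower-cased for comparison).
LURE_SUBJECT_PHRASES = ("social security statement",)


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def executables_in_archive(data):
    """List ZIP members that look executable by extension or by the MZ magic."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = os.path.splitext(info.filename)[1].lower()
                with zf.open(info) as member:
                    head = member.read(2)
                if ext in EXECUTABLE_EXTENSIONS or head == b"MZ":
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a ZIP after all; leave it to other checks
    return found


def triage_message(raw):
    """Score one raw RFC 822 message against the lure traits described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    findings = {
        "lure_subject": any(p in subject for p in LURE_SUBJECT_PHRASES),
        "sender_mismatch": False,
        "archive_executables": [],
    }
    # A From domain that differs from the bounce (Return-Path) domain is a
    # cheap spoofing indicator when no SPF/DKIM results are available.
    from_domain = _domain(msg["From"])
    bounce_domain = _domain(msg["Return-Path"])
    if from_domain and bounce_domain and from_domain != bounce_domain:
        findings["sender_mismatch"] = True
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or payload[:2] == b"PK":
            findings["archive_executables"] += executables_in_archive(payload)
    if findings["archive_executables"]:
        findings["verdict"] = "block"
    elif findings["lure_subject"] or findings["sender_mismatch"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "allow"
    return findings


def build_sample():
    """Constructed sample mimicking the lure; the 'executable' is only an MZ stub."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"VMware Virtual Disk Manager\0VMware Inc.\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statement.exe", fake_exe)  # constructed member name
    msg = EmailMessage()
    msg["Subject"] = "Review your annual Social Security statement"
    msg["From"] = "Social Security Administration <statement@ssa.example>"
    msg["To"] = "recipient@example.org"
    msg["Return-Path"] = "<bounce@botnet-relay.example>"  # constructed relay
    msg.set_content("Due to possible calculation errors, your annual Social "
                    "Security statement may contain errors. Open attached file "
                    "to review your annual Social Security statement.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

The three checks are deliberately separate: the subject test will age out as the campaign changes, the Return-Path comparison is only a hint (legitimate bulk mailers also bounce from other domains), but an archive that contains nothing except a Windows executable is worth blocking at the gateway regardless of who it claims to come from.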

According to MessageLabs, Symantec's hosted email security services arm, the spam campaign is very aggressive and the infected messages are sent out by the Cutwail/Pushdo spam botnet. “Cutwail botnet email 'Review your annual Social Security statement' started 29-Jul-2010 13:00 GMT, estimate 600 million sent globally so far,” the company warned via Twitter.

However, it should be noted that this is a variation of a similar campaign that was spotted in November 2009. The lure was identical, but the message instructed recipients to click on a link instead of opening an attachment. The link led users to a page serving a different Zbot installer for download as a file called statement.exe.

The change in delivery method is consistent with the findings of most antivirus companies, which reported that email-borne threats are making a comeback this year. Users are advised to treat email attachments with suspicion and run an up-to-date antivirus program on their computer at all times.

You can follow the editor on Twitter @lconstantin