New Zbot Sample Thanks Antivirus Firms
Trend Micro security researchers spotted a new variant of the banking Trojan Zeus/Zbot which they named TROJ_ZBOT.BTM. The variant arrives through an e-mail whose senders sarcastically thank some antivirus firms because they seemingly helped the malware creators (e-mail senders) to improve their malicious software. The e-mail expresses particular gratitude to Avira and Kaspersky Lab.
Trend Micro states that the e-mail text is revealed when the binary file is unpacked, at which point the malware replicates and copies itself into the infected computer's memory. The sarcastic message suggests that the cyber criminals watch the antivirus companies add detections for their malware and continuously modify their software to evade them.
Explaining how the Trojan works, the researchers state that it arrives as a file downloaded from a remote website. After making a copy of itself, the malware drops that copy into the Windows system directory and adds garbage code that makes it harder to detect. Subsequently, the Trojan tries to obtain a configuration file from a website; this file points to an updated copy of the malware and names the destination for transmitting stolen data. The configuration file also lists various bank-related websites from which information is to be stolen.
Moreover, TROJ_ZBOT.BTM tries to capture usernames and passwords - the credentials needed for logging into users' online banking sites.
The variant then stores and transmits the stolen credentials through HTTP POST to the ZBot controllers' chosen website. It also opens a particular website and downloads a configuration file that names the place where the Trojan's latest copy will be placed, along with the destination for sending the captured details.
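The behaviour chain described above (a copy dropped into the Windows system directory, a configuration file fetched over HTTP, then stolen credentials sent by HTTP POST) is something a defender can look for in endpoint HTTP telemetry. The following is an added example, not code from Trend Micro or the article; the log events, image names, hosts and allow-list are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of endpoint HTTP telemetry: (timestamp, process image path, method, URL).
# The odd "svchosts.exe" image and the example.net hosts are made up for this illustration.
SAMPLE_EVENTS = [
    ("09:00:01", r"C:\Program Files\Browser\browser.exe", "GET", "https://bank.example/login"),
    ("09:00:05", r"C:\Program Files\Browser\browser.exe", "POST", "https://bank.example/login"),
    ("09:01:10", r"C:\Windows\System32\svchosts.exe", "GET", "http://cfg.example.net/config.bin"),
    ("09:01:40", r"C:\Windows\System32\svchosts.exe", "POST", "http://drop.example.net/gate.php"),
    ("09:02:00", r"C:\Windows\System32\svchost.exe", "GET", "http://update.example.com/check"),
]

# Images that live in the Windows system directory are the interesting population here.
SYSTEM_DIR = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)

# Constructed allow-list of legitimate system images that are expected to talk HTTP.
# In practice this would come from a maintained software inventory, not a hard-coded set.
KNOWN_SYSTEM_IMAGES = {"svchost.exe"}


def suspicious_sequences(events):
    """Return {image_path: [POST urls]} for processes running from the system directory
    that are not on the allow-list and that fetched something over HTTP (a candidate
    configuration download) before POSTing data out, in that order."""
    history = defaultdict(list)
    for _ts, image, method, url in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if SYSTEM_DIR.match(image) and name not in KNOWN_SYSTEM_IMAGES:
            history[image].append((method.upper(), url))

    flagged = {}
    for image, calls in history.items():
        methods = [m for m, _ in calls]
        if "GET" in methods and "POST" in methods and methods.index("GET") < methods.index("POST"):
            flagged[image] = [u for m, u in calls if m == "POST"]
    return flagged


if __name__ == "__main__":
    for image, posts in suspicious_sequences(SAMPLE_EVENTS).items():
        print(f"suspect system-directory image {image} posted to: {', '.join(posts)}")
```

The rule deliberately ignores the browser's own POST to the bank site, since a legitimate login looks the same on the wire; the signal is the unfamiliar image in the system directory doing a fetch-then-post sequence.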
A lot has been reported about Zbot during the 2nd week of February 2010. A pair of fresh trojans competing with the well-known malware has been detected. One of these is distributed through the Zeus/Zbot botnet, while the other can remove Zeus from a contaminated machine to establish itself as the only malware on that system.
In addition, Websense warned that a surge of Zeus attacks was currently targeting military departments and government agencies worldwide.
SPAMfighter News - 19-02-2010