Fresh Zbot Disseminating E-Mail Scams Seen

Researchers at Websense, the security laboratory are cautioning that fresh e-mail campaigns involving ZBot are circulating while using a combination of pharmaceutical spam and malevolent attachments.

Spreading in bulk, these malicious e-mails (more than 100,000) show captions such as "Labels and such" or "Greetings from Rivermark Bill Payer!" along with malevolent HTML or ZIP attachments.

Further, these campaigns have an association with the much known pharmaceutical spam which is observed daily except that these use a technique of social engineering in combination with a ZIP or HTML attachment, an idea that resembles the usual phishing e-mail scams.

To cite an instance, it may be said in the e-mail that the recipient is about to get a $375 deposit into his account and so the transaction can be seen via an included web-link. But, if the user views the attachment, a JavaScript masked behind the HTML file attachment compromises his system.

Moreover, the content of this obfuscated JavaScript is encrypted via an HTML obfuscation program that's available for sale. Apparently, a user, who tries to see the decrypted 'JavaScript' content, finds that he's diverted with the aid of one 'meta' refresh label the JavaScript utilizes.

The diversion, however, takes place only if the JavaScript on checking finds the user running either a KHTML browser (Safari and Chrome) or a Gecko (Firefox) browser. Moreover, the diversion happens onto a pharma website.

In the meantime, the campaigns deliver other e-mails too that have attachments namely label.zip, which reportedly carries a malicious executable that plants a ZBot variant.

Besides, the Zeus Tracker scheme finds that the mean number of the malware's detections by signature-based anti-viruses right now is 44.84%.

Specialists state that as of present, ZBot is a highly prevalent malware family that has basically caused the massive number of ZIP attachment junk e-mails over the last many months. And since a crimeware toolkit spuriously available on sale is used to generate the Trojan, numerous fresh ZBot variants emerge every day.

Hence, it's highly advisable that users install an authorized anti-virus that's routinely updated as also maintain vigilance while viewing e-mails or dealing with dubious attachments.

Related article: Fark.com Files Suit against Suspected Hacker from Fox13

» SPAMfighter News - 9/29/2010