Zeus Network-of-Bots Attacking NACHA Subscribers
A phishing e-mail is reportedly targeting e-mail users while posing as a communication from NACHA, stating that the recipient's ACH membership has expired. Naked Security published this on May 4, 2011.
NACHA, a not-for-profit association, operates under the guidance of payments associations and financial institutions, which supply the development, governance and administrative services for its ACH Network. ACH Network subscribers who receive the phishing e-mail are socially engineered into loading Zeus, which compromises their PCs and adds them to the malware's botnet.
Enrollment in the botnet matters because the Zeus botnet does several malicious things: it executes DDoS attacks, dispatches the fake ACH membership-expiry e-mails, and clandestinely gathers financial data or ACH transaction data from users' systems.
Usually, a web link in the e-mail leads to an .info URL, either nacha-download-infonow.info or nacha-download-ifo.info. The files downloaded from these websites are executables that deliver fake anti-virus software; however, they also carry a sophisticated Zeus. Sophos has identified this software as Troj/FakeAV-DDY and Mal/FakeAV-EA.
Once Zeus is executed on the victim's PC, the payload moves into the Application Settings and is activated whenever the system boots up. Furthermore, it renders Internet Explorer incapable of deleting cookies, deactivates the setting for accessing data sources across web domains, and enables "Display mixed content," configuring the settings so that the end user gets no prompts.
Subsequently, Zeus collects the victim's private data from website repositories, e-mail databases or address lists.
Lastly, it communicates with its botnet's C&C server to receive commands for tasks such as dispatching the fake NACHA e-mail, executing a DDoS attack, posting collected data online, and downloading new versions of itself along with the associated configuration file.
If a potential victim isn't a NACHA subscriber, however, Zeus sends him Internet banking notices and malicious e-cards, while adding his PC to its botnet and collecting his personal banking details.
Meanwhile, to remain safe, Internet users are advised to avoid downloading or running unfamiliar files and following unfamiliar links.
» SPAMfighter News - 11-05-2011