ZBot Trojan Proliferating Inside Facebook: Trend Micro
Trend Micro, the computer security company, has warned that a ZBot Trojan being spread through fake Facebook friend requests uses a domain-generation technique to fetch the configuration it needs for pulling data out of victims' PCs, as reported in the technology news on August 23, 2011.
Specifically, unsolicited e-mails are landing in users' inboxes, notifying them of a friend request on the popular social-networking website.
The spam mail carries a web link that recipients are asked to click to approve the request. Clicking it instead opens a web page telling them that they must install the latest version of Adobe Flash Player before they can proceed.
Users who fail to notice how absurd it is to need the latest Flash Player just to approve a Facebook friend request, or to view the site at all, end up infected with an information-stealing Trojan.
Not surprisingly, the download is not Flash Player but a malicious file that Trend Micro detects as TSPY_ZBOT.FAZ.
Like most ZBot variants, this malware contacts a particular website to retrieve a configuration file, which specifies the URLs from which the Trojan is to steal data and credentials.
Unlike other ZBot variants, however, which use a fixed URL, TSPY_ZBOT.FAZ generates the URL dynamically from whatever data it finds on the computer at the time.
TSPY_ZBOT.FAZ also differs from earlier ZBot variants in that the websites it visits to download the configuration file are not hard-coded in its payload. Instead, it computes the site to contact from information the infected computer reports, so the address can differ from one victim to the next and cannot simply be read out of the binary and blocked.
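As an added example, not code from the article or from Trend Micro's analysis: a toy domain-generation algorithm (DGA) of the shape described above, where the configuration-server domain is computed from a date and local host data rather than hard-coded, together with the defender-side check that precomputes the day's candidates and matches them against DNS log lines, with a high-entropy heuristic as a fallback signal. The hashing scheme, the host seed, the TLD list, the helper names and the log lines are all assumptions; the article does not disclose the actual algorithm TSPY_ZBOT.FAZ uses.

```python
"""Hypothetical DGA and matching detector (added example, not ZBot's real code)."""
from __future__ import annotations

import hashlib
import math
from collections import Counter
from datetime import date

# Assumed TLD pool; real DGAs choose their own.
TLDS = ("com", "net", "org", "info")


def dga_domain(seed: bytes, index: int, label_len: int = 12) -> str:
    """One DGA step: hash seed||index and map the digest to an a-z label plus TLD."""
    digest = hashlib.sha256(seed + index.to_bytes(4, "big")).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:label_len])
    tld = TLDS[digest[label_len] % len(TLDS)]
    return f"{label}.{tld}"


def candidate_domains(day: date, host_seed: bytes, count: int = 5) -> list[str]:
    """Domains the toy malware would try on `day` for a host whose local data
    hashes to `host_seed`. Which local data feeds the seed is an assumption."""
    seed = day.isoformat().encode() + host_seed
    return [dga_domain(seed, i) for i in range(count)]


def parse_dns_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse constructed log lines of the form '<timestamp> <client> <qname>'."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2].rstrip(".").lower()))
    return records


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str, min_len: int = 10, threshold: float = 3.0) -> bool:
    """Heuristic fallback: a long, high-entropy second-level label is suspect.
    Thresholds are illustrative and will need tuning against real traffic."""
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and label_entropy(sld) >= threshold


def find_dga_lookups(lines: list[str], day: date, host_seed: bytes) -> list[tuple[str, str, str]]:
    """Return (client, qname, reason) for lookups that either match the
    precomputed candidate set exactly or trip the entropy heuristic."""
    known = set(candidate_domains(day, host_seed))
    hits = []
    for _ts, client, qname in parse_dns_log(lines):
        if qname in known:
            hits.append((client, qname, "matches precomputed DGA candidate"))
        elif looks_generated(qname):
            hits.append((client, qname, "high-entropy label, review manually"))
    return hits


# Constructed inputs for the demonstration (not real hosts or traffic).
DAY = date(2011, 8, 23)
HOST_SEED = hashlib.sha256(b"WORKSTATION-07|alice").digest()[:8]
SAMPLE_LOG = [
    "2011-08-23T10:01:02 10.0.0.5 www.facebook.com",
    "2011-08-23T10:01:05 10.0.0.5 get.adobe.com",
    "2011-08-23T10:01:09 10.0.0.5 " + candidate_domains(DAY, HOST_SEED)[2],
    "2011-08-23T10:02:11 10.0.0.9 xkqzvbpwjrtm.org",
]

if __name__ == "__main__":
    for client, qname, reason in find_dga_lookups(SAMPLE_LOG, DAY, HOST_SEED):
        print(client, qname, reason)
```

Precomputing candidates only works when the defender can reproduce every seed input; when the seed includes per-host data, as the article says it does for TSPY_ZBOT.FAZ, the candidate set must be rebuilt per host or the analyst falls back on the heuristic branch, on sinkholing once a sample has been reverse engineered, or on blocking the Flash-lure page upstream.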
While ZBot's use of domain-generation algorithms is nothing new, Trend Micro notes that the Facebook lure is likely to fool many unwary users. The company saw similar spam in July 2011 that purported to come from the IRS.
Meanwhile, security researchers advise users to be very cautious when approving friend requests on Facebook, and to download Adobe products only from Adobe's official website.
» SPAMfighter News - 03-09-2011