ZBOT’s New Trick –Self-Propagation, Detects Trend Micro

Trend Micro the security company says that one fresh ZBOT variant has been observed as spreading of its own. This is quite unlike of the malware that characteristically proliferates via drive-by downloads, a process which happens when website-visitors access hijacked sites that actually harbor attack toolkits delivering the malware.

According to Abigail Pichel, Security Researcher at Trend Micro, the mentioned ZBOT variant spreads via one malevolent PDF file pretending to be a sales bill. Securityweek.com published Pichel's blog-post on June 11, 2013.

Suppose any end-user views that file while running Adobe's Reader application, certain attack code gets triggered which pops up one dialog box.

And as the victim goes through the message in that dialog box, the attack code pulls down and executes the ZBOT sample dubbed WORM_ZBOT.GJ. There are twin chief features added to this sample. These include: one, it has an own autoupdater; and two, the worm self-propagates through USB drives. The latter becomes possible once the variant hunts for detachable devices followed with crafting one concealed folder having its own copy, as also one shortcut that leads onto that copy, elaborates the researcher. Infosecurity-magazine.com reported this dated June 11, 2013.

It isn't really clear from the report if ZBOT's creation of its copy involves the purpose of altering its signature i.e. the particular definition of malicious software which anti-viruses utilize for spotting particular threats. However, that appears possible. Actually, when such polymorphic tendency occurs, the idea is for the malware making anti-malware subservient to it. Consequently, it successfully circumvents detection.

Pichel observes that the current manner of ZBOT's propagation isn't normal. ZBOT is habitually disseminated via malevolent attachments and/or attack toolkits. The current behavior isn't what Trend Micro anticipated. Therefore, it may imply a rise in ZBOT contaminations thrusting ahead. However, the current unexpected behavior of ZBOT matches the 2013 predictions Trend Micro made, according to which, older threats were more likely to go on through 2013, albeit with greater sophistication for increasing their efficacy. Earlier too, a few ZBOT samples employed non-traditional methods such as file infectors for their propagation, notes Pichel. Blog.trendmicro.com published this dated June 10, 2013.

» SPAMfighter News - 6/17/2013