Infostealer Trojan Spread via Bogus UPS E-mail

Malware analysts from MX Lab, the security provider for e-mail communication, have warned that a fresh variant of information stealing banking Trojan is being spread through e-mail that supposedly arrives from United Parcel Service (UPS).

The bogus e-mail claiming to notify about the delivery problem does not contain spelling errors unlike the regular spam messages. Further, "From" field of the e-mail displays an address spoofed as tracking@ups.com, while the text of the message says that the postal package the e-mail recipient sent on February 23rd could not be delivered as the address for delivery was incorrect. The message then directs the recipient to print out a copy of the invoice given as an attachment and use it to pick up the parcel from the nearest UPS office.

However, on opening the attachment which contains a rogue .exe installer, a Trojan is installed on the system. This installer compressed in the name Invoice_8612112.zip that could also be named and numbered differently carries the Zbot Trojan.

Security analysts state that the Zbot Trojan (also called Infostealer) is a malicious application with rootkit features and a hazardous payload. The program is designed to steal financial information like Internet banking login credentials and credit card details.

Besides, it deactivates the Windows firewall to allow a remote attacker to gain control over the infected computer. The Trojan also takes the desktop's screenshots from the victim PC and transmits them elsewhere along with downloading and planting additional malware.

The security analysts at MX Lab also disclosed that when they scanned the infected computers on March 2, 2009, they found that many of the prominent antivirus software could not detect the sample. In fact, merely seven of the 38 antivirus solutions could make the detection, and that too related with just general information.

Meanwhile, there are numerous variants of the Zbot group spreading through different means. One more incident involving a Zbot Trojan was reported when the malware was downloaded from Paris Hilton's website after it was first compromised.

Further, malware distribution via bogus UPS notification is not new as it happened earlier in 2008 as well.

Related article: Infection in Chinese Security Website

» SPAMfighter News - 3/19/2009