Archive for the ‘Win32/Zbot’ Category

Stratfor customers targeted by cybercriminals

February 14th, 2012

Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor – a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database.

The spammed email contains an attached PDF file named “stratfor.pdf”. Upon opening the PDF file, it displays the following content, with a reference to using security software to scan for the fictional “Win32Azee virus”:


The link displayed in the emails appears legitimate at first glance, but a closer look at the target address shows that it does not match the address shown in the email text. Stratfor is based in Texas, United States; the download URL, however, points to a server located in Turkey. Another PDF sample contained a download link to yet another compromised site, this time in Poland.

When the link is clicked, Adobe Reader displays a warning message asking you to confirm that you trust the website. The file offered for download is actually a Win32/Zbot variant, which Microsoft already detects as PWS:Win32/Zbot.gen!R. The malicious PDF file is detected as Trojan:Win32/Pdfphish.A.

38421197bc27f9ae76c01595424b41d720adea05 (detected as Trojan:Win32/Pdfphish.A)
818ef49e658aa78df4a0d9b424fafcd37bcb288c (detected as PWS:Win32/Zbot.gen!R)

– Rodel Finones, MMPC

Categories: MSRT, phishing, spam, Win32/Zbot

Friendly spam carries Zbot

December 6th, 2011

This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising, as only a few hours earlier I had logged into the carrier’s website to pay the monthly bill. My provider’s standard practice is to send the bill by email and, after the bill is paid, a confirmation message, also by email.

Today, however, one message stood out in several ways. First, the subject line was quite different from what I was expecting to see:

Important Account Information from Verizon Wireless TRACK-ID: 15730301098

I was also addressed in the email in a rather peculiar way, “Hello Dear!”. Only my aunt ever calls me “dear”, so I knew it was a phony. Below is a copy of the spammed message:

The spammed messages vary in several elements between recipients. For instance, the “Total Balance Due” amount differs among samples spotted in the wild, and carries a leading zero when the amount is less than 1000:

Total Balance Due: $1589.55
Total Balance Due: $1366.06
Total Balance Due: $0257.93

The subject line is also not fixed; it varies between recipients in at least three different formats:

Subject: Important Account Information from Verizon Wireless TRACK-ID: 70341011278
Subject: Important Account Information from Verizon Wireless TRACK-ID: 12904962494
Subject: Important Account Information from Verizon Wireless, ID: 79PZ0SZ95HCLD
Subject: Important Account Information from Verizon Wireless, ID: OW0ORPE4SGTST
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 16:59:40 +0100
Subject: Important Information from Verizon Wireless, Tue, 6 Dec 2011 20:13:33 +0200

This suggests automation may be at play. The email carries a ZIP archive as an attachment, commonly named ““, such as ““. Within the attached archive is an executable bearing a similar name, such as “Verizon-Wireless-Account-Status-Notification-Dec-2011.exe” (SHA1: d4b12df0eb31457ad3d2197e9993f16a1f1a53eb).

While I was writing this article, the spam campaign shifted to impersonating Adobe:

From: <no-reply @>
Date: 12/6/2011 9:00:59 AM
Subject: Adobe Software Critical Upgrade Notification ID: RA4NFDKPJBD
Attachment: AdobeSystems-Software_Critica

Hello Dear,

Adobe is pleased to announce new version upgrades for Adobe Acrobat Reader and Adobe X Suite
Advanced features include:
– Collaborate across borders
– Create rich, polished PDF files from any application that prints
– Ensure visual fidelity
– Encrypt and share PDF files more securely
– Use the standard for document archival and exchange
To upgrade and enhance your work productivity today please open attached file.
Copyright 2011 Adobe Systems Incorporated. All rights reserved.
TrackNum: MK20N1-3369338
Adobe Systems Incorporated,
Tue, 6 Dec 2011 18:00:59 +0100

At this time, there is limited detection among vendors – we identify it as PWS:Win32/Zbot.gen!Y. Be wary of messages that may appear to be from known entities and use security software to minimize the chance of infection.

— Patrick Nolan, MMPC

Categories: spam, Win32/Zbot