Trend Micro Malware Blog
    Archive for February 10th, 2010
    Trend Micro advanced threat researchers recently came across a new ZBOT/ZeuS binary file detected as TROJ_ZBOT.BTM.

    ZBOT/ZeuS variants are well known for stealing banking information from their victims via various social engineering tactics (e.g., spammed messages, malicious links sent to social networking site members in the guise of messages, and compromised legitimate sites), as evidenced by the following documented noteworthy occurrences:

    Apart from the usual information-stealing tactics ZBOT/ZeuS Trojans are known for, however, this new variant came with a hidden message that thanks and taunts some well-known antivirus companies for the help they give the cybercriminals behind the malware, who use detection results to constantly improve their craft. The message, however, only becomes visible after the binary file (version 1.3.3.3) unpacks and copies itself into the affected system’s memory.


    This taunting message shows that cybercriminals run systems that monitor how well antivirus companies detect their malware, and that they constantly update their software to avoid detection.

    Trend Micro™ Smart Protection Network™ already protects product users from this threat: its Web reputation service blocks access to the malicious site, http://{BLOCKED}p.com/consc/cons.exe, from which the binary file could be downloaded, and its file reputation service detects the file and prevents its execution on affected systems.

    Non-Trend Micro product users, on the other hand, can also stay protected by using free tools like Web Protection Add-On, which was specifically designed to block user access to potentially malicious websites in real time.

    As previously announced in the Microsoft Security Bulletin Advance Notification released last week, this month’s patch cycle includes 13 bulletins intended to patch 26 vulnerabilities in several versions of Windows OS and Office. The record release is a far cry from last month’s lone patch.

    The long list includes five bulletins rated “critical,” which patch nine vulnerabilities that could lead to remote code execution. Until they are patched, an attacker could exploit any of these vulnerabilities to gain control of the user’s system. Most notable on the list is MS10-013, which could give an attacker complete control of an affected system. Considering the damage that exploiting this vulnerability could cause, it is very important that users patch their systems as soon as possible.

    The February release also includes seven bulletins rated “important” and one rated “moderate.” It is also important to note the addition of MS10-015 to the list, which addresses the so-called 17-year-old hole described in Security Advisory 979682. However, Microsoft reiterates that while it is aware of publicly available proof-of-concept (POC) code for the issue, it has yet to see any active exploits. More information on the complete list of security advisories can be found in this Trend Micro Security Advisory page.

    Coinciding with this month’s release is yet another FAKEAV variant, detected by Trend Micro as TROJ_FAKEAV.BLJ. This FAKEAV purports to be a Windows Automatic Update that supposedly installs a Windows XP update. It then proceeds to use the same old scareware tactics, warning users of bogus system infections. Users are thus advised to download security updates only from the official Microsoft Security Bulletin page.


    Trend Micro™ Smart Protection Network™ protects users from this threat by detecting and preventing the download of harmful codecs and malicious files such as TROJ_FAKEAV.BLJ.

    Even non-Trend Micro product users can stay protected via HouseCall, Trend Micro’s free on-demand scanner that identifies and removes viruses, Trojans, worms, unwanted browser plug-ins, and other malware from infected systems.

    Update as of February 1, 2010, 9:06 p.m. (GMT +8:00):

    Microsoft has released an official statement concerning restart issues that some users are currently experiencing after installing this month’s patch updates. Specifically, initial analysis suggests that a limited number of users encounter a blue screen after installing MS10-015. While the Microsoft team continues to conduct tests, it has temporarily stopped offering the update through Windows Update. However, a workaround has been made available with a Microsoft Fix.
