A few hours ago (22 July 2008, 03:41 a.m. PST), our EMEA threat analysts were able to catch the following UPS spam samples from our honeypots. Apparently, the spam run we saw last week (discussed in the blog entry Trojans Deliver) is just beginning to pick up.
Here are the fresh UPS spam samples:
The spammers are perhaps banking on a previous observation from the earlier UPS post:
The B2C (business-to-consumer) parcel industry is set to be the next big thing in Europe, says market research company Datamonitor, according to M2 Presswire in this report. European users, especially those who routinely have purchases delivered to them, should be extra careful when receiving communications from their parcel delivery company of choice. At the very least, treat such messages with suspicion when their format (content, sender address, attachment type) differs from the carrier's genuine notices. It is safest to track deliveries on the carrier's own website or by phone instead.
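The three format checks named above (content, sender address, attachment type) are easy to automate on the receiving side. The following is an added example, not code from the original post or from Trend Micro: it scores an incoming notice against a small policy for a hypothetical carrier whose domains, sample messages and risky-attachment list are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed policy for a hypothetical carrier; these are not UPS's real domains.
CARRIER_DOMAINS = {"example-parcel.com"}
# Attachment types a genuine delivery notice would not normally carry (assumption).
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".zip", ".rar"}


@dataclass
class Message:
    sender: str                      # raw From: header value
    subject: str
    body: str                        # plain-text body
    attachments: list = field(default_factory=list)   # attachment file names


def _domain_of(address_header):
    """Return the lower-cased domain part of a From: header, or '' if none."""
    _, addr = parseaddr(address_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_carrier_host(host):
    """True if host is one of the carrier's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CARRIER_DOMAINS)


def assess(msg):
    """Return the list of ways this message deviates from the carrier's usual format.

    An empty list means the sender, links and attachments all match the policy;
    it does not prove the message is genuine, only that it passed these checks.
    """
    reasons = []
    sender_domain = _domain_of(msg.sender)
    if not _is_carrier_host(sender_domain):
        reasons.append(f"sender domain {sender_domain!r} is not a carrier domain")
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment {name!r} has risky type {ext}")
    for host in re.findall(r"https?://([^/\s]+)", msg.body):
        if not _is_carrier_host(host):
            reasons.append(f"link to non-carrier host {host!r}")
    return reasons


# Constructed samples: one notice that fits the policy, one that does not.
GENUINE = Message(
    sender="Parcel Notifications <noreply@notify.example-parcel.com>",
    subject="Your parcel is on its way",
    body="Track it at https://track.example-parcel.com/t/ABC123",
)
SUSPECT = Message(
    sender="Parcel Service <invoice@mail.example.net>",
    subject="Invoice for undelivered parcel",
    body="Please open the attached invoice or visit http://files.example.org/invoice",
    attachments=["invoice_1234.zip"],
)

if __name__ == "__main__":
    for m in (GENUINE, SUSPECT):
        print(m.subject, "->", assess(m) or "no deviations")
```

The checks deliberately look only at what the reader can see in the mail client; they say nothing about whether a parcel actually exists, which is why the post still recommends confirming delivery status through the carrier's own site or phone line.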
Fortunately, the Trend Micro Smart Protection Network already detects these files as TSPY_ZBOT.PF. As we write this, more samples are being seen.
Updates as of 22 July 2008
TSPY_ZBOT.PF downloads an encrypted configuration file from a remote site. This file contains banking-related URLs which the spyware monitors in Internet browser address bars. When a user accesses any of the listed URLs, the spyware logs keystrokes to capture data entered in login boxes. The gathered data is saved to a file and then sent to a remote site via HTTP POST. The URLs listed in the downloaded configuration file may change at any time.
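Because the monitored URL list can change at any time, a defender cannot key detection on the spyware's configuration. What stays constant in the behaviour described above is the sequence on the victim's side: a visit to a banking site followed shortly by an HTTP POST to a host the user has no business talking to. The following is an added example, not code from the original post or from Trend Micro: a small correlation over constructed proxy-log lines that flags exactly that sequence; the log format, the banking and trusted host names, the drop host and the 60-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed proxy log, one request per line:
#   "<ISO timestamp> <client-ip> <method> <host> <path>"
SAMPLE_LOG = """\
2008-07-22T03:41:00 10.0.0.5 GET www.bank-one.example /login
2008-07-22T03:41:07 10.0.0.5 POST www.bank-one.example /login/submit
2008-07-22T03:41:09 10.0.0.5 POST drop.example.net /collect
2008-07-22T03:50:00 10.0.0.7 GET www.news.example /
2008-07-22T03:50:05 10.0.0.7 POST www.news.example /comment
2008-07-22T04:10:00 10.0.0.5 POST drop.example.net /collect
"""

# Sites whose login sessions we want to protect (assumed, constructed names).
MONITORED_SITES = {"www.bank-one.example"}
# Hosts that may legitimately receive POSTs (assumed allowlist).
TRUSTED_HOSTS = {"www.news.example"}
# How soon after a banking visit an unexpected POST is treated as suspicious.
WINDOW = timedelta(seconds=60)


def parse(line):
    """Split one log line into (timestamp, client, method, host, path)."""
    ts, client, method, host, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, method, host.lower(), path


def is_trusted(host):
    return host in MONITORED_SITES or host in TRUSTED_HOSTS


def find_suspicious_posts(log_text, window=WINDOW):
    """Return (client, host, path, timestamp) for each POST to an untrusted host
    that follows a visit to a monitored site by the same client within `window`."""
    last_monitored_visit = {}          # client-ip -> time of last banking request
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = parse(line)
        if host in MONITORED_SITES:
            last_monitored_visit[client] = ts
            continue
        if method == "POST" and not is_trusted(host):
            seen = last_monitored_visit.get(client)
            if seen is not None and ts - seen <= window:
                alerts.append((client, host, path, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_posts(SAMPLE_LOG):
        print("suspicious POST after banking visit:", alert)
```

The heuristic is only as good as its allowlist: advertising and analytics endpoints also receive POSTs right after page loads, so in practice the trusted set is built from a baseline of the network's normal traffic, and an alert is a prompt to pull the client for inspection rather than a verdict on its own. The later POST at 04:10 in the sample is deliberately outside the window to show that the correlation is time-bounded.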