
    Our team recently came across a spam run that leads to the download of a ZBOT variant that uses a domain-generation technique. The spam run involves messages that arrive in users’ inboxes as Facebook friend request notifications.

    The message bears a link that the users must click to approve the friend request. Clicking the said link, however, will only lead to a page informing the users that they need to install the latest version of Adobe Flash Player in order to proceed. Unsurprisingly, the downloaded file is not the Adobe Flash Player installer but a malicious file detected as TSPY_ZBOT.FAZ.


    TSPY_ZBOT.FAZ, like most ZBOT variants, contacts a remote site to retrieve a configuration file. That configuration file contains the list of URLs the malware monitors in order to steal the credentials entered on them. What makes this particular variant noteworthy is that it employs a domain-generation technique. Unlike other ZBOT variants that carry a preset URL from which to download the configuration file, TSPY_ZBOT.FAZ derives the URLs it contacts from a pseudo-random function seeded with the system's current date. Because the output depends only on the date, every infected machine computes the same set of candidate domains for a given day, and the operators need only register one of them ahead of time to keep the bots updated; it also means that anyone who recovers the function from the binary can compute the same list in advance and block it.
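    To make the date-seeded scheme concrete, here is an added example of a toy domain-generation algorithm together with the defender-side logic that precomputes and blocks its output. This is illustrative code written for this post; it is not the algorithm extracted from TSPY_ZBOT.FAZ, and the constants (the TLD list, twenty domains per day, label lengths of 8 to 16 characters, SHA-256 as the mixing function) are assumptions chosen for the illustration.

```python
import datetime
import hashlib
import re

# Parameters of a HYPOTHETICAL date-seeded DGA used only for illustration;
# they are not the constants of TSPY_ZBOT.FAZ or of LICAT/MUROFET.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 20
MIN_LABEL, MAX_LABEL = 8, 16


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Candidate domains for one calendar day.

    Nothing but the date and a counter feeds the hash, so every infected
    host, and every defender who has recovered the algorithm from the
    binary, derives exactly the same list for that day.
    """
    domains = []
    for index in range(count):
        seed = f"{day.isoformat()}:{index}".encode()
        digest = hashlib.sha256(seed).digest()          # 32 bytes
        # First byte picks the label length, the next bytes spell the label,
        # the last byte picks the TLD.
        length = MIN_LABEL + digest[0] % (MAX_LABEL - MIN_LABEL + 1)
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def domains_for_day(year, month, day):
    """Convenience wrapper taking a plain year/month/day."""
    return generate_domains(datetime.date(year, month, day))


def build_blocklist(year, month, day, days_ahead):
    """Precompute every candidate for a window starting at the given date.

    This is what lets a defender block or sinkhole the configuration
    domains before the bots roll over to them.
    """
    start = datetime.date(year, month, day)
    blocked = set()
    for offset in range(days_ahead):
        blocked.update(generate_domains(start + datetime.timedelta(days=offset)))
    return blocked


# Shape of a name produced by the toy algorithm above (used for sanity checks).
DGA_SHAPE = re.compile(r"^[a-z]{%d,%d}\.(%s)$" % (MIN_LABEL, MAX_LABEL, "|".join(TLDS)))


def is_blocked(domain, blocklist):
    """Normalise a queried name (case, trailing dot) and test it against the set."""
    return domain.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    # Print the candidate list for a fixed date so the determinism is visible.
    for name in domains_for_day(2011, 8, 22):
        print(name)
```

    The defender's advantage in this model is the window: `build_blocklist` for the next few days yields the complete set of names the bot can possibly try, so DNS logs can be matched against it before any of those names resolves. Real DGAs vary the hashing, the counter range and the TLD set, so the list above is only a shape, not a signature.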

    Note that this is not the first time we have seen ZBOT variants that use a domain-generation algorithm distributed through spammed messages. Just last month, in fact, we came across a run that used messages appearing to come from the IRS. The use of the most popular social networking site as the lure, however, is likely to hook more unsuspecting users.

    ZBOT variants that use domain-generation techniques are not new to us either. We’ve been on the lookout for this particular type of malware, especially after we found LICAT/MUROFET use the said technique last year.

    Users are now protected from this threat through the Trend Micro™ Smart Protection Network™. The spammed messages are already being blocked, along with related URLs. The blocked URLs include those generated by the malicious file, which we detect as well.

    Past LICAT/MUROFET-related blog entries:

    Update as of August 23, 2011, 3:34 AM PST

    We received samples of the same spam that downloads a new binary file. The said file is now detected as TSPY_ZBOT.HII.

    Update as of August 24, 2011, 9:31 PM PST

    We’re still receiving spam samples leading to yet another binary file. It is now detected as TSPY_ZBOT.FAD.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice