    It’s been said that a picture is worth a thousand words. Unfortunately, there’s one that’s worth your bank accounts. We came across malware that uses steganography to hide configuration files within images. However unique this technique might seem, it is hardly new—we previously featured targeted attacks that use the same technique.

    The ZBOT malware, detected as TSPY_ZBOT.TFZAH, downloads a JPEG file onto the affected system without the user’s knowledge. The user does not even see this particular image, but if someone did happen to see it, it would look like an ordinary photo. We encountered an image of a sunset, but other security researchers reported encountering a cat image. (This particular photo appears to have been lifted from popular photo-sharing sites, as it appears on these sites if you search for “sunset”.)

    Using steganography, a list of banks and financial institutions that will be monitored is hidden inside the image. The list includes institutions from across the globe, particularly in Europe and the Middle East. Once the user visits any of the listed sites, the malware will proceed to steal information such as user credentials.

    Figure 1. Image appended with the list of targeted institutions
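    The figure caption says the list is appended to the image. The following example, added here and not code from the TrendLabs post or from the malware, shows how a defender can check a JPEG for data hidden after its End-Of-Image marker; the minimal JPEG bytes and the bank-list payload are constructed for the demonstration.

```python
# Find data appended after a JPEG's End-Of-Image (EOI) marker, the spot where an
# "image appended with a config" carries its payload. Added example; constructed input.
SOS, EOI = 0xDA, 0xD9

def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI.

    Walking segments (instead of searching for the last FF D9) is deliberate:
    an appended payload may itself contain FF D9, so a reverse search would
    under-report, or miss entirely, the trailing data.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0xFF:                                # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM / RSTn carry no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        if marker == SOS:
            # Entropy-coded data follows. FF 00 is a stuffed byte and FF D0-D7 are
            # restart markers; skip until any other FF xx marker (normally EOI).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("EOI marker not found")

def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the picture; b'' for a clean file."""
    return data[jpeg_end_offset(data):]

# Constructed minimal JPEG (APP0 header, one scan, EOI) and a constructed payload
# that deliberately contains FF D9 to show why a reverse marker search is not enough.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, length 8
    + b"\x12\x34\xff\x00\x56\x78"                                      # scan data
    + b"\xff\xd9"                                                      # EOI
)
SAMPLE_PAYLOAD = b"cfg:\xff\xd9\nbank-one.example\nbank-two.example\n"

if __name__ == "__main__":
    print("appended bytes:", trailing_payload(SAMPLE_JPEG + SAMPLE_PAYLOAD))
```

    A non-empty result is not proof of malice (some cameras and editors leave trailing bytes), but for a file dropped by an unknown process it is a strong reason to look closer.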

    This particular attack has another unusual routine: it downloads other malware onto the system, namely TROJ_FOIDAN.AX. This Trojan removes the X-Frame-Options HTTP header from sites the user visits, allowing those sites to be displayed inside a frame. Webmasters use this header to ensure their sites are not used in clickjacking attacks.

    ZBOT has not traditionally been linked to clickjacking. However, it has been linked to other threats, such as ransomware and file infectors.
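    As an added example (not code from the post or from Trend Micro), the check below classifies HTTP responses by the framing protection they carry, so a response seen on a suspect host can be compared with what the site normally sends. The responses are constructed; the Content-Security-Policy frame-ancestors case is a generalization beyond the post, which only discusses X-Frame-Options.

```python
# Audit HTTP responses for the framing protection that the Trojan described above
# removes. Added example with constructed responses, not the post's own code.
def parse_response_headers(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x response head into {lowercase-name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def framing_protection(raw: bytes) -> str:
    """Classify how a response restricts being framed.

    Returns 'deny' or 'sameorigin' for X-Frame-Options, 'csp' when a
    Content-Security-Policy frame-ancestors directive is present (newer
    mechanism, included as a generalization), and 'none' otherwise.
    """
    h = parse_response_headers(raw)
    xfo = {v.upper() for v in h.get("x-frame-options", [])}
    if "DENY" in xfo:
        return "deny"
    if "SAMEORIGIN" in xfo:
        return "sameorigin"
    for policy in h.get("content-security-policy", []):
        if any(d.strip().lower().startswith("frame-ancestors") for d in policy.split(";")):
            return "csp"
    return "none"

def audit(responses: dict) -> dict:
    """Map each label to True when the response lets any site frame the page."""
    return {label: framing_protection(raw) == "none" for label, raw in responses.items()}

# Constructed responses: what a site normally sends, the same response as it would
# appear on a host where X-Frame-Options has been removed, and a CSP-only variant.
NORMAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"X-Frame-Options: SAMEORIGIN\r\n\r\n<html>login</html>")
STRIPPED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"
CSP_ONLY = (b"HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
            b"frame-ancestors 'none'\r\n\r\n<html>login</html>")

if __name__ == "__main__":
    print(audit({"normal": NORMAL, "stripped": STRIPPED, "csp": CSP_ONLY}))
```

    A site that is 'sameorigin' from a clean machine but 'none' from a user's browser points at something on that user's host rewriting responses, which is exactly the symptom described above.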

    The use of steganography, along with the inclusion of clickjacking-related malware, shows that established malware threats are still expanding their techniques and routines.

    With additional insights from Mark Manahan.

    Update as of 7:00PM PST, March 6, 2014

    The hashes of the malicious files related to this attack are as follows:

    • 3e545d7776064f22e572e92b9c0a236280459917
    • bf3052fd93ba6c80ede96ed7c03a6c03235e6235
    • ebdb802aa5e274d76252d65841100a1a021408d9


    • IKnowUAgree

      Does this mean if I download a picture from the internet it might contain content that releases a virus? How do you check if the picture is safe before downloading? Will spyware/anti-virus programs catch it?

    • Jason Wright

      Facts? FACTS? We don’t need no steeeenking facts!

      FUD FUD FUD all the way.

    • Jim Johnson Jr.

      Very misleading, seems the AV companies do this intentionally. You have to have the virus already, or get it with the image, the image is merely a config file. The image itself is not the virus. Trendlabs should be ashamed to publish such nonsense. JPG files are not active content unless a program actually runs it as such. No software, outside of this virus, handles JPG files in that manner. C’mon guys, this is why folks are so confused.

    • Dave Noonan

      This article is very unclear. My interpretation is that I’d have to already be infected with ZBOT and then it could receive instructions via the image. The image is not the source of the infection.

      • TrendLabs

        Hi Dave,

        Your interpretation is correct. The entry presents the use of a technique called steganography, wherein the malware uses images to store configuration information. It is not stated anywhere in the entry that the image is the source of infection, since it is not the case.

        We hope this helps.

    • who’sthetarget?

      Which platforms does this run on?

    • Sam

      So if we look at any image ever on the internet we could be having our bank accounts looted? I would like to know more about this.

      • TrendLabs

        Hi Sam,

        Good question! The answer to that is no. What this means is that malware now utilizes many different file types in order to execute their routines (among those we’ve recently reported are ZeuS variants embedded in RTF files, control panel files also embedded in RTF files, and malicious AutoCAD files).

        This calls for more precaution when it comes to dealing with files in general, not just the types that are typically seen, like .EXE, .PDF, and .DOC.

        Hope this helps!

    • Genthar

      Would be nice to know if these are coming via e-mails, or is it via downloading or what is the main attack vector for these?

      • TrendLabs

        Hi Genthar,

        The malware involved here is ZeuS (also known as ZBOT). ZBOT has been known to arrive mainly via spammed messages. However, it has also been seen spreading via different means, such as spammed posts in social networks.


    © Copyright 2013 Trend Micro Inc. All rights reserved.