Our team recently came across a spam run that leads to the download of a ZBOT variant that uses a domain-generation technique. The spam run involves messages that arrive in users’ inboxes as Facebook friend request notifications.
The message bears a link that the users must click to approve the friend request. Clicking the said link, however, will only lead to a page informing the users that they need to install the latest version of Adobe Flash Player in order to proceed. Unsurprisingly, the downloaded file is not the Adobe Flash Player installer but a malicious file detected as TSPY_ZBOT.FAZ.
TSPY_ZBOT.FAZ, like most ZBOT variants, accesses a certain site in order to retrieve a configuration file. The said configuration file contains the list of URLs that the malware will monitor in order to steal related credentials. What makes this particular variant noteworthy, however, is that it employs a domain-generation technique. This means that unlike other ZBOT variants that already have a preset URL to access in order to download the configuration file, TSPY_ZBOT.FAZ randomly generates URLs to access through a randomizing function that is computed based on the system’s current date.
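To make the date-seeded domain-generation idea concrete from the defender's side, here is an added example (not Trend Micro's code, and not the actual algorithm used by TSPY_ZBOT.FAZ, which the post does not describe). It models a hypothetical DGA that derives a handful of domains from the calendar date, shows how a defender can precompute the candidate domains for the coming days, and then checks a few constructed DNS query log lines against that list. The seed, the label scheme, the TLD list and the log format are all assumptions made for the illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed TLD list for the illustration; a real family's choice would come from analysis.
TLDS = ("com", "net", "org")


def generate_domains(day, count=5, seed=b"illustrative-seed"):
    """Hypothetical date-seeded DGA: derive `count` pseudo-random domains from a date.

    The same (seed, day) always yields the same list, which is exactly the property
    that lets a defender precompute and block the domains before they are used.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]  # 12 hex characters as the hostname label (assumed scheme)
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def candidate_set(start, days_ahead=7, count=5):
    """Precompute every domain the hypothetical DGA can produce for the next `days_ahead` days."""
    candidates = set()
    for offset in range(days_ahead):
        candidates.update(generate_domains(start + timedelta(days=offset), count))
    return candidates


def flag_dga_queries(log_lines, candidates):
    """Return (client_ip, qname) for each DNS query that hits a precomputed DGA domain.

    Constructed log format: "<timestamp> <client-ip> query <qname>".
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in candidates:
            hits.append((parts[1], qname))
    return hits


# Constructed sample data: the date matches the blog's timeframe, and two of the four
# queries are deliberately built from the hypothetical DGA so the detection has something to find.
TODAY = date(2011, 8, 22)
SAMPLE_LOG = [
    f"2011-08-22T10:01:02 10.0.0.5 query {generate_domains(TODAY)[0]}.",
    "2011-08-22T10:01:03 10.0.0.5 query www.example.com.",
    f"2011-08-22T10:02:10 10.0.0.9 query {generate_domains(TODAY + timedelta(days=1))[2]}.",
    "2011-08-22T10:03:00 10.0.0.7 query updates.example.org.",
]


def run_detection():
    """Precompute a week of candidate domains and match the sample log against them."""
    return flag_dga_queries(SAMPLE_LOG, candidate_set(TODAY))


if __name__ == "__main__":
    for client_ip, qname in run_detection():
        print(f"possible DGA lookup from {client_ip}: {qname}")
```

The detection only works once the generation function and its seed have been recovered from a sample; until then the same DNS logs can still be triaged by looking for bursts of NXDOMAIN answers to random-looking labels, which is the typical footprint of a host cycling through generated domains that have not been registered.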
Note that this is not the first time we’ve seen ZBOT variants that use a domain-generation algorithm distributed through spammed messages. In fact, we came across a run just last month that used messages that appeared to come from the IRS. The use of the most popular social networking site, however, will definitely hook more unsuspecting users.
ZBOT variants that use domain-generation techniques are not new to us either. We’ve been on the lookout for this particular type of malware, especially after we found LICAT/MUROFET use the said technique last year.
Users are now protected from this threat through the Trend Micro™ Smart Protection Network™. The spammed messages are already being blocked, along with related URLs. The blocked URLs include those generated by the malicious file, which we detect as well.
Past LICAT/MUROFET-related blog entries:
- File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
- ZeuS Ups the Ante with LICAT
- ZeuS’ Response to Automated Analysis
- The Plot Thickens for ZeuS-LICAT
- Full Analysis of the ZeuS-LICAT Trojan
- Updated ZeuS-LICAT Variant Spotted
- LICAT Variant Distributed via IRS-Related Spam
Update as of August 23, 2011, 3:34 AM PST
We received samples of the same spam that downloads a new binary file. The said file is now detected as TSPY_ZBOT.HII.
Update as of August 24, 2011, 9:31 PM PST
We’re still receiving spam samples leading to yet another binary file. It is now detected as TSPY_ZBOT.FAD.