Phishing Alerts - WebSense
Please update your RSS readers and bookmarks, the Security Labs blog has moved!
Please update your RSS readers and bookmarks, we've moved to a new home! In addition to the new look-and-feel we have a few new things in place.
- We have merged the blog and alerts. If you subscribe to our Alerts you will still get emails when we see something that warrants an alert
- Added Categories to posts. This will make it much easier to find stories around the same topic
- Added Fliptop integration which makes it really easy to subscribe to this blog in different ways
We will add the ability to post Comments to the blog as well in the near future.
We hope you'll like it. Remember to update your RSS feeder address by clicking on "Subscribe" in the top-right corner as the old RSS feed will not be updated.
Do stop by to say hi to us at http://community.websense.com/blogs/securitylabs/
Malicious Web Site / Malicious Code: New Zbot campaign comes in a PDF
Websense Security Labs™ has received several reports of a Zbot trojan campaign spreading via email. We have seen over 2200 messages so far.
Zbot (also known as Zeus) is an information stealing trojan (infostealer) collecting confidential data from each infected computer. The main vector for spreading Zbot is a spam campaign where recipients are tricked into opening infected attachments on their computer.
This new variant uses a malicious PDF file which contains the threat as an embedded file. When recipients open the PDF, it asks to save a PDF file called Royal_Mail_Delivery_Notice.pdf. The user falsely assumes that the file is just a PDF, and therefore safe to store on the local computer. The file, however, is really a Windows executable. The malicious PDF launches the dropped file, taking control of the computer. At the time of writing this file has a 20% anti-virus detection rate (SHA1: f1ff07104b7c6a08e06bededd57789e776098b1f).
The threat creates a subdirectory under %SYSTEM32% with the name "lowsec" and drops the "local.ds" and "user.ds" files. These are configuration files for the threat. It also copies itself into %SYSTEM32% as "sdra64.exe" and modifies the registry entry "%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" to launch itself during system startup. When it runs, it injects malicious code into the Winlogon.exe instance in memory. This Zbot variant connects to a malicious remote server in China using an IP address of 59.44.[removed].[removed]:6010.
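The host artifacts listed above (the sdra64.exe copy, the lowsec\local.ds and lowsec\user.ds configuration files, and the altered Winlogon Userinit value) can be turned into a simple host check. The script below is an added example, not Websense code; it takes the Userinit string and a System32 directory listing as inputs so the logic runs offline, and assumes the stock Userinit value names only userinit.exe, which is the case on the Windows versions this campaign targets.

```python
"""Check a host for the Zbot artifacts named in the alert (added example)."""
import ntpath
import os
import sys

# Files the alert says the dropper places under %SYSTEM32%, relative to that directory.
DROPPED_FILES = ("sdra64.exe", "lowsec/local.ds", "lowsec/user.ds")
# The only program a clean Winlogon Userinit value should name (assumption, see lead-in).
EXPECTED_USERINIT = "userinit.exe"


def check_userinit(value: str) -> list:
    """Return entries in a Winlogon Userinit value other than the stock userinit.exe.

    The value is a comma-separated program list, e.g. 'C:\\WINDOWS\\system32\\userinit.exe,'.
    Zbot appends its own copy, so any extra entry is worth investigating.
    """
    suspicious = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != EXPECTED_USERINIT:
            suspicious.append(entry)
    return suspicious


def find_dropped_files(system32_listing) -> list:
    """Given paths relative to System32, return which of the alert's artifacts are present."""
    present = {p.replace("\\", "/").lower() for p in system32_listing}
    return [f for f in DROPPED_FILES if f in present]


def list_relative(root: str) -> list:
    """Walk a directory and return all file paths relative to it (used on a live host)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return paths


if __name__ == "__main__":
    # On a Windows host: read the live Userinit value and scan the real System32.
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    userinit = "userinit.exe,"  # placeholder when not on Windows
    if sys.platform == "win32":
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
        userinit = winreg.QueryValueEx(key, "Userinit")[0]
    print("suspicious Userinit entries:", check_userinit(userinit))
    print("dropped files present:", find_dropped_files(list_relative(system32)))
```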
[Screenshot: the email message]
[Screenshot: the PDF prompting to save the malicious embedded file]
[Screenshot: Adobe Acrobat Reader warning about launching the file]
The problem lies deep inside the PDF file format. This technique is similar to, but not the same as, the one explained in this blog post.
Update: In addition to the Royal Mail emails we have also seen emails that look like they are coming from Canada Post. These are primarily being sent to email addresses in the .ca domain space. See below for a screenshot.
Websense Messaging and Websense Web Security customers are protected against this attack.