New UPS ZBot Trojan spam (Dec 18, 2008)
SonicWALL UTM Research team observed a new wave of the on-going UPS invoice spam campaign starting Wednesday, December 17, 2008. The email has a zip archived attachment which contains the new ZBot Trojan variant.
SonicWALL has received more than 1,500 e-mail copies of this malware till date. This malware is spread in the same way as the previous ZBot variant of Nov 21 (described here), but the sample has been updated to thwart antivirus detection.
The behavior is identical to the previous one, except this variant connects to download an encrypted configuration file from a different location:
* GAV: Zbot.GSV (Nov 21, 2008) – pavelmoous.ru/pavel/conf.bin
* GAV: Zbot.GAB (Dec 17, 2008) – reservpptppp20.ru/igor.bin
At this time only 6 antivirus vendors detect this malware.
The Trojan is also known as Trojan-Spy.Win32.Zbot.idq [Kaspersky], Mal/Zbot-G [Sophos], and TR/Spy.ZBot.IAX [AntiVir].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GAB (Trojan) and GAV: Zbot.GAA (Trojan) signatures.
The GAV: Zbot.GAB (Trojan) signature received more than 55,000 hits in the last 24 hours, demonstrating that this malware is very active in the wild at the moment. The following figure shows the hits per hour so far.
