New UPS ZBot Trojan spam (Dec 18, 2008)


SonicWALL UTM Research team observed a new wave of the on-going UPS invoice spam campaign starting Wednesday, December 17, 2008. The email has a zip archived attachment which contains the new ZBot Trojan variant.

SonicWALL has received more than 1,500 e-mail copies of this malware till date. This malware is spread in the same way as the previous ZBot variant of Nov 21 (described here), but the sample has been updated to thwart antivirus detection.

The behavior is identical to the previous one, except this variant connects to download an encrypted configuration file from a different location:

* GAV: Zbot.GSV (Nov 21, 2008) –
* GAV: Zbot.GAB (Dec 17, 2008) –

At this time only 6 antivirus vendors detect this malware.

The Trojan is also known as Trojan-Spy.Win32.Zbot.idq [Kaspersky], Mal/Zbot-G [Sophos], and TR/Spy.ZBot.IAX [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GAB (Trojan) and GAV: Zbot.GAA (Trojan) signatures.

The GAV: Zbot.GAB (Trojan) signature received more than 55,000 hits in the last 24 hours, demonstrating that this malware is very active in the wild at the moment. The following figure shows the hits per hour so far.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.