Balance checker Trojan – New Zbot variant (Nov 17, 2009)


SonicWALL UTM Research team observed a new Zbot Trojan variant being spammed targeting Verizon wireless customers. The e-mail messages pretend to arrive from Verizon Wireless and inform the users that their account is over the limit. They also ask the user to download the attachment which pretends to be a balance checker program to review payments.

The email messages look like this:


The spam campaign started during the morning of November 13th, 2009 and lasted until early hours of November 16th, 2009. SonicWALL UTM Research team saw e-mails being spammed at a rate of 200,000 emails per hour steady throughout the weekend.

The fake balance checker application included in the e-mail is the new Zbot Trojan variant. This Zbot variant was re-packaged six times over the weekend in order to evade antivirus detection. Previous Zbot spam campaigns also used social engineering like “Myspace password reset confirmation” – link and “Fake IRS notice” – link

SonicWALL Gateway AntiVirus provided proactive protection against this entire spam campaign via GAV: Regrun (Trojan) signature. There were close to 9 million hits recorded for this signatures in last five days.


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.