Fake Amazon order – New Zbot variant (May 14, 2010)

SonicWALL UTM Research team discovered a new Zbot spam campaign involving a fake order-payment e-mail from Amazon. The e-mail instructs the user to download the attached file, which it claims is a document containing the order tracking number.

The zip attachment contains a malicious executable whose icon is disguised as a Microsoft Word document. This executable is a new variant of the Zbot Trojan.

The e-mail message looks like:

screenshot

The downloaded fake tracking number document looks like:

screenshot

If the user tries to open this fake document file, the executable performs the following activities:

  • Connects to a malicious domain hulejsoops.ru, which is a Zbot Command & Control (C&C) server, and sends the following HTTP requests:
    • GET /images/bb.php?v=2(REMOVED)m=40
    • GET /images/bb.php?v=2(REMOVED)m=41

  • Upon successful connection and authentication to the C&C server, it receives the following command strings, which direct it to download additional malware as well as an encrypted configuration file:

    screenshot

  • Based on the above command strings, it downloads and executes all or some of these files, depending on the victim machine:
    • (SYSTEM)\lowsec\local.ds
    • (SYSTEM)\lowsec\user.ds
    • (SYSTEM)\lowsec\user.ds.lll
    • (SYSTEM)\sdra64.exe [Detected as GAV: Wigon.KG (Trojan)]
    • (SYSTEM)\thxr.wgo
    • (SYSTEM)\ustftqmbt.exe [Detected as GAV: Wigon.KG (Trojan)]

  • Registry modifications to ensure that the malware executes on each system reboot (sdra64.exe is appended to the Winlogon Userinit value so it is launched at every logon, and ustftqmbt.exe is added as a Run key entry):
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "(SYSTEM)\userinit.exe,(SYSTEM)\sdra64.exe,"
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ustftqmbt: "(SYSTEM)\ustftqmbt.exe"
  • Downloads the configuration file konf1.bin from one of the URLs found in the command string received from the C&C server.
  • Deletes the original copy of the file.
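The network and persistence indicators above give a defender two places to look: proxy logs for the beacon to hulejsoops.ru/images/bb.php, and the Winlogon Userinit and Run registry values for the dropped executables. The following script is an added example (not SonicWALL's code) that runs both checks over constructed sample data. It assumes a Squid-style access log (URL in the seventh field) and a regedit .reg export; the alert redacts the middle of the beacon query string, so the sample log stands a REDACTED placeholder in for it.

```python
"""Defender-side checks for the Zbot indicators reported in the alert.

The proxy log lines and registry export below are constructed samples; the
domain, URI path, file names and registry keys are the ones the alert lists.
"""
from urllib.parse import parse_qs, urlsplit

# Indicators from the alert.
C2_DOMAIN = "hulejsoops.ru"
C2_PATH = "/images/bb.php"
DROPPED_EXES = {"sdra64.exe", "ustftqmbt.exe"}
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed Squid-style access log: ts elapsed client status bytes method url ...
# The REDACTED token stands in for the part of the query the alert removed.
SAMPLE_PROXY_LOG = """\
1273852800.123 212 10.0.0.15 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1273852801.456 180 10.0.0.15 TCP_MISS/200 1024 GET http://hulejsoops.ru/images/bb.php?v=2&REDACTED&m=40 - DIRECT/0.0.0.0 text/plain
1273852802.789 175 10.0.0.15 TCP_MISS/200 2048 GET http://hulejsoops.ru/images/bb.php?v=2&REDACTED&m=41 - DIRECT/0.0.0.0 text/plain
"""

# Constructed .reg export of an infected host (paths are assumed, not from the alert).
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ustftqmbt"="C:\\WINDOWS\\system32\\ustftqmbt.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""


def find_c2_requests(log_text):
    """Return (client_ip, url, m) for every request to the C&C beacon URL."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        parts = urlsplit(url)
        if parts.hostname == C2_DOMAIN and parts.path == C2_PATH:
            # parse_qs skips the bare REDACTED token; 'm' still comes through.
            m = parse_qs(parts.query).get("m", [None])[0]
            hits.append((client, url, m))
    return hits


def parse_reg_export(text):
    """Minimal parser for a regedit export: returns {key: {value_name: data}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            reg[current][name] = data
    return reg


def check_userinit(reg):
    """Userinit should list only userinit.exe; any extra entry is a logon hook."""
    value = reg.get(WINLOGON_KEY, {}).get("Userinit", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def check_run_key(reg):
    """Return Run entries whose target is one of the executables the alert lists."""
    flagged = []
    for name, data in reg.get(RUN_KEY, {}).items():
        exe = data.strip('"').rsplit("\\", 1)[-1].lower()
        if exe in DROPPED_EXES:
            flagged.append((name, data))
    return flagged


if __name__ == "__main__":
    for client, url, m in find_c2_requests(SAMPLE_PROXY_LOG):
        print(f"C&C beacon from {client}: {url} (m={m})")
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    for entry in check_userinit(reg):
        print(f"Unexpected Userinit entry: {entry}")
    for name, data in check_run_key(reg):
        print(f"Suspicious Run value {name}: {data}")
```

The Userinit check is the more durable of the two: the dropped file names change between builds, but a second path appended to Userinit is abnormal on any Windows host and is worth alerting on regardless of the name it carries.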

The Trojan had very low AV detection at the time of writing this alert; it is also known as Trojan.Win32.VBKrypt.td [Kaspersky] and Mal/Koobface-E [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.TD (Trojan) signature.
