Our team recently encountered a spam run that leads to the download of a ZBOT variant that uses domain-generation technique. The spam run involves messages that arrive in users’ inboxes as a Facebook friend request notification.
The message bears a link that the user must click to approve the friend request. Clicking the said link, however, will only lead to a page informing the user that they need to install the latest version of Adobe Flash Player in order to proceed. Unsurprisingly, the downloaded file is not the Adobe Flash Player installer, but a malicious file detected as TSPY_ZBOT.FAZ.
 |  |
TSPY_ZBOT.FAZ, like most ZBOT variants, connects to a certain site in order to retrieve a configuration file. The said configuration file contains the list of URLs the malware will monitor, in order to steal related credentials. What makes this particular variant noteworthy however, is that it employs domain-generation technique. This means that unlike other ZBOT variants that already have a preset URL to which they will connect to in order to download the configuration file, TSPY_ZBOT.FAZ randomly generates the URL through a randomizing function that is computed based on the system’s current date.
Note that this is not the first time that we’ve seen ZBOT variants with domain-generation algorithm being distributed through spam. We saw a run that used messages that appear to come from IRS just last month. This usage of the most popular social networking site, however, will definitely hook more unsuspecting users.
ZBOT variants that use domain-generation techniques are not new to us either. We’ve been on the look out for this particular type of malware, especially after we found LICAT/MUROFET using the said technique last year.
Users are now protected from this threat through the Trend MicroT Smart Protection NetworkT. The spam emails are already blocked, as well as all related URLs. The blocked URLs include those generated by the malicious file, which is detected as well.
Past LICAT/MUROFET-related blog entries:
- File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
- ZeuS Ups the Ante with LICAT
- ZeuS’ Response to Automated Analysis
- The Plot Thickens for ZeuS-LICAT
- Full Analysis of the ZeuS-LICAT Trojan
- Updated ZeuS-LICAT Variant Spotted
- LICAT Variant Distributed via IRS-Related Spam
Update as of August 23, 2011, 3:34 AM PST
We’ve received samples of this same spam that connect to a new binary file. The said file is now detected as TSPY_ZBOT.HII.
Leave a reply
