ZBOT Variant That Uses Domain-Generation Technique Spreads Through Facebook


Our team recently encountered a spam run that leads to the download of a ZBOT variant that uses a domain-generation technique. The spam run involves messages that arrive in users’ inboxes disguised as a Facebook friend request notification.

The message bears a link that the user must click to approve the friend request. Clicking the said link, however, will only lead to a page informing the user that they need to install the latest version of Adobe Flash Player in order to proceed. Unsurprisingly, the downloaded file is not the Adobe Flash Player installer, but a malicious file detected as TSPY_ZBOT.FAZ.

TSPY_ZBOT.FAZ, like most ZBOT variants, connects to a remote site in order to retrieve a configuration file. This configuration file contains the list of URLs the malware monitors in order to steal the credentials entered on them. What makes this particular variant noteworthy, however, is that it employs a domain-generation technique. Unlike other ZBOT variants that carry a preset URL from which they download the configuration file, TSPY_ZBOT.FAZ computes the download location with a pseudo-random function seeded by the system’s current date, so the domain it contacts changes from day to day rather than being fixed in the binary.
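To make the mechanism concrete, the following is an added, constructed example written for this article; it is not the algorithm used by TSPY_ZBOT.FAZ (whose actual function is not reproduced here) and not Trend Micro code. It shows the two halves of the problem: a date-seeded generator of the kind the malware embeds, and the defender-side use of the same function once it has been recovered from a sample, namely pre-computing the day's domains for a blocklist or sinkhole and checking names seen in DNS logs against them. The seed constant, TLD list, label lengths and the 2011-08-23 sample date are all assumptions chosen for illustration.

```python
"""
Illustrative date-seeded domain-generation algorithm (DGA) with the
defender-side checks built on top of it. Constructed example: this is NOT
the real TSPY_ZBOT.FAZ algorithm, only a stand-in with the same shape
(hard-coded secret + current date -> daily list of candidate domains).
"""
import hashlib
from datetime import date, timedelta

# Hypothetical parameters: a malware author would hard-code values like these.
SEED = b"example-dga-seed"            # constructed constant, not from any sample
TLDS = ("com", "net", "org", "biz", "info")
DOMAINS_PER_DAY = 20
MIN_LEN, MAX_LEN = 12, 20             # length range of the generated label


def _as_date(day):
    """Accept either a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(day) if isinstance(day, str) else day


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Return the candidate C&C domains for one calendar day.

    The only inputs are SEED and the date, so every infected host (and every
    analyst who has extracted SEED from a sample) computes the same list.
    """
    day = _as_date(day)
    domains = []
    for index in range(count):
        # Mix the date and the slot index into a digest, then map the digest
        # bytes onto lowercase letters to build the second-level label.
        material = SEED + day.strftime("%Y%m%d").encode() + index.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = MIN_LEN + digest[0] % (MAX_LEN - MIN_LEN + 1)
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def predict_domains(start, days):
    """Pre-compute the domains for a window of days, e.g. to feed a blocklist
    or to register the names ahead of the malware (sinkholing)."""
    start = _as_date(start)
    return {start + timedelta(days=i): generate_domains(start + timedelta(days=i))
            for i in range(days)}


def is_dga_candidate(domain, observed_on, skew_days=1):
    """Check whether a name seen in resolver or proxy logs is one this DGA
    would produce on observed_on or within +/- skew_days. The skew window
    matters because infected hosts' clocks are not all set correctly."""
    observed_on = _as_date(observed_on)
    wanted = domain.lower().rstrip(".")
    for offset in range(-skew_days, skew_days + 1):
        if wanted in generate_domains(observed_on + timedelta(days=offset)):
            return True
    return False


if __name__ == "__main__":
    today = date(2011, 8, 23)  # date of this post's update, used only as sample input
    for d, names in predict_domains(today, 2).items():
        print(d, names[:3], "...")
    # Constructed sample of names as they might appear in a resolver log.
    sample_log = [
        generate_domains(today)[4],
        "www.facebook.com",
        generate_domains(today + timedelta(days=1))[0],
    ]
    for name in sample_log:
        verdict = "DGA candidate" if is_dga_candidate(name, today) else "not a candidate"
        print(f"{name} -> {verdict}")
```

The point for defenders is the asymmetry the page's last paragraph relies on: once the generator and its seed are recovered from a sample, the "random" domains are fully predictable, so the same function that evades a static URL blocklist also lets the analyst block or sinkhole every domain the malware will try for as many days ahead as desired.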

Note that this is not the first time we’ve seen ZBOT variants with a domain-generation algorithm being distributed through spam. Just last month we saw a run that used messages appearing to come from the IRS. Impersonating the most popular social networking site, however, is likely to hook far more unsuspecting users.

ZBOT variants that use domain-generation techniques are not new to us either. We’ve been on the lookout for this particular type of malware, especially since we found LICAT/MUROFET using the same technique last year.

Users are now protected from this threat through the Trend Micro™ Smart Protection Network™. The spam emails are already blocked, as are all related URLs, including the domains generated by the malicious file; the file itself is detected as well.

Past LICAT/MUROFET-related blog entries:

Update as of August 23, 2011, 3:34 AM PST

We’ve received samples of this same spam that connect to a new binary file. The said file is now detected as TSPY_ZBOT.HII.
