The Latest in IT Security

Zbot Trojan spreads through fake ConEdison billing notification email


Today we came across a new malicious spam campaign that is actively sent out by the Cutwail spam botnet. The suspicious email claims to be a bill summary from the New York-based energy company Con Edison, Inc. It may use the subject line “ConEdison Billing Summary as of <DATE>” and the attachment uses the filename format Billing-Summary-ConEdison-<random numbers>-<Date>.zip.

The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise. It uses no fake icons of Adobe Reader or Microsft Word, no double file extensions, or excessive use of space in the file name to hide the .EXE extension. The attached file is so dull that average users should easily spot that the file is suspicious.

The good news is that when this particular Zbot sample was run, it failed to communicate to its command and control (CnC) server at plantlunch[dot]ru which turns out to be currently offline.


In conclusion, bill notifications do not usually arrive with an executable file so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email. M86 MailMarshal customers were protected against this campaign from the moment it began.


  1. Thomas January 17, 2012

    I have a question regarding this problem, I unfortunately did not recognize this as a virus and accidentally installed it, last wednesday 1/11/12, when i realized the next day it was probably a virus I downloaded the necessary virus scanner software and got rid of the virus. My question is whether or not I should be worried about identity theft due to having this virus and then getting rid of it. I see from this blog that the C&C server was down during the time when I had the virus, does this mean that as long as I got rid of it, and it was down during the time that I had it, that no information could have been sent? I am obviously worried and want to make sure I take the correct steps to avoid any type of identity theft or criminal stealing my account information. Any help with this would be greatly appreciated.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments