Published: November 22 2009, 09:35 PM by Satyendra Kumar
By Mary Grace Gabriel & Satyendra Teppalavalasa
“Zbot as Flash Update?”
The CA Research team has identified a new spam e-mail in the wild that carries an embedded URL linking to malware.
[Figure 1 – Sample Spam Email]
The email contains the Subject: please update your user@<yourdomain> mailbox
The email contains the Body:
-----------------------------------------------------------------------------------------------------------------------
Dear owner of the user@<yourdomain> mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:
http://accounts.{yourdomain}.dirddrf.be/webmail/settings/noflash.php?mode=standart&id=5236183961831736912306248671355740858547&email={email address}
-----------------------------------------------------------------------------------------------------------------------
Other emails may contain the following Subjects:
dear owner of the {email address}
for {email} owner
for {yourdomain} email service user
for {email address} email service user
This spam e-mail spoofs the From and To addresses and tailors the subject and message body to the target recipient, so that it appears to come from a legitimate source.
The embedded link points to a website that displays the notice “You don't have the latest version of Macromedia Flash Player”, as shown in the following figure:

[Figure 2 – Fake Flash Player download page]
Clicking the links on that website downloads a Zbot malware variant, which compromises the user's computer when executed.
The CA Research team has also observed other web sites hosting this fake Flash download page:
- http://accounts.<yourdomain>.verzzm.org.uk/webmail/settings/noflash.php?mode=standart&id=&email=<removed>
- http://accounts.<yourdomain>.ftpddrs.be/webmail/settings/noflash.php?mode=standart&id=2&email=<removed>
CA customers are protected: CA detects this malware as Win32/Zbot.BH and Win32/Zbot.BI.
The CA Research team also identified the following two e-mail messages, which trick users into downloading malware attached to the e-mails.
The following message claims “unusual activity” in the user's mailbox and instructs the user to download the attachment and run it.

[Figure 3 – Sample Spam Email]
The email contains the Subject: your mailbox has been deactivated
The email contains the Body:
-----------------------------------------------------------------------------------------------------------------------
We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.
Best regards, {yourdomain} technical support.
-----------------------------------------------------------------------------------------------------------------------
The email contains a malicious zipped file attachment with the filename utility.zip. This file is detected by CA as a Win32/Oficla variant.
Another e-mail, seen more widely in the wild, has the same aim of compromising the user's system with a malicious attachment. It tells the user that if they do not wish to pay the amount mentioned in the e-mail, they should install the “Transaction Inspector Module”, which is the malicious attachment.

[Figure 4 – Sample Spam Email]
The email contains the Subject: payment request from "Starbucks"
The email contains the Body:
-----------------------------------------------------------------------------------------------------------------------
We recorded a payment request from "Starbucks" to enable the charge of $4173.90 on your account.
The payment is pending for the moment.
If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Starbucks".
If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).
-----------------------------------------------------------------------------------------------------------------------
The email contains a malicious zipped file attachment with the filename module.zip. This file is detected by CA as a Win32/Oficla variant.
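As an added illustration (not part of the original CA post), here is a Python triage routine that scores a raw message against the lure traits described above: the recipient-personalised subject templates, the noflash.php?mode=standart link path shared by the listed hosts, and the utility.zip / module.zip attachment names. The sample messages are constructed here, and the support@ sender and example.com recipient are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject templates from the post; the spam fills {email}/{yourdomain} in per recipient.
SUBJECT_HINTS = ("please update your", "dear owner of the", "email service user",
                 "mailbox has been deactivated", "payment request from")
# Fake Flash page path reused on every lure host named in the post.
LURE_URL = re.compile(r"https?://accounts\.[^\s/]+/webmail/settings/noflash\.php\?mode=standart", re.I)
LURE_ATTACHMENTS = {"utility.zip", "module.zip"}

def score_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the lures; empty list if clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, subject = [], str(msg["Subject"] or "").lower()
    if any(hint in subject for hint in SUBJECT_HINTS):
        reasons.append("subject matches a known lure template")
        addrs = msg["To"].addresses if msg["To"] else ()  # the Flash lure embeds the victim's own address
        if addrs and addrs[0].domain.lower() in subject:
            reasons.append("subject is personalised with the recipient's own address")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and LURE_URL.search(body.get_content()):
        reasons.append("body links to the fake Flash update page (noflash.php?mode=standart)")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in LURE_ATTACHMENTS:
            reasons.append("attachment %s matches a known lure filename" % name)
    return reasons

def build_sample(subject, to, body, attachment=None) -> bytes:
    """Constructed test message (not a real capture) in the shape the post describes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "support@" + to.partition("@")[2], to, subject
    m.set_content(body)
    if attachment:  # a few bytes of ZIP magic stand in for the malicious archive
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment)
    return m.as_bytes()

FLASH_SAMPLE = build_sample(
    "please update your alice@example.com mailbox", "alice@example.com",
    "Please change the security mode by using the link below:\n"
    "http://accounts.example.com.dirddrf.be/webmail/settings/noflash.php?mode=standart&id=1&email=alice@example.com\n")
ZIP_SAMPLE = build_sample("your mailbox has been deactivated", "bob@example.com",
                          "To restore your mailbox, extract and run the attached mailbox utility.", "utility.zip")
CLEAN_SAMPLE = build_sample("Lunch on Friday?", "bob@example.com", "Same place as last week?")

if __name__ == "__main__":
    for label, raw in (("flash", FLASH_SAMPLE), ("zip", ZIP_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, score_message(raw) or ["no indicators"])
```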
In both cases CA customers are protected. Don't forget to update your antivirus software regularly.
Well these emails deserve a deletion.
Tags: spam, fake, Satyendra, Teppalavalasa, update, Emails, Utility.Zip, Module.Zip, Grace, Marry, Flash