Published: November 27 2009, 01:18 AM by Mary Grace Gabriel
We have already blogged about several techniques that Zbot uses to infect users.
First, a malicious link included in the body of its spammed emails. Clicking the link directs you to a bogus website that asks you to download and execute various kinds of "reports, tools and statements", for example the IRS Fraud Application, a fake Microsoft Outlook Update, FDIC Deposit Insurance Coverage, Social Security Statement, a fake Macromedia Flash Player and, lately, the Photo Scandal.
Second, malicious executables attached in archive format to its spammed emails, for example the Myspace Password Reset Confirmation and the Vodafone Balance Checker Tool.
Third, phishing with a twist, which so far targets only Facebook and Myspace users. The spammed emails contain a link; clicking it directs you to a bogus Facebook or Myspace website that asks you to enter your login credentials. After logging in, you are asked to download and execute "update tools".
Now, the latest technique used in its spammed emails is the "Drive-By Download".
CA ISBU recently received new spammed emails disguised as a legitimate email from the Internal Revenue Service (IRS), requesting that the user submit their "Tax Refund Request Form" by clicking on the link provided [Figure 1].
[Figure 1 – Sample IRS Tax Refund Email]
The email Subject is: IRS e-file refund notification
The email Body is:
--------------------------------------------------------------------------------------------------------
After the last annual calculations of your fiscal activity we have determined that you are eligible to
receive 760.22$ tax refund under section 501(c) (18) of the Internal Revenue Code. Please submit the
Tax Refund Request Form and allow us 3-9 days to process it.
Yours faithfully,
Sarah Hall Ingram, Commissioner
This notification has been sent by the Internal Revenue Service, a bureau of the Department of the
Treasury.
--------------------------------------------------------------------------------------------------------
Once you click the "Tax Refund Request Form" link, you see a blank browser window [Figure 2]. It may look as if nothing is happening, but behind the scenes malicious code is downloading and installing a variant of the Win32/Zbot malware family.

[Figure 2 – Malicious Blank Website]
As Figure 2 shows, viewing the source code of the website reveals, in the highlighted part of the code, two iframe tags.
Inspecting the source code of the websites referenced by the iframe tags shows an encoded JavaScript. Decoding the JavaScript shows that the files "example.pdf" and "annonce.pdf" will be executed by the browser, since each is also referenced in an iframe tag, as shown in Figure 3 and Figure 4.

[Figure 3 – Iframe Website No.1]

[Figure 4 – Iframe Website No.2]
The referenced PDF files contain encoded JavaScript that exploits Adobe Reader. Decoding the streams reveals shellcode that downloads and executes the file "loadpdf.php", which is actually an executable file (detected by CA as a Win32/Oficla variant) that in turn downloads and executes a variant of Win32/Zbot [Figure 5 and Figure 6].
CA Anti-Virus solutions detect these malicious PDF files as PDF/Pidief variants.

[Figure 5 – Malicious PDF 1]

[Figure 6 – Malicious PDF 2]
The JavaScript exploits the util.printf() remote code execution vulnerability (CVE-2008-2992). In addition, it exploits vulnerabilities in the Collab object methods Collab.collectEmailInfo() and Collab.getIcon() (CVE-2007-5659 and CVE-2009-0927 respectively).
All these exploits use the same shellcode, which downloads and executes a malware binary from the Internet.
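As an added example, not part of the original post and not CA's detection logic, the following Python triage script does what the analysis above describes by hand: it inflates a PDF's FlateDecode streams and flags both the script markers and the three vulnerable Reader API names. The PDF it builds is a constructed sample with a harmless script, not example.pdf or annonce.pdf.

```python
import re
import zlib

# API names abused by the three exploits described above
# (CVE-2008-2992, CVE-2007-5659, CVE-2009-0927).
SUSPICIOUS_CALLS = ("util.printf", "Collab.collectEmailInfo", "Collab.getIcon")
# Dictionary keys that attach script to a document or trigger it on open.
JS_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_streams(pdf_bytes):
    """Yield every stream body, inflating it when its object dictionary says /FlateDecode."""
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        # The object dictionary sits between the last 'obj' keyword and 'stream'.
        obj_start = max(pdf_bytes.rfind(b" obj", 0, match.start()), 0)
        if b"/FlateDecode" in pdf_bytes[obj_start:match.start()]:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # truncated or deliberately corrupt stream: fall back to raw bytes
        yield body


def triage_pdf(pdf_bytes):
    """Report script markers in the file and vulnerable API names in its (inflated) streams."""
    markers = [m.decode() for m in JS_MARKERS if m in pdf_bytes]
    calls = set()
    for body in extract_streams(pdf_bytes):
        text = body.decode("latin-1")  # lossless byte-to-text mapping for substring search
        calls.update(c for c in SUSPICIOUS_CALLS if c in text)
    return {"markers": markers, "calls": sorted(calls),
            "suspicious": bool(markers) and bool(calls)}


def build_sample_pdf():
    """Constructed sample (hypothetical, not the post's PDFs): OpenAction runs a deflated script."""
    script = zlib.compress(b'app.alert(util.printf("%s", "constructed sample"));')
    header = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
              b"4 0 obj << /Length " + str(len(script)).encode() + b" /Filter /FlateDecode >>\nstream\n")
    return header + script + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

Real samples obfuscate the script and often assemble the API names at runtime, so treat a hit as a strong signal but an empty result as no evidence either way.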
Again, we advise users to beware of these kinds of emails and always make sure that your software applications are up to date. These sites were still active at the time of publication. Malware related to this blog is detected by CA, and customers running CA Antivirus solutions with up-to-date signatures will be alerted accordingly.
Tags: exploit, PDF/Pidief, Adobe Reader, CVE-2009-0927, CVE-2007-5659, Win32/Zbot, example.pdf, IRS, IRS Tax Refund Spam, Tax Refund Request Form, loadpdf.php, Win32/Oficla, Internal Revenue Service, Drive-By Download, annonce.pdf, IRS e-file refund notification, Sarah Hall Ingram, Collab.collectEmailInfo(), CVE-2008-2992, Collab.getIcon(), util.printf()