Evasive Malware Delivered In Fake BBB Complaint
Malicious emails claiming to be from the Better Business Bureau have been hitting our spam and virus filters en-masse today. These messages attempt to convince the recipient that the BBB has received a complaint from a customer and that it the file attached to the email contains a summary of the complaint. You are instructed to open and read the attached “report” and reply with your response to the claim. The problem is that the “report” is actually an executable file that contains a nasty Trojan/Virus.
Here is a look at the message:
Preliminary examination of the file indicates that it is a variant of the ever popular Zeus or Zbot. However, some behaviors differ slightly from some of the most recent Zbot infections we have examined. Once this variant launches and hides itself it does a good job of disarming the host machine by making the following changes :
Disables the TaskManager:
REGISTRYMACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem"DisableTaskMgr" = 0x00000001
Malware disabling signed binary check:
REGISTRYUSERS-1-5-21-2861947270-1595359862-2473858597-1000SoftwareMicrosoftInternet ExplorerDownload"CheckExeSignatures" = no
Malware modifying windows explorer settings:
1-5-21-2861947270-1595359862-2473858597-1000SoftwareMicrosoftWindowsCurrentVersionPoliciesAttachments"SaveZoneInformation" = 0x00000001
Malware reduced executable download risk
1-5-21-2861947270-1595359862-2473858597-1000SoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations"LowRiskFileTypes" = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi,.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
Communication is observed with the following domains:
Currently only 9 of 42(21%) AV providers are identifying this threat as malicious and in the past 24 hours we have seen nearly one half million of these messages hit our filters. The Zbot or Zeus malware family has been stealing money from people’s bank accounts and other sensitive logins since 2008. In addition to capturing your bank account login credentials Zeus has been known to steal Facebook logins as well. In addition to information theft, Zbot also hijacks your machine and enslaves it to a botnet. Avoid falling for this attack and if your ever in doubt pick up the phone and call the sender to see if it is real.