Friday, November 22, 2013

Zbot/Zeus Malware Claiming to be a Security Patch

SophosLabs alerted a spam campaign that seemed to originate from a a different unknown security and anti-virus company.

The messages have a variety of subject lines, such as:
Windows Defender: Important System Update -
requires immediate action
AVG Anti-Virus Free Edition: Important System Update -
requires immediate action
AVG Internet Security 2012: Important System Update -
requires immediate action
Kaspersky Anti-Virus: Important System Update -
requires immediate action
Microsoft Security Essentials: Important System Update -
requires immediate action
All emails being sent look pretty much the same, claiming to include an important security update to overcome “the new malware circulating over the net”.


Important System Update – requires immediate action
It’s highly important to install this security update due to the new malware circulating over the net. To complete the action please double click on the system patch KB923029 in the attachment. The installation will run in the silent mode. Please pay attention to this matter and inform us in case there is a problem.

Don’t be fooled

This email uses a CryptoLocker ransomware that locks your files and then makes you may them back to obtain them.

There is no “system patch KB923029,” and even if there were, neither Microsoft or any other security company would send you a reminder for a security update through an email attachment.

Also, if you are a native speaker of English, you should spot the grammatical errors and misuse of words.
→ The fact that an email is grammatically flawless, in English or any other language, is not an indicator of legitimacy. But language blunders in English, in an email purporting to come from the New York office of a legitimate software company, are a strong indicator of bogosity. If the crooks can’t even be both to trying rite and spel decent, you may as well use their linguistic sloppiness against them.

The ZIP file contains an EXE (a program file); that program file is one of the many variants of the Zbot malware, also known as Zeus, that we see on a regular basis.

You’re expected to open the ZIP and run the program inside, which has a name like this:

HOTFIX_patch_KB_00000...many digits...56925.exe
There’s nothing wrong with having an EXE inside a ZIP file.

But a ZIP that contains only an EXE, and that was delivered by email, is just as suspicious as a plain EXE that arrives as an attachment.

If you do run it, the EXE installs itself into:

C:\Documents and Settings\%USER%\Application Data\
with a random filename, and adds itself to the registry key:

so that it gets launched every time you reboot or logon.

We shouldn’t need to remind you, but we’ll do so in case you want to remind someone else:
  • Don’t open email attachments you weren’t expecting.
  • Don’t believe emails that claim to be sending you a security patch – by email.
  • Don’t ignore clues such as poor grammar or spelling in emails that claim to be official.
  • Don’t neglect to keep your software patches up to date – but never by email.
Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+


Spam from an anti-virus company claiming to be a security patch? It’s Zbot/Zeus malware… – Naked Security

No comments:

Post a Comment