Zeus & Zapchast Malware E-Cards Start the Christmas Offensive

 

Saint Nicholas Day and Christmas are just a couple of days away, and cyber-crooks have already started spamvertising their “best wishes” packed full with malware. This month’s specialty seems to be a main dish of ZBot served with a side of the Zapchast backdoor, which is exactly what you need to infect your system with before the online shopping spree for Christmas gifts.

 

Click here to win a brand-new copy of ZBot, limited edition.

The message is disguised as a holyday joint-venture between search engine and social networking giants offering a preview of the upcoming Google® Chrome™ OS. You only have to open the attached HTML file, which contains a piece of obfuscated JavaScript code. As soon as the page is opened in a browser, it will redirect the user to an executable file.

Obfuscated Javascript code that leads to malware

The downloaded binary file is a .NET application, which means that it requires the .Net framework for it to run properly. This is a typical case of malware that can run on Windows Vista and Windows 7, since both versions of the operating system come with preinstalled .Net framework.  Once executed, the binary file drops another downloader (identified by BitDefender as Trojan.Generic.KD.78236) as well as a legit file called system.data.sqlite.dll.

The latter downloader brings a couple of files which it copies in the Documents and Settings/%USER%/templates folder, in %SYSTEM32%, as well as in in the Windows directory as a screensaver. All these infected files are instances of the ZBot, but the dropper takes the invasion one step ahead by also planting a secondary e-threat intercepted by BitDefender as Worm.Generic.286944.

This worm is an advanced information thief that can extract data either from Registry and configuration files, or by intercepting user’s keystrokes. What’s particularly important about the worm is the fact that it tries to recover CD-keys and software serial numbers, which can then be sold on the gray market as the notorious “OEM offers” we’ve been describing in older issues of the Spam Omelette. The information it collects is deposited in a database (hence the need for the system.data.sqlite.dll file), which will be uploaded on a FTP account.

This indirect installation via a downloader Trojan ensures that the Zbot binary stays undetected for a longer period of time. After all, it’s easier for the malware writer to recompile a regular downloader in order to evade detection than to modify an advanced piece of malware such as the ZBot.

Romanian social engineering: Saint Nicholas spreading malware

Traditionally, winter holiday malware comes as attachments to alleged greeting cards. Backdoor.Zapchast.PI makes no exception to the rule.

This specific spam campaign tries to lure users into involuntarily installing malware, but it targets Romanian computer users only.  Advertised as a greeting card on Saint Nicholas’ Holiday, the message is written in Romanian and features a link pointing to Backdoor.Zapchast.PI, rather than to a greeting card, as promised.

If the unwary user runs the “greeting card”, it will try to install and register an IRC client and also to create the appropriate Registry keys that will launch it upon every system restart. The backdoor connects itself to a pre-determined list of IRC channels and waits for further instructions from the attacker. Some of the most important features of the bot are the ability to download and execute other files as per the remote attacker’s requests, as well as collecting information by intercepting users’ keystrokes.

In order to enjoy your holiday shopping season, ensure that you have installed and updated a security solution before entering credit card information. Alternatively, you may wish to perform a 60-second Quick Scan to see if your computer is infected and might siphon credit card data to cyber-crooks.

Some information in this material is available courtesy of BitDefender antimalware researcher Octavian Minea.