Fake FDIC bank deposit insurance coverage notification leading to ZBot

This week’s malware distribution campaign, relying on a
medium size spam wave, features the abusive use of the governmental independent
agency name and identification elements to swindle the recession-panicked
account owners into downloading and endangering their computers.

The unsolicited message informs the assumed holders of an FDIC-insured
bank account that the agency has declared the bankruptcy of the supposed
financial institution where their accounts were opened. The message also asks
the recipients to check the status of their deposit insurance coverage, by
following an alleged customized link towards the Federal Deposit Insurance
Corporation Web site.

The link does not lead to the agency portal, but to a Web
page (registered on a .uk domain) that mimics a personal insurance
on-line account, employing several visual identification components of the
original FDIC Web site (namely the logo and the general formatting elements).

The page also provides a purported PDF and Word document
that the user should download and fill in. However, upon downloading the fake
files, the user does not receive the insurance e-form, but two executables
carrying a malicious payload, currently detected by BitDefender as
Trojan.Zbot.DLO, which is, in effect, another version of the infamous ZBot.

This long-lasting Trojan is still very prolific, as proven
by the last weeks’ malware dissemination campaigns that exploited
IRS’ identity. This breed also has rootkit components that facilitate its
hidden installation onto the compromised machines, either in the Windows or
Program Files directory. ZBot injects code into several processes and adds
exceptions to the Microsoft