Federal Reserve Spam Message Carries Zeus Payload

Thursday, June 30, 2011



Security researchers are reporting a wave of spam emails designed to infect users' computers with the Zeus banking trojan.

The latest wave of unsolicited emails is designed to appear to be messages from the Federal Reserve concerning a failed funds transfer.

In typical fashion, the emails contain a fake PDF (.pdf) attachment that is actually an executable (.exe), which installs the Zeus trojan when the recipient opens the supposed document.

All Spammed Up reports that "the attack appears [to] focus on users of online banking services, especially small businesses and corporations. The messages are not well done. They are badly written and don’t really attempt to hide the fact that the attached file has the double extension .pdf.exe rather than the more legitimate .pdf."
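A mail filter can check for the `.pdf.exe` double extension described above. The following is an added example, not code from the article or the cited report; the extension lists, function names and the sample message are assumptions constructed for illustration. It also compares the file's leading bytes with its claimed type, so a renamed executable is still caught.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this example; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def classify_attachment(filename, payload):
    """Return the reasons an attachment looks like a disguised executable."""
    reasons = []
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    name = filename.strip().rstrip(". ").lower()
    exts = ["." + p.strip() for p in name.split(".")[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension " + final)
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension " + exts[-2] + final)
    # A Windows PE file starts with 'MZ' whatever the file name claims.
    if payload[:2] == b"MZ" and final not in EXECUTABLE_EXTS:
        reasons.append("PE header behind non-executable name")
    return reasons

def scan_message(raw_bytes):
    """Map each suspicious attachment name to the reasons it was flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings

def build_sample():
    """Constructed test message: harmless stub bytes, not real malware."""
    msg = EmailMessage()
    msg["Subject"] = "Funds transfer failed (constructed sample)"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See the attached report.")
    for name, data in [("transfer_report.pdf.exe", b"MZ\x90\x00"),
                       ("statement.pdf", b"MZ\x90\x00"),
                       ("invoice.pdf", b"%PDF-1.4\n")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```
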

One cannot always rely on poor grammar or a lack of link-destination and file-type obfuscation to spot the new wave of spam being employed for Zeus distribution, as the report explains:

"A similar campaign hit the net last week, pretending to be an invitation to sign up for a payment processing service. Those messages were very sophisticated and realistic looking, but like the rather sloppy Fed Reserve spam, they carried the Zeus Trojan as their payload. This time the delivery method was a fake Word document with a malicious Adobe Flash control embedded in it. All the recipient had to do to get infected was to open the document."

Researchers indicate that the massive campaign may be designed to repopulate an established botnet with new zombie devices, or may be an effort to quickly create a new network of enslaved machines.

The Zeus Trojan is widely hailed as one of the most dangerous pieces of malware to ever surface in the wild, and numerous variants of the malicious code continue to propagate.

The Zeus Trojan can lie dormant for long periods until the user of the infected machine accesses accounts such as those used for online banking. Zeus harvests passwords and authentication codes and then sends them to the attackers remotely.

Early in May, security researchers noted the release of source code for the Zeus Trojan. The code began to appear in underground discussion forums most often used by criminal hackers.

With the Zeus source code now widely available, there is a high likelihood that new variants of the malware will begin showing up in the wild, along with an increase in attack campaigns.

Security firm Trusteer reported earlier this year that an increasing number of websites are now known to host Zeus variants, and the report also shows that a growing number of networks are hosting command and control operations for Zeus-based botnets.

In April, researchers at security solutions provider Avira identified a Zeus Trojan variant accompanied by a signed digital certificate. On several occasions, Zeus variants have been detected with forged Kaspersky and Avira digital signatures.

Researchers at Trend Micro also recently revealed that a Zeus Trojan designed specifically to run on the BlackBerry operating system has been detected.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.