ZeuS/ZBOT: Most Distributed Malware by Spam in August
In our 2Q Security Roundup, we noted the resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some times, its prevalence shows that it is still a big threat to end users today.
For the month of August, 23% of spam with malicious attachments were found carrying ZeuS/ZBOT variants, while 19% served FAREIT variants.
ZeuS/ZBOT variants also had the distinction of being the most distributed malware by IPs related to spam botnets. It is also associated with various worm families that can spread itself or other malware families via email. A system infected with ZeuS/ZBOT may be infected about five other worm variants like WORM_MYDOOM, WORM_VB, and WORM_BAGLE.
Figure 1. Malware families spread by spam
Compared to others, the majority of spam carrying either ZeuS/ZBOT or FAREIT looked more like legitimate messages, and were likely to supposedly come from well-known brands or companies.
Figures 2. Sample FAREIT spam
Figures 3. Sample ZeuS/ZBOT spam
Once installed, Zeus/ZBOT variants are known to monitor users’ browsing behavior pertaining to visits to specific online banking sites. If users visit these sites and tries to login using their credentials, the malware inject additional field for users to fill out and then steal these information. Cybercriminals can then use these stolen data to either initiate unauthorized transactions or sell in the underground market.
FAREIT is another data-stealing malware that gathers emails and FTP login credentials. This malware can also download other malware variants, including Zeus/ZBOT. Previously, we saw a UK tax-themed spam that delivers a FAREIT variant, which also downloads a ZBOT malware.
Trend Micro blocks the spammed messages and detects the malware cited in this blog post. It is important for end users to know how to tell apart legitimate email from spam, particularly those that use well-known brands as a social engineering lures. Best computing practices, such as being wary of attachments from unverified email, can come a long way when it comes to protecting your system and information.