ZBot infections skyrocket by fraudulently using the Microsoft® Office® Outlook Web Access name
A recent malware distribution campaign uses the Microsoft Office Outlook Web Access name as cover.
The unsolicited message asks credulous users to "apply a new set of settings" to their mailboxes because several alleged "security upgrades" have been applied. The link in the e-mail leads to a Web page that abusively displays the Microsoft® and Microsoft® Office® logos, from which gullible users are supposed to download and launch the supposed e-mail settings file.
Instead, they receive more malware:
1) One of the most prolific and long-lasting Trojan breeds - Trojan.Spy.ZBot.EKF, which was also intensively used in the A/H1N1-related malware distribution campaign.
ZBot injects code into several processes and adds exceptions to the Microsoft® Windows® Firewall, providing backdoor and server capabilities. It also sends sensitive information and listens on several ports for possible commands from the remote attackers. The latest variants are also able to steal bank-related information, login data, history of the visited Web sites and other details the user inputs, while also capturing screenshots of the compromised machine's desktop.
2) Trojan.SWF.Dropper.E, which is a generic detection name for a family of Trojans sharing similar behavior: they are Flash files that usually display no meaningful images or animations, but drop and execute various malware files by exploiting an Adobe Shockwave Flash vulnerability. The dropped files may change over time (different variants can drop and execute different malware programs).
3) Exploit.HTML.Agent.AM uses Flash object vulnerabilities that allow arbitrary code execution by loading a specially crafted Flash object into a Web page. Once an infected Web page is opened, the Trojan creates a specially crafted SWF object that allows the execution of a payload in the heap (by the time this article was created, the downloaded file was detected as Trojan.Spy.ZBot.EKG; however, this may be subject to change).
4) Exploit.PDF-JS.Gen is a generic detection for specially crafted PDF files that exploit various vulnerabilities in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer.
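As an added illustration of what a generic PDF-JS detection looks for (this is example code written for this article's topic, not BitDefender's engine or any of its signatures), the script below triages a PDF for JavaScript combined with an automatic trigger such as /OpenAction. The sample PDF is constructed, and its hex-escaped name (/J#61vaScript) is an assumed obfuscation style, included so the decoder step has something to undo.

```python
import re

# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.
# The escaped name /J#61vaScript is an assumed obfuscation, constructed
# for this example; the JavaScript itself is a harmless alert.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names that, in combination, make a PDF worth isolating for analysis.
# /OpenAction and /AA (additional actions) run without any user click.
SUSPICIOUS_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch")

def decode_pdf_name(raw: bytes) -> str:
    """Undo PDF name hex escapes: b'J#61vaScript' -> 'JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def pdf_indicators(data: bytes) -> dict:
    """Count each suspicious name in a PDF byte stream after
    de-obfuscating escaped names. Returns {name: count}."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    # A PDF name token is '/' followed by regular characters (no whitespace
    # or delimiters); '#' escapes are permitted inside it.
    for match in re.finditer(rb"/([^\s/\[\]<>(){}%]+)", data):
        name = decode_pdf_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def is_suspicious(data: bytes) -> bool:
    """Flag PDFs carrying JavaScript AND an automatic trigger (OpenAction/AA)
    or a Launch action: the typical shape of a JS-engine exploit document."""
    c = pdf_indicators(data)
    has_js = c["JavaScript"] > 0 or c["JS"] > 0
    auto_trigger = c["OpenAction"] > 0 or c["AA"] > 0 or c["Launch"] > 0
    return has_js and auto_trigger

if __name__ == "__main__":
    print(pdf_indicators(SAMPLE_PDF))
    print("suspicious" if is_suspicious(SAMPLE_PDF) else "no JS trigger found")
```

Real samples usually hide these names inside FlateDecode-compressed object streams, so run the scan on decompressed objects (from a proper PDF parser) rather than on the raw file alone.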
In order to stay safe, BitDefender recommends that you never follow links inserted in messages from unknown contacts, and that you install and keep updated a complete anti-malware software solution.
Information in this article is available courtesy of BitDefender virus researchers Dana Stanut and Andrei Vlad Lutas.

Copyright 2011. Site powered by Bitdefender