ZBot variant masked as settings file for MS Outlook


MX Lab was tipped off about a new 0-day email-borne virus by Alan Dougherty of the company Synergistix. Thanks for sharing this with us. MX Lab intercepted only one sample of the email, which gave us the opportunity to investigate it.

The email comes from suport@****.com, where **** stands for the domain of the recipient's own email address. This makes the receiver think the message comes from the support department of his own company. If you don't have a support department, it should be clear that the sender is spoofed and the email must be treated as suspicious. If you do have a support department, do not accept that it would send you instructions on how to download and run executables.

Possible subjects are:

A new settings file for the andre@****.com mailbox
The settings for the andre@****.com mailbox

The body of the email:

Dear user of the beweb.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (andre@b****.com) settings were changed. In order to apply the new set of settings click on the following link:

hxxp://b****.com/owa/service_directory/settings.php?email=andre@b****.com=b****.com=andre

Best regards, beweb.com Technical Support.

The malware is not attached to the email; the included link takes you to a web site where you are told to download the .exe file to apply the new settings. The malware is detected as Trojan-Spy.Win32.Zbot.gen (F-Secure), Mal/Zbot-R (Sophos) or PWS:Win32/Zbot.gen!R (Microsoft). The file itself is about 92 kB in size and is named settings-file.exe.
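As an added example that is not part of the MX Lab post, the following Python heuristic flags the traits of this lure in a mail message: a "support" sender in the recipient's own domain, a link whose host leaves that domain, the campaign's /owa/service_directory/settings.php path, and the recipient's address echoed in the query string. The message, the addresses and the domains (example.com as the victim domain, example.net as the download host) are constructed placeholders.

```python
import email
import re
from email.policy import default
from urllib.parse import urlparse

# Constructed message modelled on the lure described above; example.com /
# example.net are placeholders, not the domains from the real sample.
SAMPLE_EML = """\
From: suport@example.com
To: andre@example.com
Subject: A new settings file for the andre@example.com mailbox

Dear user of the example.com mailing service!

We are informing you that because of the security upgrade of the mailing
service your mailbox (andre@example.com) settings were changed. In order to
apply the new set of settings click on the following link:

http://example.net/owa/service_directory/settings.php?email=andre@example.com

Best regards, example.com Technical Support.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_PATH = "/owa/service_directory/settings.php"   # path used by this campaign

def analyze_lure(raw):
    """Return a list of findings; an empty list means none of the traits matched."""
    msg = email.message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]
    rcpt = msg["To"].addresses[0]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = []
    # Trait 1: a "support" sender in the recipient's own domain (self-spoof).
    if (sender.domain.lower() == rcpt.domain.lower()
            and sender.username.lower() in ("support", "suport")):
        findings.append("sender spoofs the recipient's own support department")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Trait 2: the link leaves the domain the message claims to come from.
        if host and host != rcpt.domain.lower():
            findings.append(f"link host {host} is outside {rcpt.domain}")
        # Trait 3: the campaign's fake OWA settings path.
        if parsed.path == LURE_PATH:
            findings.append("link uses the /owa/service_directory/settings.php lure path")
        # Trait 4: the recipient's address is echoed in the query string.
        if rcpt.addr_spec.lower() in parsed.query.lower():
            findings.append("recipient address echoed in the link query string")
    return findings
```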

Regarding ZBot: it is a trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and provides the attacker with remote access to the compromised system.

The trojan creates the file %System%\sdra64.exe, a hidden directory %System%\lowsec and, inside it, the hidden files %System%\lowsec\local.ds and %System%\lowsec\user.ds. New memory pages were created in the address space of the following system process(es): services.exe, lsass.exe, alg.exe, iexplore.exe and svchost.exe.

Several registry settings are modified, and the trojan may connect to a remote host at IP 195.93.208.106 on port 80. The URLs requested are: hxxp://195.93.208.106/livs/rec.php, hxxp://195.93.208.106/lcc/ip1.gif and hxxp://195.93.208.106/ip.php.

The sample from Alan Dougherty used the domain oikkkkuy.co.uk and our sample contained bertdffm.co.uk. Both domains were registered by the same registrant today and are already offline. These are so-called fast-flux domains.

With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux domains use a large number of servers and rapidly changing A records, turning shutdown attempts into a game of catch-up.
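As an added example that is not part of the MX Lab post, the following Python triage script applies the fast-flux description above to dig-style A-record output: many addresses behind one name, a short TTL, addresses scattered across unrelated /16 networks, and two names sharing one address pool. The sample records (RFC 5737 documentation addresses) and the thresholds are constructed assumptions.

```python
import ipaddress
import re

# Constructed dig-style A record output. The two "flux" names share one
# address pool, as the post's nerrasssx.eu / nerrasssb.eu did; the addresses
# are RFC 5737 documentation ranges, not the real ones.
SAMPLE_DIG = """\
flux-a.example.		1800	IN	A	192.0.2.10
flux-a.example.		1800	IN	A	198.51.100.77
flux-a.example.		1800	IN	A	203.0.113.5
flux-a.example.		1800	IN	A	192.0.2.200
flux-a.example.		1800	IN	A	198.51.100.9
flux-a.example.		1800	IN	A	203.0.113.140
flux-b.example.		1800	IN	A	203.0.113.140
flux-b.example.		1800	IN	A	192.0.2.10
flux-b.example.		1800	IN	A	198.51.100.77
www.example.		86400	IN	A	192.0.2.1
"""

A_RECORD = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\S+)$")

def parse_a_records(text):
    """Group dig-style A records as {name: {"ttl": shortest TTL, "ips": set}}."""
    records = {}
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue                      # skip headers, comments, other RR types
        name, ttl, ip = m.group(1), int(m.group(2)), ipaddress.ip_address(m.group(3))
        entry = records.setdefault(name, {"ttl": ttl, "ips": set()})
        entry["ttl"] = min(entry["ttl"], ttl)
        entry["ips"].add(ip)
    return records

def is_flux_candidate(entry, min_ips=5, max_ttl=3600, min_prefixes=3):
    """Many addresses, short TTL, spread over several /16 networks (hosts unlikely
    to belong to one provider). Thresholds are tunable assumptions."""
    prefixes = {ipaddress.ip_network((str(ip), 16), strict=False) for ip in entry["ips"]}
    return (len(entry["ips"]) >= min_ips
            and entry["ttl"] <= max_ttl
            and len(prefixes) >= min_prefixes)

def shared_pool(records, a, b):
    """Addresses two names have in common; an overlap ties them to one botnet pool."""
    return records[a]["ips"] & records[b]["ips"]

def report(text):
    """Map each name in the dig output to its fast-flux verdict."""
    return {name: is_flux_candidate(e) for name, e in parse_a_records(text).items()}
```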

Domain name:
    bertdffm.co.uk

Registrant:
    Evelyn Wilson

Registrant type:
    Non-UK Individual

Registrant's address:
    805 E. Stocker
    paris
    68554
    Belgium

Registrar:
    Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
    URL: http://www.123-reg.co.uk

Relevant dates:
    Registered on: 14-Oct-2009
    Renewal date:  14-Oct-2011
    Last updated:  14-Oct-2009

Registration status:
    Registration request being processed.

Name servers:
    No name servers listed.

WHOIS lookup made at 16:46:50 14-Oct-2009

At the time of writing, VirusTotal shows that only 6 of the 41 AV engines detect the new ZBot variant. VirusTotal permalink and MD5: 06085157775a67575c8a40ba934af2d2.

[Update – 20/10/2009 – 4:25 PM local Belgian time] The following domains are being used to host the malware:


This is not a complete list of all malicious URLs.

For the domain nerrasssx.eu we have the following list of A records:


For the domain nerrasssb.eu we have the following list of A records; it is the same set of fifteen addresses, returned in a different order:


15 thoughts on “ZBot variant masked as settings file for MS Outlook”

    • Yes, I can confirm this too. It appears that multiple domains are being used in a fast-flux set up. Domains will be used for a brief period. This is to make sure that systems based on Intent Analysis can’t catch up fast enough. When a domain is blocked they already use a new domain and can continue trying to infect new computers.

  1. Hello,

    Our server has been flooded with these e-mails, especially today.
    I am interested to know how everyone is blocking this on the server side.
    Using spam filters such as SpamAssassin?

    • If you use SpamAssassin and these emails are passing your system, then your SpamAssassin configuration should be changed in order to detect and block the messages. As you know, SpamAssassin isn’t a real-time anti-spam solution and in some cases you will need to modify the config of SpamAssassin by adding rules that could lead to detection of those messages to start blocking them from entering your mail server.

      You could also block the domains that are used in the emails and create a rule to block the messages if they contain any of the URLs that are being used. Our research showed that these domains are being used for a brief period, so it is very likely you will need to update your rules more.

      Hope this will help you.

  2. We have also been getting a huge amount of these today, with the domains/addresses changing per mail. I’ve instructed staff to be careful and also included this information. Thanks for the info!

    • “Also how are they finding my users username? trial and error ?”

      Yes, trial and error is one of the techniques. Harvesting techniques are also popular. In this case they will create email addresses randomly, send out spam and, if the spammer receives an NDR or Non Delivery Report from the mail server, they know the address is not valid. If they receive nothing there is a chance that the message will be accepted.

      But there is another very effective method that we don’t think of. We all have an address book and we all send out emails to each other.

      This means that my email address, and yours too, is present on many different computers in address books, contact lists, emails, …

      In most cases these emails will be gathered and submitted to spammers/hackers/malware writers when one of these computers gets infected with a trojan or virus. In that case the email addresses can be used for sending out spam, being used as a from address to spoof the spam sender’s origin, to send viruses to or other things that we don’t like.

  3. […] This blog reports on a variant of the ZBot trojan that’s making its way through the tubes of the internet. It’s a classic scam, where the bad guys pose as, in our case, lmi.net tech support. They send you a link via email. The link is obfuscated to make it look like it points to an lmi.net server, but the actual link is to a server off-site. The server has several IP addresses, so that if one is shut down, you may still have a hope of infecting your system. The link leads to a page that tells you to download an executable called YOURNAME-settings.exe. […]

  4. If it’s a link in the mail, then why would it matter whether you use Outlook or not? As far as the damage is concerned, it will affect Windows systems as a whole. You might as well have clicked the link from another mail client, confident that you’re not using Outlook, and infected yourself.

  5. What’s interesting to me is that most domain tools don’t show the domain as existing. If I do a lookup on nerrasssx.eu using network-tools.com (or others) the DNS record doesn’t show up. How do they hide the record from tools like this?

  6. We, and almost all of our hosted clients, have received loads of these today. However, some of the links have not even been obfuscated and point to the domain which the email relates to, but to a directory (/owa/) which does not exist. DOH! Even spammers are getting it wrong!
