Zbot Mailings on the Increase

Zbot is the kind of malware you really don’t want to see on anyone’s computer, stealing banking passwords and financial information.

We’ve been seeing more reports and ThreatFire preventions of the malware delivered along with a somewhat common email-based social engineering scheme. The Zbot variant is attached to an official sounding warning from the worldwide delivery group UPS. The file currently in circulation has a name somewhat like “Exl6512721.ZIP”, and the contents of the email looks something like this text:

“Sorry, we were not able to deliver postal package you sent on November the 25th in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS Support Team “

The Zbot variant attempts to steal banking information and passwords from unsuspecting users, and this one sends the information off to a waiting server in russia. Fortunately, at this time, the servers are down.
You can see here that ThreatExpert now decodes the config files delivered with this nastiness. The post includes a list of financial institutions commonly being targeted.

As always, exercise caution when opening unusual emails and especially when opening attachments.

This entry was posted in Online Fraud, The Law. Bookmark the permalink.

3 Responses to Zbot Mailings on the Increase

  1. Ryan Meray says:

    Gotta love that comment spam.

    This Zbot thing sounds nasty as all heck, but I haven’t seen it in the wild yet on any client systems. Is the removal on it any more difficult than Vundo variants?

  2. ThreatFire Blogger says:


    Removal of these variants really is not all that difficult. Vundo was painful because it would inject itself into some sensitive system processes and kill off AV solutions. Zbot hasn’t been doing quite the same thing, although I have started to see it killing off more AV solutions once it is installed on the system.

    Keeping it off of users’ systems in the first place is our goal and ThreatFire does a great job at that.

    Yeah, I am tiring of the spamvertizing. They are gone now. :)


  3. Ryan Meray says:

    No worries, spamverts are going to be a given running a blog with any level of visibility.

    I’ve started rolling out Threatfire to some of my higher-risk clients, the ones who have seen at least two separate infections within a few months. I’m looking forward to seeing how it works for them.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>