Spyware poses as Microsoft
Capitalizing on the “Downadup/Conficker
lesson” that reminded (read: taught) people to continuously
update their systems with the latest patches and fixes, the current malware
exploits people’s fears and behavioral stereotypes when dealing with computer
Microsoft never sends (individual) e-mails announcing the
availability of a new fix, but uses its OS-integrated automatic update systems
– namely Windows Update or Microsoft Update. The current wave of unsolicited messages
bears several characteristics of the Richmond-based company's security
bulletins, such as the general content and formatting, which could definitely
trick an inexperienced user into following the supposed update link.
However, upon clicking the link the user is not directed to
the Microsoft portal, but to a phony Web page that loads from a domain registered
If the user clicks the download link of that alleged 80 KB Outlook/Outlook
Express update, this triggers, in effect, the download of a horrific piece of
spyware – Trojan.Spy.ZBot.UO.
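
A mail-triage check for the pattern described above, added here as an example and not part of the original article: it flags a message that claims to come from Microsoft while linking to a host outside Microsoft's domains, and links that serve a .CHM or similar file. The sample message, its hostnames, the trusted-domain list and the extension list are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: hosts accepted as genuinely Microsoft, and file types that an
# e-mailed "update" link should never serve; adjust both for your environment.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
RISKY_EXTENSIONS = (".chm", ".exe", ".scr")

# Constructed sample message; every address and hostname here is made up.
SAMPLE_MESSAGE = """\
From: "Microsoft Update Center" <support@kb-patch.example>
Subject: Critical update for Outlook/Outlook Express
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<a href="http://update.microsoft.com.kb-patch.example/outlook/update.chm">Install</a>
<a href="http://www.microsoft.com/security/">Microsoft Security</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def host_is_trusted(host):
    # Match on a label boundary so "microsoft.com.kb-patch.example" fails.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    claimed = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    findings = []
    for href in collector.links:
        parts = urlsplit(href)
        if "microsoft" in claimed and not host_is_trusted(parts.hostname):
            findings.append(("brand-mismatch", href))
        if parts.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-download", href))
    return findings
```

The suffix match is the important detail: a naive substring test for "microsoft.com" would accept the lookalike host in the sample.
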
The newest member of the renowned ZBot family is
disguised as an innocent-looking .CHM (on-line help) file. Upon
launching, it injects code into the winlogon.exe
process in order to gain access to the main services, run stealthily on the
compromised machine and freely connect to the Internet.
For its spyware purposes, it creates a hidden directory within
the Windows\System32 folder, which it populates with three encrypted files. Here
it stores the sensitive data it steals from the infected computer, such as
login credentials, including, but not limited to, e-banking and e-mail
authentication details and content, as well as on-line history. The encrypted
files also hold further configuration instructions, remote control and spamming
The high rate of spreading reveals that social engineering
techniques do pay off, especially during a crisis, and that users’ gullibility
could lead to another malware pandemic.