When the Zeus (or “Zbot”) source code was made public back in 2011, we began seeing variations of the malware pop up across the internet.
Because the code can be adjusted and altered at will to stay undetected for longer and longer, cyber criminal groups keep teaching this old dog nasty new tricks.
The latest of these tricks combines Zeus with another Trojan called Carberp to form what is known as the “Zberp Trojan”, and it is currently targeting a wide range of banks, financial institutions and businesses.
How it gets to you.
Zberp arrives as an email that includes, or links to, a .ZIP file containing an executable .PIF file. The .PIF file is made to look like a .PDF: Windows normally does not display the .PIF extension, so a file named complaint.pdf.pif simply appears as complaint.pdf, and you may see nothing but a harmless-looking file name or a link that points at a seemingly reputable domain.
What it looks like.
This new breed of malicious email scam has the look and feel of a legitimate email. These messages generally have no spelling errors, carry official-looking graphics, and for the most part appear to come from a reputable sender. They also use subject lines that people tend to open, such as “Payment Confirmation,” “Failed delivery notice,” or “Pending consumer complaint.” The latter carries a link or .ZIP file that you assume will show you the “complaint”, but which is in fact the .PIF file.
What it does.
The Zberp Trojan remains undetected on a computer by using a variety of evasion techniques and code that lets it disguise itself. It even deletes its own entry from the computer's registry when you turn the computer on, so it appears not to be there, and adds the entry back on shutdown so it will run again the next time you turn the computer on. Infected computers securely send the attacker information about the computer and even screenshots. It steals data that has been entered into HTTP website forms (as opposed to HTTPS), user SSL certificates and even FTP credentials.
What you can do.
Be careful what you click on in, or open from, an email. Do not open .ZIP files sent from a source you do not know or did not request a file from, and do not open the files contained within them. It goes without saying that files in an email about an “eFax message” should not be opened or clicked on if you do not normally receive eFaxes and were not expecting one. Depending on the email program you use, one check that often helps identify a suspicious link or file is to hover the mouse pointer over it. If the visible text says “.pdf” or “.html”, but the name revealed on hover is different and includes “.zip”, take a second look before clicking.
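The two checks described above (an executable hiding behind a document-looking name inside a .ZIP, and link text that does not match where the link really goes) can be automated. The following is an added Python example written for this page; it is not code from the article or from any vendor product. The extension lists, the sample ZIP and the sample HTML mail body are constructed assumptions, not captured Zberp mail.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will execute even when the name looks like a document.
# .pif is the one the article describes; the rest are assumed common companions.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions that a double-extension name tries to imitate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".html", ".htm", ".txt"}


def suspicious_zip_members(zip_bytes):
    """Return (name, reason) for each ZIP member that is executable, including
    members hiding behind a document-looking double extension (complaint.pdf.pif)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            if len(parts) < 2:
                continue  # no extension at all
            ext = "." + parts[-1]
            if ext not in EXECUTABLE_EXTS:
                continue
            reason = "executable attachment"
            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
                reason = "double extension disguised as ." + parts[-2]
            findings.append((name, reason))
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _text_host(text):
    """Host named by the visible link text, or '' if the text is not URL-like."""
    t = text.strip().lower()
    if not re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", t):
        return ""
    return urlparse(t if "://" in t else "http://" + t).netloc


def mismatched_links(html):
    """Return (visible text, real href) for links whose text promises a document
    or a trusted domain while the target is a ZIP/executable or another host."""
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        target = urlparse(href)
        path = target.path.lower()
        text_says_document = re.search(r"\.(pdf|html?)$", text.lower()) is not None
        target_is_payload = path.endswith(".zip") or any(path.endswith(e) for e in EXECUTABLE_EXTS)
        if text_says_document and target_is_payload:
            out.append((text, href))  # "complaint.pdf" that really fetches a .zip
        elif _text_host(text) and target.netloc.lower() not in ("", _text_host(text)):
            out.append((text, href))  # text names one domain, href goes to another
    return out


def build_sample_zip():
    """Constructed sample (not a real capture): a ZIP like the one described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pending_Consumer_Complaint.pdf.pif", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


# Constructed sample HTML body, written to mimic the lures in the article.
SAMPLE_HTML = """
<p>Please review the attached <a href="http://cdn.example.net/complaint.zip">complaint.pdf</a>.</p>
<p>Or view it online at <a href="http://attacker.example/x">www.bank.example/notice.html</a></p>
<p>Questions? <a href="https://www.bank.example/help">Help</a></p>
"""

if __name__ == "__main__":
    for name, reason in suspicious_zip_members(build_sample_zip()):
        print("attachment:", name, "->", reason)
    for text, href in mismatched_links(SAMPLE_HTML):
        print("link text", repr(text), "really points at", href)
```

Run as a script, the sample flags the .pdf.pif member and the two deceptive links while leaving readme.txt and the genuine help link alone. The same two functions can be pointed at real attachments and mail bodies pulled from a mailbox or gateway quarantine.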
It’s not only the malicious software that is evolving, but the delivery methods as well. Attackers are getting better at disguising the way malware and trojans are launched, so continue being cautious throughout any online activities.
Editor's note: This article is meant only to provide information and awareness about potential online threats, and should not be used as a technical resource.
For assistance identifying and protecting yourself from malware, trojans or other malicious software, please consult an IT professional or online security expert.