USAA phishing emails

I am seeing a new phase of USAA spam hitting us. The ones I am seeing hit our servers the most claim to be deposit notifications that, of course, include an attachment they want you to open. The scary thing is that I am seeing more and more phishing emails that look really good. I’m actually kind of impressed by them. I can easily see a lot of people, maybe even some in my office, opening this email and downloading the attachment. Of course for me, the dead giveaway is the fact that there’s an attachment at all – let alone a zip file that includes an exe file. Luckily our spam filter doesn’t let exe files through, even if it doesn’t detect it as a virus.

Being the curious person that I am I downloaded the attachment to see what was in it. I found an exe file, Deposit_Posted_Details_USAA_122012.exe. I scanned the exe with our corporate version of Malwarebytes and it was detected as Trojan.Zbot.CBCGen. I scanned it with GFI’s Vipre anti-virus, but it was not detected.  I then uploaded it to virustotal to see what other scanners were detecting it. As of this post, only 3 scanners are seeing it, one of which was added while I was putting this post together – ByteHero, Kaspersky, and McAfee. You can see the report here.

My next step is do some research based on the names the scanners that detect it have given it to see what kind of infection this is. Hopefully if any of you have it Malwarebytes will just take care of it for you.

Update: It now looks like 6 scanners are able to find this virus. I did some looking around online and from what I see it sounds pretty nasty.

It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.

From the report Symantec put together and the report I received from submitting this to GFI’s sandbox I can see that it creates a file to dump all your login information into and tries to phone home to suck those passwords off your computer. Symantec lists this as a low threat, but if there is any sign of this being on your computer you need to change all your passwords. That is not something I would want to risk. At least it appears to use the same names to create the files and keys over and over, which would hopefully mean that it wouldn’t be terribly difficult for the anti-virus scanners to find and remove – once they update their definitions to get this newest variation.

Also, this virus can possibly inject forms into your web browser that make it look like your banking site, or whatever site your logging into, is asking extra security questions to confirm who you are. But if the it’s something beyond the basic “what’s your mother’s maiden name?” be careful. I saw on another forum somewhere that when someone tried to log into their banking site it asked them the basic questions, but then asked him what his debit card number is – why would your banking site be asking that?

Here are the DNS requests from the report that GFI sent me after submitting it to their sandbox.

In response to Mosey’s question about whether Filezilla’s credentials would be at risk: it doesn’t sound like they would be based off the the Symantec report and a couple others things I found about it (see the two links I added below). It sounds like it is only monitoring what you type into your web browser. I have not seen anything yet that tells me otherwise. But I did find another blog that describes how Filezilla stores your credentials in a plain text file that is very easy to find. This trojan is also known as Zeus, there are a lot of variations – so I suppose someone out there creating their version of the Zeus trojan could target the Filezilla files that hold your credentials.



  1. #1 by Anonymous on December 26, 2011 - 4:37 PM

    Outstanding post. Nice work putting this together.

  2. #2 by Dave Piehl (@dpiehl) on December 23, 2011 - 12:58 PM

    Thanks. Your post has been very helpful!

  3. #3 by mosey on December 23, 2011 - 9:40 AM

    Forgot to mention it also disabled the AntiVirus too. McAfee fell victim.

  4. #4 by mosey on December 23, 2011 - 9:35 AM

    I got this on my laptop two days ago whilst watching a video via videoizer. Infected webpage popped up and bam, screen went to desktop bg, cursor worked, video continued to run as I could hear the audio, and taskbar manager had been disabled. All j could do was a hard reset and after rebooting, it tried to load a website pretending to be the metropolitan police.

    I have managed to use the instructions on Majorgeeks to get rid of it using Malwarebyte’s anti malware. Am relieved now.

    Re: ftp details … does that apply to e.g. FileZilla?

    File saves itself in the Temp directory and is called kna0.#############.exe where # is a digit or number and was removed on reboot. It also infected the registry using PUN.Hijack.TaskManager to disable the TM.

    • #5 by jen3ral on December 23, 2011 - 6:11 PM

      Thanks for the info. I’m glad you were able to get rid of it before it wreaked too much havoc. I added another paragraph and a couple more links answering your question about Filezilla. I hope that helps.

  5. #6 by Julien on December 20, 2011 - 1:49 PM

    Were you able to do any analysis on where the executable calls out to once run on the victim computer?

    • #7 by jen3ral on December 20, 2011 - 2:08 PM

      It looks like it’s trying to phone home to servers in Ukraine, China, Germany, and one here in the US. I’ll edit my post again and add what the report from GFI says.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: