I am seeing a new phase of USAA spam hitting us. The ones I am seeing hit our servers the most claim to be deposit notifications that, of course, include an attachment they want you to open. The scary thing is that I am seeing more and more phishing emails that look really good. I’m actually kind of impressed by them. I can easily see a lot of people, maybe even some in my office, opening this email and downloading the attachment. Of course for me, the dead giveaway is the fact that there’s an attachment at all – let alone a zip file that includes an exe file. Luckily our spam filter doesn’t let exe files through, even if it doesn’t detect it as a virus.
Being the curious person that I am, I downloaded the attachment to see what was in it. I found an exe file, Deposit_Posted_Details_USAA_122012.exe. I scanned the exe with our corporate version of Malwarebytes and it was detected as Trojan.Zbot.CBCGen. I scanned it with GFI’s Vipre anti-virus, but it was not detected. I then uploaded it to virustotal to see what other scanners were detecting it. As of this post, only 3 scanners are seeing it, one of which was added while I was putting this post together – ByteHero, Kaspersky, and McAfee. You can see the report here.
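The attachment check described above, written out as an added example (this is not code from the original post or from any of the products mentioned). It opens a zip the way a mail filter should: it flags members by extension, but also by the first bytes of the content, so a renamed executable or one tucked inside a nested zip is still caught, and it computes the SHA-256 you would search for on VirusTotal instead of re-uploading the file. The zip is built in memory with the filename the post reports; the member bytes are a fake DOS/PE header, not the real sample, and the extension deny-list is an assumption to tune for your own environment.

```python
"""Triage a zip e-mail attachment for executable payloads before anyone opens it.

Added example, not from the original post. The attachment below is constructed
in memory; FAKE_PE is a stand-in header, not the real Zbot sample.
"""
import hashlib
import io
import posixpath
import zipfile

# Assumption: a typical deny-list of extensions a mail gateway should refuse.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"             # every DOS/Windows executable starts with these bytes
ZIP_MAGIC = b"PK\x03\x04"    # local file header of a (non-empty) zip


def inspect_zip(data, prefix=""):
    """Return one finding per file member, recursing into nested zips.

    A member is suspicious if its extension is on the deny-list OR its content
    starts with the PE magic regardless of what the name claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            name = prefix + info.filename
            ext = posixpath.splitext(info.filename)[1].lower()
            # Nested archive: look inside instead of trusting the .zip name.
            if ext == ".zip" and content.startswith(ZIP_MAGIC):
                findings.extend(inspect_zip(content, name + "/"))
                continue
            findings.append({
                "name": name,
                "blocked_extension": ext in BLOCKED_EXTENSIONS,
                "pe_magic": content.startswith(PE_MAGIC),
                # The hash is what you look up on VirusTotal; no need to re-upload.
                "sha256": hashlib.sha256(content).hexdigest(),
            })
    return findings


def should_block(findings):
    """Gateway decision: any executable member means the whole message is held."""
    return any(f["blocked_extension"] or f["pe_magic"] for f in findings)


def build_zip(members):
    """Build a zip in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a PE file: MZ header plus the familiar stub text.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"

# Constructed attachment modelled on the one in the post (filename from the post,
# contents fake): the obvious .exe, a renamed copy, a clean text file and a
# nested zip hiding a screensaver executable.
SAMPLE_ATTACHMENT = build_zip({
    "Deposit_Posted_Details_USAA_122012.exe": FAKE_PE,
    "statement.pdf": FAKE_PE,                       # extension lies, magic does not
    "readme.txt": b"Your deposit has posted.",
    "nested.zip": build_zip({"payload.scr": FAKE_PE}),
})

if __name__ == "__main__":
    results = inspect_zip(SAMPLE_ATTACHMENT)
    for f in results:
        flag = "BLOCK" if (f["blocked_extension"] or f["pe_magic"]) else "ok   "
        print(f"{flag} {f['name']:45} ext={f['blocked_extension']!s:5} "
              f"MZ={f['pe_magic']!s:5} sha256={f['sha256'][:16]}...")
    print("message held:", should_block(results))
```

The reason the check reads bytes rather than names is the whole point of the post: the filter on this side caught the .exe, but the same payload renamed to .pdf, or zipped a second time, would sail past an extension-only rule. The SHA-256 is also the right thing to share with colleagues, since it identifies the sample without passing the sample around.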
My next step is to do some research based on the names given to it by the scanners that detect it, to see what kind of infection this is. Hopefully, if any of you have it, Malwarebytes will just take care of it for you.
Update: It now looks like 6 scanners are able to find this virus. I did some looking around online and from what I see it sounds pretty nasty.
It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.
From the report Symantec put together and the report I received from submitting this to GFI’s sandbox, I can see that it creates a file to dump all your login information into and tries to phone home to suck those passwords off your computer. Symantec lists this as a low threat, but if there is any sign of this being on your computer you need to change all your passwords. That is not something I would want to risk. At least it appears to use the same names to create the files and keys over and over, which would hopefully mean that it wouldn’t be terribly difficult for the anti-virus scanners to find and remove – once they update their definitions to get this newest variation.
Also, this virus can possibly inject forms into your web browser that make it look like your banking site, or whatever site you’re logging into, is asking extra security questions to confirm who you are. But if it’s something beyond the basic “what’s your mother’s maiden name?”, be careful. I saw on another forum somewhere that when someone tried to log into their banking site it asked them the basic questions, but then asked them what their debit card number was – why would your banking site be asking that?
Here are the DNS requests from the report that GFI sent me after submitting it to their sandbox.
In response to Mosey’s question about whether Filezilla’s credentials would be at risk: it doesn’t sound like they would be, based on the Symantec report and a couple of other things I found about it (see the two links I added below). It sounds like it is only monitoring what you type into your web browser. I have not seen anything yet that tells me otherwise. But I did find another blog that describes how Filezilla stores your credentials in a plain text file that is very easy to find. This trojan is also known as Zeus, and there are a lot of variations, so I suppose someone out there creating their version of the Zeus trojan could target the Filezilla files that hold your credentials.
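To make the FileZilla point concrete, here is an added example (my own code, not from the post, the blog it cites, or the FileZilla project) that audits a site manager file and lists every host whose password can be read straight out of it. Older FileZilla releases write the password as plain text in a `<Pass>` element and later ones base64-encode it with `encoding="base64"`; both are handled, and neither is encryption, which is exactly why a credential stealer needs no special trick to harvest them. The sample XML is constructed, and the candidate file locations are an assumption you should verify on your own install.

```python
"""Audit a FileZilla sitemanager.xml for recoverable stored passwords.

Added example, not from the original post or from FileZilla. The sample
document is constructed; the element layout follows the site manager format,
but the file locations below are an assumption to confirm locally.
"""
import base64
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: where the site manager file usually lives; check your own system.
CANDIDATE_PATHS = [
    Path.home() / ".config" / "filezilla" / "sitemanager.xml",                # Linux/macOS
    Path.home() / "AppData" / "Roaming" / "FileZilla" / "sitemanager.xml",    # Windows
]

# Constructed sample: one plain-text entry (old releases), one base64 entry
# (newer releases), and one entry with no password saved at all.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port>
      <User>webadmin</User>
      <Pass>hunter2</Pass>
      <Name>Old plain-text entry</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host><Port>22</Port>
      <User>deploy</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Name>Newer base64 entry</Name>
    </Server>
    <Server>
      <Host>ftp.example.org</Host><Port>21</Port>
      <User>anonymous</User>
      <Name>No password stored</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(elem):
    """Return the stored password as text, or None if nothing is stored.

    base64 is an encoding, not a cipher: anyone who can read the file can
    reverse it with one library call, as done here.
    """
    if elem is None or not elem.text:
        return None
    if elem.get("encoding") == "base64":
        return base64.b64decode(elem.text).decode("utf-8")
    return elem.text


def stored_credentials(xml_text):
    """Parse a site manager document into one record per <Server> entry."""
    root = ET.fromstring(xml_text)
    records = []
    for server in root.iter("Server"):
        password = decode_pass(server.find("Pass"))
        records.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": server.findtext("Host"),
            "port": server.findtext("Port"),
            "user": server.findtext("User"),
            "password_stored": password is not None,
            "password": password,
        })
    return records


def hosts_needing_rotation(xml_text):
    """Hosts whose password is recoverable from the file.

    After a Zeus-class infection these are the FTP/SFTP accounts to rotate
    first, even if the particular variant only watched the browser.
    """
    return sorted(r["host"] for r in stored_credentials(xml_text) if r["password_stored"])


def audit_local_install():
    """Run the audit against the first site manager file found on this machine."""
    for path in CANDIDATE_PATHS:
        if path.is_file():
            return path, hosts_needing_rotation(path.read_text(encoding="utf-8"))
    return None, []


if __name__ == "__main__":
    for r in stored_credentials(SAMPLE_XML):
        state = "RECOVERABLE" if r["password_stored"] else "none saved"
        print(f"{r['host']:18} {r['user']:10} password: {state}  ({r['name']})")
    print("rotate:", hosts_needing_rotation(SAMPLE_XML))
    path, hosts = audit_local_install()
    print("local file:", path, "hosts to rotate:", hosts)
```

The practical use is the last function: run it on a machine that had the trojan and you have the list of FTP accounts to rotate before worrying about anything else. The script deliberately prints only whether a password is recoverable, not the password itself; the decoded value is kept in the record so the check can be tested, not so it can be copied around.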