Security researchers have discovered that the Zbot Trojan is undetectable by most anti-virus programs because it is continually morphing. Zbot is one of the most widespread banking Trojans on the net and has been around since 2006. It uses a rootkit to penetrate deep within operating systems. A recent study of Zbot-infected computers revealed that only 14% had outdated or no anti-virus software. The rest were running fully updated software.
Over the summer, Zbot showed up in spam that was made to look like a critical update to Microsoft Outlook. Once downloaded, it unleashed a keylogger that captured login credentials when the computer visited a banking or credit card website. The Trojan also scans infected computers for financial information and is programmed with a long list of sites to steal logins from, including Facebook, Bank of America, PayPal, Amazon.com, and eBay.
Most recently, it is being delivered in a new campaign featuring fake IRS and shipping spam. The IRS spam attempts to scare recipients by telling them they were found to have underreported their income and are now under investigation for fraud. An included link claims to direct them to the IRS site where they can review their tax return. Instead, it downloads Zbot. The shipping spam involves a fake shipping confirmation and label from UPS. The label is supposedly located in the attached Excel file, but that file is really a hidden executable that downloads Zbot.
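
The shipping lure above relies on an attachment that is named like a spreadsheet but is really an executable. The following is an added example, not part of the original article, of a mail-gateway style check that compares each attachment's claimed extension with its leading file signature; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# File signatures (magic bytes) for the formats of interest.
PE_MAGIC = b"MZ"                                # Windows executable (weak 2-byte signal)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                       # .xlsx/.docx container

# Signature each document extension is expected to start with.
EXPECTED = {".xls": OLE2_MAGIC, ".doc": OLE2_MAGIC,
            ".xlsx": ZIP_MAGIC, ".docx": ZIP_MAGIC}


def triage_attachments(raw_message: bytes):
    """Return (filename, verdict) for each attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if data.startswith(PE_MAGIC) and ext in EXPECTED:
            verdict = "executable disguised as document"
        elif ext in EXPECTED and not data.startswith(EXPECTED[ext]):
            verdict = "content does not match extension"
        else:
            verdict = "ok"
        findings.append((name, verdict))
    return findings


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed test message; sender, subject and bytes are made up."""
    msg = EmailMessage()
    msg["From"] = "shipping@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your shipping label"
    msg.set_content("Label attached.")
    msg.add_attachment(content, maintype="application",
                       subtype="vnd.ms-excel", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    fake = build_sample("label.xls", b"MZ\x90\x00" + b"\x00" * 60)  # PE header stub
    real = build_sample("label.xls", OLE2_MAGIC + b"\x00" * 60)     # OLE2 header stub
    print(triage_attachments(fake))
    print(triage_attachments(real))
```

A check like this looks at content rather than relying on anti-virus signatures, so it is unaffected by the morphing described above.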



October 6th, 2009 at 5:17 pm
The 6.0 version of Evidence Eliminator by Robinhood software on its website contains the Zbot trojan and is not detected until after install. Steer clear of it.
September 1st, 2010 at 3:18 pm
The new NOD32 detects it
http://www.infos-du-net.com/telecharger/NOD32-Antivirus,0301-1474.html