New Zbot Spam Campaign Unleashed

Written by Sue Walsh on August 17, 2010

A new spam campaign has begun spreading across the net. Disguised to look like a ticket purchase email from Midwest Airlines, it is an attempt to spread the Zbot Trojan. The email thanks the recipient for using the company’s new “Buy Airline Ticket Online” feature and provides the login details of an account that was created in their name along with the receipt for a purchase of over $800 that was charged to their credit card. It goes on to tell them the ticket is in the email’s attachment.

Of course, the feature, receipt, ticket, and charge are all fake, and if the user opens the attachment the Zbot Trojan is downloaded and installed.

Zbot is distributed by the Zeus botnet and is a virulent banking Trojan that has stolen millions from bank accounts around the world. Last month alone it was responsible for stealing over $1 million from customers of a bank in the United Kingdom. Once installed, it monitors the system and strikes when the user visits a site on its list. These include e-commerce sites and most major banks, credit card companies, and other financial institutions. Once a site is visited, a keylogger is dropped and records the login info, then sends it back to the command and control server. After the stolen information is used to transfer funds from the account to the criminals, a fake statement is created to hide the crime.

Investigators and researchers aren’t sure who is behind Zbot, but given that the C&C servers are located in Eastern Europe, some suspect the stolen funds are being siphoned to the Russian mafia.
