Zbot is a password-stealing software, logs financial data and sends them to the botnet. Last year more than 100M US fraud was linked with Zeus malware variants. It was also held responsible for the “destruction” of 100.000 infected computers by deleting registry key data, making them inoperable. Zeus botnet is estimated to consist of millions of infected computers around the world.

The last Zbot executable is spreading through spam mails like a Christmas e-card mail faking users to download and run a file “xmas2.exe” (63,488 bytes) ,or through drive-by downloads . When executed the malware injects code into system processes (like svchost.exe) and begins to communicate with the C&C server, located in EC2 cloud,  for configuration . An example of the infected machine’s browser connection shown below:

The hackers did not hack the Amazon’s infrastructure directly. They exploited a web site which was hosted in the infrastructure and installed the Zeus C&C server software. This was done either by just stealing site’s administrator password or taking advantage of a vulnerability of the site’s software. Don DeBolt, director of threat research with HCL Technologies, stated that it was the first time Amazon’s EC2 was used for that type of illegal activities/actions. He also said that the server software was identified and removed from Amazon EC2.

The E-mail security company AppRiver detected a large amount of  fake CDC e-mails which were sent at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone, according to the company’s blog post.

The e-mails claim users to register for a new state vaccination programm by creating a personal H1N1 vaccination profile at a fraudulent web page of CDC. However, anyone who clicks on the link, his computer is infected with malware, an executable copy of ZBot trojan horse. This trojan, also known as Zeus, powers one of the most active botnets which steal data of compromised machines.

According to the security company Sunbelt Software’s report,  ZBot is listed as the second most prevalent malware threat.

Malware propagation can be succesful in a situation where social engineering is dominatinated by technology due to the public awareness and fear.

The researchers were able to hijack the botnet according to The Register by exploiting weaknesses in the way it updates the master control channels used to send individual machines new instructions. So-called domain flux techniques periodically generate a large list of domain names infected machines are to report to. Typically, the botnet operators use only one address, and all the others are ignored.

The primary goal of Torpig is to steal financial information like credit card numbers and bank logins. In just ten days, Torpig apparently obtained credentials of 8,310 accounts at 410 financial institutions. The researchers noted, too, that nearly 40 percent of the credentials stolen by Torpig were from browser password managers, and not actual login sessions.

The report also documented an epidemic of lax password policy. Almost 28 percent of victims reused their passwords, it found. More than 40 percent of passwords could be guessed in 75 minutes or less using the popular John the Ripper password cracking program.

For more on the botnet hijack, check out UC Santa Barbara’s Torpig project page.

The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent download would become infected. It is estimated that so far thousands of people have downloaded the malicious torrent files.

So, Mac users be aware of which files you download and according to Symantec “Users are advised to install Norton Internet Security for Macintosh” !!

Sources: ZDNet, The Register