New Zbot attacks through PDFs
Websense Security Labs has received several reports identifying a new Zeus bot (Zbot) trojan campaign spread through PDF email attachments. Zbot is an information-stealing trojan that harvests confidential data from each infected computer.
This new Zbot arrives as a malicious PDF with the innocuous-sounding filename ‘Royal_Mail_Delivey_Notice.pdf’ that carries an embedded executable. When the recipient opens the PDF, it prompts the user to save the PDF locally and then launches the embedded executable, giving the attacker control of the computer.
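The attachment described above pairs an embedded file with an action that launches it when the document is opened. As an added example (not part of the original alert or Websense's tooling), the scanner below resolves PDF name escapes, counts the name objects that signal active content or embedded payloads, and turns the counts into a gateway decision. The two PDFs are constructed inline to mirror that structure; the filename is the one from the alert, while `invoice.exe`, the object layout and the `/Laun#63h` spelling (an escaped form of `/Launch`, used to show the decoding step) are assumptions for the demonstration.

```python
import re

# Constructed sample, not the real attachment: a minimal PDF mirroring the
# structure the alert describes (a document-open action that launches an
# embedded executable). The Launch name is written as /Laun#63h so the scanner
# has to resolve PDF name escapes before matching.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/Names << /EmbeddedFiles 5 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /Laun#63h /F (Royal_Mail_Delivey_Notice.pdf) >> endobj\n"
    b"5 0 obj << /Names [(invoice.exe) 6 0 R] >> endobj\n"
    b"6 0 obj << /Type /Filespec /F (invoice.exe) /EF << /F 7 0 R >> >> endobj\n"
    b"7 0 obj << /Type /EmbeddedFile /Length 6 >>\nstream\nMZ\x90\x00\x03\x00\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign document for comparison.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# PDF name objects whose presence in an email attachment warrants a closer look.
SUSPICIOUS_NAMES = {
    b"/Launch": "Launch action: opens a file or runs a program",
    b"/EmbeddedFile": "embedded file stream (the carried payload)",
    b"/EmbeddedFiles": "embedded-files name tree",
    b"/OpenAction": "action triggered when the document is opened",
    b"/AA": "additional actions (page open, form events, ...)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
}


def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so /Laun#63h is seen as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name objects and raw PE images in a PDF byte string."""
    decoded = decode_pdf_names(data)
    findings = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at the first delimiter, so /EmbeddedFile must not also
        # match /EmbeddedFiles and /JS must not match a longer name.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_.\-])"
        count = len(re.findall(pattern, decoded))
        if count:
            findings[name.decode()] = count
    # An uncompressed embedded executable shows up as a stream that starts with
    # the DOS/PE magic "MZ"; compressed streams would need inflating first.
    pe_streams = len(re.findall(rb"\bstream\r?\nMZ", decoded))
    if pe_streams:
        findings["MZ header in stream"] = pe_streams
    return findings


def verdict(findings: dict) -> str:
    """Turn the counts into a mail-gateway decision."""
    carries_payload = ("/EmbeddedFile" in findings
                       or "/EmbeddedFiles" in findings
                       or "MZ header in stream" in findings)
    if "/Launch" in findings and carries_payload:
        return "block"    # a payload plus a way to execute it
    if findings:
        return "review"   # active content, but no obvious execute-on-open chain
    return "clean"


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        found = scan_pdf(doc)
        print(label, verdict(found), found)
```

The scan is a keyword heuristic over the raw file: it catches name escaping, but objects hidden inside compressed object streams (`/ObjStm` with `/FlateDecode`) are invisible to it until those streams are inflated, so treat a "clean" result from this alone as a first pass, not a clearance.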
This Zbot creates a subdirectory named “lowsec” under %SYSTEM32% and stores its configuration files, “local.ds” and “user.ds”, there. It also copies itself into %SYSTEM32% as “sdra64.exe” and modifies the registry value “%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” so that it is launched at system startup. Once running, it injects malicious code into the Winlogon.exe process in memory. It then connects to a malicious remote server in China at IP address 59.44.x.x on port 6010.
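The host artifacts listed above (the Userinit registry value, the sdra64.exe copy and the lowsec configuration directory) are what an incident responder would check for. As an added example that is not part of the alert, the functions below parse an exported Userinit value and a System32 directory listing and flag the indicators the alert names. Both inputs are constructed here; on a real host the value would be exported from the Winlogon key the alert names and the listing taken from %SYSTEM32%, which is assumed to expand to C:\Windows\System32. The Winlogon.exe memory injection and the network connection are not covered by this offline check.

```python
import ntpath

# The only legitimate entry in Userinit on a default Windows install;
# %SYSTEM32% is assumed to expand to C:\Windows\System32.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# File and directory names the alert attributes to this Zbot variant.
ZBOT_ARTIFACTS = {"sdra64.exe", "lowsec", "local.ds", "user.ds"}


def parse_userinit(value: str) -> list:
    """Split the comma-separated Userinit string into program entries.

    Windows runs every entry at logon, which is why appending a path to this
    value gives persistence. The stock value ends with a trailing comma, so
    empty entries are dropped.
    """
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def check_userinit(value: str) -> list:
    """Flag every Userinit entry other than the stock userinit.exe."""
    findings = []
    for entry in parse_userinit(value):
        if entry.lower() != EXPECTED_USERINIT:
            basename = ntpath.basename(entry).lower()
            tag = "known Zbot name" if basename in ZBOT_ARTIFACTS else "unexpected entry"
            findings.append(f"Userinit {tag}: {entry}")
    return findings


def check_system32_listing(paths) -> list:
    """Flag paths whose final component matches an artifact named in the alert."""
    findings = []
    for path in paths:
        name = ntpath.basename(path.rstrip("\\")).lower()
        if name in ZBOT_ARTIFACTS:
            findings.append(f"Zbot artifact on disk: {path}")
    return findings


def triage(userinit_value: str, system32_paths) -> list:
    """Combine the registry and filesystem checks into one finding list."""
    return check_userinit(userinit_value) + check_system32_listing(system32_paths)


# Constructed sample inputs (an exported registry value and a directory
# listing), not captured from a real host.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\System32\sdra64.exe,"
CLEAN_LISTING = [
    r"C:\Windows\System32\userinit.exe",
    r"C:\Windows\System32\winlogon.exe",
]
INFECTED_LISTING = CLEAN_LISTING + [
    r"C:\Windows\System32\sdra64.exe",
    r"C:\Windows\System32\lowsec",
    r"C:\Windows\System32\lowsec\local.ds",
    r"C:\Windows\System32\lowsec\user.ds",
]

if __name__ == "__main__":
    for finding in triage(INFECTED_USERINIT, INFECTED_LISTING):
        print(finding)
```

Comparing the whole Userinit value against the single expected path, rather than searching it for sdra64.exe, means the check also catches a renamed copy of the trojan or a different family using the same persistence point.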
Websense Security Labs has confirmed that customers using Websense Messaging or Websense Web Security are protected against this new threat.
The full alert and screenshots of this Zbot are available at http://securitylabs.websense.com/content/Alerts/3593.aspx?cmpid=slalert