by David Michmerhuizen & Luis Chapetti – Security Researchers
Our spam monitoring systems at Barracuda Labs are tracking a very large spam campaign carrying Trojan.Zeus. Volume is approaching several hundred thousand messages a day, and although the messages are reaching a wide cross-section of Internet users, their content is aimed squarely at users of online banking services.
When spam delivers malware, one of the most common strains it carries is the password-stealing Zeus Trojan. Zeus specifically targets banking passwords, and the gangs that distribute variants of this malware are especially interested in banking credentials belonging to small businesses and government agencies. Compared to the average consumer, these entities often have more money in their accounts and set higher limits on wire transfers. One thing small organizations don’t always realize is that they do not enjoy the same protections against fraudulent transactions that consumers do.
The spams use graphics hosted by the Federal Reserve and pose as notices of a failed wire transfer:
Much like last week's Chase Paymentech spam campaign, these notices are of particular interest to financial professionals. Unlike the more sophisticated Chase emails, these are a simple affair, with poorly constructed text and no attempt at hiding the executable nature of the linked payload.
Still, there is the possibility that a busy executive might just skim the spam, follow the link and open the file it delivers, resulting in a Windows security warning:
While the spammers try to hide behind a double extension of .pdf.exe, this is no PDF. Note that Windows hides the extension of known file types by default, so on a default installation the file name is displayed ending in .pdf and the trailing .exe is not shown at all. This is an executable program, and the Federal Reserve is not going to send you any vital information coded into a program. Don't run it.
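The safe way to settle "is this a PDF or a program?" is to ignore the file name and look at the bytes: a Windows executable starts with an MZ DOS stub whose e_lfanew field points at a "PE\0\0" signature, while a PDF starts with "%PDF-". The following is an added example (our own illustration, not code from the original post or from any Barracuda product) that combines that content check with a double-extension check on the name and an approximation of what Explorer would display with extensions hidden. The sample executable and PDF bytes are constructed inline; the extension lists and the "displayed name" logic are simplifications, since what Windows actually hides depends on the registered file types on the machine.

```python
from pathlib import Path

# Extensions Windows will run directly on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta"}
# Document-style extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                    ".jpg", ".png", ".zip"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS


def has_deceptive_double_extension(name):
    """True when the final extension is executable and the one before it is a decoy
    (e.g. Wire_Transfer_Notice.pdf.exe). archive.tar.gz is not flagged."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTENSIONS and suffixes[-2] in DECOY_EXTENSIONS


def displayed_name(name):
    """Approximate what Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped when it is a known type (assumption: our list
    stands in for the machine's registered types)."""
    p = Path(name)
    return p.stem if p.suffix.lower() in KNOWN_EXTENSIONS else name


def is_pe(data):
    """Check the real PE structure, not just the two MZ bytes: the DOS header's
    e_lfanew field (offset 0x3C) must point at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data):
    """Identify the file from its content rather than its name."""
    if is_pe(data):
        return "pe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def assess(name, data):
    """Combine the name check and the content check into one verdict."""
    actual = sniff_type(data)
    shown = displayed_name(name)
    looks_like_document = shown.lower().endswith(tuple(DECOY_EXTENSIONS))
    if actual == "pe" and (has_deceptive_double_extension(name) or looks_like_document):
        verdict = "executable disguised as document"
    elif actual == "pe":
        verdict = "executable"
    elif has_deceptive_double_extension(name):
        verdict = "suspicious name"
    else:
        verdict = "ok"
    return {"displayed_name": shown, "actual_type": actual, "verdict": verdict}


# Constructed sample inputs: a minimal PE header (MZ stub + e_lfanew -> "PE\0\0")
# and a minimal PDF. Neither is a real file from the campaign.
_dos_header = bytearray(0x40)
_dos_header[:2] = b"MZ"
_dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")
SAMPLE_PE = bytes(_dos_header) + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for fname, blob in (("Wire_Transfer_Notice.pdf.exe", SAMPLE_PE),
                        ("Wire_Transfer_Notice.pdf", SAMPLE_PDF)):
        print(fname, "->", assess(fname, blob))
```

The point of checking e_lfanew rather than stopping at "MZ" is that plenty of non-executable data happens to begin with those two letters; walking to the PE signature is cheap and removes that false positive. In a mail gateway or endpoint script the same `assess` call would run over each downloaded or attached file, and anything returning "executable disguised as document" would be quarantined regardless of what the user sees in Explorer.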
If you do, you’ve installed Zeus:
It will run quietly in the background, hooking the browser to intercept web traffic, watching for credentials in submitted forms and sending any it finds off to its command and control server.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails, while customers using Barracuda Web Filters or Barracuda Web Security Flex are protected from the payload.