SOURCE: BitDefender

January 14, 2010 08:59 ET

Thirteen Percent of Systems in US Infected by Flammable ZBot Malware Cocktail

Infections Skyrocket by Targeting Microsoft® Office® Outlook Web Access Users

BUCHAREST, ROMANIA--(Marketwire - January 14, 2010) - BitDefender®, an award-winning provider of innovative anti-malware security solutions, today warned of the rapid spread of malware intended for users of Microsoft Office Outlook Web Access.

The unsolicited message directs users to "apply a new set of settings" to their mailboxes to update several "security upgrades" that have been applied. The link in the e-mail leads towards a Web page with Microsoft® Office® logos and instructs users to download and launch an executable file that will supposedly update their e-mail settings.

Instead, they receive a potent malware cocktail, including Trojan.SWF.Dropper.E, a generic detection name for a family of Trojans sharing similar behavior: they are Flash files that usually display no meaningful images or animations, but drop and execute various malware files by exploiting an Adobe Shockwave Flash vulnerability. The dropped files may be subject to change, and different variants can drop and execute different malware programs.

Statistics showed a significant increase in the number of files infected with Trojan.SWF.Dropper.E. The total number of the infected files increased by nearly 60 percent when comparing the first half of January to the first half of December.

The most affected countries by Trojan.SWF.Dropper.E between January 1st and January 13th were:

Country              Percentage of total infected systems
United States                         13
Spain                                 11
France                                 9
Romania                                9
Canada                                 5
United Kingdom                         3
Australia                              3
Germany                                3
Thailand                               3
Turkey                                 2

The attack also included other prolific malware, including:

1) One of the longest-lasting Trojan breeds -- Trojan.Spy.ZBot.EKF, which was also used intensively in an H1N1-related malware distribution campaign.

ZBot injects code into several processes and adds exceptions to the Microsoft® Windows® Firewall, providing backdoor and server capabilities. It also sends sensitive information and listens on several ports for possible commands from the remote attackers. The latest variants are also able to steal bank-related information, login data, history of the visited Web sites and other details the user inputs, while also capturing screenshots of the compromised machine's desktop.

2) Exploit.HTML.Agent.AM uses flash-object vulnerabilities that allow arbitrary code execution by loading a specially crafted flash object into a Web page. Once an infected Web page is opened, the Trojan creates a specially crafted SWF object that allows a payload placed in the heap to be executed (at the time this article was created, the downloaded file was detected as Trojan.Spy.ZBot.EKG; however, this may be subject to change).

Data provided by BitDefender's Real-Time Virus Reporting System gives an idea of the spread of this malware: in the United States, the number of infected files increased in the first half of January by 10 percent, while Spain saw an increase of more than 400 percent compared to the last half of December.

3) Exploit.PDF-JS.Gen is a generic detection for specially crafted PDF files that exploit various vulnerabilities in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer.

BitDefender datasets also indicate a growing trend of Exploit.PDF-JS.Gen. The first two weeks of January showed that the most affected systems pertain to the United States, Spain and Canada.
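A static heuristic of the kind a generic detection for script-bearing PDFs can build on, added here as an illustration and not BitDefender's detection logic: it resolves #-escaped PDF names, inflates FlateDecode streams and flags a JavaScript action wired to an auto-trigger such as /OpenAction. The two sample PDFs are constructed inline and contain no real exploit.

```python
import re
import zlib

# PDF name objects that attach script or make it run automatically.
SCRIPT_NAMES = (b"/JavaScript", b"/JS")
TRIGGER_NAMES = (b"/OpenAction", b"/AA", b"/Launch")

def normalize_names(data: bytes) -> bytes:
    """Resolve PDF #xx name escapes, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return data followed by the inflated body of every zlib stream."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode, or corrupt: nothing more to inspect
    return b"\n".join([data] + bodies)

def count_names(text: bytes, names) -> dict:
    """Count each name; the lookahead keeps /JS from matching /JSfoo."""
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", text))
            for n in names}

def triage_pdf(data: bytes) -> tuple[dict, str]:
    """Rate a PDF: script plus an auto-trigger is what needs a closer look."""
    text = normalize_names(inflate_streams(data))
    hits = count_names(text, SCRIPT_NAMES + TRIGGER_NAMES)
    has_script = any(hits[n.decode()] for n in SCRIPT_NAMES)
    has_trigger = any(hits[n.decode()] for n in TRIGGER_NAMES)
    if has_script and has_trigger:
        return hits, "auto-running script: review"
    if has_script:
        return hits, "script present"
    return hits, "no script found"

# Constructed samples (not real malware): a plain PDF and one that hides a
# JavaScript action behind a #-escaped name inside a FlateDecode stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n%%EOF\n")
_hidden = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert) >>")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                b"3 0 obj\n<< /Length " + str(len(_hidden)).encode()
                + b" /Filter /FlateDecode >>\nstream\n" + _hidden
                + b"\nendstream\nendobj\n%%EOF\n")
```

Run `triage_pdf(SCRIPTED_PDF)` to see the escaped name surface only after the stream is inflated; a scan of the raw bytes alone would miss it.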

In order to stay safe, BitDefender recommends that consumers never follow links inserted in messages from unknown contacts, in addition to installing and keeping up to date a complete anti-malware solution. Users who are concerned that their current anti-malware solution isn't effective can check their computer for viruses for free with BitDefender's online scanner.

About BitDefender®

BitDefender is the creator of one of the industry's fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention, emerging as the industry's anti-malware innovator. Every day, BitDefender protects tens of millions of home and corporate users across the globe -- giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products is available at the company's security solutions press room. Additionally, BitDefender's www.malwarecity.com provides background and the latest updates on security threats, helping users stay informed in the everyday battle against malware.

Contact Information