Christmas, Amazon and Zbot - it's that time of year again.

Filed Under: Malware, SophosLabs

"All I want for Christmas is ... a zbot.exe".

If you are too cheerfully ignorant when opening e-cards this holiday season, that's just what you'll end up with. Be especially careful when you receive messages from those close personal contacts of yours, including:

  1. "your friend"

  2. your "Online Banking Team"

The linked executable files will leave you disappointed: no e-card song-and-dance, and potentially less cash in your bank account, as these Mal/Zbot-O samples steal your online banking credentials and, subsequently, your money.

The sample linked in message #2 is notable for its use of Amazon's web services cloud infrastructure in its call-home mechanism. Whether the malicious image containing the Zbot (aka Zeus) binaries was infected intentionally or unintentionally remains unclear. What is clear is that the malicious URL already appears to have been disabled.

As such, malware authors obviously cannot expect the same reliability for their malicious deeds as that provided to legitimate users of the EC2 service. But nor can we reasonably expect such online services to be completely free of any malicious activity at all times (as fraudsters can initially fake their legitimacy, as seen with the case of the malicious NYTimes ad stream). In the end, however, the same way Gmail terminates spammy accounts and Twitter filters URLs, it seems we can all count on abusers of Amazon's EC2 services receiving swift and decisive action.
