Spam from an anti-virus company claiming to be a security patch? It's Zbot/Zeus malware...

Julie Yeates of SophosLabs (thanks Julie!) alerted us earlier today to a spam campaign that seemed to originate from a whole raft of different security and anti-virus companies.

The messages have a variety of subject lines, such as:

  • Windows Defender: Important System Update - requires immediate action
  • AVG Anti-Virus Free Edition: Important System Update - requires immediate action
  • AVG Internet Security 2012: Important System Update - requires immediate action
  • Kaspersky Anti-Virus: Important System Update - requires immediate action
  • Microsoft Security Essentials: Important System Update - requires immediate action

The emails are all very similar, claiming to include an important security update to deal with "the new malware circulating over the net".

The product-specific parts vary from email to email, but the bulk of the content stays the same:

Important System Update - requires immediate action

It's highly important to install this security update due to the new malware circulating over the net. To complete the action please double click on the system patch KB923029 in the attachment. The installation will run in the silent mode. Please pay attention to this matter and inform us in case there is a problem.

The email doesn't explicitly mention the CryptoLocker ransomware that locks your files and tries to sell them back to you.

But there is little doubt that many recipients, having heard of the ongoing saga of CryptoLocker, will be more inclined than usual to read on.

It's all a pack of lies, of course.

There is no "system patch KB923029," and even if there were, neither Microsoft nor any other reputable company would send out security updates as email attachments.

Also, if you are a native speaker of English, you should spot a number of niggling errors of usage and grammar in the text of the email.

→ The fact that an email is grammatically flawless, in English or any other language, is not an indicator of legitimacy. But language blunders in English, in an email purporting to come from the New York office of a legitimate software company, are a strong indicator of bogosity. If the crooks can't even be both to trying rite and spel decent, you may as well use their linguistic sloppiness against them.

The attached ZIP file contains an EXE (a program file); that program file is one of the many variants of the Zbot malware, also known as Zeus, that we see on a regular basis.

You're expected to open the ZIP and run the program inside, which has a name like this:

HOTFIX_patch_KB_00000...many digits...56925.exe

There's nothing wrong with having an EXE inside a ZIP file.

But a ZIP that contains only an EXE, and that was delivered by email, is just as suspicious as a plain EXE that arrives as an attachment.
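The "ZIP containing only an EXE" rule above is easy to turn into a mail-gateway check. The following is an added example, not Sophos code or part of the original article; the attachment bytes and the patch-like file name are constructed stand-ins for the campaign's lure.

```python
import io
import os
import re
import zipfile

# Extensions Windows treats as directly runnable when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Names that dress an executable up as a Windows patch, like the one in the campaign.
PATCH_LIKE_NAME = re.compile(r"(?i)(hotfix|patch|_kb_|kb\d)")


def inspect_zip_attachment(zip_bytes: bytes):
    """Return (verdict, reasons) for an emailed ZIP attachment.

    Rule from the article: a ZIP that holds nothing but executables is as
    suspicious as a bare EXE attachment; a patch-like file name adds weight.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "not-a-zip", ["attachment is not a valid ZIP archive"]

    reasons = []
    # splitext keeps the LAST extension, so "report.pdf.exe" counts as .exe
    executables = [n for n in names
                   if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]
    if executables and len(executables) == len(names):
        reasons.append("archive contains only executable files")
    for name in executables:
        stem = os.path.splitext(os.path.basename(name))[0]
        if PATCH_LIKE_NAME.search(stem):
            reasons.append(f"executable named like a Windows patch: {name}")
    return ("suspicious" if reasons else "benign"), reasons


def make_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the campaign's attachment (digit run shortened).
    lure = make_sample_zip({"HOTFIX_patch_KB_0000056925.exe": b"MZ..."})
    print(inspect_zip_attachment(lure))
    # A mixed archive (documents plus an installer) is not flagged by this rule.
    print(inspect_zip_attachment(make_sample_zip({"notes.txt": b"hi", "setup.exe": b"MZ"})))
```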

If you do run it, the EXE installs itself into:

C:\Documents and Settings\%USER%\Application Data\

with a random filename, and adds itself to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it gets launched every time you reboot or logon.
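The persistence described above (a randomly named EXE under the user's Application Data folder, started from the HKCU Run key) is something an incident responder can hunt for in a registry dump. This is an added example, not part of the original article; it assumes the dump follows the `reg query` layout of one "name type data" triple per line, and the value names and paths in it are constructed.

```python
import re

# Constructed dump in the layout `reg query` prints for the Run key
# (assumption: each value is "<name> <type> <data>" separated by runs of spaces).
SAMPLE_RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon                REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe" -quiet
    kxtwqzo               REG_SZ    "C:\Documents and Settings\alice\Application Data\qmvbsd.exe"
"""

RUN_VALUE = re.compile(r"^\s*(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*\S)\s*$")
# Per-user profile folders that legitimate autostart programs rarely live in.
PROFILE_DATA_DIRS = {"application data", "appdata"}


def executable_path(command: str) -> str:
    """Pull the program path out of a Run value (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def find_suspicious_run_entries(dump: str):
    """List (value name, program path) for Run entries that start a program
    from the user's Application Data folder, as the Zbot sample does."""
    findings = []
    for line in dump.splitlines():
        m = RUN_VALUE.match(line)
        if not m:
            continue  # key header, blank line, or a value type we do not handle
        name, _, data = m.groups()
        exe = executable_path(data)
        # Only the directory components matter, so drop the file name itself.
        folders = {p.lower() for p in exe.replace("/", "\\").split("\\")[:-1]}
        if folders & PROFILE_DATA_DIRS:
            findings.append((name, exe))
    return findings


if __name__ == "__main__":
    for name, exe in find_suspicious_run_entries(SAMPLE_RUN_KEY_DUMP):
        print(f"review Run value {name!r} -> {exe}")
```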

We shouldn't need to remind you, but we'll do so in case you want to remind someone else:

  • Don't open email attachments you weren't expecting.
  • Don't believe emails that claim to be sending you a security patch - by email.
  • Don't ignore clues such as poor grammar or spelling in emails that claim to be official.
  • Don't neglect to keep your software patches up to date - but never by email.

Note. Sophos Anti-Virus on Windows detects this malware proactively (and very likely a high percentage of related variants still to appear) as HPMal/Zbot-C. Sophos on non-Windows platforms, including gateway products, detects the malware's various components as Troj/Agent-AEWF and Troj/Agent-AEWG. Sophos web and email filters proactively quarantine attacks of this sort by identifying the ZIP file as suspicious.

7 Responses to Spam from an anti-virus company claiming to be a security patch? It's Zbot/Zeus malware...

  1. I've had several of these in the last 24 hours. I use a Linux machine normally so they probably wouldn't affect me, but I still never open attachments I am not expecting as a general rule and always impress this on friends and relatives. It amazes me the lengths to which malware writers will go to spread their wares and, judging by the reports I've read, the number of people who still open unexpected attachments.

  2. Anti virus-scammers · 332 days ago

    Also:
    ESET NOD32 Antivirus: Important System Update - requires immediate action
    appearing to come from "ESET NOD32 Antivirus (redacted@example.com)"

  3. Spryte · 331 days ago

    As a user of both AVG and MSE I have also seen these letters. Since I do not subscribe to both, I knew one was spam and suspected the other.

    Just in case, I opened MSE (on this box) and did an update and made a mental note to use the Update Now option on the box with AVG.

    Really the only way to update.
    I have never known either to send an update by email (or even a notification). It is all done through their respective interfaces.

  4. Kevin · 331 days ago

    To be clear, is this threat only transmitted by e-mail messages?
    Is there any indication whatsoever that legitimate companies like AVG are anything other than scapegoats in this particular SPAM scheme?
    The reason I bring this up is that I see repeated GUI pop-up reminders (on XP Pro SP3 / IE8) to upgrade my AVG AntiVirus Free Edition 2013.0.3426 or ZoneAlarm Free Firewall version: 10.1.079.000 products.
    The Sophos Labs newsletter blurb on this article caught my eye as the AVG / ZA reminders I am seeing are becoming increasingly intrusive.
    (I am suspect of the frequency of major AVG core s/w updates and don't want ZA's paid products or product suites.)
    Has malware ever been distributed by piggybacking on the type of updating routines built in to such security s/w?

    • Paul Ducklin · 331 days ago

      This issue is a spam campaign by cybercrooks. I did not suggest, nor is there the slightest chance, that any of the legitimate companies listed are anything but scapegoats.

      The popup messages, annoying or not, from any software you have installed are something completely different (and unrelated).

  5. On this matter, there is the legitimate hotfix request email with a URL pointing to hotfixv4.microsoft.com. I wonder if attackers ever target those.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog