Sophos Cloud Optix
The Bredo and Zeus/Zbot malware families are both vying to infect your PC. If these bots are not busy spamming themselves out from an infected endpoint, with either bogus delivery invoices or forged IRS statements, they are scouring the local machine for personal information to steal, bank transactions to manipulate, among a host of other possible nefarious deeds.
But who wants to share? We have seen bots go toe-to-toe with one another before; embedding logic into their armory to block or disable other malware. As such, it comes as no surprise to have seen a recent Bredo sample with additional code to disable installed Zbots. The sample loops through the list of known Zbot executable names…
… and moves any files found to an alternate location, and thus disabling Zbot’s path-based auto-start mechanism for subsequent reboots. And to combat its own paranoia, the malware sets up a thread to perform this check (along with its own installation logic) forever.
Though disabling Zbots may seem helpful, Bredo malware does far more harm than good. As prevention is often better than the cure, be diligent in your efforts to avoid infection altogether; read e-mail with extra caution and follow safe-computing best-practices.