Active Sinowal distribution

A couple of days ago I posted about some interesting malicious PDFs we were seeing in high numbers. Further investigation revealed the payload of these attacks to be Sinowal (aka Mebroot).

Well, I should say predominantly Sinowal, because we have seen some of the payloads being Zbot (aka Zeus) variants as well!!!

Various components are being used on the attack sites, targeting several system vulnerabilities. Associated detections for Sophos include:

We are still seeing fairly high numbers of these detections, so be sure to keep your security product updated and use effective URL filtering to block access to the multitude of sites that Sinowal is using for distribution and call-home traffic.