Christmas, Amazon and Zbot – it’s that time of year again.

[Image: zbot-hlmrk-msg.png]

“All I want for Christmas is … a zbot.exe”.

If you are too cheerfully ignorant when opening e-cards this holiday season, that’s just what you’ll end up with. Be especially careful when you receive messages from those close personal contacts of yours, including:

  1. “your friend”

  2. your “Online Banking Team”

The linked executable files will leave you disappointed: no e-card song-and-dance, and potentially less cash in your bank account, as these Mal/Zbot-O samples steal your online banking credentials and, subsequently, your money.

The sample linked in message #2 is notable for its use of Amazon’s web services cloud infrastructure in its call-home mechanism. Whether the malicious image containing the Zbot (aka Zeus) binaries was infected intentionally or unintentionally remains unclear. What is clear is that the malicious URL already appears to have been disabled:
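The two lures above share one tell: a seasonal or banking-themed message whose link points straight at an executable, in the second case hosted on rented cloud infrastructure. The following is an added example, not code from the original post or from Sophos, of the kind of URL triage a mail gateway or analyst could run over message bodies. The sample messages, hostnames and the `.amazonaws.com` suffix check are constructed assumptions for illustration, not indicators taken from the actual samples.

```python
"""Flag links in e-card / banking-themed mail that point at executables.

Added example, not from the original post. Sample messages and hostnames
below are constructed; the amazonaws.com suffix check is an assumption
about how cloud-hosted payload links might look, not an indicator from the
samples described in the post.
"""
import re
from urllib.parse import urlparse

# File types Windows runs directly when the user opens the download.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Lure themes named in the post: e-cards and "online banking team" notices.
LURE_KEYWORDS = ("e-card", "ecard", "greeting card", "online banking")

# Cloud-hosted downloads deserve a second look but are not malicious on their own.
CLOUD_HOST_SUFFIXES = (".amazonaws.com",)  # assumption for illustration

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL in the message body, in order, minus trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(body)]


def url_indicators(url: str) -> list[str]:
    """Reasons a single URL looks like an executable lure (empty list if none)."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    host = (parsed.hostname or "").lower()
    reasons = []
    for ext in EXECUTABLE_EXTENSIONS:
        if path.endswith(ext):
            reasons.append(f"links directly to an executable ({ext})")
            break
    # "card.jpg.exe" style double extensions hide the real type from the user.
    segments = path.rsplit("/", 1)[-1].split(".")
    if len(segments) > 2 and "." + segments[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguises executable as an image or document")
    if host.endswith(CLOUD_HOST_SUFFIXES):
        reasons.append("payload hosted on rented cloud infrastructure")
    return reasons


def scan_message(body: str) -> dict[str, list[str]]:
    """Map each suspicious URL in the body to its list of indicators.

    A lure keyword in the text adds one more indicator to every URL that
    already looks like an executable download; clean URLs are never reported.
    """
    lowered = body.lower()
    lure = any(k in lowered for k in LURE_KEYWORDS)
    findings = {}
    for url in extract_urls(body):
        reasons = url_indicators(url)
        if reasons and lure:
            reasons.append("executable link inside an e-card/banking-themed message")
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample messages modelled on the two lures described in the post.
FRIEND_ECARD = (
    "Your friend has sent you an e-card!\n"
    "View it here: http://ecards.example.net/view/card.jpg.exe\n"
)
BANKING_NOTICE = (
    "Online Banking Team: please install the security update below.\n"
    "http://ec2-198-51-100-7.compute-1.amazonaws.com/update/secure.exe\n"
    "Questions? http://www.example-bank.com/help.html"
)

if __name__ == "__main__":
    for name, msg in (("friend e-card", FRIEND_ECARD), ("banking notice", BANKING_NOTICE)):
        for url, reasons in scan_message(msg).items():
            print(f"[{name}] {url}")
            for reason in reasons:
                print(f"    - {reason}")
```

Run as a script it prints each flagged URL with its reasons; the benign help-page link in the banking sample is not reported, which is the point of scoring on the link target rather than on the message theme alone.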

As such, malware authors obviously cannot expect the same reliability for their malicious deeds as that provided to legitimate users of the EC2 service. But nor can we reasonably expect such online services to be completely free of any malicious activity at all times (as fraudsters can initially fake their legitimacy, as seen with the case of the malicious NYTimes ad stream). In the end however, the same way Gmail terminates spammy accounts and Twitter filters URLs, it seems we can all count on abusers of Amazon’s EC2 services receiving swift and decisive action.