Archive for the ‘Malware’ Category

Fake Verizon Wireless Spam Distributes Trojan.Sasfis

A fake Verizon Wireless email with the subject “Your credit balance is over its limit” is currently making the rounds.

Dear Verizon Wireless customer,

Your credit balance is over its limit. Please use the attached Verizon Wireless Balance Checker Tool to review and analyze your payments.

Yours sincerely,
Verizon Wireless Customer Services

The email carries an attachment called “balancechecker.zip” that is not a balance tool at all but the Sasfis/Oficla trojan. If executed, Sasfis runs silently in the background and downloads and installs additional malware.

http://www.virustotal.com/analisis/c98767c0a51b0ca83d1708beb89f03296394f11f4fd17fc93f3b6d6fbf1686a9-1258535039
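As an added example (not code from the original post), the following Python checks a zip attachment the way a mail gateway could treat “balancechecker.zip”: it opens the archive in memory, looks at each member's leading bytes rather than trusting its name, descends into nested zips, and flags anything that looks like a Windows executable. The archive it inspects is constructed here to stand in for the real attachment and contains no actual malware; the magic-byte table and depth limit are assumptions for the example.

```python
"""Inspect a zip e-mail attachment for executable content before delivery.
Added example; the archive built here is a constructed stand-in for
"balancechecker.zip" and contains no real malware."""
import io
import zipfile
from typing import List, Tuple

# Leading bytes that identify content a mail gateway should not let through
# inside an archive. Assumption for this example: the PE "MZ" header is enough;
# extend with other signatures (e.g. .lnk, .jar) as policy requires.
EXECUTABLE_MAGICS = {b"MZ": "PE executable (MZ header)"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
ZIP_MAGIC = b"PK\x03\x04"
MAX_NESTING = 2  # how many levels of zip-inside-zip to descend


def classify_member(name: str, head: bytes) -> str:
    """Return why a member is dangerous, or '' if it looks harmless.
    Magic bytes are checked first so a renamed .exe is still caught."""
    for magic, label in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return label
    if name.lower().endswith(EXECUTABLE_EXTENSIONS):
        return "executable extension"
    return ""


def inspect_zip(blob: bytes, depth: int = 0, prefix: str = "") -> List[Tuple[str, str]]:
    """Walk an archive held in memory; return (member path, reason) findings."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a valid zip archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with archive.open(info) as member:
                head = member.read(8)
            if head.startswith(ZIP_MAGIC):  # nested archive
                if depth < MAX_NESTING:
                    findings.extend(inspect_zip(archive.read(info), depth + 1, path + "/"))
                else:
                    findings.append((path, "nested archive beyond depth limit"))
                continue
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((path, reason))
    return findings


def should_quarantine(blob: bytes) -> bool:
    """Policy decision for the gateway: any finding means hold the message."""
    return bool(inspect_zip(blob))


def build_sample_attachment() -> bytes:
    """Constructed look-alike of balancechecker.zip: an inner zip holding a
    fake PE (just an MZ header and padding), the same bytes renamed to .pdf,
    and a benign text file; all wrapped in an outer zip with a cover note."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("balancechecker.exe", fake_pe)   # caught by MZ header
        z.writestr("statement.pdf", fake_pe)        # renamed PE, still caught
        z.writestr("README.txt", b"Run the balance checker to review your payments.\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("balancechecker.zip", inner.getvalue())
        z.writestr("cover_letter.txt", b"Dear Verizon Wireless customer,\n")
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_zip(build_sample_attachment()):
        print(f"FLAG {path}: {reason}")
```

Checking the first bytes of each member is what catches the renamed executable; an extension-only rule would pass “statement.pdf” straight through. The depth limit keeps a deliberately recursive archive from tying up the gateway.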

Updated List of Fake AntiVirus Domains

The ongoing fake antivirus campaigns are out of control with no end in sight. This software is distributed in a variety of ways such as spam, drive-by downloads, fake ad banners and other social engineering techniques. Some variants hold the files on your computer hostage by encrypting them, while others harvest email addresses and credit card information.

[Screenshots: fake antivirus products “Protecter Plus” and “Antivirus 2009”]

While the malware each domain distributes may change, keywords such as “anti” in the domain name are usually static. Follow the links below (searches on “scan”, “anti” and “security”) to view an updated list of fake antivirus domains.

http://malc0de.com/tools/db.php?search=scan
http://malc0de.com/tools/db.php?search=anti
http://malc0de.com/tools/db.php?search=security

Gumblar Botnet Returns

On October 15th ScanSafe wrote about the return of the Gumblar botnet (see the ScanSafe blog link below). The botnet was dubbed Gumblar in May 2009 when it was first discovered, because the site that served the malware after a series of redirects was gumblar.cn. Since then Gumblar has decentralized its malware distribution by using thousands of compromised legitimate websites. Once installed on the victim's machine, the malware looks for stored FTP credentials in applications such as FileZilla. The stolen credentials are then used to download files from the site, which are modified before being uploaded back to the compromised account. In the example from the ScanSafe blog, the malware currently being delivered (Trojan.Win32.Delf.phk) has a low detection rate.

More information can be found at the following links:

http://en.wikipedia.org/wiki/Gumblar
blog.scansafe.com
wepawet
anubis
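The file-tampering step described above (download a page over FTP, modify it, upload it back) is exactly what a hash manifest of the document root catches. The following Python is an added example, not ScanSafe's or this blog's code: it baselines a small constructed web root, applies a constructed tamper (an appended script tag, a dropped file, a deleted page) and reports the differences. The injected URL is a placeholder, not one from the Gumblar campaign.

```python
"""Hash-manifest integrity check for a web document root.
Added example; the tampered content below is constructed, not Gumblar's."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large assets don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo_tampered_docroot() -> Dict[str, List[str]]:
    """Baseline a constructed docroot, tamper with it, and diff. Returns the report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        original = {  # constructed site content
            "index.html": b"<html><body>Welcome</body></html>\n",
            "about.html": b"<html><body>About us</body></html>\n",
            "js/site.js": b"console.log('site');\n",
        }
        for rel, data in original.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)  # take this while the site is known-good

        # Tamper the way the post describes: fetch a page, append an injected
        # script reference, push it back; also drop a new file and remove one.
        # The URL is a placeholder, not one from the real campaign.
        with open(os.path.join(root, "index.html"), "ab") as fh:
            fh.write(b'<script src="http://attacker.invalid/x.php"></script>\n')
        with open(os.path.join(root, "js", "inject.js"), "wb") as fh:
            fh.write(b"/* dropped by attacker */\n")
        os.remove(os.path.join(root, "about.html"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo_tampered_docroot().items():
        print(f"{kind:9} {paths}")
```

Keep the baseline manifest somewhere the FTP account cannot reach (the attacker holds those credentials), and re-run the comparison on a schedule; a change to a file nobody deployed is the signal to pull the site and rotate the FTP password.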

Fake IRS sites distribute Zbot Variants

The distribution of Zbot continues, this time via a file called tax-statement.exe and domains such as irs.gov.fedas1ao.com, irs.gov.y11derd.com and irs.gov.juhh1wo.com, which place “irs.gov” as subdomain labels under an unrelated registered domain. It is unclear what the initial vector is; however, given the way the domains and file name have been crafted, it is likely related to spam. All the domains used so far and the dates they were first seen can be found here.
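The two crafted-name patterns on this page (a trusted domain such as irs.gov stacked as subdomain labels under an unrelated registrable domain, and fake antivirus names built around words such as “anti”, “scan” and “security”) can be triaged from a hostname alone. The Python below is an added example, not the blog's or malc0de's own tooling; its registrable-domain logic is a deliberately tiny stand-in for the Public Suffix List, and the sample hostnames other than the three named in this post are constructed.

```python
"""Hostname heuristics for the patterns described in the posts above:
a trusted name (irs.gov) placed left of some other registrable domain, and
fake-AV names built around "anti", "scan", "security". Added example."""
from typing import List, Tuple

# Assumption: a tiny stand-in for the Public Suffix List. Production code
# should use the real list (e.g. the publicsuffix2 package) instead.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.za"}

# Names the Zbot campaign above impersonates; extend per organisation.
PROTECTED_DOMAINS = {"irs.gov"}

# Keywords the fake-AV post says tend to stay constant across campaigns.
FAKEAV_KEYWORDS = ("anti", "scan", "security", "protect")


def _labels(host: str) -> List[str]:
    return host.lower().strip().rstrip(".").split(".")


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the suffix is a known two-level one."""
    labels = _labels(host)
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_in_subdomain(host: str) -> str:
    """Return the protected domain a host impersonates, or '' if none."""
    labels = _labels(host)
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return ""  # the real thing (irs.gov, www.irs.gov)
    left = labels[: -len(reg.split("."))]  # labels left of the registrable domain
    for brand in PROTECTED_DOMAINS:
        parts = brand.split(".")
        # brand appears as a contiguous run of labels: irs.gov.fedas1ao.com
        for i in range(len(left) - len(parts) + 1):
            if left[i:i + len(parts)] == parts:
                return brand
        # or squashed into one label with hyphens: irs-gov-refund.example.com
        if any(brand.replace(".", "-") in label for label in labels):
            return brand
    return ""


def fakeav_keywords(host: str) -> List[str]:
    lowered = host.lower()
    return [k for k in FAKEAV_KEYWORDS if k in lowered]


def assess(host: str) -> Tuple[str, List[str]]:
    """Verdict plus the reasons behind it; keyword hits are triage signals only."""
    reasons = []
    brand = brand_in_subdomain(host)
    if brand:
        reasons.append(f"impersonates {brand} under {registrable_domain(host)}")
    keywords = fakeav_keywords(host)
    if keywords:
        reasons.append("fake-AV keyword(s): " + ", ".join(keywords))
    return ("suspicious" if reasons else "no match"), reasons


# Constructed sample: the three hosts named in the post plus made-up controls.
SAMPLE_HOSTS = [
    "irs.gov.fedas1ao.com", "irs.gov.y11derd.com", "irs.gov.juhh1wo.com",
    "www.irs.gov", "irs-gov-refund.example.com",
    "antivirus2009-protect.example.net", "blog.scansafe.com",
]


def scan_hosts(hosts: List[str]) -> List[Tuple[str, str, List[str]]]:
    return [(h, *assess(h)) for h in hosts]


if __name__ == "__main__":
    for host, verdict, reasons in scan_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {host:35} {'; '.join(reasons)}")
```

The brand check is precise enough to block on; the keyword check is not (blog.scansafe.com trips it on “scan”), so treat keyword hits as candidates for the manual review the post's malc0de searches support, not as an automatic verdict.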

Upon execution of tax-statement.exe the following changes are made to the registry (values shown as captured):

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
UID = “%ComputerName%_0002DE7F”

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]

{3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
{33373039-3132-3864-6B30-303233343434} = 47 09 F2 0D

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Cookies =
History =

From a network perspective, the following GET requests are generated:

http://195.93.208.18/lcc/ip.gif

http://195.93.208.18/ip.php

Threat characteristics of Zbot: a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screenshots, downloads additional components, and provides the attacker with remote access to the compromised system.

Ants vs. worms: Computer security mimics nature

Glenn Fink, a research scientist at Pacific Northwest National Laboratory (PNNL) in Richland, Wash., has come up with a new way to detect threats on a network. The method uses an army of “digital ants” that mirror the behavior of real ants: when an ant finds a threat, or evidence of one, it leaves behind a “digital scent”, which attracts more digital ants and produces a swarm that marks a potential computer infection.

In a study this summer, a worm was introduced into a network of 64 computers, and the army of digital ants successfully identified the infected hosts. Computer users need not worry that a swarm of digital ants will decide to take up residence in their machine by mistake: digital ants cannot survive without software “sentinels” located at each machine, which in turn report to network “sergeants” monitored by humans, who supervise the colony and maintain ultimate control.

More on this interesting article can be found here
