
    Watch Out for Trojans Circulating in PDFs

    Techtree News Staff, Apr 16, 2010 1351 hrs IST

    Websense Security Labs warns of Zbot campaign; an information stealing trojan



Websense Security Labs has received several reports of a Zbot trojan campaign spreading via email; once installed, the trojan connects the infected PC to a malicious remote server in China. Websense has seen over 2,200 messages so far.

Zbot (also known as Zeus) is an information stealing trojan (infostealer) collecting confidential data from each infected computer. The main vector for spreading Zbot is a spam campaign where recipients are tricked into opening infected attachments on their computer.

This new variant uses a malicious PDF file that carries the threat as an embedded file. When recipients open the PDF, it prompts them to save a file called Royal_Mail_Delivery_Notice.pdf. The user assumes the file is just a PDF and therefore safe to store on the local computer. The file, however, is really a Windows executable. The malicious PDF then launches the dropped file, which takes control of the computer. At the time of writing, this file has a 20 percent anti-virus detection rate (SHA1: f1ff07104b7c6a08e06bededd57789e776098b1f).
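The delivery mechanism described above (an embedded file plus an action that launches it when the document opens) is visible in the PDF's object structure before anything is executed. The following triage script is an added example, not code from Websense or Techtree: it counts the name tokens that matter for this pattern, decodes the `#xx` escapes attackers use to hide names such as `/Embedded#46ile`, and flags when an `/EmbeddedFile` and a `/Launch` action occur together. The sample PDF is constructed for the example and contains no real payload; the `/ObjStm` check is a caveat rather than a detection, since names inside compressed object streams are not visible to a plain scan.

```python
import re

# PDF name tokens worth counting during triage. A count is not a verdict; the
# article's sample combines an embedded file with an action that launches it.
SUSPICIOUS_NAMES = (
    "/OpenAction",    # action run automatically when the document opens
    "/AA",            # additional actions (page open, mouse events, ...)
    "/Launch",        # launch action: starts an external file or program
    "/JavaScript",
    "/JS",
    "/EmbeddedFile",  # a file attachment stored inside the PDF
    "/ObjStm",        # compressed object stream: names inside it are invisible here
)

# '#xx' hex escape inside a PDF name, e.g. /Embedded#46ile == /EmbeddedFile.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data):
    """Decode #xx escapes so obfuscated names are counted under their real spelling.
    Applied to the whole file for simplicity; stream bodies are not parsed here."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data):
    """Count each suspicious name token. The lookahead requires a delimiter after
    the name so that /EmbeddedFile does not match the /EmbeddedFiles name-tree key."""
    data = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        counts[name] = len(re.findall(pattern, data))
    return counts


def assess(counts):
    """Turn raw counts into human-readable findings."""
    findings = []
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("automatic action on open")
    if counts["/Launch"]:
        findings.append("launch action")
    if counts["/JavaScript"] or counts["/JS"]:
        findings.append("javascript")
    if counts["/EmbeddedFile"]:
        findings.append("embedded file")
    if counts["/EmbeddedFile"] and counts["/Launch"]:
        findings.append("embedded file plus launch action: dropper pattern")
    if counts["/ObjStm"]:
        findings.append("object streams present: counts above may be incomplete")
    return findings


def triage(data):
    """Scan raw PDF bytes and return (counts, findings)."""
    counts = count_names(data)
    return counts, assess(counts)


# Constructed sample: a minimal PDF in the shape the article describes (an
# embedded "PDF" that is really an executable, launched on open). Not real malware.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R
  /Names << /EmbeddedFiles << /Names [(Royal_Mail_Delivery_Notice.pdf) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Launch /F (Royal_Mail_Delivery_Notice.pdf) >> endobj
5 0 obj << /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /Embedded#46ile /Length 2 >>
stream
MZ
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_PDF)
    for name, n in counts.items():
        print(f"{name:14} {n}")
    print("findings:", findings)
```

Run against a real attachment with `triage(open(path, "rb").read())`. A hit on the dropper pattern is a reason to detonate the file in a sandbox or submit it for analysis, not proof of infection; conversely, a clean count with `/ObjStm` present should be followed by a tool that inflates object streams before counting.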

Location of the Zbot:

The Zbot trojan creates a subdirectory named "lowsec" under %SYSTEM32% and drops the files "local.ds" and "user.ds" there; these are the threat's configuration files. It also drops an executable, "sdra64.exe", and modifies the registry entry "%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" so that it is launched during system startup. When it runs, it injects malicious code into the Winlogon.exe instance in memory. This Zbot variant connects to a malicious remote server in China at the IP address 59.44.[removed].[removed] on port 6010.
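The artifacts listed above give a defender two cheap host checks: the Winlogon `Userinit` value should contain nothing but `userinit.exe`, and the "lowsec" files and "sdra64.exe" should not exist under System32. The script below is an added example, not Websense's or Techtree's code; the registry key is the standard `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` behind the article's "%SOFTWARE%" shorthand. The assessment functions are kept pure so they can be run against values pulled from a disk image or a triage dump; only `collect_live()` touches the running host and it requires Windows. The C2 address is redacted on the page, so no network check is included.

```python
import ntpath
import os
import sys

# File artifacts the article reports for this variant, relative to System32.
ZBOT_ARTIFACTS = (
    r"lowsec\local.ds",   # configuration file
    r"lowsec\user.ds",    # configuration file
    r"sdra64.exe",        # the dropped executable
)

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def assess_userinit(value):
    """Return every program listed in the Userinit value other than userinit.exe.
    Userinit is a comma-separated list; Windows itself needs only userinit.exe,
    so any extra entry is a persistence candidate worth examining."""
    extra = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry or ntpath.basename(entry).lower() == "userinit.exe":
            continue
        extra.append(entry)
    return extra


def assess_files(system32, exists):
    """Return the artifact paths that exist under system32. `exists` is injected
    so the check can run against a recorded file list as well as a live disk."""
    hits = []
    for rel in ZBOT_ARTIFACTS:
        path = ntpath.join(system32, rel)
        if exists(path):
            hits.append(path)
    return hits


def collect_live():
    """Read Userinit and check System32 on the running host (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows (winreg)")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    system32 = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return assess_userinit(userinit), assess_files(system32, os.path.exists)


if __name__ == "__main__":
    extra, files = collect_live()
    print("extra Userinit entries:", extra or "none")
    print("Zbot file artifacts present:", files or "none")
```

A hit on either check means the machine should be isolated and examined, not just cleaned by deleting the listed entries: the article notes that the running instance lives inside Winlogon.exe, so a live memory capture is worth taking before reboot, and the configuration files tell you what the variant was targeting.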


This is yet another hacking attempt pointing to China, which is somewhat alarming and makes one wonder whether China is quietly planning to go big on this. Make sure your anti-virus suite is updated with the latest definitions to protect your PC from malware. Also, avoid downloading any PDF from unknown senders.




Discussion Board
(8) Comments

bond2299, Pune, on Aug 06, 2010 08:43 PM
what?

Anirudh, Guwahati, on Apr 17, 2010 08:12 PM
check this

sanjeevani, Bhopal, on Apr 17, 2010 06:04 PM
nice

Anil, Khopoli, on Apr 17, 2010 01:06 PM
It should be "circulating AS PDF" and NOT "circulating IN PDF". Sorry, I am a little precise in using words.

Sharad, Kolkata, on Apr 17, 2010 03:24 PM
The phrase is correct. The PDF file itself is not a trojan, but it contains (embeds) one. So "the Trojan is circulating in PDF" is correct.

Shivaji, Mathura, on Apr 17, 2010 10:25 AM
Everybody should read this. The cyber crime capital has shifted from Pakistan to China.

prakash, Gingee, on Apr 16, 2010 07:06 PM
read this

Anonymous, on Apr 16, 2010 03:42 PM
