Scanned Documents Spreading ZBot

Loredana BOTEZATU

February 10, 2011


You know printers. I know you do, and you use them regularly if not daily. They sit in a corner of your office and spit out pages whenever you ask them to. Some of these printers can also send scanned documents via e-mail, and I’ll bet that not all of you know about this feature, let alone use it. Well, cyber criminals do know about it, and they have even found a way to use it for their ill-intended actions.

And here’s how: the malware writers borrowed the e-mail template that office printers and scanners use for their scan-to-mail notifications and used it to distribute…well…spam. More to the point, they “distribute” e-mails disguised as scanned documents sent by a Xerox® WorkCentre Pro scanner, containing a “malicious” attachment dressed up as a harmless PDF file.

The e-mail looks like this:

Zbot Mail

And the attachment is a wolf in sheep’s clothing. The claimed Xerox WorkCentre Pro scanned document is in fact a malformed PDF file that exploits four Adobe® Acrobat Reader® vulnerabilities: Collab.collectEmailInfo (CVE-2007-5659), Utilprintf (CVE-2008-2992), Collab.getIcon (CVE-2009-0927) and mediaNewplayer (CVE-2009-4324). All of them are old by now, and most of them allow remote code execution.
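A defender triaging such an attachment can look for the Adobe Reader JavaScript API names tied to those four CVEs inside the PDF’s scripts. The following is an added example (not code from the original post or from BitDefender); it assumes the standard API spellings (Adobe’s util.printf and media.newPlayer for the post’s “Utilprintf” and “mediaNewplayer”) and builds its own harmless sample PDFs that contain only the API names, no exploit logic.

```python
import re
import zlib

# Adobe Reader JavaScript API names behind the four CVEs the post lists.
# Seeing one in a PDF's script is a triage signal for an analyst, not proof of exploitation.
SUSPICIOUS_API = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_streams(pdf_bytes):
    """Return every stream body, inflated when it is a FlateDecode (zlib) stream."""
    bodies = []
    for raw in STREAM_RE.findall(pdf_bytes):
        try:
            # decompressobj tolerates the trailing newline that precedes 'endstream'
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not zlib-compressed: keep the raw bytes
    return bodies


def triage_pdf(pdf_bytes):
    """Return the sorted CVE ids whose API names appear in the raw file or its inflated streams."""
    blobs = [pdf_bytes] + decode_streams(pdf_bytes)
    return sorted({cve for blob in blobs
                   for api, cve in SUSPICIOUS_API.items() if api.encode() in blob})


def build_sample_pdf(js_source):
    """Constructed, harmless stand-in for the 'scanned document': one compressed JS stream."""
    data = zlib.compress(js_source)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: API names only, no exploit logic.
SUSPECT_PDF = build_sample_pdf(b"Collab.collectEmailInfo({}); Collab.getIcon('x');")
BENIGN_PDF = build_sample_pdf(b"app.alert('Scan complete');")

if __name__ == "__main__":
    print("suspect:", triage_pdf(SUSPECT_PDF))  # ['CVE-2007-5659', 'CVE-2009-0927']
    print("benign:", triage_pdf(BENIGN_PDF))    # []
```

Real samples often obfuscate these names (string splitting, eval), so an empty result is not a clean bill of health; a hit on a file that claims to be a plain scan is enough to quarantine it.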

This malformed PDF file is on a new mission these days: to spread the Zbot.

A short reminder of how ZBot operates: also known as Zeus, ZeusBot or WSNPoem, it is a Trojan designed to steal sensitive information. It tampers with certain processes and adds exceptions to the Microsoft® Windows® Firewall, giving itself both backdoor and server capabilities. On the one hand, ZBot ships out critical data gathered from the compromised computer; on the other hand, it listens on certain ports for further commands from remote attackers.

The latest variants are also able to steal bank-related information, login data, history of the visited Web sites and other details the user inputs, while also capturing screenshots of the compromised machine's desktop.

Those who are not protected by a BitDefender product can use our free ZBot Removal Tool, which checks users’ computers and detects and eliminates most of the ZBot variants spotted in the wild. It is available for download and use free of charge in the Removal Tools section of hotforsecurity.com.

This article is based on the technical information provided courtesy of Răzvan Benchea, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
