
Time’s up; Zeus is back

Posted by on June 18, 2014.

Bang on time, Zbot’s back. Admittedly, it’s Zbot rather than specifically GOZeus, but it’s pretty much the same malware.

Two weeks ago, the NCA warned:

Action taken by the NCA to combat the threat will give the UK public a unique, two-week opportunity to rid and safeguard themselves from two distinct but associated forms of malware known as GOZeuS and CryptoLocker.
Europol, FBI, NCA and others disrupt the Gameover Zeus botnet — claim a 2 week window for users to get clean

That two weeks expired at midnight last night. And this morning, bang on time, AppRiver’s Jonathan French posted a new blog:

Early this morning a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (real company, but messages are spoofed). The payload was an attached .zip file that was password protected… Currently we are blocking this malware with over 40,000 hits so far this morning.

And, you got it, inside the zip file is a dropper that reaches out to a Russian IP address to download Zbot.

But it’s not a very professional implementation of the malware. First of all, the attached file claims to be a ZIP archive while it is in reality a RAR archive, so unless the recipient has a RAR unpacker installed (and uses it despite the .zip extension), the attachment won’t even open.

Secondly, the password for the ‘zip’ file is included in the email body, a pretty clear red flag: an attacker password-protects the archive so that mail gateways can’t inspect the contents, and then hands the recipient the key in plain text. As French notes, “if the password is in the email, that sort of defeats the whole reason of being secure and having a password.”

And thirdly, the delivered Zbot (if it ever gets delivered) tries to reach out to a second Russian IP address for its command and control, but fails to make contact.
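The first two giveaways above (an attachment whose magic bytes don’t match its .zip extension, and an encrypted archive whose password is handed over in the message body) are exactly the kind of thing a mail gateway can flag mechanically. The following is an added example written for this page, not code from the article or from AppRiver; the sample attachment bytes and message body are constructed here for illustration, and the finding names are my own. It identifies the container by signature rather than filename, reads the encryption bit from a ZIP local file header, and searches the body for a password handout; RAR encryption flags are deliberately not parsed, since the extension mismatch alone is enough to flag that case.

```python
import io
import re
import struct
import zipfile

# Magic bytes for the container formats in question.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# Loose pattern for "password: 1234" / "the password is abc" phrases in a body.
PASSWORD_IN_BODY = re.compile(r"\bpassword\b\s*(?:is|:)?\s*\S+", re.IGNORECASE)


def detect_archive_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the filename."""
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    if data.startswith(RAR5_SIG):
        return "rar5"
    if data.startswith(RAR4_SIG):
        return "rar4"
    return "unknown"


def zip_entry_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag field (offset 6 of the first local
    file header) is set when that entry is password-protected."""
    if not data.startswith(ZIP_LOCAL_HEADER) or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def triage_attachment(filename: str, data: bytes, body: str) -> list:
    """Return the red flags a gateway could raise for one attachment.

    Finding names are hypothetical labels chosen for this example."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = detect_archive_type(data)
    if ext == "zip" and kind != "zip":
        findings.append("extension_mismatch")
    if kind == "zip" and zip_entry_is_encrypted(data):
        findings.append("encrypted_zip")
    if PASSWORD_IN_BODY.search(body):
        findings.append("password_in_body")
    return findings


# Constructed samples (not real campaign data): a RAR4 signature plus filler,
# shipped under a .zip name, and a body that hands over the password.
SAMPLE_RAR_AS_ZIP = RAR4_SIG + b"\x00" * 32
SAMPLE_BODY = "Please find attached your daily statement. The password is 1234."

# Minimal local file header with the encryption bit set (flag field = 0x0001);
# enough to exercise the check, not a complete archive.
SAMPLE_ENCRYPTED_ZIP = ZIP_LOCAL_HEADER + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22


def make_plain_zip() -> bytes:
    """Build a genuine, unencrypted zip in memory for the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statement.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("statement.zip", SAMPLE_RAR_AS_ZIP, SAMPLE_BODY))
    print(triage_attachment("statement.zip", SAMPLE_ENCRYPTED_ZIP, "See attached."))
    print(triage_attachment("statement.zip", make_plain_zip(), "See attached."))
```

The point of checking magic bytes rather than the extension is that a recipient’s archiver may happily open a RAR named .zip, so a filter keyed on the filename alone would never see the mismatch. Only the first local file header is examined; a fuller implementation would walk the central directory so that an archive with one unencrypted decoy entry in front of the encrypted payload is still caught.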

Purely coincidentally, you understand, just before the 2-week expiry, GCHQ yesterday announced that it would start to share its threat intelligence. At the same time, and not given any particular importance, it commented that Sir Iain Lobban would imminently “confirm GCHQ’s involvement, as one of a number of bodies, in the disruption of the GameOverZeus malware, in an operation recently announced by the National Crime Agency.”

Is the juxtaposition of these two statements purely coincidence? Is it too far a stretch of the fanciful imagination to wonder if GCHQ’s threat intelligence had become aware of the planned start of this new campaign, and consequently the NCA told everyone they had just two weeks to get their defences in order? Nice idea, but yes, probably too fanciful…
