Zeus malware distributed through browser warning: social engineering at its finest



Dec 5, 2014

Zeus malware continues to plague the Internet with distributions through
spam emails and embeds in compromised corners of the web – all designed
to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research
Analysis and Intelligence Division) recently observed the Zeus malware
being distributed through an alarmingly convincing browser warning that
prompts viewers to download and “restore settings.”

Figure 1 (below) shows the browser warning, which is designed to
manipulate viewers into believing the alert is based on security
preferences that they have previously set up. The message creates a
sense of urgency and fear, warning of “unusual activity.” The path of
origin for how victims encounter this browser message is still under
investigation by the PhishLabs R.A.I.D.

   "The path of origin for how victims encounter this browser
    message is still under investigation..."

    What a load of bullshit.  Just look at the garbage pile of
    outgoing servers that your browser is being asked to contact
    during a typical browsing session and it's no wonder that
    hackers can hijack the DNS entries or even the servers
    for those ad-servers, beacons and click-trackers and cause
    these spurious warnings to scare people into clicking
    what the hackers want them to click.

    What exactly is being done by the various anti-junk programs
    to completely eliminate this garbage content from a user's
    browsing experience?  I'll tell you -> nothing.  Because
    of the vested interest the industry has in making sure
    your browser keeps accessing all those junky hosts so
    that you are properly identified, tracked, and monetized.

    Bottom line:

    It's called a HOSTS file people.  Use it.

Another observation that differentiates this malicious prompt from
others is its language usage and spelling. Generally speaking, poor
grammar and spelling are often indicators of fake or malicious requests
that lead to malware, but cybercriminals have caught on to this
weakness and stepped up their game. Although it is not perfect, the
warning observed in this case was much more accurate than what we
usually see.

The warning states:

"We have detected unusual activities on your browser and the Current
Online Document File Reader has been blocked base on your security
preferences. It is recommended that you update to the latest version
available in order to restore your settings and view Documents."


Figure 1. Browser warning leading to Zeus malware download.

The fake browser warning requires the user to click the "Download and
Install" button. Once clicked, the victim is redirected to a site that
downloads the Zeus executable (Zbot) malware.

The R.A.I.D. was able to track the malware back to the Zeus control
panel, shown in Figure 2.


Figure 2. Zeus (Zbot) malware control panel.

Web users should be on the lookout for this kind of social engineering,
which capitalizes on fear and misleads users into believing the alert
is showing up based on their own user-defined preferences. Zeus is a
dangerous malware family that continues to be distributed through
sophisticated avenues. In the past, Zeus infections have led to
exploitation of machines, making them part of a botnet, as well as bank
account takeovers and fraud. Please stay tuned – we will post more
information as our R.A.I.D. further investigates the threat.
