
Possible Zbot


This topic is locked
9 replies to this topic

#1 Malhunter
    New Member
  • Members
  • 4 posts
  • Gender:Male
  • Location:DC

Posted 05 March 2010 - 10:07 AM

We're seeing a well crafted phishing email being sent around to various government agencies with a link to
dnicenter.com/docs/report.zip

The zip file contains an executable which, when it is able to run and infect, makes a call to
updatekernel.com/imgpic/x18d2/d8x16/x98x10.bin

The bin file appears to be a config file for Zbot.

Currently 1/42 VT
http://www.virustota...1cee-1267797667

Report provided by Comodo
http://camas.comodo....67b14b6fa6a1cee

Fairly new user so if I did this wrong please let me know. I didn't attach the file as I am under the impression not to since I'm not an official contributor.
You can't patch stupid.

#2 sUBs
    Forum Deity
  • Moderators
  • 8,339 posts

Posted 05 March 2010 - 10:51 AM

Please upload/attach the file.
sUBs
Research Engineer


#3 dshield
    Elite Member
  • Experts
  • 803 posts
  • Gender:Male
  • Location:Florida, US

Posted 05 March 2010 - 10:57 AM

Could you post a raw copy of the email or send me a copy?

TIA

Tom

#4 Voyager
    New Member
  • Members
  • 9 posts

Posted 05 March 2010 - 11:02 AM

Report.exe inside the zip is now detected as Trojan.Zbot by Symantec.

#5 Malhunter
    New Member
  • Members
  • 4 posts
  • Gender:Male
  • Location:DC

Posted 05 March 2010 - 11:12 AM

We never received the full email with headers from any of the users who received it, they just forwarded it on to us. And I am unable to attach the file, says I am not authorized to upload the file type of .sitx (I do my malware work on a Mac with StuffIt for zipping files).

#6 dshield
    Elite Member
  • Experts
  • 803 posts
  • Gender:Male
  • Location:Florida, US

Posted 05 March 2010 - 11:15 AM

> We never received the full email with headers from any of the users who received it, they just forwarded it on to us. And I am unable to attach the file, says I am not authorized to upload the file type of .sitx (I do my malware work on a Mac with StuffIt for zipping files).

On OSX? Just Control-click on the file and OSX will zip it for you.

Tom

PS For those who want this file here is what I downloaded from the URL

Attached Files



#7 sUBs
    Forum Deity
  • Moderators
  • 8,339 posts

Posted 05 March 2010 - 11:17 AM

> And I am unable to attach the file, says I am not authorized to upload the file type of .sitx

A way to workaround this is to rename the file's extension to zip.

@Tom, thanks for the attachment.

Plenty of zbots making the rounds lately.

#8 Malhunter
    New Member
  • Members
  • 4 posts
  • Gender:Male
  • Location:DC

Posted 05 March 2010 - 11:37 AM

> We never received the full email with headers from any of the users who received it, they just forwarded it on to us. And I am unable to attach the file, says I am not authorized to upload the file type of .sitx (I do my malware work on a Mac with StuffIt for zipping files).

Oh bloody hell! I feel like a tard. I'm still really new to the OSX environment and asked a co-worker about how to zip on Macs. He recommended StuffIt so I went with it. I'll remember to stick to the renaming idea in the future. Sorry for the hassle.

#9 dshield
    Elite Member
  • Experts
  • 803 posts
  • Gender:Male
  • Location:Florida, US

Posted 05 March 2010 - 11:46 AM

> A way to workaround this is to rename the file's extension to zip.
>
> @Tom, thanks for the attachment.
>
> Plenty of zbots making the rounds lately.



Just a point of clarification: .sitx is NOT a zip file. It is a StuffIt file. On OSX, a file (or files) can be zipped (e.g. put in a format that PKZIP on Windows can understand) either by using the command line, where the first argument is the archive to create and the rest are the files to add:

zip /path/to/file.zip /path/to/file

Or by performing a control-click to bring up a menu and then selecting "Compress", or by clicking the file once and then selecting "Compress" from the "File" menu. This will generate a .zip file.
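The two technical points in this thread, that the phishing attachment is a zip wrapping an executable (post #1) and that a renamed .sitx is still not a zip (post #9), as an added Python example that is not code from the thread or from any tool it names. It identifies an archive by its leading bytes rather than its extension, inventories a zip's members with hashes without executing or extracting anything, and repackages a sample the way the "rename and zip" workaround above does. The "Report.exe" member and the StuffIt header bytes are constructed stand-ins, not real samples; the StuffIt prefix is taken from the file(1) magic database and is an assumption, not something the thread states.

```python
"""Triage helpers for a suspicious archive, as discussed in this thread.

Added example, not code from the thread or any project it mentions.
All sample data below is constructed in-line; nothing is downloaded.
"""
import hashlib
import io
import zipfile

# Magic-byte signatures. The ZIP values are from the PKZIP specification;
# the StuffIt prefix follows the file(1) magic database (assumption: it
# covers both classic .sit and .sitx headers well enough for triage).
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"
STUFFIT_PREFIX = b"StuffIt"
PE_DOS_HEADER = b"MZ"


def sniff_container(data: bytes) -> str:
    """Classify an archive by its leading bytes, not by its extension.

    Renaming report.sitx to report.zip does not make it a zip: a forum
    upload filter that keys on the extension will accept it, but every
    zip reader downstream will reject it.
    """
    if data.startswith(ZIP_LOCAL_HEADER) or data.startswith(ZIP_EMPTY_ARCHIVE):
        return "zip"
    if data.startswith(STUFFIT_PREFIX):
        return "stuffit"
    return "unknown"


def triage_zip(data: bytes) -> list:
    """List zip members with hashes and a flag for Windows executables.

    Members are read into memory only; nothing is written to disk or run.
    A member is flagged as a PE when its first two bytes are the 'MZ'
    DOS stub, regardless of the extension it was given.
    """
    if sniff_container(data) != "zip":
        raise ValueError("not a zip archive (check the magic bytes, not the extension)")
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            report.append({
                "name": info.filename,
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
                "is_pe": payload.startswith(PE_DOS_HEADER),
            })
    return report


def package_for_upload(name: str, payload: bytes) -> bytes:
    """Wrap a sample in a plain zip with a neutral extension.

    This is the 'rename and zip' workaround from the thread: the inner
    file keeps its bytes (and therefore its hash) but loses the .exe
    extension, so mail filters and forum upload rules do not choke on it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name + ".bin", payload)
        zf.writestr("README.txt", f"{name}: sha256 {hashlib.sha256(payload).hexdigest()}\n")
    return buf.getvalue()


# Constructed stand-in for the attachment described in post #1: a zip whose
# only member is "Report.exe". The member is NOT malware, just an MZ header
# followed by filler, which is all the PE check above looks at.
FAKE_REPORT_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200


def build_sample_zip() -> bytes:
    """Build the constructed report.zip stand-in in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.exe", FAKE_REPORT_EXE)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("container:", sniff_container(sample))
    for entry in triage_zip(sample):
        print(entry)
    # A .sitx renamed to .zip is still reported as StuffIt, not zip.
    print("renamed .sitx:", sniff_container(b"StuffIt!" + b"\x00" * 16))
    repacked = package_for_upload("Report.exe", FAKE_REPORT_EXE)
    print("repackaged:", [e["name"] for e in triage_zip(repacked)])
```

Run it directly to print the inventory for the constructed sample. With a real attachment in hand, pass its bytes to triage_zip instead of build_sample_zip(); the function never extracts to disk, so a member named Report.exe is listed and hashed but never run, and the sha256 of the repackaged member matches the original because only the name changes.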

#10 Malhunter
    New Member
  • Members
  • 4 posts
  • Gender:Male
  • Location:DC

Posted 05 March 2010 - 11:52 AM

> Just a point of clarification: .sitx is NOT a zip file. It is a StuffIt file. On OSX, a file (or files) can be zipped (e.g. put in a format that PKZIP on Windows can understand) either by using the command line, where the first argument is the archive to create and the rest are the files to add:
>
> zip /path/to/file.zip /path/to/file
>
> Or by performing a control-click to bring up a menu and then selecting "Compress", or by clicking the file once and then selecting "Compress" from the "File" menu. This will generate a .zip file.


Thank you for the quick tip, worked just as you said and I have no problem uploading now.

Attached Files





