infoTECH Feature

November 04, 2009

BitDefender Warns Against Notorious Trojan Zbot Posing as FDIC Notification

BitDefender, a Web-based and internationally accredited provider of security solutions, recently issued a warning that a fake notification claiming to be from the Federal Deposit Insurance Corporation, or “FDIC,” was making its rounds in user inboxes. The fake email leads its recipients to bogus files carrying malicious software. BitDefender identified the malware as Trojan.Zbot.DLO, another variant of the notorious Zbot.

The purported email from the “FDIC” tells recipients that their financial institution has filed for bankruptcy protection and asks them to check the status of their deposit insurance coverage. For this, the email provides a supposedly customized link for the recipient to click. Recipients who click it are not taken to the FDIC Web site as promised, but are instead directed to a Web page registered under a .uk domain.

This Web page has been designed to look like a personal deposit-insurance online management portal and reuses multiple visual identifiers of the genuine FDIC Web site, including the logo and the overall layout. The malicious page asks recipients to download and complete two documents, one in PDF and one in Word, supposedly needed to confirm the status of their deposits at the allegedly bankrupt institution. When the user tries to download the files, what is delivered instead are two .exe executables that carry Trojan.ZBot.DLO.
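As an added defensive illustration (not code from the article or from BitDefender), the two tell-tale signs of this lure can be checked mechanically: a visible link that names fdic.gov while its actual href points elsewhere, and a "document" download whose first bytes are a Windows executable (MZ header) rather than a PDF or Word file. The link pairs and file headers below are constructed samples; the display text is assumed to be the URL shown in the email.

```python
import os
from urllib.parse import urlparse

# Constructed samples: (text shown to the recipient, real href behind it).
SAMPLE_LINKS = [
    ("https://www.fdic.gov/deposit/insurance/", "https://www.fdic.gov/deposit/insurance/"),
    ("https://www.fdic.gov/status/check", "http://fdic-portal.example.co.uk/login"),
]

# Constructed samples: (file name offered for download, first bytes of the file).
SAMPLE_FILES = [
    ("fdic_claim_form.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("deposit_status.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE executable named as a PDF
    ("coverage_update.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
]

TRUSTED_HOSTS = {"fdic.gov"}   # assumed allow-list for this check

# Expected magic bytes for the document types the lure claims to offer.
MAGIC = {".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0", ".docx": b"PK\x03\x04"}

def host_trusted(host, trusted=TRUSTED_HOSTS):
    host = (host or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def link_mismatch(display_text, href):
    """True when the visible link claims a trusted host but the href leads elsewhere."""
    shown = urlparse(display_text).hostname
    real = urlparse(href).hostname
    return host_trusted(shown) and not host_trusted(real)

def disguised_executable(filename, head):
    """True when a file named as a document is a PE binary or has the wrong magic bytes."""
    if head.startswith(b"MZ"):
        return True
    expected = MAGIC.get(os.path.splitext(filename.lower())[1])
    return expected is not None and not head.startswith(expected)

def suspicious_links(links):
    return [href for shown, href in links if link_mismatch(shown, href)]

def suspicious_files(files):
    return [name for name, head in files if disguised_executable(name, head)]

if __name__ == "__main__":
    print("mismatched links:", suspicious_links(SAMPLE_LINKS))
    print("disguised files:", suspicious_files(SAMPLE_FILES))
```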

The Trojan is composed of several rootkit components that let it install discreetly onto infected systems, in either the Windows or the Program Files directory. ZBot then injects malicious code into multiple processes and adds exceptions to the Microsoft Windows Firewall, giving it backdoor and server functionality. The Trojan then transmits sensitive information and can receive commands from off-site attackers through any of the system’s ports.

Zbot.DLO also tries to connect to, and download files from, servers whose domain names appear to be registered in the Russian Federation. This latest subtype in particular can steal bank-related information, login data, the history of visited Web sites and other details of user input, and can capture screenshots of the user’s desktop.

Catalin Cosoi, BitDefender’s senior anti-spam researcher, said, “This Trojan, which recently exploited the IRS' identity, continues to wreak havoc by stealing online banking information and infecting users with spyware.”

Carolyn John is a Contributor to TMCnet. To read more of her articles, please visit her columnist page.

Edited by Stefania Viscusi