We have recently tracked an attack that uses phony bill-payment emails purporting to come from E.On Energy (eonenergy.com).
The attachment is a Zbot (Zeus) Trojan that targets the customers of eonenergy.com to "energize its malicious operation". E.On is one of the UK's leading power and gas companies. While Zbot can be put to a wide range of malicious tasks, it is usually used to steal online banking credentials through background keylogging and screen capture. This sample belongs to the GameOver variant, which is currently the most prevalent.
The attachment "Eonenergy-Bill-29052014.zip" contains an executable, "Eonenergy-Bill-29052014.scr", that poses as a PDF: a .scr file is a Windows screensaver, which is an ordinary executable, but the file carries a PDF icon, and with Windows' default setting of hiding known file extensions the user sees only that icon and the name. CYREN AntiVirus detects this as W32/Zbot.BXN. This variant also uses a peer-to-peer (P2P) command-and-control (C&C) network, so infected systems relay commands (download a configuration file, update the malware, or download additional malware) among themselves without contacting a central bot controller, which is a hallmark of GameOver. Alongside the P2P channel, the malware generates pseudo-random domain names and attempts a connection to each of them to download configuration files, as shown below.
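As an added example (this is not code from CYREN or from the original post), the following Python script scans a zip attachment in memory and flags members that are executables dressed up as documents, which is exactly the trick the E.On lure relies on: an executable extension such as .scr, a PE ("MZ") header behind a document extension, or a double extension like .pdf.exe. The sample zip, its file contents and the extension lists are constructed for the demonstration; the 64-byte MZ stub is not malware, only the header bytes a real Windows executable starts with.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions Windows executes directly, whatever icon the file displays.
# (Constructed list for the example; extend it for your own mail filter.)
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi",
}
# Extensions a bill or invoice would legitimately carry.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


@dataclass
class Finding:
    member: str
    reason: str


def is_pe(head: bytes) -> bool:
    """Windows executables (EXE, SCR, DLL) begin with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def split_ext(name: str) -> tuple[str, str]:
    """Return (stem, ext) with ext lower-cased and including the dot, or '' if none."""
    stem, dot, tail = name.lower().rpartition(".")
    if not dot:
        return name.lower(), ""
    return stem, "." + tail


def scan_zip(data: bytes) -> list[Finding]:
    """Inspect every member of a zip held in memory; nothing is written to disk."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = split_ext(info.filename)
            # Read only the first bytes to check the file signature.
            with zf.open(info) as fh:
                head = fh.read(64)
            if ext in EXECUTABLE_EXTS:
                findings.append(Finding(info.filename, f"executable extension {ext}"))
            elif is_pe(head):
                # e.g. "Bill.pdf" whose bytes are actually a PE image
                findings.append(Finding(info.filename, "PE header with non-executable extension"))
            # "Invoice.pdf.exe" style: a document extension hidden before the real one
            _, inner_ext = split_ext(stem)
            if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
                findings.append(
                    Finding(info.filename, f"document extension {inner_ext} hidden before {ext}")
                )
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a zip in memory from {name: content}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins, not real samples: a bare DOS header and a PDF header.
FAKE_PE = b"MZ" + b"\x00" * 62
FAKE_PDF = b"%PDF-1.4\n%constructed sample\n"

SAMPLE_ZIP = build_sample_zip({
    "Eonenergy-Bill-29052014.scr": FAKE_PE,   # the campaign's naming, per the post
    "Eonenergy-Bill-29052014.pdf": FAKE_PDF,  # what a genuine bill would look like
    "statement.pdf.exe": FAKE_PE,             # the double-extension variant of the trick
})

if __name__ == "__main__":
    for f in scan_zip(SAMPLE_ZIP):
        print(f"{f.member}: {f.reason}")
```

Checking the member's bytes as well as its name matters because the extension is what the sender controls and the icon is what the victim sees; the MZ header is what Windows actually acts on. A mail gateway would quarantine on any finding rather than trust the icon.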
All of the above pseudo-random domain names now resolve to the IP address 18.104.22.168, a DNS sinkhole operated by the FBI, so an infected machine's connection attempt reaches the sinkhole rather than the criminals' servers.
Kudos to the US Department of Justice, the FBI, Europol and the UK's National Crime Agency, who have disrupted the GameOver Zeus botnet. The sinkhole they built redirects infected computers to substitute servers under government control instead of the Zbot servers, and the traffic it receives also reveals which machines are infected.
Keeping your antivirus definitions up to date and not opening unexpected attachments, even when they appear to come from a company or person you trust, goes a long way toward protecting you from malware such as this. Turning on the display of file extensions in Windows Explorer also makes a .scr file hiding behind a PDF icon much easier to spot, and a bill that arrives as a .zip containing an executable should never be opened.
Want to read more about our Embedded Antivirus offering? Visit our website for more information.