Late overnight we began seeing emails that looked suspiciously like British Airways e-ticket confirmation emails. With the graphics and formatting undoubtedly stolen from actual British Airways e-tickets, they were somewhat convincing save for a few flawed details. The first of which was that the email explains that the flyer’s itinerary was delivered as an attachment named “BritishAirways-eticket.zip”, an immediate red flag. I’ve personally never flown on BA, but every other airline that I have flown on print the itinerary directly in the email ticket confirmation, and never have I been given an attachment to open, especially a .zip. If one was to go as far as to uncompress the zip file they would find that the file inside was an executable of the same name masquerading as a PDF document through the use of a double extension “BritishAirways-eticket.pdf.exe”. Once remove from the zip file the recipient would no longer be able to see the “exe” portion of the file in most cases and the file would appear to simply end in .PDF.
Another red flag is the fact that the recipient, or supposed ticket purchaser’s name doesn’t appear in the email, instead a simple greeting was used with no name whatsoever. In all samples that I’ve seen “Dear,” was the only greeting used as seen below.
In addition a random confirmation number was given for each, and aside from that it seemed to just be copied from an actual British Airways correspondence.
Once we looked at the attachment it was realized that it was another variant of ZBot, or Zeus. Zeus has been a highly popular and highly active banking trojan over the past couple of years. Once belonging to a single group, older versions began appearing on underground forums, and its distribution has become widely scattered and in the hands of the many.
This version as with most versions of Zeus begin by creating multiple instances of itself and immediately begin to inject code into running processes, specifically those of which control Windows Security settings and auto-update features. After which the malware hides itself in various places around the hard drive and places itself into startup areas. Next it begins making a few DNS calls for the sites neonmedia.pl, dorot.com, worldcom.pl, bizez.pl, and fournet.pl. After communicating with these domains, it pulls down several other pieces of malware designed to monitor keystrokes, read and the delete cookies, modify proxy and network settings, tamper with Outlook Express settings, and stop all remaining firewall and security settings. In addition to all of this, the infected PC now gets to become a part of a larger botnet and aid its controller in future cyber exploits.
Luckily AppRiver was proactively looking for variants like this one and had a block on this campaign before it had a chance.