
Monday, 26 July 2010

Imageshack spam leads to Zbot infection

Over the weekend, spam started appearing in mailboxes claiming to be an Imageshack registration notification.

fake imageshack mail

That’s great, but I hadn’t registered, and certainly not with that username / password combination. A quick Google for the Forsight domain (pre-compromise) reveals it to be an art gallery, so it is unfortunate that, by accident or design, the bottom of the spam mail says the following:

spam mail

Visiting the link in the mail takes end-users to the following fake “install to continue” message:

please update...

Installing the file lands the unsuspecting victim with a Zbot infection, not the best way to spend your weekend. Detection for this particular file is good (39/42 on VirusTotal). The site owners have apparently removed the executable, but there is still some iframe activity on the page, so it’s best to avoid the URL for the time being.
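The “iframe activity” mentioned above is the kind of thing you can confirm without executing anything from the site: fetch the page source and look for frames that are hidden, sized down to a pixel, or sourced from a different host than the page itself. The script below is an added example and is not part of the original post; the HTML it parses is constructed inline, with invented `.invalid` hosts standing in for the compromised gallery site and the attacker’s server.

```python
"""Added example, not from the original post: flag injected iframes in a
landing page. SAMPLE_HTML and every host in it are constructed for
illustration; nothing here is taken from the real compromised site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a gallery page with one injected, hidden iframe and one
# ordinary, visible third-party embed that should not be flagged.
SAMPLE_HTML = """<html><body>
<h1>Gallery</h1>
<p>Please update your flash player to continue.</p>
<img src="http://drinks-brand.invalid/images/update.png">
<iframe src="http://evil.invalid/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="http://video.invalid/embed/abc" width="560" height="315"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (optionally with 'px')."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that look injected.

    An iframe is reported when it is near-zero size or CSS-hidden; an
    off-host source on its own is not enough, since visible third-party
    embeds (video players, maps) are common on legitimate pages.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host
        style = (attrs.get("style") or "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden")
        if host != page_host:
            reasons.append("off-host")
        if reasons and reasons != ["off-host"]:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "gallery.invalid"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

Run it against the saved source of a page you fetched with a non-browser client (or from a packet capture) rather than by loading the page in a browser; the point is to see the injected frame without rendering it.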

One final thing to note: the “Please update your flash player” graphic the attackers are using is an image served up from the Coca Cola website.

update your player image

The text in the box seems to match the overall styling of the Coca Cola website, so it’s unlikely they’ve been compromised and had this graphic placed there; we’ve reached out for clarification anyway and will update should we hear anything back.

We detect this file as Trojan.Win32.Generic!BT. While coverage for that particular file is good across most AV products, there’s a good chance we’ll see updated “Imageshack” mails going out with fresh links, files and exploits, so please: if you don’t remember signing up to something, don’t let curiosity get the better of you; simply delete the email.

Christopher Boyd
