Zbot Desperately Seeking AIM Users

The Zbot keylogger campaign-of-the-month targets users of AOL Instant Messenger (AIM) with a message that claims to be an update notification for users of the instant messaging client application. Users unfortunate enough to click through the link in the email message to download what they think is something called “aimupdate_7.1.6.475.exe” will be in for a rude awakening.

The malicious page delivers its payload whether or not a victim clicks the link to get executable file: It opens an iframe to a site that attempts to use vulnerable versions of Adobe Reader to push the Zbot keylogger down to the victim’s computer, then execute it, within a few moments of the page loading.

20100120_aimzbot_fakepage

The address of the iframed page resides in a particularly sketchy corner of the net. The network the IP address is part of, known as AS50369, goes by the name VISHCLUB-as Kanyovskiy Andriy Yuriyovich. Sure sounds a lot like someone’s name for their phishing gang. The same network has been in use for the past week delivering payloads on well-worn Outlook Web Access and HMRC Zbot download pages.

Seriously, though: Vishclub? Is that the best the Russian hackers can come up with? It sounds like what you’d call a fisherman’s smoking lounge on the Baltic coast, where thick clouds of cheap tobacco is the only thing that can overpower the putrid stench of rotting seafood.

The fake page has the outward appearance of a page hosted by AOL, but it clearly isn’t the real deal. Once you take a closer look, the site and its social engineering tricks begin to smell a bit like day-old fishwrap, as well.

To begin with, AOL doesn’t release update “patch” applications for AIM. When they have a new release, you download the whole application’s installer. The current version sizes up at about 7MB; The Trojan is only around 130KB. In addition, the true AIM installer carries a digital signature from AOL LLC, the parent company. This one has no such signature.

20100120_aimzbot_digisig

The link to the download uses a URL that begins with “update.aol.com” but is followed by the malicious domain name, which is a six- to seven-random-character word followed by .com.pl (which indicates the domain was registered as a business in Poland, but isn’t necessarily hosted there). There are dozens of URLs in use that lead to identical looking pages, and each one points to at least 15 IP addresses at different Web hosting firms.

Like many of the previous Zbot campaigns (such as those targeting the IRS, CDC, Visa, and other organizations, as well as software programs like Microsoft Outlook, or Web sites such as Facebook), the URL contains the email address to which the original message was sent; That email address appears near the top of the browser window. That’s social engineering trick number one, and you can easily see that it’s possible to manipulate this data simply by putting a different email address in the URL string.

20100120_aimzbot_email_markup

Regular users of AOL Instant Messenger might know that the current, real version (as I write this) is 7.1.6.4, but the version number in this bogus message is 7.1.6.475.

The fake page contains the following text:

AOL has released an update for AOL Instant Messenger (AIM) which fixes several major bugs. This update is critical and provides you with the latest version of the AIM and offers the highest levels of stability and security.

Quick Details
• File Name: aimupdate_7.1.6.475.exe
• File Size: 131 KB

System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

aimupdate_7.1.6.475.exe

By clicking the download button below you agree to the terms of the AIM Software End User Agreement, Privacy Policy, and Terms of Service.

Once downloaded, this “aimupdate” file carries a generic program icon, and is only around 125KB to 135KB in size (the size varies because Zbot Trojans are padded with variable amounts of random junk data so they’re harder to identify).

The exploits the page employs are pretty complex. It opens, in an iframe, a page hosted on the IP address in the “Vishclub” network, which in turn loads a fairly large (15628 byte) blob of obfuscated javascript.

20100120_aimzbot_objava

The script invokes the browser to load Adobe Reader, then pushes a file called “pdf.pdf” down to the Reader. That file is built to attack the Collab overflow exploit (CVE-2007-5659), the util.printf overflow exploit (CVE-2008-2992), and the getIcon exploit (CVE-2009-0927) in order to force the operating system to download and execute files.

As we’ve recommended before, unless you have an absolute and explicit need to use it, turn off Adobe Reader’s embedded Javascript. (Click Edit -> Preferences, then select JavaScript in the left pane, and deselect “Enable Acrobat JavaScript”.)

20100120_aimzbot_acrojavaoff

And, when in doubt about a software update, go to the software maker’s Web site yourself; Don’t follow fishy, phishy update links you receive via email, or elsewhere.

Andrew Brandt researches malware for Webroot Software, and contributes to the Webroot Threat Blog. As a member of the Threat Research team, he and his colleagues help identify malicious software trends and improve the Webroot Antivirus with Antispyware product. Andrew joined the team in 2006. Prior to coming to Webroot, he worked for PC World magazine as a Senior Associate Editor, covering computer security and privacy issues for nearly a decade. In that role, he also wrote the Privacy Watch column. He lives in Boulder, Colorado.

Our latest thought leaders