Zeus malware distributed through browser warning: social engineering at its finest

Zeus malware continues to plague the Internet with distributions through spam emails and embeds in compromised corners of the web – all designed to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and “restore settings.”

Figure 1 shows the browser warning which is designed to manipulate viewers so that they believe the alert is based on security preferences that he or she has previously set up. The message creates a sense of urgency and fear, warning of “unusual activity.” The path of origin for how victims encounter this browser message is still under investigation by the PhishLabs R.A.I.D.

Another observation that differentiates this malicious prompt from others is the language usage and spelling. Generally speaking, grammar and spelling are often indicators of fake or malicious requests that lead to malware but cybercriminals have caught on to this vulnerability and stepped up their game. Although it is not perfect, the warning observed in this case was much more accurate than what we usually see.
 The warning states:
"REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING”
We have detected unusual activities on your browser and the Current Online Document File Reader has been blocked base on your security preferences. It is recommended that you update to the latest version available in order to restore your settings and view Documents."

                                      Figure 1. Browser warning leading to Zeus malware download.

The fake browser warning requires the user to click the "Download and Install" button. Once clicked, the victim is redirected to a site that downloads the Zeus executable (Zbot) malware.
The R.A.I.D was able to track the malware back to the Zeus control panel, shown in Figure 2.

                                                   Figure 2. Zeus (Zbot) malware control panel.
Web users should be on the lookout for this kind of social engineering that capitalizes on fear and misleads users to believe the alert is showing up based on user-defined preferences. Zeus is a dangerous malware that continues to be distributed through sophisticated avenues. In the past, Zeus infections have led to exploitation of machines, making them part of a botnet, as well as bank account takeovers and fraud. Please stay tuned – we will post more information as our R.A.I.D. further investigates the threat.