Starting at 9:56 AM CST on Friday, Nov. 20th my spam traps started receiving emails that claim to be from several of my domains telling me that I need to "change the security mode on my account, from standart [sic] to secure". Here's the text of the mail with the email address masked to protect my spam trap addresses and the link deleted:
Dear owner of the [email address] mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:
[LINK DELETED]
When you click the link, you are taken to a web page that tells you that you do not have Macromedia Flash installed.
If you click on the "Get Adobe Flash Player" image, a file named "flashinstaller.exe" will be downloaded. When run, it installs Trojan.Zbot!gen2 instead of Flash Player.
The Zbot trojan will attempt to capture your banking information, disable your firewall, take screenshots, provide a backdoor into your system, and install other malware components.
November 22, 2009 update:
List of possible subject lines:
please update your [email address] mailbox
for [email address] email service user
for [email address] owner
dear owner of the [email address] mailbox
List of possible sender addresses:
operator@[your domain]
notifications@[your domain]
alert@[your domain]
noreply@[your domain]
robot@[your domain]
customersupport@[your domain]
system@[your domain]
automailer@[your domain]
alerts@[your domain]
support@[your domain]
List of domains used in the links in the emails:
modertps.be - STILL LIVE AS OF 11/22/2009 3:06 PM CST
ftpddrs.be - STILL LIVE AS OF 11/22/2009 3:06 PM CST
dirddrf.be - STILL LIVE AS OF 11/22/2009 3:06 PM CST
dlsports.be - STILL LIVE AS OF 11/22/2009 3:06 PM CST
verzzn.co.uk - Domain suspended by registrar
verzzm.co.uk - Domain suspended by registrar
verzzm.org.uk - Domain suspended by registrar
verzzn.org.uk - Domain suspended by registrar
verzzq.me.uk - Domain suspended by registrar
verzzq.org.uk - Domain suspended by registrar
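The subject lines, spoofed sender addresses and link domains listed above can be turned directly into a mail filter. The following is an added example written for this post, not code from the original author: it parses a raw RFC 822 message with the Python standard library, rewrites the "[email address]" placeholder in each subject template as a regular expression, flags senders whose local part is one of the listed names at the recipient's own domain, looks for the "standart to secure" body text, and checks every URL host against the listed domains. The two sample messages at the bottom are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the post. "[email address]" and "[your domain]" are the
# post's placeholders; they become a regex and a same-domain check below.
SUBJECT_TEMPLATES = [
    "please update your [email address] mailbox",
    "for [email address] email service user",
    "for [email address] owner",
    "dear owner of the [email address] mailbox",
]
SPOOFED_LOCALPARTS = {
    "operator", "notifications", "alert", "noreply", "robot",
    "customersupport", "system", "automailer", "alerts", "support",
}
LINK_DOMAINS = {
    "modertps.be", "ftpddrs.be", "dirddrf.be", "dlsports.be",
    "verzzn.co.uk", "verzzm.co.uk", "verzzm.org.uk", "verzzn.org.uk",
    "verzzq.me.uk", "verzzq.org.uk",
}
BODY_PHRASES = ["change the security mode", "from standart to secure"]

EMAIL_RE = r"[\w.+-]+@[\w.-]+"
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _template_to_regex(template):
    # Escape the template, then swap the escaped placeholder for an address pattern.
    escaped = re.escape(template)
    return re.compile(escaped.replace(re.escape("[email address]"), EMAIL_RE),
                      re.IGNORECASE)


SUBJECT_PATTERNS = [_template_to_regex(t) for t in SUBJECT_TEMPLATES]


def _host_is_listed(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LINK_DOMAINS)


def analyze(raw_message):
    """Return the list of campaign indicators found in one raw message."""
    msg = message_from_string(raw_message)
    findings = []

    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        findings.append("subject matches campaign template")

    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    s_local, _, s_domain = sender.rpartition("@")
    _, _, r_domain = recipient.rpartition("@")
    if (s_local.lower() in SPOOFED_LOCALPARTS and r_domain
            and s_domain.lower() == r_domain.lower()):
        findings.append("sender spoofs recipient's own domain")

    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(phrase in body.lower() for phrase in BODY_PHRASES):
        findings.append("body contains campaign wording")

    hosts = URL_HOST_RE.findall(body)
    if any(_host_is_listed(h) for h in hosts):
        findings.append("link points at a listed campaign domain")

    return findings


# Constructed sample messages for the demonstration (not real captured mail).
PHISH_SAMPLE = "\n".join([
    "From: alerts@example.com",
    "To: victim@example.com",
    "Subject: dear owner of the victim@example.com mailbox",
    "",
    "Dear owner of the victim@example.com mailbox,",
    "You have to change the security mode of your account, from standart to secure.",
    "Please change the security mode by using the link below:",
    "http://modertps.be/flash/index.php",
])

CLEAN_SAMPLE = "\n".join([
    "From: alice@other.example",
    "To: victim@example.com",
    "Subject: lunch tomorrow?",
    "",
    "Are you free at noon? http://www.example.com/menu",
])

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, analyze(sample))
```

A single matching indicator is enough to quarantine mail from this campaign, but the sender check is the one worth keeping after the link domains die: mail that arrives from outside claiming to be "support@" or "noreply@" at your own domain is a standing signal that SPF or DMARC enforcement on your inbound gateway should already be catching.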