Pushdo is once again using a blended email and web attack to try to infect PCs with the Zeus (Zbot) Trojan Horse. This time the attack starts with a spam email claiming that your email settings have been changed and that, to apply the new settings, you must click on the link. The email and link are customized to the recipient's email domain. We have seen emails with the following subjects:

A new settings file for the <EMAIL> mailbox
For the owner of the <EMAIL> mailbox
The settings for the <EMAIL> were changed


The link in the email looks as if it goes to a location on the recipient's domain, but in fact it points to a web server on one of over 200 different domains hosting the page below. The recipient's domain is included as a sub-domain in the actual URL, for example RECIPIENT_DOMAIN.com.host.com.
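A defender-side check for the sub-domain trick described above, written as an added example (not code from the original post). The hostnames are constructed, and the two-label "registrable domain" rule is a simplifying assumption (no public-suffix list, so co.uk-style domains are not handled).

```python
from urllib.parse import urlparse

# Constructed sample: links as they might appear in the lure email.
RECIPIENT = "alice@example.com"
SAMPLE_LINKS = [
    "http://example.com/owa/settings",                     # really on the recipient's domain
    "http://example.com.host.test/owa/settings-file.exe",  # recipient domain used as a sub-domain
    "http://mail.example.com/owa/",                        # legitimate sub-domain of the recipient's domain
    "http://unrelated.test/login",                         # some other host entirely
]


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    Simplification (assumption of this example): no public-suffix list,
    so multi-label suffixes such as co.uk are not handled.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(url: str, recipient_domain: str) -> bool:
    """True when the URL's host begins with the recipient's domain as a
    run of sub-domain labels but is actually registered under a different
    domain, i.e. RECIPIENT_DOMAIN.com.host.com rather than RECIPIENT_DOMAIN.com."""
    host = (urlparse(url).hostname or "").lower()
    rdom = recipient_domain.lower()
    if registrable_domain(host) == rdom:
        return False  # host genuinely belongs to the recipient's domain
    return host == rdom or host.startswith(rdom + ".")


def flag_links(links, recipient):
    """Return the links in an email that impersonate the recipient's domain."""
    rdom = recipient.split("@", 1)[1]
    return [u for u in links if is_lookalike(u, rdom)]


if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS, RECIPIENT):
        print("suspicious:", link)
```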


This page is designed to look like a legitimate Outlook Web Access page and it is customized for the recipient.

The link ‘USER-settings-file.exe’ in the center of the page begins with the user name portion of the recipient's email address and links to the file settings-file.exe. As with many past Pushdo campaigns, this file is the Zeus Trojan Horse.

Invisible to the user is an IFrame pointing to an IP address hosting the ‘FSPACK’ exploit kit. Once this IFrame is loaded, the exploit kit delivers a malicious PDF that exploits three vulnerabilities in Adobe PDF products, plus a Flash exploit. These exploits download the Zeus file onto the victim's PC. On this server we also found exploits targeting Internet Explorer; however, these were not sent to our Firefox browser.

This attack is particularly crafty because of the personalised nature of both the email and the website. Many users are also accustomed to using Outlook Web Access and may assume that this settings update is a legitimate function.