By Andrew Brandt
The Zbot keylogger campaign-of-the-month targets users of AOL Instant Messenger (AIM) with a message that claims to be an update notification for users of the instant messaging client application. Users unfortunate enough to click through the link in the email message to download what they think is something called “aimupdate_22.214.171.1245.exe” will be in for a rude awakening.
The malicious page delivers its payload whether or not a victim clicks the link to get executable file: It opens an iframe to a site that attempts to use vulnerable versions of Adobe Reader to push the Zbot keylogger down to the victim’s computer, then execute it, within a few moments of the page loading.
The address of the iframed page resides in a particularly sketchy corner of the net. The network the IP address is part of, known as AS50369, goes by the name VISHCLUB-as Kanyovskiy Andriy Yuriyovich. Sure sounds a lot like someone’s name for their phishing gang. The same network has been in use for the past week delivering payloads on well-worn Outlook Web Access and HMRC Zbot download pages.
Seriously, though: Vishclub? Is that the best the Russian hackers can come up with? It sounds like what you’d call a fisherman’s smoking lounge on the Baltic coast, where thick clouds of cheap tobacco is the only thing that can overpower the putrid stench of rotting seafood.
The fake page has the outward appearance of a page hosted by AOL, but it clearly isn’t the real deal. Once you take a closer look, the site and its social engineering tricks begin to smell a bit like day-old fishwrap, as well.