NoSpace for another banking Trojan

Today saw the beginning of a new spam run from the ZeuS or Zbot family of malware. Victims will receive an email similar to the one below prompting them to “update” their MySpace account, very similar to the Facebook spam run from last week.
Spam email from Zeus bot

The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have “logged in”, though, the supposed “MySpace Update Tool” is waiting to trick the unwary into installing their very own variant of the ZeuS agent. We detect this as TSPY_ZBOT.SMP; the Smart Protection Network also blocks the email spam and the web addresses associated with this campaign.

Download page for the ZeuS agent

What’s the big deal with ZeuS? Well, here’s an extract from the readme (apologies for the English; I think it’s written for an Eastern European audience…):
Does not create suspicion on the presence if you it do not want. Here is available in view of that like to do many authors spyware: an unloading firewalls, antiviruses, an interdiction for their updating, blocking Ctrl+Alt+Del etc. Separate file of a configuration that allows to protect itself from loss botnet in cases of inaccessibility of the preferred server. Plus additional (reserve) files of a configuration to which the bot will address when the basic file of a configuration will not be accessible. This system guarantees a survival of yours botnet in 90 % cases.

Interception of POST-data + interception of the pressed keys (including inserted data from a clipboard).

Transparent URL-redirect (on fake-sites etc.) with the task of the elementary conditions of a redirect (for example: only at GET or POST inquiry, at presence or absence of certain data in POST-inquiry).

Transparent HTTP (S) contents substitution (the Web-inject which allows to substitute not only HTML pages, but also any other type of data). Substitution is set by means of instructions of masks of substitution.

Adjusted TAN-grabber for any countries.

The IDEAL DECISION FOR VIRTUAL KEYBOARDS: After calling on necessary URL, there is a reception of a screenshot in the field of the screen where the left button of the mouse has been pressed.

Reception of certificates from storehouse “MY” (certificates with a mark “not exported” are not exported correctly) and its clearing. After it any imported certificate will be saved on a server.

Interception of a login/password of reports POP3 and FTP in independence of port and its record to logs only at successful authorisation.

Change local DNS, removal/addition of file recording %system32 %\drivers\etc\hosts, i.e. comparison of the specified domain with specified IP for WinSocket.

Reception of a screenshot from the computer of a victim in real time, the computer should is out of NAT.

Reception of commands from a server part and report sending back about successful performance. (Now start of a local/removed file, immediate updating of a file of a configuration, OS destruction).
HTTP (S) a PROXY-server.

My favourite part of this particular readme though has to be this:

Record just visited pages at the first start on the computer. It is useful at installation through sploits if you buy loadings from suspicious service, it is possible to learn that is loaded more in parallel.

Basically, as a budding cybercriminal it’s tough to find partners you can trust. So if the person you paid to load your bot up on their booby-trapped web page decides they will send their own little package to your victims as well, you’ll know about it.

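The readme’s hosts-file item above describes pinning a chosen domain to a chosen IP in %system32%\drivers\etc\hosts so that WinSock never consults DNS for it (the same trick also blocks antivirus update hosts by pointing them at loopback). The defender-side check below is an added example, not code from the original post or from any Trend Micro tool: it parses a Windows hosts file and flags watched names or any non-loopback mapping. The sample file contents and the watchlist domains are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not captured from an infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.com      # constructed rogue entry
203.0.113.45    login.example-bank.com
127.0.0.1       update.av-vendor.example  # pins an AV update host to loopback
198.51.100.7    www.social-site.example
"""

# Constructed watchlist: names that should only ever resolve through DNS.
WATCHLIST = {
    "www.example-bank.com",
    "login.example-bank.com",
    "update.av-vendor.example",
}


def parse_hosts(text):
    """Yield (ip, [hostnames]) for each entry, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line, maps nothing
        yield fields[0], fields[1:]


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (ip, name, reason) tuples: a stock hosts file only maps localhost
    to loopback, so watched names (at any IP) and non-loopback mappings stand out."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if name in watchlist:
                findings.append((ip, name, "watched domain pinned in hosts file"))
            elif not addr.is_loopback:
                findings.append((ip, name, "non-loopback mapping"))
    return findings
```

Run `audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())` on a real machine; legitimate LAN entries will appear as non-loopback mappings and should be allow-listed before the check is automated.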
This particular vendor is offering a fully installed, configured and supported ZeuS installation (control panel, agent builder and injection scripts) for just $320 (USD).

3 thoughts on “NoSpace for another banking Trojan”

  1. Tim

    Of course, the problem is that a huge majority of users would simply download and install the software, especially if they have kids who use the computer.

    We simply cannot expect home users to be savvy enough to know what they can and cannot install, and because of the cost of AV, I find increasing numbers of home users with no protection on their machines at all (not even free versions) as they simply do not understand the threat; the message isn’t getting out there!

    In recent months, I’ve moved most of these people over to Linux Mint with very few complaints, they don’t play games so don’t need the big ‘W’, and whereas still not completely safe, it’s a lot better than expecting the user to know when not to install something.

    The new Windows ‘Are you sure’ boxes just mean people have to press ‘yes’ more often!

    Shame only security people read security pages …
