Archive

Posts Tagged ‘china’

Watch Out for Trojans Circulating in PDFs

April 16, 2010

Websense Security Labs warns of a Zbot campaign; Zbot is an information-stealing trojan

That PDF File You Are Storing Can be Dangerous

New Zbot campaign comes in a PDF

Websense Security Labs has received several reports of a Zbot trojan campaign spreading via email; once installed, the trojan connects the infected PC to a malicious remote server in China. Websense has seen over 2,200 messages so far.

Zbot (also known as Zeus) is an information-stealing trojan (infostealer) that collects confidential data from each infected computer. The main vector for spreading Zbot is spam: recipients are tricked into opening infected attachments on their computer.

This new variant uses a malicious PDF file that carries the threat as an embedded file. When recipients open the PDF, the reader prompts them to save a file called Royal_Mail_Delivery_Notice.pdf. The user assumes the file is just another PDF, and therefore safe to store on the local computer. The file, however, is really a Windows executable; the malicious PDF then launches the dropped file, which installs the trojan and takes control of the computer. At the time of writing, this file had a 20 percent anti-virus detection rate, i.e. only about one engine in five flagged it (SHA1: f1ff07104b7c6a08e06bededd57789e776098b1f).
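
The launch-and-drop pattern described above can be spotted statically, before the file is ever opened. The following is an added example written for this page; it is not Websense's tool and not code from the original post. SAMPLE_PDF is a constructed, uncompressed stand-in for the dropper (the real Royal_Mail_Delivery_Notice.pdf is not reproduced): it wires a /Launch action to /OpenAction, attaches a stream under a name ending in .pdf, and writes the action name with a #xx escape (/#4Caunch) to show why name escapes must be decoded before matching. The function names (triage, launch_actions, filespecs, embedded_files) are this example's own.

```python
"""Static triage for the launch-and-drop PDF pattern described above.

Added example: not Websense's code and not the original post's.  SAMPLE_PDF
is a constructed stand-in for the dropper, not Royal_Mail_Delivery_Notice.pdf.
"""
import re

# Constructed sample: a /Launch action wired to /OpenAction, plus an attachment
# named *.pdf whose stream starts with MZ.  The action name uses a #xx escape
# (/#4Caunch == /Launch) to show why escapes must be decoded before matching.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R\n"
    b"  /Names << /EmbeddedFiles << /Names [(Royal_Mail_Delivery_Notice.pdf) 5 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /#4Caunch\n"
    b"  /Win << /F (cmd.exe) /P (/c start Royal_Mail_Delivery_Notice.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 8 >>\nstream\n"
    b"MZ\x90\x00\x03\x00\x00\x00\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj ... endobj" pairs; this only sees objects that are not inside a
# compressed object stream (see the note below the code).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)


def iter_objects(data: bytes):
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), m.group(2)


def decode_name_escapes(data: bytes) -> bytes:
    """Decode #xx escapes in names so /#4Caunch and /Launch compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _str(m) -> str:
    return m.group(1).decode("latin-1") if m else ""


def launch_actions(data: bytes) -> list:
    """(object number, program, parameters) for every /Launch action."""
    found = []
    for num, body in iter_objects(data):
        body = decode_name_escapes(body)
        if re.search(rb"/S\s*/Launch(?![A-Za-z0-9])", body):
            found.append((num, _str(re.search(rb"/F\s*\(([^)]*)\)", body)),
                          _str(re.search(rb"/P\s*\(([^)]*)\)", body))))
    return found


def filespecs(data: bytes) -> list:
    """(attachment name, object number of its /EmbeddedFile stream)."""
    found = []
    for num, body in iter_objects(data):
        body = decode_name_escapes(body)
        if re.search(rb"/Type\s*/Filespec(?![A-Za-z0-9])", body):
            name = _str(re.search(rb"/(?:UF|F)\s*\(([^)]*)\)", body))
            ref = re.search(rb"/EF\s*<<\s*/(?:UF|F)\s+(\d+)\s+\d+\s+R", body)
            found.append((name, int(ref.group(1)) if ref else None))
    return found


def embedded_files(data: bytes) -> dict:
    """object number -> first 4 raw bytes of each /EmbeddedFile stream."""
    found = {}
    for num, body in iter_objects(data):
        head, _, stream = body.partition(b"stream")   # dictionary / stream data
        if re.search(rb"/Type\s*/EmbeddedFile(?![A-Za-z0-9])",
                     decode_name_escapes(head)):
            m = re.match(rb"\r?\n(.*?)\r?\nendstream", stream, re.DOTALL)
            found[num] = m.group(1)[:4] if m else b""
    return found


def triage(data: bytes) -> dict:
    """Combine the checks into a verdict with human-readable reasons."""
    reasons = []
    launches = launch_actions(data)
    for num, prog, params in launches:
        reasons.append(f"obj {num}: /Launch runs {prog!r} with {params!r}")
    streams = embedded_files(data)
    for name, ref in filespecs(data):
        if streams.get(ref, b"").startswith(b"MZ"):
            reasons.append(f"attachment {name!r} (obj {ref}) starts with MZ: "
                           "a Windows executable, whatever its extension says")
    # An action reachable from /OpenAction or /AA fires on open, not on a click.
    if launches and re.search(rb"/(?:OpenAction|AA)(?![A-Za-z0-9])",
                              decode_name_escapes(data)):
        reasons.append("launch action is reachable from /OpenAction or /AA")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for reason in triage(SAMPLE_PDF)["reasons"]:
        print("SUSPICIOUS:", reason)
```

Two caveats apply when running this on real samples. Malicious PDFs usually compress their dictionaries into /FlateDecode object streams, so a regex pass over the raw bytes misses them; inflate the streams first (pdf-parser or a proper PDF library) and feed the decoded objects to the same checks. And the MZ test only catches an executable stored as-is; a payload stored compressed or encoded needs decoding before the header check means anything.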

Location of the Zbot:

The Zbot trojan creates a subdirectory named “lowsec” under the System32 directory (%SystemRoot%\system32) and drops the files “local.ds” and “user.ds” there; these are the threat’s configuration files. It also drops an executable, “sdra64.exe”, and modifies the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit so that sdra64.exe is launched at every system start. When it runs, it injects malicious code into the running winlogon.exe process. This Zbot variant connects to a malicious remote server in China at the IP address 59.44.[removed].[removed], port 6010.

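
The indicators above (the lowsec directory and its two files, sdra64.exe, the Userinit modification, and the outbound connection to 59.44.x.x on port 6010) can be turned into a host check. The following is an added example written for this page, not Websense's or the post author's code. It assumes Windows stores Userinit as a comma-separated list whose only legitimate entry is userinit.exe, and that the dropped files live under %SystemRoot%\system32 as the post describes. The checks are plain functions over their inputs so they run anywhere; collect_windows() reads the live values on a Windows host. SAMPLE_NETSTAT is constructed, and its 59.44.1.1 address is a placeholder inside the published /16, not the redacted real address.

```python
"""Host-side check for the Zbot indicators listed above: the lowsec directory,
sdra64.exe, the Winlogon Userinit modification and the 59.44.x.x:6010 C2.

Added example, not Websense's or the post author's code.  The checks are pure
functions over their inputs so they run (and can be tested) on any OS;
collect_windows() gathers the live inputs on a Windows host with winreg.
"""
import ntpath
import os
import re
import subprocess
import sys

# Windows stores Userinit as a comma-separated REG_SZ, normally just
# "C:\Windows\system32\userinit.exe,".  Anything else in the list is rogue.
USERINIT_ALLOWED = {"userinit.exe"}

# Paths relative to %SystemRoot% that this variant drops (from the post).
DROPPED = (r"system32\lowsec\local.ds", r"system32\lowsec\user.ds",
           r"system32\sdra64.exe")

# Constructed `netstat -ano` output.  59.44.1.1 is a placeholder inside the
# /16 quoted above, not the real (redacted) C2 address.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49170     59.44.1.1:6010         ESTABLISHED     624
  TCP    192.168.1.20:49171     198.51.100.7:443       ESTABLISHED     1532
""".splitlines()


def userinit_entries(value: str) -> list:
    """Split the Userinit REG_SZ into its non-empty, unquoted program paths."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def rogue_userinit_entries(value: str) -> list:
    """Entries other than the real userinit.exe, e.g. an appended sdra64.exe."""
    return [p for p in userinit_entries(value)
            if ntpath.basename(p).lower() not in USERINIT_ALLOWED]


def dropped_files_present(system_root: str, exists=os.path.exists) -> list:
    """Which of the known dropped paths exist; `exists` is injectable for tests."""
    paths = [ntpath.join(system_root, rel) for rel in DROPPED]
    return [p for p in paths if exists(p)]


NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)", re.I)


def c2_connections(netstat_lines) -> list:
    """TCP lines whose foreign address is in 59.44.0.0/16 on port 6010."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and m.group(1).startswith("59.44.") and m.group(2) == "6010":
            hits.append(line.strip())
    return hits


def assess(userinit: str, system_root: str, netstat_lines,
           exists=os.path.exists) -> dict:
    """Combine the three indicator checks into one verdict."""
    findings = {
        "rogue_userinit": rogue_userinit_entries(userinit),
        "dropped_files": dropped_files_present(system_root, exists),
        "c2_connections": c2_connections(netstat_lines),
    }
    findings["infected"] = any(findings.values())
    return findings


def collect_windows() -> dict:
    """Read the live inputs on a Windows host (returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return {"userinit": userinit,
            "system_root": os.environ.get("SystemRoot", r"C:\Windows"),
            "netstat_lines": netstat.splitlines()}


if __name__ == "__main__":
    live = collect_windows()
    if live:
        print(assess(**live))
    else:  # not on Windows: show the verdict on the constructed inputs
        print(assess(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
                     r"C:\Windows", SAMPLE_NETSTAT, exists=lambda p: False))
```

The Userinit check is deliberately an allow-list rather than a search for the string “sdra64.exe”: the file name changes between Zbot builds, but a second entry in Userinit is abnormal regardless of what it is called. Run the live collector from an elevated prompt, and remember that a process injected into winlogon.exe owns the C2 socket, so the PID column of the netstat hit will point at winlogon.exe, not at a separate malware process.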
This is yet another attack traced back to China, which is alarming and makes one wonder whether China is quietly planning to go big on this. Make sure your anti-virus suite has the latest definitions; given the 20 percent detection rate quoted above, though, do not rely on anti-virus alone. Also, avoid opening PDF attachments from unknown senders.

Google to stop censoring China search results

April 3, 2010

Violation of the commitment it had made, says Beijing

Washington DC/Beijing: Google Inc. on Monday evening announced that it would stop censoring the results of its search engine in China. The move follows Google’s allegations of cyber-attacks by China in January — which the Chinese government denied — and subsequent testimonies on the matter by Google, to the United States Congress.

Since Google stopped censoring its results, users visiting Google.cn were being redirected to Google.com.hk, the company said, where uncensored search in simplified Chinese was on offer. “This website was specifically designed for users in mainland China and delivered via our servers in Hong Kong,” said Google.

A search for “Tiananmen Square protests of 1989” on Google.com.hk returned extensive search results for Internet users in China. However, the users were unable to open many of these websites, and according to reports searches in Chinese returned no results, only the message “The connection was reset.”

In a statement Google said evidence it uncovered during its investigation into cyber attacks suggested Google E-mail accounts of “dozens of human rights activists connected with China were being routinely accessed by third parties.”

The announcement said Google was unwilling to tolerate these attacks and attempts to further limit free speech on the web in China — including the blocking of social media websites such as Facebook, Twitter, YouTube and Blogger — and that it would therefore not continue censoring results on Google.cn.

Chinese officials attacked the Internet giant for violating the commitment it had made when it first launched Google.cn in 2006. “Google has violated its written promise it made when entering the Chinese market by stopping filtering its searching service and blaming China in insinuation for alleged hacker attacks,” an unnamed official at the Internet governing authority of the State Council Information Office told the state-run Xinhua news agency. However, Google’s decision was welcomed by bloggers and rights activists in China, who said the move would help bring more awareness to Chinese Internet users about the government’s censorship policies.

“Chinese people want a free Internet, but many are not even aware of what information is being restricted by the government. The fact that they will now be exposed to more information, even if they cannot access it, is a big change in and of itself,” well-known Chinese blogger Michael Anti told The Hindu.

In the statement, Google confirmed that it would continue research and development work in China and maintain its sales presence.