Banking Trojan coming at you from all sides

Using the very effective tactic of multiple attack vectors, the makers of the Zbot banking Trojan are ensuring a high enough infection rate for them to make profit.

A recent example of this has been registered by CA. A recently received email purporting to come from Fifth Third Bank asks the users to use an embedded link to login into their online banking account and check out “new security features”:

If they follow the link, they are taken to a fake Fifth Third Bank website. When they enter their ID and password, it is automatically sent to a malware server.

The users will be then offered to create a digital certificate, and if they clicked on the offered button, an executable by the name “certificate.exe” will be downloaded – which is, of course, the password stealing Trojan:

If the users gets suspicious at the moment before “creating” the digital certificate – and I know I would definitely think there was something fishy going on after reading the “If you receive a ‘potential scripting violation’ error message, please click ‘YES’ to continue” part of the instructions! – and decide not to do it, they are still in danger of being infected since the fake page hides an obfuscated java script that contains an iframe pointing to a Web exploit toolkit, which will in the end lead to a variant of the Trojan being downloaded and executed.