SophosLabs blog

A couple of days ago I posted about some interested malicious PDFs we were seeing in high numbers. Further investigation revealed the payload of these attacks to be Sinowal (aka Mebroot).

Well, I should say predominantly Sinowal, because we have seen some of the payloads being Zbot (aka Zeus) variants as well!!!

Various components are being used on the attack sites, targeting several system vulnerabilities. Associated detections for Sophos include:

• Troj/PDFJs-ER (as discussed previously)
• Mal/ObfJS-CM
• Troj/ClsLdr-K
• Troj/ClsLdr-M
• Mal/Sinowa-A

We are still seeing fairly high numbers of these detections so be sure to keep your security product updated and use effective URL filtering to block access to the multitude of sites that Sinowal is using for distribution and callhome.

Posted on December 11th, 2009 by Fraser Howard, SophosLabs UK
Filed under: Malware, Web

                                         

Free virus scan - Download the Threat Detection Test

Related posts

• Surge in Sinowal distribution
• Continued Sinowal activity
• Sinowal delivery: date-driven redirection scripts
• Infected, compromised? What’s the difference?
• Zbot (aka Prg) banking Trojan distribution