Toni ran into an interesting ZBot sample yesterday. During his analysis, he was surprised to discover a large number of poker sites among the configuration file's targets.
Targeting gaming sites is new behavior for the ZBot gang.
Why online poker? Because the sites pay out real money, and often lots of it. Additionally, if you have access to a compromised poker account, you can use it to fix games and/or to launder funds. Funds such as those stolen from bank accounts…
Doing a quick search on other ZBot variants seen in the last few days yielded the encrypted configuration files from a number of C&C servers. There were 22 of them online. Decrypting the files led to some additional discoveries.
Spanish banks are being widely targeted for some reason.
Even more surprising is that there are also many Russian (.ru) sites among the targets. Taking into consideration that ZBot is a Russian trojan and many of the attackers are probably from Russia, this is a bit unusual to see. Typically skilled individuals tend not to operate in their own countries, in order to make prosecution against them more difficult.
After seeing this list, it isn't too difficult to imagine how much in damages these guys might be responsible for annually.