
October 27th, 2009

Facebook password-reset spam is Bredolab botnet attack

Posted by Ryan Naraine @ 8:27 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Facebook, Locally Running Web Servers, Malware, Microsoft, Passwords, Phishing, Social Networking Applications, Spam and Phishing, Spyware and Adware, Viruses and Worms

Tags: Facebook, Spam, Attack, Virus Hunter, Cyberthreats, E-mail, Identity Theft, Security, Viruses And Worms, Online Communications

Virus hunters are raising the alarm for a large-scale spam attack that uses fake Facebook password-reset messages to trick PC users into downloading a dangerous piece of malware.

The malicious executable is associated with the Bredolab botnet, which has previously been tied to massive spam runs and identity-theft attacks.

Here’s a sample of the Facebook password-reset messages hitting e-mail inboxes this morning (the screenshot of the message is not reproduced here):

According to Websense, the sender address is spoofed to display “support@facebook.com,” a common trick for making targets believe the e-mail really came from the popular social network. Nothing in SMTP stops a sender from writing whatever it likes into the From header, so the displayed address alone is no evidence of origin.

The messages carry a .zip attachment containing an .exe file. When run, the executable connects to two servers, one in the Netherlands and the other in Kazakhstan, to download additional malicious files, and it enrols the PC in the Bredolab botnet. That gives the attackers full control of the machine: they can steal information from it, use it to send spam, and so on.
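The two tell-tale signs above, a From address that does not match where the mail actually came from and a zipped Windows executable, are easy to check at the mail gateway. The following is an added example, not code from the post or from Websense: it builds a constructed look-alike of the lure (the envelope sender, file names and body text are assumptions, not the real campaign's values), compares the From domain against the envelope sender and the SPF result in Authentication-Results, and opens any .zip attachment to look for an executable inside.

```python
"""Triage a Facebook-themed lure: spoofed From address plus a zipped executable."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types Windows will run directly when the user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _domain(address_header: str) -> str:
    """Return the lower-cased domain of the first address in a header value."""
    addr = parseaddr(str(address_header))[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def sender_is_spoofed(msg: EmailMessage) -> bool:
    """Flag a From address whose domain differs from the envelope sender, or
    whose SPF check failed. Only trust Return-Path/Authentication-Results
    headers that your own border MTA added; the sender can forge earlier ones."""
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    auth_results = str(msg.get("Authentication-Results", "")).lower()
    return from_domain != envelope_domain or "spf=fail" in auth_results


def executables_in_zip_attachments(msg: EmailMessage) -> list[tuple[str, str]]:
    """List (attachment name, member name) for every executable found inside a
    .zip attachment. The last extension decides, so 'invoice.pdf.exe' counts."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    ext = "." + member.rsplit(".", 1)[-1].lower() if "." in member else ""
                    if ext in EXECUTABLE_EXTS:
                        hits.append((name, member))
        except zipfile.BadZipFile:
            hits.append((name, "<unreadable zip>"))  # a corrupt archive is suspicious too
    return hits


def analyze(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return a triage verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    spoofed = sender_is_spoofed(msg)
    execs = executables_in_zip_attachments(msg)
    return {
        "from": parseaddr(str(msg.get("From", "")))[1],
        "spoofed_sender": spoofed,
        "executables": execs,
        "verdict": "quarantine" if (spoofed or execs) else "deliver",
    }


def build_sample(malicious: bool = True) -> bytes:
    """Constructed message for the demo. The envelope sender, file names and
    body text are assumptions; they are not the real campaign's values."""
    msg = EmailMessage()
    msg["From"] = "Facebook <support@facebook.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    if malicious:
        msg["Return-Path"] = "<bounce@relay.example.invalid>"
        msg["Authentication-Results"] = "mx.example.org; spf=fail smtp.mailfrom=relay.example.invalid"
        msg.set_content("Your password has been changed. Your new password is in the attached file.")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Facebook_Password_reset.exe", b"MZ" + b"\x00" * 62)  # fake PE stub
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Facebook_Password_reset.zip")
    else:
        msg["Return-Path"] = "<notification@facebook.com>"
        msg["Authentication-Results"] = "mx.example.org; spf=pass smtp.mailfrom=facebook.com"
        msg.set_content("Someone requested a password reset. If this wasn't you, ignore this mail.")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample(True)), ("legit", build_sample(False))):
        print(label, analyze(raw))
```

The domain comparison is deliberately coarse: a real gateway would also check DKIM and DMARC alignment, and the Return-Path and Authentication-Results headers are only meaningful if they were written by your own MX rather than supplied by the sender. The archive check covers the case reported here (an .exe inside a .zip); password-protected or nested archives need a separate sandbox step, since the zip cannot be opened in line.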

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. His full profile and disclosure of industry affiliations are on his author page.


Talkback (171 comments)
RE: Facebook password-reset spam is Bredolab botnet attack
Sometime back, I am not sure how long, I received such a message and was immediately distrustful of it. The message I received also had a zip file attached to it as well and referred to executing the ...
Posted by: Computer_User_1024 | 11/17/09
For haven sake ...  n0neXn0ne | 10/27/09
Affected platform?  NonZealot | 10/27/09
re:Affected platform? Yes, Affected platform?  n0neXn0ne | 10/27/09
Yes, I'm sure  NonZealot | 10/27/09
I really wasn't ...  n0neXn0ne | 10/27/09
Ah, I didn't realize  NonZealot | 10/27/09
You're building a strawman. No thx. n/t  n0neXn0ne | 10/27/09
And you are a troll  NonZealot | 10/27/09
Says the troll.  AzuMao | 10/27/09
RE: Troll vs. Troll  /A\V/ | 10/28/09
Would you care to provide evidence?  The Mentalist | 10/27/09
Who needs evidence?  AzuMao | 10/27/09
His statement is right  mathcreative | 10/27/09
"His statement is right"  vilppuu@... | 10/29/09
Incorrect  mathcreative | 10/27/09
All platforms? With a ".exe" file carrying the payload?  The Mentalist | 10/27/09
Name a PC OS that is immune to trojans  NonZealot | 10/27/09
re: Name a PC OS that is immune to trojans  n0neXn0ne | 10/27/09
Why does it need to be a cross-platform trojan?  NonZealot | 10/27/09
Please report specific cases where it occurred  The Mentalist | 10/27/09
Sure, that's easy  NonZealot | 10/27/09
I'm asking for occurrences in the wild not proofs of concept  The Mentalist | 10/27/09
Hehe, epic fail on your part  NonZealot | 10/27/09
What "hole"?  AzuMao | 10/27/09
Ah, I didn't realize that I was corresponding with an idiot  NonZealot | 10/27/09
Oh the strength of your arguments...  The Mentalist | 10/27/09
Well, you were. Every single time you talked to yourself.  AzuMao | 10/27/09
Well said NZ, completely agree  Mew-shew | 10/27/09
Don't try to change the subject everytime somebody makes you eat your words  AzuMao | 10/27/09
Safe OS  Dave@... | 10/28/09
It's a .exe file you retarded troll. Only Windows is affected.  AzuMao | 10/27/09
Revelation: Windows can run Windows programs  NonZealot | 10/27/09
You really should try reading before replying.  AzuMao | 10/27/09
I'm starting to fear for you man.  The Mentalist | 10/27/09
That goes without saying... writing "windows malware" would be a pleonasm  The Mentalist | 10/27/09
Correction for you  bobiroc | 10/27/09
Malware writers feel worth writing malware for...  The Mentalist | 10/27/09
Windows and OS X  NonZealot | 10/27/09
lolled @ iBotnet. NT  AzuMao | 10/27/09
Right  bobiroc | 10/27/09
Not even 10-12%  NonZealot | 10/27/09
re:Not even 10-12%  n0neXn0ne | 10/27/09
Thanks for asking,  NonZealot | 10/27/09
Haha. Do you actually think this is a prime example of Windows' insecurity?  AzuMao | 10/27/09
"as if I'm supposed to be afraid of emails with zipped EXEs that require...  ghall@... | 10/28/09
re: Right  n0neXn0ne | 10/27/09
The conclusion following your simple concept is that;  AzuMao | 10/27/09
Maybe so  bobiroc | 10/27/09
The thing is, that's not it.  AzuMao | 10/27/09
That makes sense.  AzuMao | 10/27/09
Linux on vast majority of servers?  bobiroc | 10/27/09
Fail  AzuMao | 10/27/09
Is it me or is that article primarily about web servers?  bobiroc | 10/27/09
Okay.. so how do you propose polling for all types of servers?  AzuMao | 10/27/09
Trolls on vast majority of blogs  compudog | 10/28/09
So proclaims  athynz | 10/28/09
Wow, what a complete newbie!  NonZealot | 10/27/09
Hint: I was being sarcastic. wink  AzuMao | 10/27/09
re n0neXn0ne  j-mccurdy@... | 10/28/09
Let loose...  seal@... | 10/29/09
Get it right  phil.hawkins@... | 11/11/09
RE: Facebook password-reset spam is Bredolab botnet attack  bjs_z | 10/27/09
Thanks very much for your insight. {nt}  n0neXn0ne | 10/27/09
Just checked my email logs  bobiroc | 10/27/09
1500 already???  The Mentalist | 10/27/09
Spreading?  bobiroc | 10/27/09
And where did those attacks come from?  The Mentalist | 10/27/09
They could be coming from the OS X botnet  NonZealot | 10/27/09
Even stupidity has its limits man...  The Mentalist | 10/27/09
You believe Linux servers can't serve Windows malware?  NonZealot | 10/27/09
Linux server could forward windows malware not replicate it but even...  The Mentalist | 10/27/09
Linux can replicate Linux malware  NonZealot | 10/27/09
You could as well remove your Linux hard drive and send it to...  The Mentalist | 10/27/09
Possibly.  AzuMao | 10/27/09
So you don't know  NonZealot | 10/27/09
NZ, at least try to read before replying. That's not what I said at all.  AzuMao | 10/27/09
@AzuMao  athynz | 10/28/09
Probably not as many  athynz | 10/28/09
re:1500 already???  n0neXn0ne | 10/27/09
Answer this one troll  NonZealot | 10/27/09
Why do those so called trojans die the moment of release them in the wild?  The Mentalist | 10/27/09
So many lines of defense?  NonZealot | 10/27/09
Will you ever get it...  The Mentalist | 10/27/09
re:Answer this one troll  n0neXn0ne | 10/27/09
No, I specifically chose an old one  NonZealot | 10/27/09
Strawman n/t  n0neXn0ne | 10/27/09
It's not in the wild anymore, and I doubt anyone even has a sample of it.  AzuMao | 10/27/09
RTFA! "but you must of course save the binary, then set it executable, and  AzuMao | 10/27/09
Defensive aren't we?  bobiroc | 10/27/09
If you say so..  AzuMao | 10/27/09
I did notice that  athynz | 10/28/09
You know nothing!  NonZealot | 10/27/09
You refuse to read your own source, and didn't read my message either..  AzuMao | 10/27/09
Of course you could as well remove your Linux hard drive and send it to...  The Mentalist | 10/27/09
That sounds complicated  NonZealot | 10/27/09
A minor problem  The Mentalist | 10/27/09
@NZ  AzuMao | 10/27/09
Are you really that stupid?  NonZealot | 10/27/09
Those emails come from somewhere...  The Mentalist | 10/27/09
It depends on how many Windows 7 users gave this admin privs  NonZealot | 10/27/09
In Windows 7, you don't even need to give permission.  AzuMao | 10/27/09
Links please!  NonZealot | 10/27/09
It was in the first result. Here you go.  AzuMao | 10/27/09
Can't you read?  AzuMao | 10/27/09
re: Just checked my email logs  n0neXn0ne | 10/27/09
At this organization, it wouldn't even matter  NonZealot | 10/27/09
re:At this organization, it wouldn't even matter  n0neXn0ne | 10/27/09
Unless it, like most users of Windows, left the settings on default.  AzuMao | 10/27/09
Just like Linux!  NonZealot | 10/27/09
Just because another OS has some problems in the same category..  AzuMao | 10/27/09
Nope  bobiroc | 10/27/09
I'll tell you one thing  AzuMao | 10/27/09
Windows' crappiness aside..  AzuMao | 10/27/09
RE: Facebook password-reset spam is Bredolab botnet attack  andre3k | 10/27/09
A talkbacker already reported 1500 cases of blocked infected emails...  The Mentalist | 10/27/09
ha  andre3k | 10/27/09
But where did they (infected emails) come from...  The Mentalist | 10/27/09
Why is it a pertinent question?  NonZealot | 10/27/09
Windows is so special that it will run them with admin privs even if  AzuMao | 10/27/09
No it won't  NonZealot | 10/27/09
Don't try to project your own attributes onto others.  AzuMao | 10/27/09
Fair enough, vulnerabilities do exist  NonZealot | 10/27/09
Definitely not perfect. All the major OSs/kernels have problems.  AzuMao | 10/27/09
RE: Facebook password-reset spam is Bredolab botnet attack  Loverock Davidson | 10/27/09
How useful is that...  The Mentalist | 10/27/09
It is very useful.  andre3k | 10/27/09
A machine which disregards your needs and impose its own limitations on you  The Mentalist | 10/27/09
*sigh*  andre3k | 10/27/09
Right  AzuMao | 10/27/09
Yep  bobiroc | 10/27/09
According to the zealots, just being attacked means you are vulnerable  NonZealot | 10/27/09
ohemgee  andre3k | 10/27/09
I can't make up this type of stupidity  NonZealot | 10/27/09
Too bad you're getting frustrated by yourself...  The Mentalist | 10/27/09
Might want to practice your reading comprehension skills wink  AzuMao | 10/27/09
Which even you admitted your lack of knowledge  NonZealot | 10/27/09
Nope. I don't have to agree with him to understand what he meant.  AzuMao | 10/27/09
Or yours?  Oreamnos_americanus | 10/28/09
Deep packet inspection is all fine and dandy for..  AzuMao | 10/27/09
Too bad most Windows users are so jaded to frivolous warnings they ignore  AzuMao | 10/27/09
Wrong  Loverock Davidson | 10/27/09
Let's see how TRULY secure Linux users are  NonZealot | 10/27/09
Nope.  AzuMao | 10/27/09
So you are saying  bobiroc | 10/27/09
No  AzuMao | 10/27/09
So will you admit  bobiroc | 10/27/09
I'm not sure about if you use some third party program to compensate for  AzuMao | 10/27/09
Security in general  bobiroc | 10/27/09
Even with root privileges  Michael Kelly | 10/27/09
Not that there'd be reason to anyways.  AzuMao | 10/27/09
It's funny how ...  n0neXn0ne | 10/27/09
RE: Facebook password-reset spam is Bredolab botnet attack  TF_kj | 10/27/09
we need to be technically educated; the BBC did it way back about botnets  samzbest@... | 10/27/09
RE: Facebook password-reset spam is Bredolab botnet attack  lthorn@... | 10/28/09
RE: Facebook password-reset spam is Bredolab botnet attack  sflorg | 10/28/09
Anyway..The only way you're not affected is..  WNCSnoopy24 | 10/28/09
RE: Facebook password-reset spam is Bredolab botnet attack  redsreboot | 10/28/09
Yes, that's wrong  trefire | 10/28/09
Only Windows is affected  terjeb@... | 10/29/09
Netherlands: why is Police not arresting those guys  wimkapteyn | 10/29/09
A learning curve problem or simple stupidity  Steve*1* | 10/29/09
If a user is stupid enough...  smtp4me@... | 10/29/09
And the consequences...  Steve*1* | 10/29/09
Hmmm.... this is interesting...  SteveInKS | 10/29/09
RE: Facebook password-reset spam is Bredolab botnet attack  vilppuu@... | 10/29/09
ZDNet, your email showed up RIGHT NEXT to that spam!  Garrett Williams | 10/29/09
Anyone know what this one is?  JCitizen | 10/30/09
A solution?  kmashraf | 11/02/09
Anyone who bit on that one needs a brain transplant  niallfromdublin@... | 11/03/09
RE: Facebook password-reset spam is Bredolab botnet attack  cocococo013 | 11/16/09
RE: Facebook password-reset spam is Bredolab botnet attack  Computer_User_1024 | 11/17/09