Archive for October, 2009

Who Fell for the Facebook Password Reset Scam Yesterday?

Wednesday, October 28th, 2009

Unfortunately, a lot of people did not realize that the email and attachment we posted about yesterday were not really from “The Facebook Team”. ThreatFire users were protected from the Bredolab downloader and its Zbot payload, and a good thing too. Here is a breakdown by country of who fell for it (that is, who opened the attachment and ran it, only to have ThreatFire block it):

[Chart: ThreatFire-protected systems, by country]

The bulk of the protected systems were in the U.S., where there are more Facebook users than anywhere else. Below is a non-exhaustive list of banks that the group targets with the Zbot payload fetched from the IP address the Bredolab downloaders pulled from (domains are defanged with a space before the top-level domain). Surprisingly, the cybercrime group decided to go after U.S. military members and their families at usaa.com:

https://businessonline.huntington .com
https://business-eb.ibanking-services .com
https://securentrycorp.nbarizona .com
https://treas-mgt.frostbank .com
https://www8.comerica .com
https://cashmgt.firsttennessee .biz
https://www.usaa .com
https://*netspend .com
https://www.mybank.alliance-leicester.co .uk

Facebook Password Reset Confirmation Spam — Bredolab, Zbot, Adware

Tuesday, October 27th, 2009

Another cybercriminal group is abusing the Facebook brand in another malware spam blast, fooling users into installing banking password-stealing malware and adware on their systems.

The email claims to come from “The Facebook Team”, but it is spoofed and did not come from Facebook at all:

“Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team”

The real Facebook Team maintains threat-related information, “what to do if” guidance, and other security material here.

The emails carry an attachment under various names. Here are some of the attachment names that, when unzipped and run, ThreatFire has protected its community against in the past day:

Facebook_Password_e9081.zip
FACEBOOK_PASSWORD_52132.ZIP
Facebook_Password_6dd19.zip
Facebook_Password_4cf91.zip
FACEBOOK_PASSWORD_50573-1.ZIP
Facebook_Password_c92dd.zip
FACEBOOK_PASSWORD_7A343.zip

So what is being sent out? Unfortunately, the AV vendors that are starting to detect this variant do not always identify what they are detecting accurately (lucky that they are detecting it at all!). In the end, the zipped attachment contains an armored downloader. Some of the spammed downloader executables drop multiple variants of multiple families: adware, spyware, spambots, why not all of them? They are all money makers for this malware distribution group.
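As an added example (not code from the original post or from PC Tools), here is a small Python triage routine of the kind a mail gateway could run against this campaign: it flags a message whose From header claims Facebook and which carries either an attachment named in the Facebook_Password_<hex>.zip pattern listed above or a zip that contains a Windows executable. The message, the sender address, the zip and the MZ-header stub inside it are all constructed inline for the demonstration; none of them is a real sample.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names seen in this campaign: Facebook_Password_<5 hex digits>.zip,
# in mixed case, sometimes with a "-1" style suffix before the extension.
LURE_NAME_RE = re.compile(r"^facebook_password_[0-9a-f]{5}(?:-\d+)?\.zip$", re.IGNORECASE)

# Extensions Windows runs directly on double-click.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

LURE_TEXT = ("Because of the measures taken to provide safety to our clients, "
             "your password has been changed.\n"
             "You can find your new password in attached document.\n\n"
             "Thanks,\nThe Facebook Team")


def build_sample_zip(inner_name: str, data: bytes = b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed zip; the default member is an MZ-header stub, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


def build_sample_message(zip_bytes: bytes, attach_name: str,
                         sender: str = "The Facebook Team <service@facebook.com>") -> bytes:
    """Constructed message in the shape of the lure (the From address is an assumption)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content(LURE_TEXT)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=attach_name)
    return msg.as_bytes()


def executables_in_zip(payload: bytes) -> list:
    """Names of zip members that are executable by extension or by their MZ header."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
                with zf.open(info) as fh:
                    head = fh.read(2)
                if ext in EXEC_EXTS or head == b"MZ":
                    found.append(name)
    except zipfile.BadZipFile:
        pass  # not a zip after all; this check has nothing to report
    return found


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the campaign's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"claims_facebook": False, "lure_name": False, "exec_in_zip": []}
    findings["claims_facebook"] = "facebook" in (msg["From"] or "").lower()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_NAME_RE.match(name):
            findings["lure_name"] = True
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":  # zip local-file-header magic
            findings["exec_in_zip"] += executables_in_zip(payload)
    # A Facebook-branded sender plus either indicator is enough to hold the mail.
    findings["verdict"] = ("quarantine"
                           if findings["claims_facebook"]
                           and (findings["lure_name"] or findings["exec_in_zip"])
                           else "pass")
    return findings


if __name__ == "__main__":
    sample = build_sample_message(build_sample_zip("Facebook_Password_e9081.exe"),
                                  "Facebook_Password_e9081.zip")
    print(triage(sample))
```

The name check alone is brittle (the next blast will use a different name), which is why the zip is opened and each member is tested for an executable extension or an MZ header rather than trusting its name; a real gateway would also verify the sender with SPF/DKIM, which this offline example leaves out.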

The malware package in some cases includes the highly active and highly malicious Zbot family. The Bredolab protector and dropper/downloader, which is in active development, has evidently proven effective enough against AV scanner detection that crimeware groups are re-wrapping their Zbot malware with it. Also interesting: these two families have recently been distributed by groups whose malware removes the other bot from victim systems, which has been described as another “War of the Bots”, Bredolab v. Zbot. Clearly, this active cybercrime group is a separate one with different aims and no internal wars.

Koobface, Bredolab, and Zbot-distributing cybercrime groups all spoof Facebook and other highly popular social networking sites to deliver their malware to victim systems. Avoid the confusion and install a behavior-based layer of protection like ThreatFire, which reliably and effectively prevents Bredolab, Zbot, and other highly dangerous malware families. Surf where you want; the PC Tools Facebook group is here.

Malware Attacks on Windows 7

Thursday, October 22nd, 2009

Yesterday’s release of Windows 7 brings with it a different playground for malware.

If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice, in high volume, which provides a whole new platform of interest and attention for money-making malware writers. It is inevitable that they will shift their attention to the newest defenses implemented in the most widely deployed platform.

The most common single piece of malware run on Windows 7 RTM systems, as observed in the ThreatFire community to date, has been Protection System FakeAv variants and their droppers. The dropper is usually part of a crack or keygen distributed at crack sites and over P2P. It drops multiple other unwanted components, including the FakeAv. That much is familiar from other platforms. What is different here is that User Account Control, a feature introduced in Windows Vista, has been reviewed and modified for Windows 7.

At runtime, the Windows 7 related scareware files are dropped to disk and the dropper creates some porn-related shortcuts on the desktop. The dropper creates registry keys to persist across reboots without a peep from UAC at its default settings, even when logged in as a Standard User. That is not a UAC bug so much as its design: UAC prompts only for actions that need an administrator token, and a per-user Run key plus a file in the user’s own profile need none. Another executable, responsible for many of the pop-ups, is copied to the profile directory. A phony scan is kicked off (thousands of real malware samples stored on the lab system went undetected), and two hard-coded detections are displayed. And no, there isn’t a legitimate vendor that names malware families as variants of “GayCodec”:

Multiple pop-ups appear for phony malware detections and payment/activation, all without a peep from Windows 7 UAC. At reboot, the malware persists, restarts, and performs its worthless rescan again, this time spoofing messages from the Windows Firewall with a randomized list of malware that is not running on the system:

It is reported to attempt to uninstall other security products; we did not observe this on lab machines.
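The persistence described above is exactly what UAC does not cover: an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points at a file in the user’s own profile needs no administrator token, so the default Windows 7 UAC setting has nothing to prompt about, while the same entry under HKLM would fail for a Standard User without elevation. As an added example (not from the original post or from PC Tools), the Python below parses a `reg export`-style dump of the per-user and per-machine Run keys and flags the entries a Standard User could have created silently. The registry dump, the value names (Sidebar, psystem, updater, VendorTray) and the environment paths are constructed for the illustration and do not describe the real sample.

```python
import re

# Constructed environment of a Windows 7 Standard User session (not a real capture).
ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# Everything under the profile is writable by that user with no elevation.
USER_WRITABLE = [ENV["USERPROFILE"]]

# HKCU is the user's own hive; writing HKLM needs an administrator token.
HIVE_NEEDS_ELEVATION = {"HKEY_CURRENT_USER": False, "HKEY_LOCAL_MACHINE": True}

# Constructed dump in the shape `reg export` produces; value names are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\Sidebar.exe /autoRun"
"psystem"="\"%APPDATA%\\psystem\\psystem.exe\" /hide"
"updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
'''

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
ENV_RE = re.compile(r"%([A-Za-z_]+)%")
# Either a quoted program path or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.IGNORECASE)


def unescape(s: str) -> str:
    """Undo the two escapes .reg files use inside string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> list:
    """Yield (key, value name, value data) for every string value in the dump."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            entries.append((key, unescape(vm.group(1)), unescape(vm.group(2))))
    return entries


def extract_exe(cmd: str) -> str:
    """Program path from a Run command line, dropping its arguments."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()


def expand(path: str) -> str:
    """Expand %VAR% references using the constructed environment."""
    return ENV_RE.sub(lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def classify(text: str) -> list:
    """Mark each Run entry with whether creating it needed elevation and whether
    it is the silent, profile-resident kind a Standard User can plant."""
    out = []
    for key, name, cmd in parse_reg(text):
        hive = key.split("\\", 1)[0]
        exe = expand(extract_exe(cmd))
        needs_elev = HIVE_NEEDS_ELEVATION.get(hive, True)
        in_user_dir = any(exe.lower().startswith(d.lower() + "\\") for d in USER_WRITABLE)
        out.append({
            "hive": hive,
            "name": name,
            "exe": exe,
            "needs_elevation": needs_elev,
            "silent_as_standard_user": (not needs_elev) and in_user_dir,
        })
    return out


if __name__ == "__main__":
    for entry in classify(SAMPLE_REG):
        print(entry)
```

The useful signal is the combination, not either half alone: HKCU Run entries are common and legitimate (the constructed Sidebar entry points into Program Files), and files under the profile are common too, but a Run value the user’s own token could write that launches a program from the user’s own profile is the shape a non-elevated dropper leaves behind, and it is the shape UAC will never mention.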

All in all, the release seems to be a hit. As volume picks up, most likely so will Windows 7-targeting malware. Users should be aware of scams like this one and always purchase software from legitimate vendors. And install a behavioral layer of protection over and above UAC, like ThreatFire, which runs well on Windows 7 and keeps your system protected.