
Zero Day

Ryan Naraine and Dancho Danchev

Facebook password-reset spam is Bredolab botnet attack

By | October 27, 2009, 8:27am PDT

Summary: Virus hunters are raising the alarm for a large-scale spam attack that uses fake Facebook password-reset messages to trick PC users into downloading a dangerous piece of malware.


The malicious executable is tied to the Bredolab botnet, which has been linked to massive spam runs and identity-theft related attacks.

Here’s a sample of the Facebook password-reset messages hitting e-mail inboxes this morning:

According to Websense, the address of the sender is spoofed to display “support@facebook.com,” a tactic commonly used to trick targets into believing it’s a legitimate e-mail from the popular social network.

The messages contain a .zip file attachment with an .exe file that connects to two servers to download additional malicious files and joins the Bredolab botnet, which means the attackers have full control of the PC and can, for example, steal customer information or send spam e-mails. One of the servers is in the Netherlands and the other is in Kazakhstan.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 172 Talkback(s)

  • For heaven's sake ...
    Could we be a little bit more specific?

    "...password-reset messages to trick PC users into downloading a dangerous piece of malware."

    Does "PC" mean Windows? I'm guessing because I see the words "PC" and "malware" in the same sentence, oh, and your screenshot is Windows. Is that an accurate guess?

    A mention of affected platform(s) would be appreciated by your readers. Let's not just tell half the story.

    Thanks in advance for your reply

    ^o^

    n0neXn0ne
    27th Oct 2009
  • Affected platform?
    It is a trojan. All platforms are affected.
    NonZealot
    27th Oct 2009
  • re:Affected platform? Yes, Affected platform?
    "All platforms are affected".

    "The messages contain a .zip file attachment with an .exe file..."

    Are you sure about that?

    Thanks for your reply

    ^o^

    n0neXn0ne
    27th Oct 2009
  • Yes, I'm sure
    All platforms are affected by trojans.
    NonZealot
    27th Oct 2009
  • I really wasn't ...
    ... looking for the definition of a trojan horse.

    The question was about this article's malware specifically.

    Thanks anyway.

    ^o^

    n0neXn0ne
    27th Oct 2009
  • Ah, I didn't realize
    Yes, this particular trojan coincidentally uses the Windows API and so anyone not running Windows is probably not affected by this particular trojan in the same way that Windows users are immune from OS X and Linux trojans: http://en.wikipedia.org/wiki/Linux_malware#Trojans

    Windows is also immune to all the problems associated with WINE and Parallels as other OSs desperately try to give their users access to the Windows API. :)
    NonZealot
    27th Oct 2009
  • And you are a troll
    And yes, I realized that from your first post. :)
    NonZealot
    27th Oct 2009
  • RE: Troll vs. Troll
    NZ - you never cease to amaze me.

    n0neXn0ne actually brought up a good point with his post, whether or
    not it was intended to be a trolling attempt.

    Yes, NZ, trojans do, in fact, have the ability to affect users of many
    different platforms, depending on the platform that they were written
    to attack. So, as far as that is concerned, you are correct.

    However, in the case of this blog post, it is, indeed, a bit unspecific
    about the particular platform that is affected. PC does, in fact, mean
    personal computer, regardless of actual OS or platform, or whether or
    not one company decides to brand the term PC as applying to
    Windows based machines in its commercials or not.

    In the case of this article, I have to agree with n0neXn0ne, in that it
    would have been more appropriate to specify that the trojan in
    question does indeed affect only users of Windows based machines, if
    only for the sake of assisting with people who may not be aware of the
    differences in platforms when it comes to the actual OS and the ability
    of malware to infect varying machines.

    Granted, simply posting "PC" in general does have the added effect of
    helping those who don't have a clue about any of this become more
    conscious of ANY suspect mails that might come their way.

    As for you, NZ, I have no choice but to compliment you on your
    apparently rapidly growing ability to create a rather impressive
    trackback tree based on your intentionally inflammatory comments -
    I'm not so sure what the marketable points of such a niche skill-set
    are, but surely, you can use that to create a career in the entertainment
    industry somewhere. Or perhaps writing for a dictator in a third world
    country. Or something. I wish you luck in your future herring
    generating endeavours, good sir.
    /A\V/
    28th Oct 2009
  • Would you care to provide evidence?
    Please be warned: Your words alone won't cut it.
    The Mentalist
    27th Oct 2009
  • Who needs evidence?
    Evidence is for Jesus-hating
    anarchists/atheists/aliens!
    AzuMao
    27th Oct 2009
  • "His statement is right"
    All platforms are affected by Trojans
    actually it should read
    All platforms are affected by User stupidity otherwise known as
    human error or social engineering:-) as to Trojans
    "Special skill may be needed for tricking the user to run the (trojan)
    program in the first place."
    vilppuu@...
    29th Oct 2009
  • Incorrect
    Incorrect. Just because it's a trojan doesn't mean it affects all platforms,
    and as n0neXn0ne pointed out this trojan is an exe which means it can
    only work on Windows or maybe Wine.
    mathcreative
    27th Oct 2009
