
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Facebook password reset themed malware campaign in the wild

By Dancho Danchev | March 18, 2010, 2:12pm PDT

Summary: Facebook is warning its users on an ongoing BredoLab malware serving campaign using the well known “Facebook Password Reset Confirmation Customer Support” social engineering theme.

More details on the campaign:

Subject: Facebook Password Reset Confirmation Customer Support
Message: Dear user of Facebook, Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document. Thanks, Your Facebook.

Asked to comment on the inner workings of the campaign, TrendMicro’s Ivan Macalintal commented that based on the samples he analyzed, the same campaign was also seen in October, 2009.

Moreover, according to Gary Warner, “The malware being delivered is called ‘BredoLab.’ It has been occasionally spread by spam since May of 2009,” Warner says. “The UAB Spam Data Mine has observed at least eight versions of the Facebook BredoLab malware since March 16.

What is troubling is the newer versions of the BredoLab used in this latest attack campaign are not being detected by the majority of anti-virus services — and that means the majority of users who unwittingly click on the bogus attachments linked to fake e-mails are going to have their computers infected.”

The Zeus crimeware and Bredolab connection

In a recently published paper “ZeuS: A Persistent Criminal Enterprise” TrendMicro further details the connections between Zeus and BredoLab:

  • According to our research, BREDOLAB and ZeuS are individual tools that are freely available in the cybercriminal underground. Their uses complement each other, which is why we very often see them together. ZeuS specializes in stealing information from infected systems. BREDOLAB, on the other hand, is a software that enables cybercriminal organizations to deliver any kind of software to its victims. Once a user’s machine is infected by BREDOLAB, it will receive regular malware updates the same way it receives software updates from the user’s security vendor.

The practice of reusing the same social engineering theme over a long period of time is nothing new. For instance, the fake Conficker infection alert campaigns originally seen in April and October 2009 were also spamvertised last month.

Campaign outbreak graph courtesy of Commtouch.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

43 Comments

RE: Facebook password reset themed malware campaign in the wild
ndallas75002@... 2nd Dec
Why are you posting something that is almost two years old? Have nothing else better to fill up a web page?
This one?
hill60 Updated - 18th Mar 2010
Facebook Password Reset Confirmation NR.2033

From: The Facebook Team | Date: 17/03/2010 8:09 AM
To: xxxxxxx@xxxxxx.com
Attachments: Facebook_password_2264.zip (62 KB)

Hey xxxxxx ,

Because of the measures taken to provide safety to our clients, your
password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team.
Yepp,
DaemonSlayer Updated - 23rd Mar 2010
Dat be da one.

HOPEFULLY this won't be a problem, as I'm posting the full header. E-mail addresses are edited out.

Enough data in this to see something is wrong with it.


From Facebook Support Fri Mar 19 08:44:20 2010
X-Apparently-To: xxxxx@xxx.com via 68.142.200.37; Fri, 19 Mar 2010 01:44:30 -0700
Return-Path:
X-YahooFilteredBulk: 180.188.187.67
X-YMailISG: Dz0f5noWLDtjbfWsleWx2_TfbHHXiUUAH.en0_AhB1T0f2Z2eP.XYmmLF4bAAauFb8v5hYrp4o.CHccaqRhVOySDkaGhtXw.xgvhDfm2pUcYM45Uz2MI.hYUdOVzWlFwgKvcQp74HfB3wf3DlRKBR1xdRdot0ob3tga4jTnFXN93jQy4QC8xg5LryIsE_tAyFYKs.k0x._it05aVgcrNFMQ82zqADfQvkIvdMfqGW0MZFdV.OsxEw2BpvSFF_uCAF1KOW.2NJfBgyQ--
X-Originating-IP: [180.188.187.67]
Authentication-Results: mta1105.mail.mud.yahoo.com from=facebook.com; domainkeys=neutral (no sig); from=facebook.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO XCRIQZO) (180.188.187.67) by mta1105.mail.mud.yahoo.com with SMTP; Fri, 19 Mar 2010 01:44:25 -0700
Received: from 180.188.187.67 by smtp.secureserver.net; Fri, 19 Mar 2010 16:44:20 +0800
Message-ID:
From: "Facebook Support"
To:
Subject: Facebook Password Reset Confirmation NR.22326
Date: Fri, 19 Mar 2010 16:44:20 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_01CAC740.5DF5E1B0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Content-Length: 66658

Message contains attachments
1 File (48KB)
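As an added example (not code from the post or from any commenter), here is a Python check that reads a header block like the one DaemonSlayer pasted above, together with the lure subject quoted in the article, and lists the signals a mail filter or responder would flag. The header block inside it is constructed from the values quoted on the page; the From address is an assumed placeholder (the comment elided it) and the heuristics are my own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the header quoted in the comment above; the From address is
# an assumed placeholder (elided in the comment) and the mbox "From " line is dropped.
SAMPLE_HEADERS = """\
Authentication-Results: mta1105.mail.mud.yahoo.com from=facebook.com; domainkeys=neutral (no sig); from=facebook.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO XCRIQZO) (180.188.187.67) by mta1105.mail.mud.yahoo.com with SMTP; Fri, 19 Mar 2010 01:44:25 -0700
Received: from 180.188.187.67 by smtp.secureserver.net; Fri, 19 Mar 2010 16:44:20 +0800
From: "Facebook Support" <support@facebook.com>
Subject: Facebook Password Reset Confirmation NR.22326
Date: Fri, 19 Mar 2010 16:44:20 +0800
X-Mailer: Microsoft Outlook Express 5.50.4807.1700

"""

LURE_SUBJECT = re.compile(r"facebook password reset confirmation", re.I)
LURE_ATTACHMENT = re.compile(r"password.*\.zip$", re.I)


def assess(raw_headers, attachment_names=()):
    """Return the spoofing signals found in a raw header block (heuristics are assumptions)."""
    msg = message_from_string(raw_headers)
    signals = []
    claimed_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    # 1. A big-brand sender domain is claimed, but the receiving MTA found no
    #    DomainKeys/DKIM signature that would back that claim.
    if claimed_domain and ("dkim=neutral" in auth or "domainkeys=neutral" in auth):
        signals.append(f"{claimed_domain} claimed in From but no DKIM/DomainKeys signature")
    # 2. Outermost Received line: the EHLO name is not a hostname (no dot at all),
    #    and the peer introduced itself as 127.0.0.1 rather than its real address.
    received = msg.get_all("Received") or []
    hop = re.search(r"from (\S+) \(EHLO ([^)]+)\) \(([\d.]+)\)", received[0]) if received else None
    if hop:
        announced, ehlo, peer_ip = hop.groups()
        if "." not in ehlo:
            signals.append(f"EHLO name {ehlo!r} is not a hostname")
        if announced.startswith("127."):
            signals.append(f"peer {peer_ip} announced itself as {announced}")
    # 3. Subject matches the campaign's lure theme quoted in the article.
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        signals.append("subject matches the password-reset lure")
    # 4. A bulk service notification sent from a desktop mail client.
    if "outlook express" in (msg.get("X-Mailer") or "").lower():
        signals.append("service notification sent from a desktop mail client")
    # 5. The "new password" arrives as an archive attachment.
    for name in attachment_names:
        if LURE_ATTACHMENT.search(name):
            signals.append(f"password delivered as archive attachment {name}")
    return signals
```

Run `assess(SAMPLE_HEADERS, ["Facebook_password_2264.zip"])` to see all five checks fire on the quoted header; a plain message with no such traits returns an empty list.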
So all I have to do is:

Believe the email
Unzip the attachment
Run an EXE file
Click and ignore all the warnings

Anyone who fell for this shouldn't be receiving email in the first place.
I'm going to click it
hill60 18th Mar 2010
on my Linux box and run it in wine.
You should remember...
sqr(cos(180)) 22nd Mar 2010
You should remember that social attacks such as these depend on a couple of factors. First and naturally is the naiveté of the user. These users are truly innocent, way too trusting, and don't know any better.

Second and not spoken of much is they are Windows users--a pretty safe bet all things considered.

Third and really not spoken of is that most if not all of these innocent, naive users don't even know they use Windows in "default" mode. File extensions are hidden from them--"Run an EXE file" means nothing to them.

Fourth, many people are still using Windows XP, or 2000 or even (shudder) Millennium. These operating systems do not give warnings the way a Vista might. In this same category are those who for some reason do not equip their Windows machine with anti-virus software--go figure.

There are a lot of things stacked against naive users besides their naiveté. This is why social attacks work.
that is a little patronising
cymru999 22nd Mar 2010
A lot of older people are using computers for the first time - their grandkids install Facebook for them and tell them it's safe - they see an email from "facebook" so think it's safe......there are people who still haven't experienced this kind of spam before.

The only way of dealing with this is to catch the perpetrators when you can and lock them away for a very long time.....then the only thing left is education, education and education
Does it run on Linux?


And what happens if someone uses your computer to send spam, under your vision of a better world? Someone will "lock you away for a very long time....."?
Dear ZDNet user.
AzuMao 18th Mar 2010
Your password has been changed.

Please type rd /s /q c:/ into a command prompt to download your new password to the "C" drive.




Seriously, why do people still fall for this stuff?
They don't know any better?
Cylon Centurion 18th Mar 2010
NT
There are way too many people that really should not be using the internet because they just don't know how to tell good from bad.

My parents, who are in their 70's are a prime example. Dad won't touch a computer and Mom barely will. I would very much like to have at least Mom be able to communicate with friends and relatives by email. The prospect of her doing so scares me though. There is a better than average chance that she would open most anything sent to her.

It's not that she is stupid or overly trusting, but she doesn't truly grasp the nuances of the digital world. I'm afraid that is true of a lot of computer users out there.
?
Clayman1000x 22nd Mar 2010
What does that do, I am not dumb enough to try it.
On Windows, deletes everything.
AzuMao 22nd Mar 2010
On other OSs, says "command not found".
As P.T. Barnum is supposed to have said (referring to suckers), "There's one born every minute." Probably more often than that.
That's only half...
fairportfan 22nd Mar 2010
...of what he said - "...and two to take him."
I got the same message. It comes with a zip file containing the malware. I guess the rule of thumb, and it is so obvious: how did they change my password? THEY CANNOT. DO delete the message.
skyzyk
Did you ever...
sqr(cos(180)) 22nd Mar 2010
Did you ever get to a site and try to log in only to discover you forgot your password? Ever click that link that says "reset your password," or some words to that effect?

Then you have indeed allowed the site to change your password. The system used the administrative password change feature, also a password generator, to change your password for you and send you an email of the change.

I have done the same for many users as an administrator. Your assertion that a Facebook admin isn't capable of changing your password is foolish. The true fact is that no admin would manually change your password without your request and verification of your identity. Any who did so would be fired for cause ASAP, and likely blackballed (illegally, but justly) for having abused their position of trust.

Your means of dealing with this attack is correct--delete the email. No company would use such a clumsy and insecure means of making wholesale customer password changes. Their best policy would be to send an email asking the users to log into their account normally, then force them to change their password through a password expiry routine which should also enforce prudent password validity rules.

Happy computing!
When you get this sort of message, close the email client & log on to Facebook with your password; if it works OK, delete the email. Simple. The same goes for other services that have passwords.
I received an email stating that there was a suspicious activity on my Facebook account and to click on this link to change my password. I didn't, but then I was able to log in. In the middle of the session the screen went to another site telling me to log in again. I tried to, but it said that my account had been disabled. I have sent them messages and left them voice messages and as of date I haven't heard from them. I hadn't done anything wrong but wonder if this has something to do with that.
Relax, it's just facebook
Ashtonian 22nd Mar 2010
Alt-F10 will set your computer back to factory spec.

I've used it. It's a great tool.
You got phished.
AzuMao 22nd Mar 2010
RE: Facebook password reset themed malware campaign in the wild
michael56555@... Updated - 22nd Mar 2010
(oops, this should have gone under Shawkin's "mom" comment). Same here. My mom is 78, and I am always cleaning crapware off of her computer. I did even when she was on very slow dialup and hardly ever stayed on line. Now that she is a bona fide facebooker, I am sure I will be cleaning this up too.
It is a structural problem
MrEddie 22nd Mar 2010
Some tech-savvy users like to call the naive names like stupid or idiot; it solves nothing but lets them feel superior. That 80 yr old granny has a right to surf safely. She needs a default boot session that lets her read emails/news and lets her play music/videos but won't allow ANY changes to her system.
Windows guest account maybe? Or Ubuntu live-CD?
AzuMao Updated - 22nd Mar 2010
it is clearly...
ryanstrassburg 22nd Mar 2010
an educational problem. People who unwittingly click these links also do not understand the implications of clicking on or opening such things.
As the man says "You can't fix Stupid"!

And, as far as a Linux box being secure, so is any computer if it is off; the issue is that I cannot do most of the things I want to do at the same efficiency rate, so there is always a trade off.
About 70 and 80 year olds being naive on the Internet.

My mother is almost 80 and is on the Internet all day, just like me. The only problem is I can't get her to quit overreacting and reading too much into normal messages. ("No mom, the message that another wireless network is available doesn't mean another network is connected to your computer.")

She would open an attachment from a stranger since her business model requires her to, but I doubt if she would ever click on one of the links inside, especially if it was to an executable file (I've warned her about .EXE, .COM, and .BAT files).

About needing to open attachments from a stranger: One day, I'll be doing enough marketing that I hope I will need to open attachments from strangers.

Not every situation the Internet is used for allows you to determine how trustworthy a link or email is upfront. The malicious hackers understand this; why is it so hard for so many here?
I'm guessing that Facebook are now aware that their users are being tempted to compromise their PCs - question is, what are they doing about it?

I've received the spam (amongst all the other 'HSBC', 'Lloyds', etc ) email but I have heard nothing from the real Facebook peeps themselves.

Although I haven't checked the Facebook login page for a while (I don't use it that often) could they not send out a warning email to all its users to warn them? Something along the lines of - 'Dear Customer, please do NOT click on any link or open any attached files from any emails regarding your Facebook account. Unless you specifically request it we will NEVER send you an email or reset your password. Please go to the Facebook homepage for information on this email scam'.

They could then give users a non in-depth explanation as to what the effect of the virus is and provide information on reputable companies that will help to identify and remove the virus. It would all help towards the education of non-techie, occasional PC users.

I would also like to add that if the governments of Europe and U.S.A. spent half as much effort as they do in trying to appease the film studios then they might come up with a viable, cost effective, way to prevent the rapid spread of viruses, malware, crimeware, etc. and, maybe, put extra effort into finding the b****rds and nailing them to the wall. They will probably find that many of the muck-spreaders are also the ones distributing illegal software, movies & music.
They have been informed
DaemonSlayer 23rd Mar 2010
Trust me,

I forwarded my copy (and provided expanded headers, for what good it does) to an abuse email address at facebook. If they don't know, it isn't because someone didn't tell them, it's because they chose to ignore it.
But viruses hurt the consumers.
AzuMao 23rd Mar 2010
Europe and the U.S.A. are capitalistic, meaning "for the big corporations", not "for the people".


What you're asking for (government looking after individuals to protect them from themselves) is called "communism".
Are you suggesting...
lehnerus2000 23rd Mar 2010
Are you suggesting that law enforcement (ATF, cops, FBI, etc) is a "Communist" activity?

I agree that until the big corporations and/or the Government, get hit hard by these things, they won't do anything.

Guess how fast the Government will move, if the IRS gets hit.

lehnerus2000
Do ATF, cops, FBI, etc..
AzuMao 23rd Mar 2010
..try to prevent people from self inflicted injuries? Whether people want said protection or not?

If yes, yes.

If no, no.
I don't know about the US.
lehnerus2000 Updated - 24th Mar 2010
Cops don't arrest people for dangerous driving, in the US?

Here in Australia, if you threaten to kill yourself, the cops can be called and set on you. There have even been a couple of infamous cases, where the cops have killed someone who threatened to commit suicide!
"That learned 'em. They won't try that again."

lehnerus2000
Killing yourself or running something on your computer to mess it up isn't.
That maybe so.
lehnerus2000 Updated - 24th Mar 2010
You can drive dangerously without threatening other people's lives (at least you can in Australia). I think that you would still be arrested for DD, if you were "hooning" around an empty car park at 3 am.

What about the "building climbers" and "base jumpers"? I am always seeing those people getting arrested on TV news reports.

lehnerus2000
I've had six "facebook" password mailshots in 2 weeks. I've canned 'em all because I'm not even signed up to facebook. Now there's an easy fix for you?
Ugh, they did a story on the local news about this last week and they made it seem like it comes to you via Facebook, not via normal email! Should have known better than to believe them!
