Multiple Spam Waves – Bredolab.X (Sep 11, 2009)
The SonicWALL UTM Research team has observed a strong increase in Bredolab.X spam campaigns in the last two weeks. Bredolab.X was first spammed in early August 2009 via a UPS invoice spam campaign, which was covered in Sonicalert – UPS Invoice spam – Bredolab.X Trojan.
SonicWALL has received more than 100,000 e-mail copies from these spam campaigns so far. The e-mail messages in all of these spam campaigns carry a ZIP-archived attachment that contains the Bredolab Trojan executable. The sample e-mail format from each spam campaign is shown below:
Campaign #1 – DHL spam
Attachment: Ma8c574c3.zip (contains Ma8c574c3.exe)
Subject: DHL Tracking Number [8-digit alpha-numeric number]
Email Body:
————————
Hello!
We were not able to deliver the postal package you have sent on the 16th of June in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
DHL Delivery Services.
————————
Campaign #2 – PriceGrabber spam
Attachment: M5e786c73.zip (contains M5e786c73.exe)
Subject: Shipping confirmation for order – [Random 3-5 digit number]
Email Body:
————————
Hello!
Thank you for shopping at our internet store!
We have successfully received your payment.
Your order has been shipped to your billing address.
You have ordered Sony VAIO VGC-LT39U.
You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.
We hope you enjoy your order!
Pricegrabber.com
————————
Campaign #3 – UPS Spam
Attachment: Me8541779.zip (contains Me8541779.exe)
Subject: UPS Tracking Number [Random 7 digit alpha-numeric number]
Email Body:
————————
Dear customer!
Unfortunately we were not able to deliver postal package which was sent on the 14th of July in time because the addressee’s address is erroneous.
Please print out the invoice copy attached and collect the package at our department.
Your United Parcel Service of America
————————
Campaign #4 – Western Union Spam
Attachment: Me8541779.zip (contains Me8541779.exe)
Subject: Western Union transfer is available for withdrawl
Email Body:
————————
Hello.
The amount of money transfer: 6567 USD.
Money is available to withdrawl.
You may find the Control number and receiver’s details in document attached to this email.
Western Union.
Customer Service.
————————
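The four campaigns share one mechanical shape: a lure subject, a ZIP attachment named "M" plus eight hex digits, and a same-named .exe inside the archive. The script below is an added example written for this page, not SonicWALL code or the GAV signature, showing how a mail gateway or triage script can check a raw message for those indicators. The subject regexes are derived from the bracketed placeholders in the campaign descriptions above and are therefore an assumption about exact format; the extra executable extensions and the "MZ" header check are generalizations beyond what the page reports. The sample messages are constructed in the script, and the "executable" is a benign stub, not a Bredolab sample.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject patterns derived from the four campaigns described above (assumption:
# the bracketed placeholders on the page map to these character classes).
SUBJECT_PATTERNS = [
    re.compile(r"^DHL Tracking Number [0-9A-Za-z]{8}$"),
    re.compile(r"^Shipping confirmation for order\s*[-\u2013]\s*\d{3,5}$"),
    re.compile(r"^UPS Tracking Number [0-9A-Za-z]{7}$"),
    re.compile(r"^Western Union transfer is available for withdrawl$"),
]

# Attachment naming seen in all four campaigns: "M" + 8 hex digits + ".zip",
# wrapping an .exe of the same base name.
LURE_ZIP_NAME = re.compile(r"^M[0-9a-f]{8}\.zip$", re.IGNORECASE)

# .exe is what the page reports; the other extensions are an assumption about
# how the same lure is commonly varied and are not from the page.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report lure indicators.

    Returns a dict with the subject, whether it matched a campaign pattern,
    each ZIP attachment found (by magic bytes, not extension), executables
    inside those ZIPs, and a verdict of "block", "review" or "clean".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    report = {
        "subject": subject,
        "subject_match": any(p.match(subject) for p in SUBJECT_PATTERNS),
        "zip_attachments": [],
        "executables": [],
    }

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Test the ZIP magic rather than the filename so a renamed archive is not missed.
        if not payload.startswith(b"PK\x03\x04"):
            continue
        entry = {"name": name, "lure_name": bool(LURE_ZIP_NAME.match(name)), "members": []}
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as fh:
                        # "MZ" is the DOS stub header every PE file starts with;
                        # this catches an executable renamed to a harmless extension.
                        is_pe = fh.read(2) == b"MZ"
                    entry["members"].append(info.filename)
                    if is_pe or info.filename.lower().endswith(EXECUTABLE_EXTS):
                        report["executables"].append(info.filename)
        except zipfile.BadZipFile:
            entry["error"] = "corrupt or truncated archive"
        report["zip_attachments"].append(entry)

    # An executable inside a mailed ZIP is enough to block on its own; the
    # subject and filename patterns are corroborating evidence for triage.
    if report["executables"]:
        report["verdict"] = "block"
    elif report["subject_match"] or any(e["lure_name"] for e in report["zip_attachments"]):
        report["verdict"] = "review"
    else:
        report["verdict"] = "clean"
    return report


def build_sample(subject: str, zip_name: str, member_name: str, member_bytes: bytes) -> bytes:
    """Construct a test message with a ZIP attachment (constructed input, not a captured sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content("Please print out the invoice copy attached and collect the package at our office.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return bytes(msg)


# Benign placeholder standing in for the Trojan: just an MZ header and padding.
FAKE_EXE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    lure = build_sample("DHL Tracking Number A1B2C3D4", "Ma8c574c3.zip", "Ma8c574c3.exe", FAKE_EXE)
    print(inspect_message(lure)["verdict"])   # block
    benign = build_sample("Holiday photos", "photos.zip", "notes.txt", b"see you next week")
    print(inspect_message(benign)["verdict"])  # clean
```

The verdict logic deliberately blocks on the executable alone: the subjects and attachment names rotate from wave to wave (four different lures in a month here), whereas "ZIP that unpacks to a PE file, delivered by e-mail" is the constant that a gateway can act on without a per-campaign signature update.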
SonicWALL has received more than 200 distinct Bredolab.X variants through these spam campaigns. The Trojan is also known as Bredolab.gen (McAfee), W32/Bredolab!Generic (F-Prot) and TrojanDownloader:Win32/Bredolab.X (Microsoft).
SonicWALL Gateway AntiVirus provided proactive protection against the above spam campaigns via the GAV: Bredolab.X_3 (Trojan) signature (19,309,161 hits recorded since August 18, 2009). This signature proactively detected all Bredolab.X variants.