Multiple Spam Waves – Bredolab.X (Sep 11, 2009)


The SonicWALL UTM Research team has observed a strong increase in Bredolab.X spam campaigns over the last two weeks. Bredolab.X was first spammed in early August 2009 via a UPS invoice spam campaign, which was covered in the Sonicalert "UPS Invoice spam – Bredolab.X Trojan".

SonicWALL has received more than 100,000 e-mail copies from these spam campaigns so far. The e-mail messages in all of these campaigns carry a zip-archived attachment that contains the Bredolab Trojan executable. The sample e-mail format from each spam campaign is shown below:

Campaign #1 – DHL spam

Attachment: (contains Ma8c574c3.exe)

Subject: DHL Tracking Number [8-digit alpha-numeric number]

Email Body:

We were not able to deliver the postal package you have sent on the 16th of June in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.

DHL Delivery Services.

Campaign #2 – PriceGrabber spam

Attachment: (contains M5e786c73.exe)

Subject: Shipping confirmation for order – [Random 3-5 digit number]

Email Body:

Thank you for shopping at our internet store!
We have successfully received your payment.

Your order has been shipped to your billing address.
You have ordered Sony VAIO VGC-LT39U.

You can find your tracking number in attached to the e-mail document.
Please print the label to get your package.

We hope you enjoy your order!

Campaign #3 – UPS Spam

Attachment: (contains Me8541779.exe)

Subject: UPS Tracking Number [Random 7 digit alpha-numeric number]

Email Body:
Dear customer!

Unfortunately we were not able to deliver postal package which was sent on the 14th of July in time because the addressee’s address is erroneous.
Please print out the invoice copy attached and collect the package at our department.

Your United Parcel Service of America

Campaign #4 – Western Union Spam

Attachment: (contains Me8541779.exe)

Subject: Western Union transfer is available for withdrawl

Email Body:

The amount of money transfer: 6567 USD.
Money is available to withdrawl.

You may find the Control number and receiver’s details in document attached to this email.

Western Union.
Customer Service.
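As an added example (not part of the original SonicWALL alert), the Python script below builds constructed copies of the four lure e-mails above, each carrying a zip attachment whose single member is a harmless placeholder standing in for the dropper, and then runs a small mail check over them: it matches the campaign subject lines and looks inside any zip attachment for an executable, noting when the member follows the M + eight hex digits naming of Ma8c574c3.exe, M5e786c73.exe and Me8541779.exe. The subject lines and dropper names come from the page; the extra executable extensions, the pass/review/block verdicts, the placeholder payload and the example.invalid addresses are assumptions made for the example.

```python
"""Constructed Bredolab-style spam samples and a mail checker for them."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines of the four campaigns, with the bracketed placeholders turned
# into regexes (assumption: alphanumeric means [0-9A-Za-z]; the PriceGrabber
# subject on the page uses an en dash, a plain hyphen is accepted as well).
SUBJECT_PATTERNS = {
    "DHL": re.compile(r"^DHL Tracking Number [0-9A-Za-z]{8}$"),
    "PriceGrabber": re.compile(r"^Shipping confirmation for order [-\u2013] [0-9]{3,5}$"),
    "UPS": re.compile(r"^UPS Tracking Number [0-9A-Za-z]{7}$"),
    "Western Union": re.compile(r"^Western Union transfer is available for withdrawl$"),
}

# The three droppers named on the page share the shape "M" + 8 hex digits + ".exe".
DROPPER_NAME = re.compile(r"^M[0-9a-f]{8}\.exe$", re.IGNORECASE)

# The page only mentions .exe; the other extensions are an assumption about
# what else should never arrive inside a mailed archive.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def build_sample(subject: str, body: str, member_name: str, zip_name: str) -> bytes:
    """Construct a test e-mail whose zip attachment holds one member.

    The member is a placeholder ("MZ" header plus text), not a real binary,
    so the sample is safe to build and inspect anywhere.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62 + b"constructed placeholder payload")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # assumed sender
    msg["To"] = "victim@example.invalid"      # assumed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report the Bredolab indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "")
    campaign = next((name for name, pat in SUBJECT_PATTERNS.items() if pat.match(subject)), None)

    executables, dropper_style = [], False
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        is_zip = part.get_content_type() == "application/zip" or filename.lower().endswith(".zip")
        if not is_zip or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                base = member.rsplit("/", 1)[-1]  # ignore any directory prefix
                if base.lower().endswith(EXECUTABLE_EXT):
                    executables.append(base)
                    if DROPPER_NAME.match(base):
                        dropper_style = True

    return {
        "subject": subject,
        "campaign": campaign,
        "executables": executables,
        "dropper_style_name": dropper_style,
        # An executable inside a mailed zip is enough on its own; a matching
        # lure subject without one is still worth a look (assumed policy).
        "verdict": "block" if executables else ("review" if campaign else "pass"),
    }


# Constructed samples: one per campaign, one lure without a payload, one benign control.
SAMPLES = {
    "dhl": build_sample("DHL Tracking Number 7F3K9Q2A", "Please print out the invoice copy attached.", "Ma8c574c3.exe", "DHL_invoice.zip"),
    "pricegrabber": build_sample("Shipping confirmation for order - 4821", "You can find your tracking number in attached document.", "M5e786c73.exe", "label.zip"),
    "ups": build_sample("UPS Tracking Number 4A2B9C1", "Please print out the invoice copy attached.", "Me8541779.exe", "UPS_invoice.zip"),
    "western_union": build_sample("Western Union transfer is available for withdrawl", "The amount of money transfer: 6567 USD.", "Me8541779.exe", "WU_details.zip"),
    "ups_lure_only": build_sample("UPS Tracking Number 4A2B9C1", "See attached.", "invoice.pdf", "UPS_invoice.zip"),
    "benign": build_sample("Quarterly report", "See attached.", "report.pdf", "report.zip"),
}


def classify_samples() -> dict:
    """Run the checker over every constructed sample, keyed by sample name."""
    return {name: inspect_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:14} {result['verdict']:6} campaign={result['campaign']} exe={result['executables']}")
```

The checker deliberately does not trust the attachment's declared content type alone: it opens the zip and lists its members, which is where the executable actually lives in these campaigns, and it treats a known lure subject with no payload as a separate, lower-confidence signal.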

SonicWALL has received more than 200 distinct Bredolab.X variants through these spam campaigns. The Trojan is also known as Bredolab.gen trojan (McAfee), W32/Bredolab!Generic (F-Prot) and TrojanDownloader:Win32/Bredolab.X (Microsoft).

SonicWALL Gateway AntiVirus provided proactive protection against the above spam campaigns via the GAV: Bredolab.X_3 (Trojan) signature (19,309,161 hits recorded since August 18, 2009). This signature proactively detected all Bredolab.X variants.
