Bredolab spam campaigns return in 2010 (Jan 8, 2010)

The SonicWALL UTM Research Team observed the first Bredolab spam campaign of 2010 starting on the morning of Thursday, January 7, 2010; it involved MySpace password reset spam. That run continued until early this morning, when the senders switched to Facebook password reset spam, which is still active at the time of writing this SonicALERT.

Similar social engineering tactics using Facebook and MySpace lures to spread new variants of Bredolab were also seen during 2009. SonicWALL has seen more than 40,000 e-mail copies from these spam campaigns so far.

Both campaigns use the same theme: a fake e-mail message informs the user that their account password has been reset by the respective company and instructs them to open the attached document to retrieve the new password. The attachment is a new variant of the Bredolab Trojan. SonicWALL has received more than 17 unique Bredolab payloads from these spam campaigns since yesterday.

Campaign #1 – MySpace Password Reset spam

Subject:

  • MySpace Password Reset Confirmation! Order NR.[4-digit number]
  • MySpace Password Reset Confirmation!

Attachment:

  • MySpace_document_53459.zip (contains MySpace_document_53459.exe)
  • MySpace_document_32722.zip (contains MySpace_document_32722.exe)

Email Body:
————————
Hey [random name],

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.
————————

The e-mail message looks like below:

[screenshot of the MySpace password reset e-mail]

Campaign #2 – Facebook Password Reset spam

Subject:

  • Facebook Password Reset Confirmation! Support Message
  • Facebook Password Reset Confirmation! Your Support
  • Facebook Password Reset Confirmation! Important Message
  • Facebook Password Reset Confirmation! Customer Support

Attachment: Facebook_password_92335.zip (contains Facebook_password_92335.exe)

Email Body:
————————
Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.

Thank,
Your facebook.
————————

The e-mail message looks like below:

[screenshot of the Facebook password reset e-mail]

The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:

[screenshots of the executable's Excel-style icon]
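The lure described in both campaigns is mechanical enough to match at the mail gateway: a "Password Reset Confirmation!" subject, the "your password has been changed / see attached document" body, and a zip whose only content is a Windows executable (the Excel icon is cosmetic; the file still starts with the PE "MZ" header). The following triage routine is an added example, not SonicWALL's code or a GAV signature; the message it builds is a constructed sample that mimics Campaign #1, and the "executable" inside the zip is just an MZ header followed by zero bytes.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Subject prefix shared by every subject line quoted for the two campaigns.
SUBJECT_RE = re.compile(r"^(MySpace|Facebook) Password Reset Confirmation!", re.IGNORECASE)
# Phrases common to both quoted e-mail bodies.
BODY_PHRASES = ("your password has been changed", "new password in attached document")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")


def executables_in_zip(data: bytes) -> list:
    """Names of zip members that are PE files (MZ header) or carry an executable extension."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    head = member.read(2)
                if head == b"MZ" or info.filename.lower().endswith(EXECUTABLE_EXTS):
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a zip at all; nothing to report from this check
    return found


def triage_message(msg: EmailMessage) -> list:
    """Reasons this message matches the Bredolab password-reset lure; empty list means no match."""
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject: fake password reset confirmation")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if all(phrase in text for phrase in BODY_PHRASES):
        reasons.append("body: 'password changed, see attached document' lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            exes = executables_in_zip(part.get_payload(decode=True))
            if exes:
                reasons.append(f"attachment {fname}: zip contains executable {exes}")
    return reasons


def build_sample_message() -> EmailMessage:
    """Constructed sample resembling Campaign #1; the 'exe' is an MZ header plus padding, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MySpace_document_53459.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Subject"] = "MySpace Password Reset Confirmation! Order NR.4821"
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content(
        "Hey John,\n\n"
        "Because of the measures taken to provide safety to our clients, "
        "your password has been changed.\n"
        "You can find your new password in attached document.\n\n"
        "Thanks,\nYour MySpace.\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="MySpace_document_53459.zip")
    return msg


def build_benign_message() -> EmailMessage:
    """Constructed control message that should not trigger any rule."""
    msg = EmailMessage()
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Are we still on for lunch?\n")
    return msg


if __name__ == "__main__":
    for reason in triage_message(build_sample_message()):
        print("FLAG:", reason)
    print("benign:", triage_message(build_benign_message()))
```

Each rule fires independently, so a gateway can weight them: the zip-wrapped executable alone is worth quarantining regardless of subject, while the subject and body rules on their own are better treated as a score contribution, since they would also match a legitimate notice that happened to reuse the wording.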

When executed, the Trojan performs the following host-level activity:

  • Drops a copy of itself as (Windows System Folder)Startuprarype32.exe (~36KB)
  • Deletes the original file
  • Attempts to connect to the dollardream.ru domain on TCP port 4455 and downloads an encrypted configuration file

The Trojan is also known as TROJ_BREDLAB.SMP [Trend] and Win32:Bredolab-BL [Trj] [Avast].
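The host and network behaviour listed above gives defenders two observables that do not depend on the attachment's hash: a connection (or DNS lookup) to dollardream.ru, and outbound TCP to port 4455, plus the dropped file name on the host. The scanner below is an added example, not SonicWALL's tooling; it runs over constructed log lines in a generic key=value format (not real SonicWALL or EDR log output) and reports which lines match which indicator.

```python
import re

# Indicators quoted in this alert.
C2_DOMAIN = "dollardream.ru"
C2_PORT = 4455
DROPPED_FILE = "rarype32.exe"

# Constructed sample log in a generic key=value format; addresses are documentation ranges.
# The file path on line 5 is illustrative only; the alert gives the drop location as
# "(Windows System Folder)Startup".
SAMPLE_LOG = """\
2010-01-08T09:12:01 fw event=conn src=10.0.0.21 dst=198.51.100.7 proto=tcp dport=443 host=www.example.com action=allow
2010-01-08T09:12:05 fw event=conn src=10.0.0.21 dst=203.0.113.9 proto=tcp dport=4455 host=dollardream.ru action=allow
2010-01-08T09:12:06 fw event=dns src=10.0.0.21 query=dollardream.ru
2010-01-08T09:12:09 fw event=conn src=10.0.0.34 dst=203.0.113.10 proto=tcp dport=4455 action=allow
2010-01-08T09:12:30 edr event=file_create computer=ws21 path=C:\\Windows\\system\\Startup\\rarype32.exe
2010-01-08T09:13:00 fw event=conn src=10.0.0.21 dst=198.51.100.8 proto=tcp dport=80 host=update.example.com action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; the leading token is kept as 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def match_indicators(fields: dict) -> list:
    """Return the indicator descriptions that a parsed line matches (empty if none)."""
    reasons = []
    host = fields.get("host", "").lower()
    query = fields.get("query", "").lower()
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN) or query == C2_DOMAIN:
        reasons.append(f"contact with {C2_DOMAIN}")
    # Port 4455 is unusual enough for outbound traffic to flag even without the domain.
    if fields.get("proto") == "tcp" and fields.get("dport") == str(C2_PORT):
        reasons.append(f"outbound tcp/{C2_PORT}")
    path = fields.get("path", "").lower()
    if path.endswith(DROPPED_FILE):
        reasons.append(f"dropped file {DROPPED_FILE}")
    return reasons


def scan_log(text: str) -> list:
    """Scan every non-empty line and collect hits as {line, source, reasons} records."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = parse_line(line)
        reasons = match_indicators(fields)
        if reasons:
            source = fields.get("src") or fields.get("computer") or "?"
            hits.append({"line": number, "source": source, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['source']} -> {', '.join(hit['reasons'])}")
```

Grouping hits by source is the useful next step: the host that both resolved the domain and opened tcp/4455 (10.0.0.21 in the sample) is the one to pull for the dropped file, while a bare tcp/4455 connection from another host is a lead to confirm rather than a verdict.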

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Bredolab.BMP (Trojan) signature [716,342 hits recorded in the last 24 hours].

[screenshot]
