New Bredolab spam campaigns (Updated – Feb 12, 2010)


The SonicWALL UTM Research team has observed a sharp increase in Bredolab spam campaigns in the last two days. The earlier Bredolab spam campaign involving Facebook and MySpace, the first of 2010, was covered in the Sonicalert – Bredolab spam campaigns return in 2010.

SonicWALL has received more than 200,000 e-mail copies from these recent spam campaigns so far. The email messages in all of these spam campaigns carry a zip archive attachment that contains a new variant of the Bredolab Trojan executable. A sample e-mail from each spam campaign is shown below:

Campaign #1 – Microsoft Outlook spam

Attachment: officexp-KB910721-FullFile-ENU.zip (contains officexp-KB910721-FullFile-ENU.exe)

Subject: Update for Microsoft Outlook / Outlook Express (KB910721)

Email Body:
————————
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps:
1. Run attached file officexp-KB910721-FullFile-ENU.exe
2. Restart Microsoft Outlook / Outlook Express

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista

* This update applies to the following product: Microsoft Outlook / Outlook Express
————————

The email message looks like:

screenshot

Campaign #2 – Macbook Air spam

Attachment: winner.zip (contains winner.exe)

Subject: Congratulation !!!

Email Body:
————————
Congratulations!! You have won todays Macbook Air.
Please open attached file and see details.
————————

The email message looks like:

screenshot

Campaign #3 – Greeting Card Spam

Attachment: ecard.zip (contains ecard.exe)

Subject: You Have Received a Greeting Card

Email Body:
————————
To pick up your eCard, open attached file
Your card will be aviailable for pick-up beginning for the next 30 days.
————————

The email message looks like:

screenshot

Campaign #4 – Girlfriend Spam

Attachment: Me8541779.zip (contains Me8541779.exe)

Subject: Do you like to find a girlfriend like me ?

Email Body:
————————
Wish to have a boyfriend
Be able to protect me, take care of me
Intolerable lonely night and would like to have your care.
do you Willing ?

This is my photos.
————————

The email message looks like:

screenshot

Campaign #5 – Facebook Account Agreement Spam

Attachment: agreement.zip (contains agreement.exe)

Subject: updated account agreement

Email Body:
————————
Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new,
udpated account agreement, regardless of their original account start
date.
Accounts that do not submit the updated account agreement by the
deadline will have restricted.

Please unzip the attached file and run agreement.exe by double-clicking
it.

Thanks,
The Facebook Team
————————

The email message looks like:

screenshot

If the user extracts and executes one of these new Bredolab variants, it will in turn attempt to download FakeAV malware from a hard-coded IP address. SonicWALL has received more than 7 distinct Bredolab variants through these spam campaigns so far. The executable files inside the attachments look like this:

screenshot
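All five campaigns share one structural trait: a zip attachment whose only member is a Windows executable, often under a lure name that appears on this page (winner.zip, ecard.zip, agreement.zip, and so on). The following Python script is an added example, not SonicWALL's code or any of its products; it parses a message, opens each zip attachment in memory, and flags members that carry an executable extension or the PE/DOS "MZ" magic, also noting when the attachment name matches one quoted in this alert. The sample messages it builds are constructed test data, and the sender/recipient addresses and stub executable bytes are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names quoted in the alert above, used as a simple indicator list.
KNOWN_ATTACHMENTS = {
    "officexp-KB910721-FullFile-ENU.zip",
    "winner.zip",
    "ecard.zip",
    "Me8541779.zip",
    "agreement.zip",
}
# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def zip_members_with_executables(data: bytes):
    """Return names of zip members that look like executables.

    A member is flagged when its name has an executable extension or its
    first two bytes are the PE/DOS 'MZ' magic (catches renamed binaries)."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    magic = fh.read(2)  # only the header is needed
                if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS) or magic == b"MZ":
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        # A truncated or malformed archive is itself worth a look.
        findings.append("<corrupt zip>")
    return findings


def inspect_message(raw: bytes):
    """Parse one RFC 822 message and report zip attachments carrying executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"subject": str(msg["subject"]), "hits": []}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the zip magic as well, in case the lure uses a misleading name.
        if fname.lower().endswith(".zip") or payload[:2] == b"PK":
            execs = zip_members_with_executables(payload)
            if execs:
                report["hits"].append({
                    "attachment": fname,
                    "known_bredolab_name": fname in KNOWN_ATTACHMENTS,
                    "executables": execs,
                })
    return report


def build_sample(subject, zip_name, inner_name, inner_bytes) -> bytes:
    """Construct a test message with a single-member zip attachment (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # assumed placeholder address
    msg["To"] = "user@example.invalid"       # assumed placeholder address
    msg["Subject"] = subject
    msg.set_content("Please open attached file and see details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Stub "executable": MZ header followed by padding (constructed, not a real binary).
    lure = build_sample("Congratulation !!!", "winner.zip", "winner.exe",
                        b"MZ\x90\x00" + b"\x00" * 60)
    benign = build_sample("Holiday photos", "photos.zip", "beach.jpg",
                          b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    for raw in (lure, benign):
        print(inspect_message(raw))
```

Run as-is to see one flagged and one clean report; in a mail-gateway or SOC context the same `inspect_message` function can be pointed at `.eml` files read from disk. Matching on the known names is only a convenience for this wave; the extension and magic-byte checks are what keep the logic useful once the lure filenames change.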

SonicWALL Gateway AntiVirus provides proactive protection against the above spam campaigns with the following signatures:

  • GAV: Bredolab.CCK (Trojan) [2,622,667 hits recorded starting Feb 2, 2010]
  • GAV: Bredolab.SMP_2 (Trojan) [6,004,226 hits recorded starting Feb 4, 2010]
  • GAV: Bredolab.BY (Trojan) [1,143,060 hits recorded starting Feb 12, 2010]

screenshot
