Bredolab DHL and Facebook spam continues (Apr 9, 2010)


The SonicWALL UTM Research team continues to monitor the Bredolab e-mail spam campaigns themed around the social networking website Facebook and the courier service DHL. E-mails from these campaigns started appearing early this morning and were still being sent at the time of writing this alert.

SonicWALL has already received more than 400,000 copies of e-mails from these campaigns. The messages in both campaigns carry a zip attachment that contains a new variant of the Bredolab Trojan executable. A sample e-mail from each campaign is shown below:

Campaign #1 – DHL Services

Subject:

  • DHL Express Services. You need to get a parcel NR.[4-digit numeric number]
  • DHL Office. Please get your parcel NR.[4-digit numeric number]
  • DHL services. Please get your parcel NR.[5-digit numeric number]
  • DHL International. Get your parcel NR.[4-digit numeric number]
  • DHL Customer Services. Please get your parcel NR.[4-digit numeric number]

Attachment: DHL_package_1737.zip (contains DHL_package_1737.exe)

Email Body:
————————
Hello!

The courier service was not able to deliver your parcel at your address.
Cause: Mistake in address.

You may pickup the parcel at our post office personally.

The delivery advice is attached to this e-mail.
Print this label to get this package at our post office..

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Services
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Facebook Password Reset spam

Subject:

  • Facebook Password Reset Confirmation NR.[4-digit numeric number]

Attachment: Facebook_password_1574.zip (contains Facebook_password_1574.exe)

Email Body:
————————
Hey [Facebook User]!

Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.

Thanks,
The Facebook Team.
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as a Microsoft Word document file:

screenshot

Installation

    Drops DLL component files

Files Installed

  • All Users\Application Data\Microsoft\Windows\mspdb44.dll – [GAV: Bredolab.CL_2 (Trojan)]
  • system32\lgou.rlo – [GAV: Oficla.FO_2 (Trojan)]

Registry Changes

    Added Registry

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: LoadAppInit_DLLs
    Data: dword:00000001
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: RequireSignedAppInit_DLLs
    Data: dword:00000000

    Modified Registry

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Original Data: “Explorer.exe”
    Modified Data: “Explorer.exe rundll32.exe lgou.rlo mrtiyyb”
  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Value: AppInit_DLLs
    Original Data: “”
    Modified Data: “All Users\Application Data\Microsoft\Windows\mspdb44.dll”
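As an added defender's check, not part of the SonicWALL alert, the PowerShell below audits the persistence points listed above: the AppInit_DLLs values under HKLM, the Winlogon Shell value in both hives, and the two dropped files. It assumes the DLL sits under %ALLUSERSPROFILE% and the .rlo loader under %SystemRoot%\system32 (the alert gives only relative paths).

```powershell
# Added example, not from the SonicWALL alert: read-only audit of the registry
# values and file paths this Bredolab variant touches. Run from an elevated shell.
function Get-BredolabPersistenceFindings {
    $findings = @()

    # AppInit_DLLs: the sample sets LoadAppInit_DLLs=1, clears
    # RequireSignedAppInit_DLLs and points AppInit_DLLs at mspdb44.dll.
    $appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $ai = Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue
    if ($ai) {
        $dlls = [string]$ai.AppInit_DLLs
        if ($dlls.Trim() -ne '') {
            $findings += "AppInit_DLLs is populated: '$dlls'"
            if ($dlls -notlike "$env:SystemRoot\*") {
                $findings += "  AppInit_DLLs does not point under $env:SystemRoot"
            }
        }
        if ($ai.LoadAppInit_DLLs -eq 1 -and $ai.RequireSignedAppInit_DLLs -eq 0) {
            $findings += 'LoadAppInit_DLLs=1 with RequireSignedAppInit_DLLs=0: unsigned AppInit DLLs are allowed'
        }
    }

    # Winlogon Shell: the sample appends "rundll32.exe lgou.rlo mrtiyyb" to
    # Explorer.exe in HKCU. Anything but a bare explorer.exe is suspicious.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $wlKey = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $wlKey -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim() -ne 'explorer.exe') {   # -ne is case-insensitive
            $findings += "$hive Winlogon Shell is '$shell' (expected 'Explorer.exe')"
        }
    }

    # Dropped files named in the alert. Assumed locations: the DLL under the
    # All Users profile, the .rlo loader under system32.
    $paths = @(
        (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Windows\mspdb44.dll'),
        (Join-Path $env:SystemRoot 'system32\lgou.rlo')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $findings += "Dropped file present: $p"
        }
    }
    return $findings
}

$result = @(Get-BredolabPersistenceFindings)
if ($result.Count -eq 0) { 'No Bredolab persistence indicators found.' } else { $result }
```

On Vista and later %ALLUSERSPROFILE% is C:\ProgramData, where "Application Data" is only a compatibility junction, so adjust the DLL path to the location your own analysis shows.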

SonicWALL Gateway AntiVirus provides protection against this Trojan via GAV: Bredolab.CL (Trojan), GAV: Bredolab.CL_2 (Trojan) and GAV: Oficla.FO_2 (Trojan).

screenshot
