New Bredolab spam campaign (August 6, 2010)

The SonicWALL UTM Research team discovered a wave of YouSendIt-themed spam involving a newer variant of the Bredolab Trojan in the last 24 hours. The spam emails arrive with a zip-archived attachment that contains the Bredolab Trojan executable.

The e-mail pretends to come from YouSendIt, an online file sharing service that lets users send, receive and track files on demand. This is the first time SonicWALL has observed the YouSendIt storage service being spoofed by the Bredolab authors while spamming the newer variant of the Trojan.

Attachment: YouSendIt_reader.zip (contains YouSendIt_reader.exe)

Subject: You have received a file from [removed]@[removed].com via YouSendIt. (The subject varies with the From address)

Email Body:
————————

Katelyn Goodman has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy
1919 S. Bascom Ave., Campbell, CA 95008
————————

A sample email message looks like:

[screenshot: sample email message]

The executable file inside the attachment looks like this:

[screenshot: executable file inside the attachment]

If the user opens the malicious attachment, it performs the following activities on the victim’s machine:

  • Network activity:
    • It downloads a file from 188.65.74.161 and renames it to _ex-68.exe
    • It sends a request to 77.78.249.2
    • It sends a SYN to 85.234.191.111:80, which is acknowledged with an ACK, possibly reporting the infected IP
  • It creates the following files:
    • C:\WINDOWS\Temp\_ex-08.exe – Detected as GAV: Bredolab.SI (Trojan)
    • C:\WINDOWS\Temp\_ex-68.exe – Detected as GAV: FakeAlert.P (Trojan)
  • It creates the following processes in memory:
    • C:\WINDOWS\Temp\_ex-08.exe
    • C:\WINDOWS\Temp\_ex-68.exe
    • (The process name is a randomized number in memory)
  • It creates the following registry key so that the infection survives every system restart, under the value name “sniffer”:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\Temp\_ex-08.exe
  • As part of the infection process it downloads and launches the file _ex-68.exe, which is a fake AntiVirus product:
    • It launches and displays fake infections
    • When the user attempts to remove the infections, an activation screen is displayed
    • When the user clicks “Activate Security Tool”, a screen is displayed asking for credit card and personal information
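The indicators listed above, turned into a small endpoint log scan as an added example (this is not SonicWALL's code): the pipe-separated key=value record format, the field names and the sample records are assumptions constructed for the demonstration; the IPs, file paths and the "sniffer" Run value are the ones reported in this advisory.

```python
import re

# Indicators as listed in the advisory: download/beacon hosts, the dropped
# executables in C:\WINDOWS\Temp and the Run value "sniffer" used for persistence.
C2_IPS = {"188.65.74.161", "77.78.249.2", "85.234.191.111"}
TEMP_EXE_RE = re.compile(r"(?i)^C:\\WINDOWS\\Temp\\_ex-\d+\.exe$")
RUN_VALUE_RE = re.compile(
    r"(?i)^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\sniffer$")

def parse(line):
    """Parse one 'key=value|key=value' record (assumed, constructed log format)."""
    return dict(p.split("=", 1) for p in line.strip().split("|") if "=" in p)

def check(line_no, rec):
    """Return (line_no, reason) if the record matches an indicator, else None."""
    ev = rec.get("event")
    if ev == "net" and rec.get("dst") in C2_IPS:
        return (line_no, f"connection to known Bredolab host {rec['dst']}")
    if ev in ("file", "proc") and TEMP_EXE_RE.match(rec.get("path", "")):
        return (line_no, f"Bredolab-style dropper path {rec['path']}")
    if (ev == "reg" and RUN_VALUE_RE.match(rec.get("key", ""))
            and TEMP_EXE_RE.match(rec.get("data", ""))):
        return (line_no, "Run value 'sniffer' pointing into C:\\WINDOWS\\Temp")
    return None

def scan(log_text):
    """Scan a whole log and return one (line_no, reason) tuple per matching line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            h = check(n, parse(line))
            if h:
                hits.append(h)
    return hits

# Constructed sample log: two benign records, then four that mirror the advisory.
SAMPLE_LOG = r"""
event=proc|path=C:\Program Files\Mozilla Firefox\firefox.exe
event=net|dst=203.0.113.5|dport=443
event=file|path=C:\WINDOWS\Temp\_ex-08.exe
event=net|dst=188.65.74.161|dport=80
event=reg|key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sniffer|data=C:\WINDOWS\Temp\_ex-08.exe
event=net|dst=85.234.191.111|dport=80
""".strip()

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The Run-key rule deliberately requires both the "sniffer" value name and a target inside C:\WINDOWS\Temp, so a legitimately named autostart entry elsewhere does not fire.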

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with GAV: Bredolab.SI (Trojan) signature. [2,759,497 hits recorded in last 24 hours]