Bredolab masked as Facebook Password Reset Confirmation
October 27, 2009 19 Comments
MX Lab detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation”. The From address in the email is shown as “The Facebook Team <email@example.com>” but the real SMTP from address is spoofed.
The attachment has the name Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe. the part between _ and .zip at the end is choosen randomly and contains letters and numbers.
The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at Virus Total.
The body of the email:
Hey vguysville ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
The Facebook Team
Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).
This Bredolab variant will create the files:
It will also create the process isqsys32.exe and svchost.exe. The dll %Windir%\dsqstm6.dll is being loaded into the address space of Internet Explorer combined with several Windows registry edits.
It will attempt to connect with the remote hosts on port 80: 22.214.171.124 0, 126.96.36.199 and 188.8.131.52.
The data identified by the following URL was then requested from the remote web server:
Virus Total permlink and MD5: e3edffb53e463bc6e3f498c8aaa1e447.
[Update – 02/11/2009 5:30 PM local Belgian time]
New subject is being used:
Facebook Password Reset Confirmation. Help Centre.
Virus Total permlink and MD5: f69849928111bf764e3b1a0b39b684b7.