Malicious Facebook Password Spam

quote:

The From: address on the messages is spoofed using support(at)facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside. The .exe file currently has a detection rate of about 30 percent on VirusTotal.

VirusTotal link: http://www.virustotal.com/analisis/963f2e1769790ae402809e8f77275a219c67de414a7fbc13d687aa8070d5f10c-1256597978 Avast doesn't detect it.

More: http://securitylabs.websense.com/content/Alerts/3496.aspx

(Milos, Michal?)

nmb
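The pattern described in the quoted alert (a From: header claiming facebook.com plus a .zip attachment carrying an .exe) is easy to check for mechanically. The script below is an added example, not code from the original thread or from Websense/Avast; the message it builds is constructed in place with made-up file names so it runs offline, and the spoofed sender address follows the one quoted above.

```python
"""Flag mail matching the reported spam pattern: a sender address in
facebook.com and a .zip attachment that contains an executable.
Added example; the sample message and file names are constructed here."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

SPOOFED_DOMAIN = "facebook.com"  # domain the spam impersonates
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_message(with_payload: bool = True) -> bytes:
    """Construct a message resembling the reported spam (made-up content).
    with_payload=False yields the same text without the attachment."""
    msg = EmailMessage()
    msg["From"] = "Facebook <support@facebook.com>"   # spoofed, as in the alert
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your password has been changed. See the attached file.")
    if with_payload:
        zip_buf = io.BytesIO()
        with zipfile.ZipFile(zip_buf, "w") as zf:
            # Hypothetical inner name; a bare MZ header stands in for the payload.
            zf.writestr("Facebook_Password_1234.exe", b"MZ" + b"\x00" * 62)
        msg.add_attachment(zip_buf.getvalue(), maintype="application",
                           subtype="zip", filename="Facebook_Password_1234.zip")
    return msg.as_bytes()


def executables_in_zip(data: bytes) -> list:
    """Return the names inside a zip archive that end in an executable suffix.
    A corrupt or non-zip blob yields an empty list rather than an exception."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES)]


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report the two indicators together."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    claims_facebook = domain == SPOOFED_DOMAIN or domain.endswith("." + SPOOFED_DOMAIN)

    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_SUFFIXES):
            executables.append(name)               # executable attached directly
        elif name.endswith(".zip") or part.get_content_type() == "application/zip":
            executables.extend(executables_in_zip(payload))  # executable inside zip

    return {
        "sender_domain": domain,
        "claims_facebook": claims_facebook,
        "executables": executables,
        # The From: header alone proves nothing (it is attacker-controlled);
        # the verdict needs the impersonated domain AND an executable payload.
        "suspicious": claims_facebook and bool(executables),
    }


if __name__ == "__main__":
    print(analyze(build_sample_message()))
    print(analyze(build_sample_message(with_payload=False)))
```

The From: header is exactly what the spammer forges, so matching it is an indicator, not a verdict; the check only fires when it coincides with an executable payload. For real mail the same function can be fed the bytes of a saved .eml file instead of the constructed sample.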

Yep, I just got what looks to be a fake 'account confirmation' asking me to confirm my account… from 2007!!
Add to that the fact that I have never registered for facebook…

The thing that worries me is that it looks SO genuine… exactly the same as the invites I get from friends… someone else may not realise…

Hi,
Send us (virus@avast.com) the sample in a password-protected attachment. These samples differ from one another.

Thank you,
Milos

Scott, do you have a copy of the spam mail in your spam folder? You can forward it to Alwil, because I didn't get the spam.

nmb

Just found out that the malicious executable is linked to the Bredolab botnet.

More here: http://threatpost.com/en_us/blogs/facebook-password-reset-spam-botnet-attack-102709

hope it helps.

I think Bredolab botnet detection is added to the Avast database, but this might be a different variant. Don't you have gens for bots? Or under what group have you put bot gens?

nmb

Hi Milos,

There was no attachment on the email I received, just a 'facebook' style formatted email… that looks SO convincing…
The weird From: address gave it away.

Do you still want the email?
I can forward it if you want… (if a picture is not enough…)

I think this is slightly different than the one reported here…

Also, one of the reasons I don't have a Facebook account, and probably won't ever…

-Scott-

Yes Scott, this is a completely different one. I thought you got the same one that is in the link I gave.

nmb

There was one of these sent to me this morning, and my ISP caught and quarantined it. They used to have separate quarantines for infected (or probably infected) stuff and for “ordinary” junk mail, but now they put everything in one pile.

In the case of a virus like the topic one, they remove the original content and replace it with info about the virus.