Symantec Intelligence

Bredolab trojan now using a popular social networking brand to spread

Created: 27 Oct 2009
Daren Lewis

This post is made on behalf of my colleague Mathew Nisbet, Malware Data Analyst

The Bredolab Trojan has been seen “in the wild” for a long time, but the people behind it constantly change the subjects and format of the e-mails to try to fool people. The most recent change has been to use a popular social networking brand name to trick people into opening and running an attachment by telling them their password has been reset and that their new password is contained in the attachment. Running the attachment will install the Bredolab Trojan on their machine and give the people behind the attack full control to do almost anything they want.

The first few occurrences of the new style were seen between 7pm and 8pm on 26th October and there has been a steady stream of them since, reaching almost 30% of all malware seen between 2am and 3am on the 27th October.

The subject currently being used is “Password Reset Confirmation”, and the from address has been spoofed to look as though it was sent by “The <popular social networking site> Team”. It is not a very sophisticated e-mail: it uses no logos and is in plain text.

The attachment is in the form of a zip file (which is an attempt to get past most standard e-mail filters) which contains an exe file. The filenames are so far all of the same format, “nnnnnnnn_password_” followed by a random number and the file extension.
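A filter that only looks at the outer attachment extension sees a harmless-looking zip, so the check has to open the archive and inspect its members. The following is an added example, not code from Symantec or from the original post: it flags messages whose zip attachment contains an executable and notes whether the subject matches the one reported above. The extension list beyond `.exe`, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

LURE_SUBJECT = "password reset confirmation"        # subject reported in the post
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")  # assumption: the post names only .exe


def zip_executables(data):
    """Return names of executable members in a zip, or [] if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Inspect every attachment of a raw RFC 5322 message for executables hidden in zips."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check the zip magic bytes as well, so a renamed archive is still opened.
        if name.endswith(".zip") or payload[:4] == b"PK\x03\x04":
            hits += zip_executables(payload)
    subject = (msg["Subject"] or "").strip().lower()
    return {"subject_match": subject == LURE_SUBJECT, "exe_in_zip": hits, "flag": bool(hits)}


def build_sample(member_name, content):
    """Constructed test message with harmless content; all names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    msg = EmailMessage()
    msg["Subject"] = "Password Reset Confirmation"
    msg["From"] = "team@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The flag is driven by the archive contents rather than the subject line, since the post notes that the senders change subjects constantly.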

The source of this latest Bredolab run is the same as almost all the previous variations we have seen. It comes from the Cutwail (aka. Pandex) botnet, which is one of the largest mass mailing botnets in existence, with over one million ‘zombie’ machines under its control.
