Bredolab DHL and Facebook spam continues
The SonicWALL UTM Research team continues to monitor the Bredolab e-mail spam campaigns themed around the social networking website Facebook and the courier service DHL. E-mails from these campaigns started appearing early this morning and were still being sent at the time of writing this alert.
SonicWALL has already received more than 400,000 copies of e-mails from these spam campaigns. The messages in both campaigns carry a zip-archived attachment containing a new variant of the Bredolab Trojan executable. A sample e-mail from each campaign is shown below:
Campaign #1 - DHL Services
Subject:
- DHL Express Services. You need to get a parcel NR.[4-digit numeric number]
- DHL Office. Please get your parcel NR.[4-digit numeric number]
- DHL services. Please get your parcel NR.[5-digit numeric number]
- DHL International. Get your parcel NR.[4-digit numeric number]
- DHL Customer Services. Please get your parcel NR.[4-digit numeric number]
Attachment: DHL_package_1737.zip (contains DHL_package_1737.exe)
Email Body:
------------------------
Hello!
The courier service was not able to deliver your parcel at your address.
Cause: Mistake in address.
You may pickup the parcel at our post office personally.
The delivery advice is attached to this e-mail.
Print this label to get this package at our post office..
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
DHL Services
------------------------
The e-mail message looks like below:
Campaign #2 - Facebook Password Reset spam
Subject:
- Facebook Password Reset Confirmation NR.[4-digit numeric number]
Attachment: Facebook_password_1574.zip (contains Facebook_password_1574.exe)
Email Body:
------------------------
Hey [Facebook User]!
Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.
Thanks,
The Facebook Team.
------------------------
The e-mail message looks like below:
The executable file inside the zip attachment has an icon disguised as a Microsoft Word document file:
Installation
- Drops DLL component files
Files Installed
- All Users\Application Data\Microsoft\Windows\mspdb44.dll - [GAV: Bredolab.CL_2 (Trojan)]
- system32\lgou.rlo - [GAV: Oficla.FO_2 (Trojan)]
Registry Changes
- Added Registry
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value: LoadAppInit_DLLs
Data: dword:00000001
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value: RequireSignedAppInit_DLLs
Data: dword:00000000
- Modified Registry
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: Shell
Original Data: "Explorer.exe"
Modified Data: "Explorer.exe rundll32.exe lgou.rlo mrtiyyb"
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value: AppInit_DLLs
Original Data: ""
Modified Data: "All Users\Application Data\Microsoft\Windows\mspdb44.dll"
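As an added illustration (not part of the original alert and not SonicWALL's tooling), the following Python script checks the four registry values listed above for the persistence conditions this Trojan creates: a populated AppInit_DLLs, unsigned AppInit DLL loading switched on, and a Winlogon Shell value that launches more than explorer.exe. The key paths are the standard Windows ones; on a non-Windows host it runs against a snapshot constructed from the listing above.

```python
import sys
from typing import Dict, List
# Hypothetical check written for this alert, not SonicWALL's code. The key
# paths are the standard Windows ones; assess() works on any value snapshot.
WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

def assess(values: Dict[str, object]) -> List[str]:
    """Return one finding per suspicious condition in a snapshot of the values."""
    findings = []
    load = int(values.get("LoadAppInit_DLLs", 0) or 0)
    signed = int(values.get("RequireSignedAppInit_DLLs", 1))  # absent: assume on
    dlls = str(values.get("AppInit_DLLs") or "").strip()
    shell = str(values.get("Shell") or "").strip().strip('"')
    if dlls:
        findings.append("AppInit_DLLs is populated: " + dlls)
    if load == 1 and signed == 0:
        findings.append("unsigned AppInit DLL loading is enabled "
                        "(LoadAppInit_DLLs=1, RequireSignedAppInit_DLLs=0)")
    if shell and shell.lower() != "explorer.exe":
        findings.append("Winlogon Shell is not explorer.exe alone: " + shell)
    return findings

def read_live() -> Dict[str, object]:
    """Read the same four values from the local registry (Windows only)."""
    import winreg  # stdlib module, available only on Windows
    wanted = [(winreg.HKEY_LOCAL_MACHINE, WINDOWS_KEY, n) for n in
              ("LoadAppInit_DLLs", "RequireSignedAppInit_DLLs", "AppInit_DLLs")]
    wanted.append((winreg.HKEY_CURRENT_USER, WINLOGON_KEY, "Shell"))
    values: Dict[str, object] = {}
    for hive, path, name in wanted:
        try:
            with winreg.OpenKey(hive, path) as key:
                values[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            pass  # value absent; assess() falls back to the default
    return values

# Snapshot constructed from the registry data listed in the alert.
INFECTED = {
    "LoadAppInit_DLLs": 1, "RequireSignedAppInit_DLLs": 0,
    "AppInit_DLLs": r"All Users\Application Data\Microsoft\Windows\mspdb44.dll",
    "Shell": "Explorer.exe rundll32.exe lgou.rlo mrtiyyb",
}
CLEAN = {"LoadAppInit_DLLs": 0, "AppInit_DLLs": "", "Shell": "explorer.exe"}

if __name__ == "__main__":
    snapshot = read_live() if sys.platform == "win32" else INFECTED
    for finding in assess(snapshot):
        print("WARNING:", finding)
```

On 64-bit hosts the same values also exist under the Wow6432Node view of the Windows key, which this snippet does not read.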
SonicWALL Gateway AntiVirus provides protection against this Trojan via the GAV: Bredolab.CL (Trojan), GAV: Bredolab.CL_2 (Trojan) and GAV: Oficla.FO_2 (Trojan) signatures.