New Bredolab spam campaign

August 6, 2010

In the last 24 hours the SonicWALL UTM Research team has observed a wave of YouSendIt-themed spam carrying a newer variant of the Bredolab Trojan. The spam e-mails arrive with a zip-archived attachment that contains the Bredolab Trojan executable.

The e-mail pretends to come from YouSendIt, an online file-sharing service that lets users send, receive and track files on demand. This is the first time SonicWALL has observed the YouSendIt brand being spoofed by the Bredolab authors while spamming a newer variant of the Trojan.

Attachment: YouSendIt_reader.zip (contains YouSendIt_reader.exe)

Subject: You have received a file from [removed]@[removed].com via YouSendIt. (The subject varies with the spoofed From address.)

Email Body:
------------------------

Katelyn Goodman has sent you the following via YouSendIt

File attached to this letter.

YouSendIt, Inc. | Privacy Policy
1919 S. Bascom Ave., Campbell, CA 95008
------------------------

A sample email message looks like:

screenshot

The executable file inside the attachment looks like this:

screenshot
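The lure above has two properties a mail gateway can key on: the templated YouSendIt subject line and a zip attachment whose only member is a Windows executable. The script below is an added example, not SonicWALL's own filtering logic; it builds a message shaped like the one quoted above (the payload is a two-byte MZ stub constructed for the example, not the Trojan) and triages it with Python's standard `email` and `zipfile` modules. The executable-extension list and the subject regex are assumptions chosen for this example.

```python
"""Triage a YouSendIt-themed message for a zipped executable attachment.

Added example (not SonicWALL code). The message is constructed to match the
lure in the post; the attachment payload is a stub, not real malware.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows will execute directly when double-clicked (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Subject template used by the campaign; the address part varies per message.
SUBJECT_RE = re.compile(r"You have received a file from .+ via YouSendIt", re.I)


def build_sample_message() -> bytes:
    """Construct a message shaped like the campaign's lure (sample data)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Stub executable: an MZ header followed by zero padding, not the Trojan.
        zf.writestr("YouSendIt_reader.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Katelyn Goodman <removed@removed.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "You have received a file from removed@removed.com via YouSendIt."
    msg.set_content(
        "Katelyn Goodman has sent you the following via YouSendIt\n\n"
        "File attached to this letter.\n"
    )
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="YouSendIt_reader.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return the reasons a message is suspicious (an empty list means clean)."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject):
        findings.append("subject matches YouSendIt lure template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    # A "file sharing notification" that carries a program
                    # inside its archive is the campaign's delivery mechanism.
                    if member.lower().endswith(EXECUTABLE_EXTS):
                        findings.append(f"{name} contains executable {member}")
        except zipfile.BadZipFile:
            findings.append(f"{name} is not a valid zip archive")
    return {"subject": subject, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = triage(build_sample_message())
    for finding in result["findings"]:
        print("FLAG:", finding)
```

Inspecting the archive members rather than the outer attachment name matters here: the outer `.zip` looks benign to a naive extension filter, and the inner `.exe` is what the user actually double-clicks.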

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • Network Activity:
    • It downloads a file from 188.65.74.161 and renames it to _ex-68.exe
    • screenshot

    • It sends a request to 77.78.249.2
    • screenshot

    • It sends a SYN to 85.234.191.111:80, which is answered with an ACK, possibly a check-in reporting the infected host's IP address
  • It creates the following files
    • C:\WINDOWS\Temp\_ex-08.exe - Detected as GAV: Bredolab.SI (Trojan)
    • C:\WINDOWS\Temp\_ex-68.exe - Detected as GAV: FakeAlert.P (Trojan)
    • screenshot

  • It creates the following processes in memory
    • C:\WINDOWS\Temp\_ex-08.exe
    • C:\WINDOWS\Temp\_ex-68.exe
    • (The process name is a randomized number in memory)

  • It creates the following Run registry value, named "sniffer", so that the Trojan is launched again on every system restart:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\Temp\_ex-08.exe
  • As part of the infection process it downloads and launches the file _ex-68.exe, which is a fake AntiVirus product
    • It launches and displays fake infection warnings
    • screenshot

    • When the user attempts to remove infections an activation screen is displayed

      screenshot

    • When the user clicks "Activate Security Tool" a screen is displayed asking for credit card and personal information

      screenshot
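The host and network indicators in the list above (an `_ex-NN.exe` dropped into `C:\WINDOWS\Temp`, a Run value named "sniffer" pointing at it, and connections to the three listed IP addresses) are straightforward to hunt for. The script below is an added example, not SonicWALL's tooling; it runs those checks over a constructed `reg export` snippet and a constructed connection log whose `time src dst:port flags` layout is an assumption made for the example. The `.reg` parser handles the plain string values shown and is generic enough to run over a real export of the Run key.

```python
"""Hunt for the Bredolab/FakeAlert host and network indicators from the post.

Added example, not SonicWALL's own tooling. The .reg export and connection log
are constructed sample inputs that mirror the indicators listed above.
"""
import re

# Indicators taken from the post.
C2_IPS = {"188.65.74.161", "77.78.249.2", "85.234.191.111"}
DROPPED_NAME_RE = re.compile(r"\\Temp\\_ex-\d+\.exe$", re.I)
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed `reg export` text (sample data, not from a real machine).
# .reg files double every backslash inside string data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"sniffer"="C:\\WINDOWS\\Temp\\_ex-08.exe"
'''

# Constructed connection log, assumed layout: "<time> <src> <dst>:<port> <flags>".
SAMPLE_CONNLOG = """\
12:00:01 10.0.0.15 188.65.74.161:80 SYN
12:00:02 10.0.0.15 77.78.249.2:80 SYN
12:00:03 10.0.0.15 93.184.216.34:443 SYN
12:00:04 10.0.0.15 85.234.191.111:80 SYN
"""


def parse_reg_export(text):
    """Yield (key, value_name, data) triples for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # Undo the backslash doubling used in .reg string data.
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def suspicious_run_entries(reg_text):
    """Run values named 'sniffer' or launching an _ex-NN.exe from Windows\\Temp."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() != RUN_KEY.lower():
            continue
        if name.lower() == "sniffer" or DROPPED_NAME_RE.search(data):
            hits.append((name, data))
    return hits


def c2_contacts(log_text):
    """Return (src, dst_ip) pairs for connections to the listed C2 addresses."""
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        src, dst = parts[1], parts[2].rsplit(":", 1)[0]
        if dst in C2_IPS:
            out.append((src, dst))
    return out


if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_REG):
        print(f"persistence: Run\\{name} -> {path}")
    for src, dst in c2_contacts(SAMPLE_CONNLOG):
        print(f"C2 contact: {src} -> {dst}")
```

Matching on the Windows\Temp path pattern as well as the literal value name "sniffer" is deliberate: the value name is the cheapest thing for the authors to change between builds, while a persistence entry that launches anything out of the Temp directory is suspicious on its own.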

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with the GAV: Bredolab.SI (Trojan) signature. [2,759,497 hits recorded in the last 24 hours]

screenshot