New social engineering tactics by Bredolab and ZBot
The SonicWALL UTM Research team has observed a new social engineering tactic being used to spam new variants of the Bredolab and Zbot Trojans. The Facebook password reset spam campaign started on October 26, 2009 and involves a fake e-mail message pretending to come from the Facebook team, informing the user that their Facebook account password has been reset. The message tells users they can retrieve their new password from the attached document, which is actually the new variant of the Bredolab Trojan.
The Myspace password reset spam campaign started on October 29, 2009 and also involves a fake e-mail message pretending to come from the Myspace team, informing the user that their Myspace account password has been reset. Here the attached document that supposedly contains the new password is the new variant of the ZBot Trojan.
SonicWALL has received more than 65,000 e-mail copies involving 96 Bredolab variants and 10 Zbot variants from these spam campaigns so far. The e-mail messages look like this:
Campaign #1 - Facebook Password Reset spam
Attachment: Facebook_Password_99176.zip (contains Facebook_Password_99176.exe)
Subject: Facebook Password Reset Confirmation! Please Attention!
Email Body:
------------------------
Hey [random name] ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
The Facebook Team.
------------------------
A sample e-mail message looks like:
The executable file inside the zip attachment has an icon disguised as a Microsoft Excel sheet file:
Campaign #2 - Myspace Password Reset spam
Attachment: myspace_94354.zip (contains myspace_94354.exe)
Subject: Myspace Password Reset Confirmation
Email Body:
------------------------
Hello,
Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.
Thanks,
The Myspace Team
------------------------
A sample e-mail message looks like:
SonicWALL Gateway AntiVirus provided proactive protection against the Facebook spam campaign via the GAV: Bredolab.X_3 (Trojan) signature [16,498,402 hits recorded in the last five days] and against the Myspace spam campaign via the GAV: Zbot.VM (Trojan) signature [4,009,386 hits recorded in the last three days].
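As an added example (not SonicWALL's or the campaign's code), the check below shows how a mail filter could flag the lure pattern common to both campaigns: a "password reset confirmation" subject, a sender display name claiming a brand whose domain does not match the address, and a zip attachment that really carries a Windows executable. The message it parses is constructed to mirror campaign #1; the sender domain example.net and the attachment bytes (a PE "MZ" header plus padding, not a real program) are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure traits taken from the two campaigns above.
LURE_SUBJECT = re.compile(r"password reset confirmation", re.I)
BRAND_DOMAINS = {"facebook": "facebook.com", "myspace": "myspace.com"}


def assess_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the Bredolab/ZBot lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("lure subject: password reset confirmation")
    # Display name names a brand, but the address domain is not that brand's.
    sender = msg.get("From", "").lower()
    addr_domain = sender.rsplit("@", 1)[-1].strip("> ")
    for brand, domain in BRAND_DOMAINS.items():
        if brand in sender and not addr_domain.endswith(domain):
            reasons.append(f"sender claims {brand} but domain is {addr_domain}")
    # Open zip attachments and look for executables by name or PE magic.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if not name.lower().endswith(".zip") or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".exe") or zf.read(info)[:2] == b"MZ":
                    reasons.append(f"zip {name} contains executable {info.filename}")
    return reasons


def build_sample() -> bytes:
    """Constructed message mirroring campaign #1 (sender domain and exe bytes are made up)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Facebook_Password_99176.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <noreply@example.net>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Facebook Password Reset Confirmation! Please Attention!"
    msg.set_content("Hey user,\nYour password has been changed. You can find your new "
                    "password in attached document.\nThanks,\nThe Facebook Team.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_99176.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in assess_message(build_sample()):
        print(reason)
```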