Beware! Facebook Reset-Password email is an attack!

Indications have emerged that the emails purportedly sent by Facebook to members, asking them to reset their passwords following identified threats to their accounts, are in fact an attack.
According to anti-virus industry experts, the malicious executable is linked to the Bredolab botnet, which has been tied to massive spam runs and identity-theft related attacks.

The email uses a fake Facebook password-reset message to trick PC users into downloading a dangerous piece of malware. This malware gives the attackers full control of the PC: they can steal customer information, send spam emails and practically do as they please.

Websense, an industry player, says the address of the sender is spoofed to display “[email protected]”, a trick commonly used to convince recipients that the email is a legitimate message from the network.

The alert says,
“Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using [email protected] to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside (SHA1:d01c02b331f47481a9ffd5e8ec28c96b7c67a8c6). The .exe file currently has a detection rate of about 30 percent on VirusTotal. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today”.

It continues,

“The malicious .exe file connects to two servers to download additional malicious files and joins the Bredolab botnet, which means the attackers have full control of the PC, such as stealing customer information and sending spam emails. One of the servers is in the Netherlands and the other one in Kazakhstan”.
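The two Websense excerpts above describe three observable traits of this campaign: a spoofed From: address, a .zip attachment carrying an .exe, and a published SHA1 for that .exe. The following Python script is an added example, not part of the original post or of Websense's tooling, that checks a raw message for exactly those traits. It compares the From: domain with the envelope sender (Return-Path), opens any zip attachment to look for executable file names, and hashes each inner file against the SHA1 quoted on this page. The sample messages it builds are constructed here: the sender addresses, subject and the byte stub standing in for the executable are made up, since the real spoofed address is redacted above and the real payload is obviously not reproduced.

```python
import email
import email.policy
import email.utils
import hashlib
import io
import zipfile
from email.message import EmailMessage

# The one indicator published in the Websense alert quoted above: SHA1 of the .exe inside the .zip.
KNOWN_BAD_SHA1 = {"d01c02b331f47481a9ffd5e8ec28c96b7c67a8c6"}

# File types that should never arrive inside a "password reset" from a web service.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in an RFC 5322 address header."""
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: bytes) -> dict:
    """Inspect one raw message for the traits the alert describes:
    From: domain differing from the envelope sender (Return-Path),
    a .zip attachment that contains an executable, and a SHA1 hit on the IoC."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {"sender_mismatch": False, "executables_in_zip": [], "ioc_hits": []}

    from_dom = _domain(msg.get("From", ""))
    return_dom = _domain(msg.get("Return-Path", ""))
    if from_dom and return_dom and from_dom != return_dom:
        findings["sender_mismatch"] = True

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Match on the zip magic as well, so a renamed archive is not missed.
        if not (name.endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for info in archive.infolist():
                    if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings["executables_in_zip"].append(info.filename)
                        digest = hashlib.sha1(archive.read(info)).hexdigest()
                        if digest in KNOWN_BAD_SHA1:
                            findings["ioc_hits"].append((info.filename, digest))
        except zipfile.BadZipFile:
            # An unreadable archive posing as a zip is itself worth flagging.
            findings["executables_in_zip"].append(f"{name} (unreadable zip)")
    return findings


def build_lookalike_sample() -> bytes:
    """Constructed stand-in for the campaign's message. Addresses, subject and the
    inner 'executable' are all invented; the real spoofed sender is redacted on the page."""
    inner_exe = b"MZ" + b"\x00" * 62  # constructed DOS-header-shaped stub, not malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Facebook_Password_Reset.exe", inner_exe)
    msg = EmailMessage()
    msg["From"] = "Facebook <noreply@facebook.example>"   # constructed lookalike sender
    msg["Return-Path"] = "<bounce-4421@mailer.example>"    # constructed envelope sender
    msg["To"] = "user@example.net"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your password has been reset. Open the attached file for your new password.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_Reset.zip")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed plain-text message with consistent sender domains and no attachment."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.net>"
    msg["Return-Path"] = "<alice@example.net>"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Lunch?"
    msg.set_content("Noon at the usual place?")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze_message(build_lookalike_sample()))
    print(analyze_message(build_benign_sample()))
```

Run against the constructed lookalike, the script reports the sender-domain mismatch and the executable inside the archive; the SHA1 list stays empty because the stub is not the real payload. On a mail gateway the same logic would be fed the raw message bytes and the IoC set extended with whatever hashes the anti-virus vendors publish.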

A screenshot of the fake alert is shown below.

[Screenshot: Fake Facebook reset password alert]

All Facebook account holders are encouraged to disregard this email and to take every precaution before downloading attachments from similar emails in the future, especially if they are unsure of or suspicious about the source.

The virus has a 30% detection rate on VirusTotal. VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans and other kinds of malware recognised by antivirus engines.

As at the time of writing this report, the anti-virus programs that detected the malware are:

Antivirus     Version           Name
AVG           8.5.0.423         Win32/Heur
BitDefender   7.2               Trojan.Downloader.Bredolab.AZ
eSafe         7.0.17.0          Suspicious File
F-Secure      9.0.15370.0       Trojan.Downloader.Bredolab.AZ
GData         19                Trojan.Downloader.Bredolab.AZ
Kaspersky     7.0.0.125         Packed.Win32.Krap.w
Microsoft     1.5202            TrojanDownloader:Win32/Bredolab.X
Norman        6.03.02           W32/Obfuscated.D2!genr
Sophos        4.46.0            Mal/Bredo-A
Sunbelt       3.2.1858.2        Trojan.Win32.Bredolab.Gen.1 (v)
TrendMicro    8.950.0.1094      TROJ_BREDLAB.SMF
Comodo        2743              Heur.Packed.Unknown

The following did not detect it, according to the VirusTotal analysis:

Antivirus            Version
a-squared            4.5.0.41
AhnLab-V3            5.0.0.2
AntiVir              7.9.1.44
Antiy-AVL            2.0.3.7
Authentium           5.1.2.4
Avast                4.8.1351.0
CAT-QuickHeal        10.00
ClamAV               0.94.1
DrWeb                5.0.0.12182
eTrust-Vet           35.1.7084
F-Prot               4.5.1.85
Fortinet             3.120.0.0
Ikarus               T3.1.1.72.0
Jiangmin             11.0.800
K7AntiVirus          7.10.879
McAfee               5783
McAfee+Artemis       5783
McAfee-GW-Edition    6.8.5
NOD32                4545
nProtect             2009.1.8.0
Panda                10.0.2.2
PCTools              4.4.2.0
Prevx                3.0
Rising               21.53.04.00
Symantec             1.4.4.12
TheHacker            6.5.0.2.054
VBA32                3.12.10.11
ViRobot              2009.10.26.2005
VirusBuster          4.6.5.0

Please don’t join the Bredolab botnet, and help reduce spam.

Be sure your Anti-virus program is up-to-date.
