Wednesday, January 26, 2011

Spamvertised "Your password has been stolen!" Malware Campaign Circulating

A currently ongoing spamvertised campaign attempts to impersonate the most popular social networking site, Facebook.

Using the well-proven "Your password has been stolen!" theme, the campaign entices the end user into downloading and executing the malware. Social engineering-driven campaigns targeting Facebook remain among the most popular malware-spreading techniques due to their ease of execution.

Subject: Facebook Support. Your password has been stolen! ID50888
Message: Good afternoon.

A Spam is sent from your FaceBook account.

Your password has been changed for safety. Information regarding your account and a new password is attached to the letter. Read this information thoroughly and change the password to a complicated one. Please do not reply to this email, it's an automatic mail notification! Thank you for your attention. Your Facebook!


Spamvertised filename: Facebook_details_ID76803.zip (32,458 bytes)

Detection rate:
Facebook_details.exe - Trojan-Downloader:W32/Koobface.HV - 12/43 (27.9%)
MD5   : f0e7a8c264fe14562ca8ac98abb35840
SHA1  : f68d15e66590c69ac75c46a09ae495be8bbf231f
SHA256: 3ca757bfdecbee20ec10d5af770700041f4bc1b17ee3123f4d85acfd19e1bb74

Upon execution, the sample phones back to:
interviewbuy.ru /forum/document.doc
interviewbuy.ru /forum/load.php?file=0
interviewbuy.ru /forum/load.php?file=1
interviewbuy.ru /forum/load.php?file=2
interviewbuy.ru /forum/load.php?file=3
interviewbuy.ru /forum/load.php?file=4
interviewbuy.ru /forum/load.php?file=5
interviewbuy.ru /forum/load.php?file=6
interviewbuy.ru /forum/load.php?file=7
interviewbuy.ru /forum/load.php?file=8
interviewbuy.ru /forum/load.php?file=9
interviewbuy.ru /forum/load.php?file=ftpgrabber
interviewbuy.ru /forum/load.php?file=pokergrabber
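As an added example (not from the original post), the following Python snippet shows how a defender could sweep web proxy logs for the phone-back pattern listed above and mail gateway logs for the spamvertised attachment name. The squid-style log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post above.
C2_DOMAIN = "interviewbuy.ru"
C2_PATH_RE = re.compile(r"^/forum/(document\.doc|load\.php)$")
ATTACHMENT_RE = re.compile(r"^Facebook_details(_ID\d+)?\.zip$", re.IGNORECASE)

def classify_request(url):
    """Return (domain, component) when the URL matches the Koobface phone-back
    pattern, otherwise None. 'component' is the value of the file= parameter
    (e.g. '3' or 'ftpgrabber'), or the bare path for document.doc."""
    parts = urlsplit(url)
    if parts.hostname != C2_DOMAIN or not C2_PATH_RE.match(parts.path):
        return None
    qs = parse_qs(parts.query)
    component = qs.get("file", [parts.path])[0]
    return (parts.hostname, component)

def scan_proxy_log(lines):
    """Parse constructed squid-style lines ('<ts> <client_ip> <method> <url>')
    and return the suspicious ones as (client_ip, component)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        match = classify_request(fields[3])
        if match:
            hits.append((fields[1], match[1]))
    return hits

def is_spam_attachment(filename):
    """True when an attachment name matches the spamvertised .zip pattern."""
    return bool(ATTACHMENT_RE.match(filename))

# Constructed sample log lines (assumption; not real captured traffic).
SAMPLE_LOG = [
    "1296050000 10.0.0.12 GET http://interviewbuy.ru/forum/document.doc",
    "1296050003 10.0.0.12 GET http://interviewbuy.ru/forum/load.php?file=0",
    "1296050009 10.0.0.12 GET http://interviewbuy.ru/forum/load.php?file=ftpgrabber",
    "1296050010 10.0.0.40 GET http://www.example.com/forum/load.php?file=1",
]

if __name__ == "__main__":
    for client, component in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} fetched Koobface component {component!r}")
```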


interviewbuy.ru - 91.204.48.96 (AS24965); 124.217.248.229 (AS45839) Email: servman1976@yandex.ru

ZeuS crimeware activity, as well as SpyEye malicious activity, is also observed at AS24965 (SPOINT-AS S.Point LTD).

This post has been reproduced from Dancho Danchev's blog.
