What would you do to get back your Facebook

Same attack recipe, with slight changes: one day, FB fans are


For a couple of weeks now, Facebook fans have been under a heavy shower of spam messages bundled with the same bait. The story goes like this: Facebook users receive an e-mail informing them that their passwords have been changed by the Facebook support team.

Fig. 1 The spam e-mail carries an executable attachment. Of course it is infected.

If you’re paying attention to details, you probably noticed the small there (FaceBook spelled with a capital B), which should be enough of a hint that something is fishy. Moreover, the inconsistency in the e-mail text, which uses both Facebook and FaceBook, is yet another clue to the social engineering scheme put into play here.

As shown in the picture above, the spam message comes bundled with an attachment in the form of a .zip file called New_Password. This archive contains what appears to be a Microsoft® Word® document (judging by its icon), but it is actually a bogus .exe file rigged with a document icon. This is definitely another good hint at the malicious intent of the whole deal.

Fig. 2 Bogus Word document with an executable extension
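A mail gateway or an analyst can see through this disguise by ignoring the icon and the file name and checking the bytes of each archive member instead. The following is an added example, not code from this article or from BitDefender; the member names and the harmless stub file are constructed sample data.

```python
import io
import os
import struct
import zipfile

# Extensions Windows runs on double-click (short, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Only the bytes passed in are inspected; an offset beyond them yields False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_zip_attachment(blob: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every archive member that is a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(4096)
            if looks_like_pe(head):
                # Content decides, so a renamed or icon-swapped binary is still caught.
                findings.append((info.filename, "PE header"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: an inert stub with a PE-shaped header, plus a text file."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New_Password.exe", bytes(stub))  # constructed member name
        zf.writestr("readme.txt", "plain text")
        zf.writestr("invoice.doc", bytes(stub))       # program bytes behind a document name
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_zip_attachment(build_sample_zip()):
        print(f"BLOCK {name}: {reason}")
```

Checking content before extension means a program hidden behind a document name is reported just like one that keeps its .exe extension.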

Back to the internals of the scam: the compiled binary reveals a couple of resources which claim that the file comes from TDL Softwin® and describe it as MJ BitDefender® TDL, some bogus details compiled by the attacker into the file to  although this binary definitely does not come from our labs. And this is not news for us: as recently as last week, we saw another targeted attack against Bitdefender, let alone the plethora of rogue antiviruses that use our name to trick users into installing them. Always remember that genuine BitDefender products are digitally signed to confirm their integrity and authenticity.

Fig. 3 Fake information window of the bogus “Word document”

This is in fact, as you may have already figured, a piece of malware – more precisely a backdoor (identified by BitDefender as Trojan.Generic.KDV.194478) that spreads through spam messages and downloads further malware in order to run it on the user's system.

I have to admit that the disguise is pretty good: in order to avoid suspicion, after it has successfully infected the system, the backdoor also downloads a .doc file that contains a fake Facebook password, as shown below. This type of behavior is likely to look more legit to the user than a file that suddenly melts away after it has been executed.

Fig. 4 Fake Facebook password in a downloaded .doc

Apart from this .doc file, the backdoor will also pave the way for further malware downloaded from various URLs. The downloaded malware is able to steal sensitive data such as FTP passwords, Yahoo!® Messenger accounts, as well as usernames and passwords associated with other e-mail service providers.

This newest stunt only proves one thing: cybercriminals are always searching for new ways to spread malware and attack vulnerable PC users. One cannot be too cautious. Always try to stay on the safe side when surfing the Internet.

This article is based on the technical information provided courtesy of Tiberius Axinte, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.