Article

Pushdo botnet uses Facebook to spread malicious email attachment

Robert Westervelt, News Editor

Security researchers at M86 Security Labs are warning users of a malicious spam campaign attempting to spread the Pushdo Trojan by targeting Facebook users.

Controllers of the Pushdo botnet are sending out phony email messages warning users that their Facebook password has been reset. It tries to lure users into opening an attached file containing a malicious downloader by telling users the attachment contains the new Facebook password.

Facebook has been working to shut down spammers. Last year, the social network won a multimillion judgment against a Canadian man who

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

hacked into the profiles of its members and spammed them with sexually explicit messages. At the time, the company said it hoped the action would deter others from targeting Facebook users.

Security researchers at Websense have also analyzed the Facebook spam and traced it to command and control servers connected to the Bredolab botnet. Websense said the two servers in the Netherlands and Kazakhstan enable the controllers to have full access to a victim's PC.

While traditional email spam messages like the one controlled by the Pushdo botnet continue to be the most lucrative for spammers, some are turning to social networks to conduct more targeted campaigns. The spammers buy and using phished account credentials to use the Facebook accounts to send spam messages to the account holder's friends.

A second spam campaign, purportedly to be coming from the same cybercriminals behind Pushdo, uses the ongoing banking crisis to trick users into clicking a malicious link. The phony email tries to trick victims into believing the message comes from the Federal Deposit Insurance Corporation (FDIC). It claims that the victim's bank has been listed as a failed bank and urges recipients to visit a website, which hosts malicious executable files.

The malicious website contains both PDF and Word documents designed to trick users into downloading the ZBot executable, Gavin Neale, security researcher at M86, wrote in the company blog.

"Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component that are backed up with well designed websites and offers the user plausible reasons to run a file," Neale wrote.

According to M86's spam statistics, Pushdo represented about 29.8 of spam messages received in the vendor's spam traps. It was the second largest botnet behind Rustock, which was contained in about 38% of spam messages caught in the vendor's spam traps.

Pushdo hasn't changed much over the last several years. It follows many of the same themes associated with the Storm botnet, which uses holidays and news events to dupe people into opening infecting emails or clicking on a malicious link. Recent campaigns used Michael Jackson's death.

Most spam messages continue to peddle products rather than push out malware and phishing attacks. According to M86 statistics, spam messages touting healthcare products, such as pharmaceuticals and products, such as watches, software and stationary, made up about 85% of spam messages. Malware and phishing attacks made up 5% of spam.