Pushdo botnet uses Facebook to spread malicious email attachment

By Robert Westervelt, News Editor 27 Oct 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Controllers of the Pushdo botnet are sending out phony email messages warning users that their Facebook password has been reset. It tries to lure users into opening an attached file containing a malicious downloader by telling users the attachment contains the new Facebook password.

Facebook has been working to shut down spammers. Last year, the social network won a multimillion judgment against a Canadian man who hacked into the profiles of its members and spammed them with sexually explicit messages. At the time, the company said it hoped the action would deter others from targeting Facebook users.

Security researchers at Websense have also analyzed the Facebook spam and traced it to command and control servers connected to the Bredolab botnet. Websense said the two servers in the Netherlands and Kazakhstan enable the controllers to have full access to a victim's PC.

While traditional email spam messages like the one controlled by the Pushdo botnet continue to be the most lucrative for spammers, some are turning to social networks to conduct more targeted campaigns. The spammers buy and using phished account credentials to use the Facebook accounts to send spam messages to the account holder's friends.

A second spam campaign, purportedly to be coming from the same cybercriminals behind Pushdo, uses the ongoing banking crisis to trick users into clicking a malicious link. The phony email tries to trick victims into believing the message comes from the Federal Deposit Insurance Corporation (FDIC). It claims that the victim's bank has been listed as a failed bank and urges recipients to visit a website, which hosts malicious executable files.

The malicious website contains both PDF and Word documents designed to trick users into downloading the ZBot executable, Gavin Neale, security researcher at M86, wrote in the company blog.

"Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component that are backed up with well designed websites and offers the user plausible reasons to run a file," Neale wrote.

According to M86's spam statistics, Pushdo represented about 29.8 of spam messages received in the vendor's spam traps. It was the second largest botnet behind Rustock, which was contained in about 38% of spam messages caught in the vendor's spam traps.

Pushdo hasn't changed much over the last several years. It follows many of the same themes associated with the Storm botnet, which uses holidays and news events to dupe people into opening infecting emails or clicking on a malicious link. Recent campaigns used Michael Jackson's death.

Most spam messages continue to peddle products rather than push out malware and phishing attacks. According to M86 statistics, spam messages touting healthcare products, such as pharmaceuticals and products, such as watches, software and stationary, made up about 85% of spam messages. Malware and phishing attacks made up 5% of spam.

Tags: Email and Instant Messaging Security,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email and Instant Messaging Security Websense integrated security system aims to simplify security management Preventing phishing attacks: Enterprise best practices Chinese hacker attacks target Google Gmail accounts, top tech firms PDF attack code complicates security analysis, skirts detection Understand role-based access control in Microsoft Exchange 2010 Yahoo login credentials at risk to hijacking attack Top spammer gets four years in jail for stock fraud scheme M86 buys Web security gateway vendor Finjan Web-based attacks skyrocket, pirating sites surge, security firms say Phishing protection begins with training, antiphishing evangelist Web Application Security CISOs take measured steps to reduce social media risks Google to pay for Chrome browser vulnerabilities Facebook, McAfee partner to fix social network security issues PDF attack code complicates security analysis, skirts detection Annual security reports offer some hope Firefox, Opera, Safari browsers top list of high risk software Active PDF attacks target Reader, Acrobat zero-day vulnerability Using unique device identification for bank website security Avoid common Web application firewall configuration errors Microsoft gives Internet Explorer a major security overhaul

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary