Pushdo botnet uses Facebook to spread malicious email attachment

By Robert Westervelt, News Editor 27 Oct 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Controllers of the Pushdo botnet are sending out phony email messages warning users that their Facebook password has been reset. It tries to lure users into opening an attached file containing a malicious downloader by telling users the attachment contains the new Facebook password.

Facebook has been working to shut down spammers. Last year, the social network won a multimillion judgment against a Canadian man who hacked into the profiles of its members and spammed them with sexually explicit messages. At the time, the company said it hoped the action would deter others from targeting Facebook users.

Spam, malware: Massive spam campaign hits Yahoo Groups, LiveJournal: In July, Spammers used automated CAPTCHA-breaking software to set up accounts and use free file storage for links and images.  3FN.net ISP shutdown interrupts spam campaigns: In June, the shutdown of 3FN.net disrupted the Cutwail Botnet and may have reduced global spam volumes by 15%. Video: Next generation spam: New threats and new technologies This video examines the evolution of the content security gateway as it evolves beyond just blocking spam and Web filtering.

Security researchers at Websense have also analyzed the Facebook spam and traced it to command and control servers connected to the Bredolab botnet. Websense said the two servers in the Netherlands and Kazakhstan enable the controllers to have full access to a victim's PC.

While traditional email spam messages like the one controlled by the Pushdo botnet continue to be the most lucrative for spammers, some are turning to social networks to conduct more targeted campaigns. The spammers buy and using phished account credentials to use the Facebook accounts to send spam messages to the account holder's friends.

A second spam campaign, purportedly to be coming from the same cybercriminals behind Pushdo, uses the ongoing banking crisis to trick users into clicking a malicious link. The phony email tries to trick victims into believing the message comes from the Federal Deposit Insurance Corporation (FDIC). It claims that the victim's bank has been listed as a failed bank and urges recipients to visit a website, which hosts malicious executable files.

The malicious website contains both PDF and Word documents designed to trick users into downloading the ZBot executable, Gavin Neale, security researcher at M86, wrote in the company blog.

"Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component that are backed up with well designed websites and offers the user plausible reasons to run a file," Neale wrote.

According to M86's spam statistics, Pushdo represented about 29.8 of spam messages received in the vendor's spam traps. It was the second largest botnet behind Rustock, which was contained in about 38% of spam messages caught in the vendor's spam traps.

SearchSecurity radio:

Pushdo hasn't changed much over the last several years. It follows many of the same themes associated with the Storm botnet, which uses holidays and news events to dupe people into opening infecting emails or clicking on a malicious link. Recent campaigns used Michael Jackson's death.

Most spam messages continue to peddle products rather than push out malware and phishing attacks. According to M86 statistics, spam messages touting healthcare products, such as pharmaceuticals and products, such as watches, software and stationary, made up about 85% of spam messages. Malware and phishing attacks made up 5% of spam.

Tags: Email and Messaging Threats (spam, phishing, instant messaging),  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email and Messaging Threats (spam, phishing, instant messaging) Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach FBI raids phishing crime ring, nearly 100 arrested Massive phishing scheme affects Microsoft Hotmail accounts Phishing websites, rogue antivirus skyrocket in 2009 Email and Messaging Threats (spam, phishing, instant messaging) Research Web Application and Web 2.0 Threats New Facebook worm propagates using sexy model Web security firm ranks Firefox, Safari browsers as flaw prone Web application vulnerability assessment shows patching progress Layoffs prompt insider threat fears, cybersecurity survey finds Botnet masters turn to Google, social networks to avoid detection Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Kaspersky system analyzes malicious URLs on Twitter for malware Do Facebook URL security concerns justify blocking social networks? Gumblar Trojan drive-by exploits spike following Adobe update

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CAPTCHA  (SearchSecurity.com) crimeware  (SearchSecurity.com) Operation Phish Phry  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Register of Known Spam Operations  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Sender Policy Framework  (SearchSecurity.com) spam cocktail  (SearchSecurity.com) spear phishing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary