Your FaceBook password has been changed

... Or hasn't it ?

A recent spam campaign is spreading claming your Facebook password has been changed, and you need to open the document attached to view your new password.

You might think: "Why attach a document with the password in ? Why not just put it in the email ?"

The truth is of course is that your Facebook password hasn't been changed at all, it is the latest spam campaign trying to infect your computer.

I received the following email with subject:

Your facebook password has been changed. ID9049

Your Facebook password has been changed

Attached is a ZIP file called Facebook_Document_Id0573.zip. Included is the following file:

Facebook_Document.exe, seemingly a Word document

Does this look like a Word document ? Yes

Is it a Word document ? No

How can you tell ? By the .exe extension

Facebook_Document.exe

Result: 35/43 (81.4%)

MD5: e354e01caea7c9e8171a0e839d5016b6

VirusTotal

ThreatExpert Report

Anubis Report

Additionally, the file tries to connect to:

hxxp://interviewbuy.ru
Domain Hash: 0d251df39c785768e0b9af27880fcc0f
Result: 6/18 (33 %)
URLVoid


Conclusion

If you receive emails like this, you should already be alerted:

"Why would Facebook send me an email my password is changed ?"

They don't. Whether you have Facebook or not, instantly delete the email. In this case, the file was zipped but there was no password.

If your email provider doesn't stop it, your Antivirus should. Keep everything up-to-date people !

I would like to add the blogpost Dancho Danchev made, it is the same spam campaign but with another subject and another malicious executable:

Spamvertised "Your password has been stolen!" Malware Campaign Circulating

Twitter worm spreading virally

Since today there's a Twitter worm spreading virally with the name "m28sx" . People and bots tweeting links that end with m28sx.html or have only an URL in their tweet are common today on the social network platform.

At time of writing this threat still persists, although Google has already disabled a lot of URLs. (URLs used in this attack are mainly t.co and goo.gl)

After different redirects starting at:

to

and eventually landing on

Presents you with a nice message that you are infected:

Immediately you receive the well known fake scan page:

Infected search terms on Twitter also include:

50th anniversary of JFK's inauguration
John F. Kennedy inaugural address
Love the new homepage

Check out these search results for m28sx (be careful with the links on these pages, some of them might still be active ! ) on Twitter:
https://twitter.com/#!/search/links/m28sx.html or
https://search.twitter.com/search?q=m28sx.html

Dropped files:

pack.exe

Result: 3/43 (7.0 %)

MD5: bae499fc5844d814f942e870900c9d57

VirusTotal

ThreatExpert

pack(2).exe

Result: 3/43 (7.0 %)
MD5: 921b903e2ff6ae23833301aa2961be95

VirusTotal
ThreatExpert

They payload is a rogueware called 'Security Shield'.

When executing either of the dropped files:

A warning that Security Shield was installed successfully.

Security Shield rogueware finding (non-existant) infections.

Conclusion

Pretty straightforward: do not click on any of the links ! ( You also might want to use a 3d party application to browse on Twitter, like Echofon or Twhirl. )

Always be careful when clicking on a URL that you do not recognize or is shortened so you cannot see the real URL.

If you do happen to land on one of these rogueware pages presenting you a fake scan of your disks, open Task Manager and end your browser's process.

Hotfile used to spread malware

You might remember my previous post where I stated that Rapidshare is used to spread rogueware .

Exactly the same tactic is applied with Hotfile, another file hosting service.


UPDATE 13/01/2011: Spreading malware through Hotfile is still common, so to speak. I've seen a TDSS variant spreading on it with the filename "surprise.exe" VirusTotal results can be found here . RapidShare seems to be faster in cleaning up infected files.


I received an email from one of my contacts with no subject. It contained the following link:

Link from hotfile which downloads a trojan horse. Link edited for your safety.

exe.exe

Result: 11/41 (26.8%)

MD5: 4169dc3f5e44067435016d79336c4e1a
VirusTotal
Anubis Report
ThreatExpert Report

After executing the file it connects to remote hosts which can download other malware.



Conclusion

The conclusion is actually the same as in my previous post, but I will state it once again:

You should never trust an email which has:

- only a URL included in the message
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- No subject or strange subjects ( eg.: "0 enjoy yourself" )

Never reply to this kind of email, simply delete it and don't look back ;) .

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virusscanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

RapidShare used to spread rogueware

Besides the usual spam this morning, in the likes of "very good news . now you can buy new iphone 4 from this site! ",

I had also received an email from someone I know. It was sent to all of his contacts, including me. The message only contained the following URL:


Link to Rapidshare to download a file called "surprise.exe" I have obfuscated the URL for your safety.

It comes to no surprise that actually this file is rogueware with the name Security Shield. Below you can find an example screenshot of this rogue:


Security Shield rogueware

surprise.exe

Result: 11/42 (26.2%)

MD5: a6af97e7a5fd59c82b4c08a568eae882
VirusTotal
Anubis Report
ThreatExpert Report

When executing the downloaded file ( surprise.exe ):



Conclusion


Besides coming from a trusted person, this rogueware program is also using Rapidshare as a 'mirror' for spreading. Also, the file has the name "surprise.exe" which may convince you even further that your friend has just sent you a message with a nice surprise e-card or similar. After all, you know the person who sent it, why would it hurt ?

The above pictures proove why. I doubt you'd want some rogueware sitting on your computer. The trick is you should never trust an email which has:

- only a URL included in the message
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- No subject or strange subjects ( eg.: "0 enjoy yourself" )

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virusscanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Peace out.

new rogue: PCoptimizer 2010

As already stated in my previous post, there are two new rogues (rogue security software, rogueware) lurking around:

PrivacyGuard 2010 and PCoptimizer 2010

You can be presented with either of these GUIs:


PrivacyGuard 2010 (picture: BleepingComputer)



PCoptimizer 2010


If you execute any program, you can be presented with the following pop-up:


PCoptimizer 2010 pop-up


I also made a small video on how you can disable this rogue and access your programs again. In this video I targeted PCoptimizer 2010, but you can also apply these steps on PrivacyGuard 2010.