Pushdo botnet uses Facebook to spread malicious email attachment

By Robert Westervelt, News Editor, SearchSecurity.com 28 Oct 2009 | SearchSecurity.in

Digg This!     StumbleUpon     Del.icio.us

Controllers of the Pushdo botnet are sending out phony email messages warning users that their Facebook password has been reset. It tries to lure users into opening an attached file containing a malicious downloader by telling users the attachment contains the new Facebook password.

Facebook has been working to shut down spammers. Last year, the social network won a multimillion judgment against a Canadian man who hacked into the profiles of its members and spammed them with sexually explicit messages. At the time, the company said it hoped the action would deter others from targeting Facebook users.

Spam, malware: Massive spam campaign hits Yahoo Groups, LiveJournal: In July, Spammers used automated CAPTCHA-breaking software to set up accounts and use free file storage for links and images.  3FN.net ISP shutdown interrupts spam campaigns: In June, the shutdown of 3FN.net disrupted the Cutwail Botnet and may have reduced global spam volumes by 15%. Video: Next generation spam: New threats and new technologies This video examines the evolution of the content security gateway as it evolves beyond just blocking spam and Web filtering.

While traditional email spam messages like the one controlled by the Pushdo botnet continue to be the most lucrative for spammers, some are turning to social networks to conduct more targeted campaigns. The spammers buy and using phished account credentials to use the Facebook accounts to send spam messages to the account holder's friends.

A second spam campaign, purportedly to be coming from the same cybercriminals behind Pushdo, uses the ongoing banking crisis to trick users into clicking a malicious link. The phony email tries to trick victims into believing the message comes from the Federal Deposit Insurance Corporation (FDIC). It claims that the victim's bank has been listed as a failed bank and urges recipients to visit a website, which hosts malicious executable files.

The malicious website contains both PDF and Word documents designed to trick users into downloading the ZBot executable, Gavin Neale, security researcher at M86, wrote in the company blog.

"Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component that are backed up with well designed websites and offers the user plausible reasons to run a file," Neale wrote.

According to M86's spam statistics, Pushdo represented about 29.8 of spam messages received in the vendor's spam traps. It was the second largest botnet behind Rustock, which was contained in about 38% of spam messages caught in the vendor's spam traps.

SearchSecurity radio:

Pushdo hasn't changed much over the last several years. It follows many of the same themes associated with the Storm botnet, which uses holidays and news events to dupe people into opening infecting emails or clicking on a malicious link. Recent campaigns used Michael Jackson's death.

Most spam messages continue to peddle products rather than push out malware and phishing attacks. According to M86 statistics, spam messages touting healthcare products, such as pharmaceuticals and products, such as watches, software and stationary, made up about 85% of spam messages. Malware and phishing attacks made up 5% of spam.

Tags: Email and instant messaging threat defenses,  Application and Web threat defenses,  Viruses, worms, spyware, and other malware,  Hacking countermeasures,  Threat Monitor,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email and instant messaging threat defenses FTIL tackles Web 2.0 security threats with content filtering UTM buying essentials for India Inc. Understand role-based access control in Microsoft Exchange 2010 Hosted email security frees ACPL's bandwidth New Bahama botnet evades search engines, fuels click fraud Next generation spam: New threats and new technologies How to prevent brute force webmail attacks Chained Exploits: How to prevent phishing attacks from corporate spies Economy fuels malware, spam How can 419 scam emails and backscatter spam be stopped? Application and Web threat defenses Noted cryptographer on SSL, encryption and cloud computing Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection 11 application security tweaks for a secure SDLC Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look A botnet and rootkit removal 101 Microsoft warns that IE zero-day vulnerability causes data leakage What to do with network penetration test results Network discovery and the Simple Network Management Protocol Viruses, worms, spyware, and other malware Clientless SSL VPN vulnerability and Web browser protection Cloud Security Alliance releases top cloud computing security threats Zeus Trojan continues reign infecting 74,000 PCs in global botnet Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look Configuring a Windows network infrastructure: Wired, wireless security A botnet and rootkit removal 101 Microsoft warns that IE zero-day vulnerability causes data leakage Two factor authentication thwarts identity theft at Bank of India Microsoft issues advisory on Internet Explorer zero-day

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary active man-in-the-middle attack  (SearchSecurityIN.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary