The path has changed since the last go-round, with two different URL patterns being used:
/globaldirectory/LoginFacebook.php
and
/global_directory/MyAccount.php
Email subjects are fairly limited to these choices:
Subject: Facebook Account Update
Subject: Facebook account update
Subject: Facebook Update Tool
Here's our actual message count for top Facebook subjects so far this morning:
784 | Facebook Password Reset Confirmation. Customer Message.
779 | Facebook Password Reset Confirmation. Support Message.
757 | Facebook Password Reset Confirmation. Customer Support.
755 | Facebook Password Reset Confirmation. Your Support.
753 | Facebook Password Reset Confirmation. Important Message
602 | Facebook account update
569 | Facebook Update Tool
550 | Facebook Account Update
All of the "Facebook Password Reset Confirmation" are emails with a '.zip' attachment intended to infect with Bredolab. These were covered in Yesterday's blog entry: Ongoing Badness: AmEx, Facebook and .CN. The Zeus / Zbot infector is in the campaign represented by the bottom three subjects on the list. With 189,301 messages received so far this early morning, that puts the Facebook Zeus at .9% of our email volume for this morning, and the Facebook Bredolab at 2% of our email volume for this morning. Let's be generous and say that 3% of all of our spam this morning is using a Facebook scam to try to infect us with malware.
For comparison, here are the top Facebook spam subjects for yesterday:
Z 2309 | Facebook Account Update
B 2292 | Facebook Password Reset Confirmation. Support Message.
Z 2261 | Facebook Update Tool
B 2256 | Facebook Password Reset Confirmation. Your Support.
B 2249 | Facebook Password Reset Confirmation. Customer Message.
B 2244 | Facebook Password Reset Confirmation. Important Message
B 2225 | Facebook Password Reset Confirmation. Customer Support.
Z 2185 | Facebook account update
Z = Zeus / Zbot; B = Bredolab
By the 24 hour clock, yesterday we received 917,872 spam email messages, so 1.2% of yesterday's entire spam volume was Bredolab infectors, and .7% of yesterday's entire spam volume was Facebook Zeus / Zbot, or roughly 2% of all spam for the day, although that's not really fair since Facebook Zeus started so late in the day.
Here's an example of the email body:
Dear Facebook user,
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.
Before you are able to use the new login system, you will be required to update your account.
Please click on the link below to update your account online now:
http://www.facebook.com.okolls.org.uk/globaldirectory/LoginFacebook.php?ref=124125189363830136816363239612373&email=weewoo@yourmail.com
If you have any questions, reference our New User Guide.
Thanks,
The Facebook Team
There are fifty new domain names used in this attack, with 36 of the domains resolving as live at this writing (5:15 AM December 9, 2009).
www.facebook.com.gertfra.co.uk
www.facebook.com.gertfra.me.uk
www.facebook.com.gertfra.org.uk
www.facebook.com.gertfrb.co.uk
www.facebook.com.gertfrb.me.uk
www.facebook.com.gertfrb.org.uk
www.facebook.com.gertfrp.co.uk
www.facebook.com.gertfrp.me.uk
www.facebook.com.gertfrp.org.uk
www.facebook.com.gertfrr.co.uk
www.facebook.com.gertfrr.me.uk
www.facebook.com.gertfrr.org.uk
www.facebook.com.gertfrt.co.uk
www.facebook.com.gertfrt.me.uk
www.facebook.com.gertfrt.org.uk
www.facebook.com.ihyeerg.co.uk
www.facebook.com.ihyeerg.me.uk
www.facebook.com.ihyeerg.org.uk
www.facebook.com.ihyeerj.co.uk
www.facebook.com.ihyeerj.me.uk
www.facebook.com.ihyeerj.org.uk
www.facebook.com.ihyeerk.co.uk
www.facebook.com.ihyeerk.me.uk
www.facebook.com.ihyeerk.org.uk
www.facebook.com.ihyeers.co.uk
www.facebook.com.ihyeers.me.uk
www.facebook.com.ihyeers.org.uk
www.facebook.com.ihyeeru.co.uk
www.facebook.com.ihyeeru.me.uk
www.facebook.com.ihyeeru.org.uk
www.facebook.com.jjjioi.co.uk
www.facebook.com.jjjioi.me.uk
www.facebook.com.jjjioi.org.uk
www.facebook.com.jjjiok.co.uk
www.facebook.com.jjjiok.me.uk
www.facebook.com.jjjiok.org.uk
www.facebook.com.jjjiop.co.uk
www.facebook.com.jjjiop.me.uk
www.facebook.com.jjjioy.co.uk
www.facebook.com.jjjioy.me.uk
www.facebook.com.jjjioy.org.uk
www.facebook.com.okolli.co.uk
www.facebook.com.okolli.me.uk
www.facebook.com.okolli.org.uk
www.facebook.com.okolln.co.uk
www.facebook.com.okollo.co.uk
www.facebook.com.okollo.me.uk
www.facebook.com.okollo.org.uk
www.facebook.com.okolls.co.uk
www.facebook.com.okolls.me.uk
www.facebook.com.okolls.org.uk
Despite the wide popularity of this on-going scam, it also calls into question the validity of traditional anti-virus solutions. Any signature-based malware solution is going to be challenged by rapidly changing malware such as these Zbot infectors. This morning's version of the malware is currently detected by only 9 of 41 anti-virus solutions as reported by this VirusTotal report.
updatetool.exe
File size: 131584 bytes
MD5 : 959efa29b4979bcc1d664d7e0726aa74
Security suites which include website blocking fare much better, protecting their customers not by knowing this virus, but by recognizing that the website is offensive. For instance, I am using the McAfee Site Advisor plug-in for Firefox, which recognized this site as offensive. The Google SafeBrowsing list used by Firefox also knows these are offensive sites, and TrendMicro's "Smart Protection Network" performs a similar function for their customers. When selecting an anti-virus solution, make sure that they are also proactively blocking websites known to distribute malware. Even when the criminal shifts to a new virus definition, the fact that these websites are known to be bad will prevent the malware from being downloaded.
0 comments:
Post a Comment