RSS feed of TRACElabs Blog from M86 Security

Beware New Pushdo Campaigns

October 27, 2009

Two new spam campaigns sent by the Pushdo botnet may trick users into installing malware on their PCs.

The first poses as an email from Facebook and carries a zip attachment. The subject line is 'Facebook Password Reset Confirmation', and the message says that your Facebook password has been changed and that the new password is in the attachment.

Inside the attached zip file is an executable which, if run, installs Bredolab, a malicious downloader. One of the first things we saw this Trojan horse download was the Pushdo bot, which immediately began spamming out more of these Facebook password reset emails.

The second new campaign pretends to come from the Federal Deposit Insurance Corporation (FDIC) and claims that the bank you have an account with has been listed as a failed bank. This may not seem too far-fetched to some, especially considering the number of banks the FDIC has listed as failed in the past year.

We have seen the following subject lines:

FDIC alert: check your Bank Deposit Insurance Coverage
FDIC has officially named your bank a failed bank
you need to check your Bank Deposit Insurance Coverage

The fake FDIC email asks you to click a link to visit the FDIC website and check your deposit insurance coverage. The link does not lead to the FDIC website but to one of many fraudulent web sites set up to host this campaign.

The web site instructs the user to download their personal insurance file and mentions that the files are 'self-extracting'. That remark is there to pre-empt suspicion: a user who notices that these 'documents' are actually .exe files has already been handed a reason to run them anyway.

The links to both the PDF and the Word document point to a ZBot executable. Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component, backed up by well designed websites that give the user a plausible reason to run a file. Previous examples include the Michael Jackson campaign, the IRS scam seen over the last month and the server update scam seen a couple of weeks ago.
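As an added illustration (not code from the original post or from M86), the following Python checks for the two tricks described above: a zip attachment whose member is a Windows executable, detected by its PE 'MZ' header rather than by its extension alone, and download links whose visible text promises a PDF or Word document while the URL path ends in an executable extension. The attachment name, the domain and the HTML are constructed samples, not artefacts recovered from these campaigns.

```python
import io
import os
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly on double-click; a lure ending in one of
# these is a program no matter what the rest of the name suggests.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Words lure pages use to make a download look like a harmless document.
DOCUMENT_WORDS = re.compile(r"\b(pdf|word|doc|document|file)\b", re.IGNORECASE)


def zip_executables(zip_bytes):
    """Return the names of zip members that are Windows executables.

    A member is flagged if it carries the PE 'MZ' magic or has an
    executable extension, so a dropper renamed to look like a document
    is still caught.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                magic = member.read(2)
            if magic == b"MZ" or ext in EXECUTABLE_EXTS:
                flagged.append(info.filename)
    return flagged


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace in the anchor text before recording it.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def disguised_executable_links(html):
    """Return (href, text) pairs whose text promises a document but whose
    URL path ends in an executable extension."""
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        ext = os.path.splitext(urlparse(href).path.lower())[1]
        if ext in EXECUTABLE_EXTS and DOCUMENT_WORDS.search(text):
            suspicious.append((href, text))
    return suspicious


def constructed_zip():
    """Constructed sample attachment (not from the real campaign): one
    member with a PE header standing in for the Bredolab dropper, plus a
    harmless text file. The member name is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Your new password is in the attached file.")
    return buf.getvalue()


# Constructed sample of a lure page; the domain is a placeholder.
CONSTRUCTED_HTML = """
<p>Your personal insurance file is self-extracting.</p>
<a href="http://fdic-lure.invalid/files/insurance_coverage.pdf.exe">Download PDF version</a>
<a href="http://fdic-lure.invalid/files/insurance_coverage.doc.exe">Download Word document</a>
<a href="http://fdic-lure.invalid/faq.html">Frequently asked questions</a>
"""

if __name__ == "__main__":
    for name in zip_executables(constructed_zip()):
        print("executable in attachment:", name)
    for href, text in disguised_executable_links(CONSTRUCTED_HTML):
        print("disguised link:", text, "->", href)
```

Checking the MZ magic matters because Windows hides known extensions by default, so a member named like a document can still be a program; checking the link's URL path rather than its text catches the self-extracting ruse on the lure page, where the text is exactly what the attacker controls.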

Last Reviewed: October 27, 2009 by Gavin Neale