Dec 1, 2010 13:36 GMT

Security researchers from Trend Micro warn of spam emails posing as security alerts from Facebook, which have a version of the ZeuS banking trojan attached.

The infected emails purport to come from “Secure Facebook” and have a subject of “To Facebook user. (#FIRST_DESCR).” The last part is probably the result of a poorly configured spam template.

The contained message claims the recipient’s IP address was used to log onto Facebook numerous times and send spam.

It instructs users to read detailed statistics about their Facebook connections which are allegedly attached to the email, along with a firewall program developed by Facebook.

Called “FB IPsecure,” the application claims to be able to block untrusted connections and prevent spam from being sent from the user’s IP.

The spam message is signed by one Facebook Secure Advisor Garri Moor, but fortunately, it is so badly formulated that it would be hard to fool any English speaker.

The attachment is called files.zip and contains an executable which, according to Trend Micro, is a variant of the ZeuS information-stealing trojan.
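Two traits of this campaign, the unrendered “(#FIRST_DESCR)” token in the subject and an executable packed inside a zip attachment, are the kind of thing a mail gateway can check for. The following Python is an added example, not code from Trend Micro or from the original article; the regular expression, the extension list, the function names and the sample message (whose zip member holds harmless placeholder bytes) are assumptions constructed for illustration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Unrendered template token such as "(#FIRST_DESCR)" left in a subject line.
PLACEHOLDER = re.compile(r"\(#[A-Z][A-Z0-9_]*\)")
# Assumed list of extensions treated as executable; extend to match local policy.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")

def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 5322 message matches the traits described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if PLACEHOLDER.search(msg.get("Subject", "")):
        reasons.append("unrendered template placeholder in subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip attachment: {name}")
            continue
        # Member names are listed without extracting or running anything.
        for member in archive.namelist():
            if member.lower().endswith(EXECUTABLE_EXT):
                reasons.append(f"executable inside {name}: {member}")
    return reasons

def build_sample(subject: str, member_name: str) -> bytes:
    """Constructed test message; the zip member is placeholder text, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "Secure Facebook <sender@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Constructed sample body.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="files.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample("To Facebook user. (#FIRST_DESCR)", "sample.exe")
    print("\n".join(inspect_message(sample)))
```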

“Given that malicious attachments are a favored way of spreading ZeuS variants, this isn’t really new. In terms of behavior, nothing separates this particular variant from others that are in the wild today,” Merianne Polintan, an anti-spam research engineer at Trend, explains.

ZeuS is one of the most popular trojans in the cyber criminal world. It is commonly used by fraudsters to steal financial information, personal details, online credentials and other sensitive data.

Unlike other malware, ZeuS is not controlled by any particular gang. Instead, it is being sold on the black market as a crimeware toolkit, which makes it available to virtually anyone looking to engage in the activities it facilitates.

Because of this, the diversity of ZeuS samples in the wild at any given time is very high. And since the trojan also functions as a botnet client, there is also a high number of command and control servers.