Jan 19, 2011 08:52 GMT

Security researchers from Avira warn that fake Facebook password change emails are trying to trick users into opening a malicious attachment that installs a version of the Bredolab trojan.

The rogue emails carry a subject of "Facebook password has been changed. ID####," where # stands for a random digit, and purport to come from a @facebook.com address.

The contained message reads: "Dear user of FaceBook! Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document."

The attached file is called Facebook_Document_Id####.zip and contains an executable file with a Microsoft Word document icon. The .exe installs the trojan, but also downloads a legit .doc file from the Internet and opens it.

This is probably done in order to avoid raising suspicion. However, given that the text in the document is in Russian and the email is in English, it manages to look shady enough.

Avira researchers warn that once executed, this version of Bredolab proceeds to download and install a fake antivirus program that mimics the appearance of Microsoft Security Essentials.
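The indicators described above (the subject line, the attachment name and an executable inside the ZIP) can be checked at a mail gateway. The sketch below is an added example, not code from Avira or from the article; the executable extension list, the sender and recipient addresses, and the sample archive member name are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns taken from the article: four random digits follow "ID" / "Id".
SUBJECT_RE = re.compile(r"Facebook password has been changed\.\s*ID\d{4}", re.I)
ATTACH_RE = re.compile(r"^Facebook_Document_Id\d{4}\.zip$", re.I)
# Assumption: extensions treated as directly executable on Windows.
EXEC_EXT = (".exe", ".scr", ".pif", ".com")

def executables_in_zip(data: bytes) -> list[str]:
    """List executable members; an unreadable archive is reported, not ignored."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]

def inspect_message(raw: bytes) -> dict:
    """Report which of the article's indicators a raw message matches.
    The From header is not checked because the sender address is forged."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"subject": bool(SUBJECT_RE.search(msg["Subject"] or "")),
            "attachment_name": False, "executables": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if ATTACH_RE.match(name):
            hits["attachment_name"] = True
        if name.lower().endswith(".zip"):
            hits["executables"] += executables_in_zip(payload)
    # An executable in a ZIP plus either lure indicator is enough to quarantine.
    hits["suspicious"] = bool(hits["executables"]) and (
        hits["subject"] or hits["attachment_name"])
    return hits

def build_sample(subject: str, zip_name: str, member: str) -> bytes:
    """Constructed test message: a ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "notify@facebook.com", "user@example.org", subject
    msg.set_content("Dear user of FaceBook! ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("Facebook password has been changed. ID4821",
                                       "Facebook_Document_Id4821.zip", "Facebook_Document.exe")))
```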

Bredolab is a family of trojans primarily used as a malware distribution platform for scareware and other malicious applications.

Back in October, Dutch authorities delivered a severe blow to the main Bredolab botnet after shutting down 143 of its command and control servers.

At the same time, Armenian authorities arrested a man suspected to be the Bredolab author at the Yerevan airport, as he was trying to flee the country.

Despite these developments, other Bredolab-based botnets remain operational, especially in Russia. Researchers believe that at some point, the source code for the malware was either leaked or sold on the underground market.

Security vendor Trend Micro named Bredolab as the sixth most interesting malware threat in 2010, after Stuxnet, Operation Aurora, ZeuS, SpyEye and Koobface.