Fake ‘Facebook Password Reset Confirmation’ Email Contains Bredolab Trojan

By Domesticus in Computer Security

Facebook says it’s time to reset your password? Facebook users had better think twice before opening a “Password Reset Confirmation” email that appears to come from Facebook. A new trojan variant of Bredolab is on the loose that spreads itself through fake “Facebook Password Reset Confirmation” emails. The fake email comes with an attached .exe which, according to the message, contains the new password; instead, the recipient is tricked into downloading the Bredolab-ridden file.

The trojan variant, with botnet capabilities, is known as Bredolab.gen.a, Trojan.Downloader.Bredolab.AZ (BitDefender), or W32/Obfuscated.D2!genr (Norman). Bredolab downloads malicious files from the Web and executes them on the infected computer. Bredolab includes code that, after it finishes encrypting user data files, lets it quit the botnet after a reboot or if an external program attempts to analyze its activities. With the Bredolab botnet, attackers can gain complete control of the PC and collect data; for example, they can steal personal information and send spam emails to the user’s list of email addresses.

The ‘From’ address in the email shows as “The Facebook Team” but, in reality, the SMTP ‘From’ address is bogus. The message includes a .zip file attachment with an .exe file labeled Facebook_Password_4tf52.exe. The section between “_” and “.zip” is chosen randomly and consists of letters and numbers. The malicious “Facebook_Password” .exe file connects to two servers, one in the Netherlands and the other in Kazakhstan, in order to download additional malicious files.

The fake “Facebook Password Reset Confirmation” email message reads:

Hey [Facebook User],
Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.
Thanks,
The Facebook Team

Trojan.Downloader.Bredolab.AZ creates the files %AppData%\wiaservg.log and %Programs%\Startup\isqsys32.exe. In order to bypass firewalls, Bredolab injects its own code into the legitimate processes svchost.exe and explorer.exe. Bredolab then tries to connect to the remote host 202.39.17.53 on port 80.
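A mail-gateway check for the lure traits described above (a “Facebook” display name on a non-Facebook sender, the reset-confirmation subject, and a .zip attachment carrying a Facebook_Password_&lt;random&gt;.exe), as an added example that is not from the original post or from any vendor. The sample message and its contents are constructed; treating facebook.com as the only legitimate sender domain is an assumption made for brevity.

```python
import email, io, re, zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Attachment naming described in the post: Facebook_Password_<random letters and digits>.exe
LURE_NAME = re.compile(r"^Facebook_Password_[A-Za-z0-9]+\.exe$", re.IGNORECASE)
# Assumption: only facebook.com counts as legitimate; a real rule would list all Facebook sender domains
LEGIT_DOMAIN = "facebook.com"

def lure_executables_in_zip(blob: bytes) -> list:
    """Names inside a zip blob that match the lure executable pattern (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if LURE_NAME.match(n.rsplit("/", 1)[-1])]
    except zipfile.BadZipFile:
        return []

def classify_message(raw: bytes) -> dict:
    """Score a raw RFC 822 message against the fake reset-confirmation lure traits."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    if "password reset confirmation" in msg.get("Subject", "").lower():
        reasons.append("subject matches lure")
    name, addr = parseaddr(msg.get("From", ""))  # display name vs. actual sender address
    if "facebook" in name.lower() and not addr.lower().endswith("@" + LEGIT_DOMAIN):
        reasons.append(f"display name '{name}' but sender domain is not {LEGIT_DOMAIN}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip"):
            for inner in lure_executables_in_zip(data):
                reasons.append(f"zip {fname} contains executable {inner}")
        elif LURE_NAME.match(fname):
            reasons.append(f"executable attachment {fname}")
    return {"suspicious": bool(reasons), "reasons": reasons}

def build_sample_lure() -> bytes:
    """Constructed sample modelled on the post's description (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4tf52.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <noreply@example.invalid>"  # bogus SMTP sender (constructed)
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Hey Facebook User,\nYou can find your new password in attached document.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_4tf52.zip")
    return msg.as_bytes()
```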

If you have a Facebook account and receive the fake “Facebook Password Reset Confirmation” email, don’t be fooled at first sight by its seemingly legitimate attachment, and don’t walk unwarily into the attackers’ trap. Furthermore, if you did not request a password reset from Facebook, there’s no reason for you to be getting a “Password Reset Confirmation” email. And even if you did request a password reset, Facebook is not going to send a new password as an email attachment.

How about you? Have you received the fake “Facebook Password Reset Confirmation” email with the Bredolab variant attached?

This entry was posted on 10/27/09 and is filed under Computer Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

6 Responses to “Fake ‘Facebook Password Reset Confirmation’ Email Contains Bredolab Trojan”

  1. Becky Davidson Says:

    How do I restore my Facebook page? I believe I did the Facebook Password Reset Confirmation, not realizing it was a fake. Can you please help me?

  2. bank ks Says:

    view password facebook

  3. Hactor Says:

    I received one today. I opened it but not the attachment. I quickly looked up websites and found yours. Glad I did. Thanks for the tip.

  4. zinckingeye Says:

    I'm now safe from this email spam. What if my friends received this spam too and ran the virus?

  5. Radu Says:

    I received one. My AVG antivirus software did not detect the malware.

  6. courtney Says:

    I've tried everything to reset my password and it says the same thing even though I ret it. Can you help me, please?

Copyright 2003-2010. Enigma Software Group USA, LLC. All Rights Reserved.