Facebook says time to reset password?

Facebook users had better think twice before opening a "Password Reset Confirmation" email that appears to come from Facebook. A new variant of the Bredolab trojan is spreading through fake "Facebook Password Reset Confirmation" emails. The email carries an attached .exe which, according to the message, contains the new password; in fact, a recipient who opens it is downloading the Bredolab-infected file.
The variant, which has botnet capabilities, is detected as Bredolab.gen.a, Trojan.Downloader.Bredolab.AZ (BitDefender), or W32/Obfuscated.D2!genr (Norman). Bredolab downloads further malicious files from the Web and executes them on the infected computer. Bredolab also includes code that, once it has finished encrypting user data files, lets it quit the botnet after a reboot or if an external program attempts to analyze its activity. With the Bredolab botnet, attackers can take complete control of the PC and collect data, for example by stealing personal information and sending spam to the addresses in the user's contact list.
The 'From' address in the email shows as "The Facebook Team
The fake "Facebook Password Reset Confirmation" email message reads:
Hey [Facebook User],
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
The Facebook Team
Trojan.Downloader.Bredolab.AZ will create the files %AppData%\wiaservg.log and %Programs%\Startup\isqsys32.exe. In order to bypass firewalls, Bredolab adds its own code into the real processes svchost.exe and explorer.exe. Then Bredolab will try to connect to the remote host 188.8.131.52 on port 80.
If you have a Facebook account and receive the fake "Facebook Password Reset Confirmation" email, don't be fooled by its seemingly legitimate attachment, and don't walk into the attackers' trap unawares. If you did not request a password reset from Facebook, there is no reason for you to receive a "Password Reset Confirmation" email at all. And even if you did request a password reset, Facebook will not send a new password as an email attachment.
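The point above (a password-reset notice never arrives with the new password as an executable attachment) can be turned into a mail-gateway triage rule. The following is an added example, not code from the original post; the sample message is constructed here to mimic the lure quoted above, and the rule assumes an attachment is considered executable when its name ends in .exe or its contents start with the PE "MZ" header.

```python
import email
from email import policy
from email.message import EmailMessage


def build_sample_lure() -> bytes:
    """Constructed sample mimicking the fake reset email; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <sender@example.invalid>"  # placeholder address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Hey Facebook User,\nYour password has been changed.\n"
                    "You can find your new password in attached document.\n")
    # Fake payload: only the PE 'MZ' magic followed by padding, so the header check fires.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="Facebook_Password_123.exe")
    return msg.as_bytes()


def build_benign_notice() -> bytes:
    """Constructed text-only reset notice with no attachment (should not be flagged)."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Password reset requested"
    msg.set_content("If you requested a reset, follow the link on the account page.\n")
    return msg.as_bytes()


def lure_indicators(raw: bytes) -> list[str]:
    """Return the indicators seen in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if "password reset" in (msg["Subject"] or "").lower():
        hits.append("subject-claims-password-reset")
    if "facebook team" in (msg["From"] or "").lower():
        hits.append("sender-claims-facebook-team")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe"):
            hits.append(f"attachment-exe-extension:{name}")
        if data[:2] == b"MZ":                  # PE/DOS executable header
            hits.append(f"attachment-pe-header:{name}")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """A reset notice that also carries an executable attachment is the lure pattern."""
    hits = lure_indicators(raw)
    return "subject-claims-password-reset" in hits and any(
        h.startswith("attachment-") for h in hits)
```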
How about you? Have you received the fake "Facebook Password Reset Confirmation" email with the Bredolab variant attached?