Thursday, January 27, 2011

Your FaceBook password has been changed

... Or hasn't it ?

A recent spam campaign is spreading claming your Facebook password has been changed, and you need to open the document attached to view your new password.

You might think: "Why attach a document with the password in ? Why not just put it in the email ?"

The truth is of course is that your Facebook password hasn't been changed at all, it is the latest spam campaign trying to infect your computer.

I received the following email with subject:
Your facebook password has been changed. ID9049

Your Facebook password has been changed

Attached is a ZIP file called Included is the following file:

Facebook_Document.exe, seemingly a Word document

Does this look like a Word document ? Yes
Is it a Word document ? No
How can you tell ? By the .exe extension

Result: 35/43 (81.4%)
MD5: e354e01caea7c9e8171a0e839d5016b6
Anubis Report

Additionally, the file tries to connect to:

Domain Hash: 0d251df39c785768e0b9af27880fcc0f
Result: 6/18 (33 %)


If you receive emails like this, you should already be alerted:
"Why would Facebook send me an email my password is changed ?"

They don't. Whether you have Facebook or not, instantly delete the email. In this case, the file was zipped but there was no password.
If your email provider doesn't stop it, your Antivirus should. Keep everything up-to-date people !

I would like to add the blogpost Dancho Danchev made, it is the same spam campaign but with another subject and another malicious executable:

Thursday, January 20, 2011

Twitter worm spreading virally

Since today there's a Twitter worm spreading virally with the name "m28sx" . People and bots tweeting links that end with m28sx.html or have only an URL in their tweet are common today on the social network platform.

At time of writing this threat still persists, although Google has already disabled a lot of URLs. (URLs used in this attack are mainly and

After different redirects starting at:


and eventually landing on

Presents you with a nice message that you are infected:

Immediately you receive the well known fake scan page:

Infected search terms on Twitter also include:
50th anniversary of JFK's inauguration
John F. Kennedy inaugural address
Love the new homepage

Check out these search results for m28sx (be careful with the links on these pages, some of them might still be active ! ) on Twitter:!/search/links/m28sx.html or

Dropped files:

Result: 3/43 (7.0 %)
MD5: bae499fc5844d814f942e870900c9d57

Result: 3/43 (7.0 %)
MD5: 921b903e2ff6ae23833301aa2961be95

They payload is a rogueware called 'Security Shield'.

When executing either of the dropped files:

A warning that Security Shield was installed successfully.

Security Shield rogueware finding (non-existant) infections.


Pretty straightforward: do not click on any of the links ! ( You also might want to use a 3d party application to browse on Twitter, like Echofon or Twhirl. )

Always be careful when clicking on a URL that you do not recognize or is shortened so you cannot see the real URL.

If you do happen to land on one of these rogueware pages presenting you a fake scan of your disks, open Task Manager and end your browser's process.

Friday, January 7, 2011

Hotfile used to spread malware

You might remember my previous post where I stated that Rapidshare is used to spread rogueware .

Exactly the same tactic is applied with Hotfile, another file hosting service.

UPDATE 13/01/2011: Spreading malware through Hotfile is still common, so to speak. I've seen a TDSS variant spreading on it with the filename "surprise.exe" VirusTotal results can be found here . RapidShare seems to be faster in cleaning up infected files.

I received an email from one of my contacts with no subject. It contained the following link:

Link from hotfile which downloads a trojan horse. Link edited for your safety.

Result: 11/41 (26.8%)
MD5: 4169dc3f5e44067435016d79336c4e1a
Anubis Report
ThreatExpert Report

After executing the file it connects to remote hosts which can download other malware.


The conclusion is actually the same as in my previous post, but I will state it once again:

You should never trust an email which has:

- only a URL included in the message
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- No subject or strange subjects ( eg.: "0 enjoy yourself" )

Never reply to this kind of email, simply delete it and don't look back ;) .

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virusscanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!