Archive for November 2nd, 2009


Nov 2
by Jessa De La Torre (Threat Response Engineer)

When BREDOLAB entered the threat landscape several months ago, it was initially thought of as a common downloader (that downloads executable files) designed for malware infection only. However, Trend Micro researchers noticed a sudden increase in its activities in August 2009. This pushed our researchers to delve more into the inner workings and behaviors of BREDOLAB.

Our analysis revealed BREDOLAB’s connections to two notorious malware families, FAKEAV and ZBOT/ZeuS. The samples we examined always included both of these families in their download repertoire. Both families focus mainly on information and financial theft, and BREDOLAB now joins their long list of carriers.

BREDOLAB also exhibited certain similarities with another well-known botnet, PUSHDO, in terms of its downloading routine. This led our threat researchers to believe that the cybercriminals behind PUSHDO and BREDOLAB are the same.

Trend Micro’s Senior Threat Researcher David Sancho has written an in-depth analysis on this new threat. Read it here: You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence.



Nov 2
by Maria Alarcon (Anti-spam Research Engineer)

Trend Micro threat analysts found spammed messages that pretended to be a letter coming from the “boss.” The messages bore the subject “get back to my office for more details” and instructed users to extract and read the letter contained in the attached .ZIP file. The attachment, of course, does not contain a letter but an .EXE file (info.exe) detected by Trend Micro as TROJ_CUTWAIL.GT.


Upon execution, TROJ_CUTWAIL.GT creates registry entries to automatically execute at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the “spam engine” of the notorious botnet, PUSHDO, which spammed around 7.7 billion messages a day in the second quarter.

In the past few days, Trend Micro has reported various spam runs that used malicious attachments (ZIP or RAR) to hide malware. This suggests that old tactics never die and remain an effective way of infecting users. We blogged about this in the following posts:

Users are advised to be wary when opening any attached file, even if it appears to come from a person in authority or one’s “boss.” Trend Micro users are protected via the Trend Micro Smart Protection Network, which detects TROJ_CUTWAIL.GT and blocks the spammed email message. Users of non-Trend Micro products can use free tools like HouseCall to stay secure from this attack.
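As an added example (not code from the original post), the following Python script shows one defender-side check for the attachment trick described above: it opens ZIP attachments in memory and flags any member with an executable extension. The sample message, its subject line and the inert "info.exe" bytes are constructed here for illustration; RAR archives are not handled because the standard library has no reader for them.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a "letter" should never carry (illustrative list, not from the post).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}

def suspicious_archive_members(msg):
    """Return 'attachment:member' for each executable found inside ZIP attachments.
    Archives are opened in memory only; nothing is extracted to disk or run."""
    hits = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() not in ARCHIVE_TYPES and not filename.endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTS):
                        hits.append(f"{filename}:{name}")
        except zipfile.BadZipFile:
            # A mangled archive deserves a look too; it may be an evasion attempt.
            hits.append(f"{filename}:<corrupt archive>")
    return hits

def scan_raw(raw: bytes):
    """Parse a raw RFC 5322 message (e.g. captured at a mail gateway) and scan it."""
    return suspicious_archive_members(email.message_from_bytes(raw, policy=policy.default))

def build_sample_message(with_exe=True):
    """Constructed sample mimicking the spam above: a ZIP 'letter' that really holds
    info.exe. The member content is an inert placeholder, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info.exe" if with_exe else "letter.txt", b"inert placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "get back to my office for more details"
    msg.set_content("Please extract and read the attached letter.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="letter.zip")
    return msg

if __name__ == "__main__":
    print(scan_raw(build_sample_message().as_bytes()))  # ['letter.zip:info.exe']
```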


Nov 2
by Nino Penoliar (Anti-spam Research Engineer)

With Christmas just right around the corner, spammers are already flooding users’ inboxes with unwanted email. No surprises there. Spammers are known to exploit the holidays to further their malicious causes.

Just recently, Trend Micro threat analysts found another spammed message that claimed to be a “replication specialist” and enticed users to buy replica products like watches, handbags, and jewelry at discounted prices.

The email can bear any of the following subjects:

  • Better early than late
  • New models are here
  • Quantities are low
  • Reminder
  • Some supplies are low

Moreover, the email also encourages users to place their orders before November 1 because of limited supplies. Clicking the URL in the email message leads users to a fraudulent site that sells expensive imitation products. The email messages used various URLs, though all of them pointed to the same landing page. As early as September, Trend Micro had already alerted users to holiday-themed spam.

As usual, users are advised not to buy any product offered by spammers. Trend Micro protects users from this attack through the Smart Protection Network. Users of non-Trend Micro products can use free tools like eMail ID to stay secure.



© Copyright 2009 Trend Micro Inc. All rights reserved.