Email regarding Facebook account update is a phish – part 2

MX Lab did intercepted  emails what appeared as Facebook phishing emails. The From address is obviously fake and not related to Facebook in any way. These come in with the subjects: Facebook Account Update Facebook Update Tool new login system But now we did managed to get a working host where the supposed phishing site was hosted. We have visited htxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxxemail= This e-mail address is being protected from spambots. You need JavaScript enabled to view it and [...]


MX Lab did intercepted  emails what appeared as Facebook phishing emails.

The From address is obviously fake and not related to Facebook in any way. These come in with the subjects:

Facebook Account Update
Facebook Update Tool
new login system

But now we did managed to get a working host where the supposed phishing site was hosted. We have visited htxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx&email= This e-mail address is being protected from spambots. You need JavaScript enabled to view it and got the login screen.

When filling in dummy login and password we got redirected to the following screen and to our suprise we didn’t found a webform to submit personal details but instead a link to a malware file updatetool.exe.

This malware is known as Gen:Trojan.Heur.Zbot.gq0@cS0Ulyb (BitDefender), PWS:Win32/Zbot.gen!R (Microsoft) or Mal/EncPk-LE (Sophos). As you may know by know, ZBot is a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system. Hidden files are being created: %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll all together with a hidden directory %System%\lowsec.

New memory pages created in the address space of the system process(es): %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe, %System%\alg.exe adn %ProgramFiles%\internet explorer\iexplore.exe.

Windows registry modification are also part of the infection and a connection to a remote host will be established: hxxp://193.104.27.42/lcc/ip2.gif and hxxp://193.104.27.42/ip.php.

Virus Total permlink and MD5: 1ccbe2c88bbaeb8a72ca0ef7e5e51738. It is detected by only 17 of the 41 AV engines at Virus Total.


Read Full Article
Written on Saturday, 31 October 2009 22:50 by

Viewed 59 times so far.
Like this? Tweet it to your followers!
Published in Subscribe to the RSS feed of Network Security & Hacking News  Network Security & Hacking News / Subscribe to the RSS feed of Latest Security News  Latest Security News
Like this? Let your friends know now!

Rate this article

Latest articles from

Latest 'tweets' from GovernmentSecurity

  • News Update: Cyber war is coming, the impact could be huge: CBS News reports that cyber.. http://bit.ly/1tx1kr | #Security Link Monday, 09 November 2009 07:35
  • News Update: Tenable Network #Security Podcast - Episode 11: Welcome to the Tenable Netw.. http://bit.ly/2Iqd6G | Security Link Monday, 09 November 2009 07:35
  • News Update: Consent will be required for cookies in Europe: EDITORIAL: A law that dema.. http://bit.ly/3JYgip | #Security Link Monday, 09 November 2009 07:35
  • News Update: CBS 60 Minutes tackles cyber-terrorism: Could hackers get into the compute.. http://bit.ly/2d5Y21 | #Security Link Monday, 09 November 2009 07:35
  • Blog Update: We have launched the new GovernmentSecurity.org: We decided to launch th.. http://bit.ly/2G1SSF | #Security Link Saturday, 07 November 2009 17:38
blog comments powered by Disqus
back to top

Site Search

Disqus Tools