Sophos Cloud Optix
SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient.
The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse.
Subject lines used in the spammed-out malware campaign include:
- RE:Check the attachment you have to react somehow to this picture
- FW:Check the attachment you have to react somehow to this picture
- RE:You HAVE to check this photo in attachment man
- RE:They killed your privacy man your photo is all over facebook! NAKED!
- RE:Why did you put this photo online?
The message bodies contained inside the email can also vary. Here are some examples:
- Hi there ,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.
- Hi there ,
I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than i thought about you man :)))).
- Excuse me,
But i really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.
You can imagine how some people would react if they received a message like this in their email. Many might open the attachment out of curiousity (or even with trepidation that a private photo had leaked onto the internet!) and end up having their Windows computer infected as a result.
Sophos products protect users against the threat, detecting it as Troj/Bredo-VV and Mal/BredoZp-B.
The Bredo Trojan is nothing new, and we regularly see variants of it spammed out widely across the internet using a variety of social engineering lures to trick users into opening the dangerous attachment.
Keep your wits about you, and your anti-virus up-to-date, and you should have little to fear.
Just got it. Trend Micro is not detecting it.
I stopped feeling sorry for people who still fall for this crap a long time ago – especially the "It doesn't matter 'cause I have a Mac" people. Ugh. Let 'em find out the hard way.
How about, "It doesn't matter because I have a Mac running Sophos Anti-Virus, I don't use Facebook, and I don't open stupid messages like the ones shown above."
Of course, the same is true when I work on a PC with a good anti-virus application and up-to-date software patches and virus definitions. I don't do stupid things there either.
It has nothing to do with one's operating system. I don't understand why ANYONE would think they're immune to malware in this day and age…well, other than sheer irresponsibility. If you think that characteristic is limited to Mac users, you should check your assumptions.
Can you upload to virustotal? I am curious the detection rate.
I knew it that Graham Cluley was in the illuminati hence the 1 eye picture.
Sheez! Dump Facebook and be done with it. I have been viewing Sophos for several years.without seeing a single Facebook scam. However, within the past year, not many days go by without a scam or two. Gullible folks should not be involved in social sites.
Also, I'm weary of the ignorant celebs whining about their naked photos appearing on sites without their knowledge, Well, why do have those photos on their phones. Surely they are sharing with someone..
Had a couple of these coming through normal email. Latest one from;
Evan Jennings <questioningh10@fiemg.com.br>
Text field states "Excuse me ,
But I really need to ask you – is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter… The question is is it really you???.
Conatined a IMG 0962 zip attached file which contaned a Troj/DwnLdr-JXD
The variation I got was this "but this chick looks a lot like your ex-gf. "
Kind of odd… as I am a GIRL!
The warning message popped up with this: Virus scan did not complete.
Virus detected. So I didn't.
Ugh 'Ive had two this week. Warning to anyone out there. If u get a suspect email, just copy and paste it into a search engine and see what comes up. You will usually find forums mentioning them. WHY do people do this?
A FB friend’s account sent this ZIP to me via FB private message. I asked her if she sent it. She said no, but that she had had others complain.
I told her to reset her FB password and check APP permissions. She says she does not allow any apps.
I sandboxed the zip in a Virtual Linux instance with no access to local machine and looked at the zip contents. Not an expert other than recognizing a JAR file and some JS the meant nothing to to me.
What can she do so that her FB will stop sending the messages and is her computer infected?