Another spam run of Zbot messages is going out as this is written.
As in previous posts, we find that the end game is to install password-stealing components. Some of the subject lines look like:
“FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by __insert name here__)”
“FaceBook message: facebook members Dancing In Striptease (Last rated by __name here__)”
“FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by __name here__)”
The message content includes text like:
“You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 21, 2009! We’re absolutely shocked!”. Proceed to view full video message: hxxp://facebook.xxx.xxx(dot)personalid-aa(dot)management(dot)324uptdate(dot)com/home.htm?/logon/application=999”
Clicking on the link redirects the user’s browser to another set of sites hosting a video, which prompt the user to download and install Flash_Adobe11.exe. Don’t bother; it’s still not the real Flash Player. Instead, Zbot malware is installed. Here is a censored screenshot of one of the attacking sites:
ThreatFire is preventing the malware from running on a fair number of community systems right now. Do not run Flash_Adobe11.exe from these sites.
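A mail filter can key on the two traits visible in the samples above: the fixed subject template, and a link whose host carries "facebook" as a label on a domain that is not Facebook's. The following is an added example, not code from the original post or from ThreatFire; the function names, the `BRAND_DOMAINS` allow-list and the last-two-labels shortcut are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Subject template shared by the three samples quoted in the post.
SUBJECT_RE = re.compile(r"^FaceBook message: .+\(Last rated by .+\)$")
BRAND = "facebook"
BRAND_DOMAINS = {"facebook.com"}  # assumption: domains accepted as genuine


def refang(url):
    """Undo hxxp / (dot) defanging so the URL can be parsed (it is never fetched)."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("(dot)", ".")


def brand_in_foreign_host(url):
    """True when 'facebook' is a host label but the site is not under facebook.com.

    Assumption: the registrable domain is the last two labels; a production
    filter would consult the Public Suffix List instead.
    """
    host = (urlsplit(refang(url)).hostname or "").lower()
    labels = host.split(".")
    return BRAND in labels and ".".join(labels[-2:]) not in BRAND_DOMAINS


def score_message(subject, body):
    """Return which of the campaign's traits a message shows."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject-template")
    urls = re.findall(r"h(?:tt|xx)ps?://\S+", body, flags=re.I)
    if any(brand_in_foreign_host(u) for u in urls):
        hits.append("brand-in-foreign-host")
    return hits


# Constructed sample: subject and link follow the post's quotes; the rater name is made up.
SAMPLE_SUBJECT = "FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by Jane Doe)"
SAMPLE_BODY = ("You have 1 Personal Message: Proceed to view full video message: "
               "hxxp://facebook.xxx.xxx(dot)personalid-aa(dot)management(dot)324uptdate(dot)com"
               "/home.htm?/logon/application=999")

if __name__ == "__main__":
    print(score_message(SAMPLE_SUBJECT, SAMPLE_BODY))
```

A message that matches both traits is a strong candidate for quarantine; either one alone is better treated as a signal to combine with other checks.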