FYI...
ZBOT targets Facebook again (with SPAM)
- http://blog.trendmicro.com/zbot-targets-facebook-again/
Dec. 15, 2009 - "ZBOT has currently been spotted engaging in another spam run targeting Facebook yet again. By clicking the link embedded in the email, users will land on a Facebook phishing page. This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS. For users of Firefox, the toolkit will push a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) to exploit a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT is still left with the social engineering aspect. After a user enters credentials into the phishing page, the user is led to a download page of updatetool.exe -or- the ZBOT binary (detected as TSPY_ZBOT.CCB)..."
(Screenshot available at the URL above.)
DHL - SPAM appears to have come from known courier DHL
- http://blog.trendmicro.com/bredolab-regifts-old-spam/
Dec. 15, 2009 - "BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message appears to have come from known courier, DHL. The spammed message makes it appear as though the users have received a notification from DHL, alerting them about an error in shipping a certain package. The message also prompts the users to open an attached file. The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB. The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well within that part of the holiday season where most people do their gift shopping. People who may have purchased a laptop online and are expecting it to come through the mail are prone to being victimized by this attack..."
(Screenshot available at the URL above.)