New spam: Your bank has failed, download this Trojan

October 27, 2009, 8:36 PM — Spam that tells victims their bank has failed urges them to on a link that will tell if their accounts are insured but that really tries to trick them into downloading a Trojan that will turn their machine into a bot.

If they download Zbot Trojan, it will take over the computer and have it send out more of the spam, says M86 in a security blog. 

The spam is addressed as if it comes from the Federal Deposit Insurance Corp. (FDIC), but it’s not. “Recipients should consider the intent of this e-mail as an attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to on-line banking services or to conduct identity theft,” the FDIC says in a warning. The agency says it doesn't send out any unsolicited e-mails.

The link to the bogus FDIC site starts with www.fdic.gov, but it later contains a null character followed by the actual domain name, says Bradley Anstis, vice president of technology strategy at M86.

The FDIC spam is being sent by the Pushdo botnet, which has also recently been distributing a similar ruse having to do with the IRS and Michael Jackson, M86 says. 

M86 says it has seen these subject lines on the FDIC spam: FDIC alert: check your Bank Deposit Insurance Coverage; FDIC has officially named your bank a failed bank; and You need to check your Bank Deposit Insurance Coverage.

Pushdo is also mailing a new Facebook-password ruse. The “From” field of the e-mail says “The Facebook Team” and urges recipients to open a zipped attachment that contains their new Facebook password. Their old password has been changed “to provide safety”, the spam says. The zipped file really contains the malicious Bredolab downloader, which downloads Pushdo and turns the victim’s machine into a bot that starts spamming more of the Facebook e-mails.

Because of its enormous membership, Facebook is the target of many scams, including ones to use the social networking site as a means to distribute malware.

Pushdo is the second most active bot, responsible for 29.4% of all spam behind Rustock, which is responsible for 37.8%, according to M86. The two go back and forth for first place, Anstis says.