Botnet continues massive H1N1 malware campaign

Zbot attack remains biggest e-mail threat, says researcher

A massive spam campaign that poses as a message from the Centers for Disease Control (CDC) asking people to register for H1N1 vaccinations remains a big problem today, a security researcher said.

The messages lead unwary users to a convincing-looking CDC site where they're asked to create a profile in order to receive a vaccination for the swine flu , which has made headlines for both its aggressive spread and a lack of vaccine. The site urges users to download a vaccination profile archive, and includes a link to that download.

Clicking on the link, however, actually downloads and installs a new variant of the "Zbot" Trojan horse. Called "Zeus" by some security companies, the malware is a bot Trojan that hijacks the Windows PC for nefarious activities, including sending more spam.

Tuesday, when the bogus CDC messages began hitting inboxes, several e-mail security firms said they were seeing an enormous number of messages hit their filters. Florida-based AppRiver, for example, said the campaign averaged about 18,000 messages per minute, or about 1.1 million per hour.

Today, AppRiver is seeing fewer messages -- about 9,500 a minute -- but still characterized the campaign as "very high volume" and the biggest malware-oriented run currently reaching its customers.

"It's slowed slightly," said Troy Gill, a security researcher with AppRiver today. "We've blocked approximately 13 million messages in the past 24 hours, but it's still the most predominant virus/phishing campaign right now."

The Zbot Trojan being distributed is a new variant that yesterday went undetected by 37 of 41 anti-virus detection engines, said Gill. "Today, 21 out of 41 are recognizing it," he said.

The fake CDC site also has a backup attack plan in place for those people cautious enough not to click on the link. The site includes an IFRAME -- a small invisible element on the page that contains attack code -- that exploits recent Adobe Software vulnerabilities, said Gill. "The hidden IFRAME has some references to Adobe [Reader] and Flash [Player] exploits," Gill said.

Adobe has patched Reader and Flash Player several times this year, as its popular applications have increasingly become targets for attackers frustrated by their inability to exploit Windows. The most recent Adobe Reader update, for instance, patched 29 vulnerabilities in the PDF viewer. The October update was the fourth this year that plugged a hole already being used by hackers.

Zbot is an especially active collection of compromised computers -- called a "botnet" in security parlance -- said Gill. "It's been the No. 1 botnet for months, at least as far as malicious activity," he noted.

Last month, a British couple were arrested by police and accused of using Zbot, or Zeus, to steal online banking account usernames and passwords. The Trojan can be crafted from a toolkit sold on the hacker black market.

According to rival security company McAfee , the fake CDC site is being hosted on servers located in Argentina, Chile, Colombia, Brazil, India and Malaysia.

Messages arrive bearing subject lines such as "State Vaccination H1N1 Program, "Governmental registration program on the H1N1 vaccination" and "Create your personal Vaccination Profile," McAfee added.

Tags H1N1botnetsswine flumalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?