Botnet continues massive H1N1 malware campaign

Zbot attack remains biggest e-mail threat, says researcher

A massive spam campaign that poses as a message from the Centers for Disease Control (CDC) asking people to register for H1N1 vaccinations remains a big problem today, a security researcher said.

The messages lead unwary users to a convincing-looking CDC site where they're asked to create a profile in order to receive a vaccination for the swine flu , which has made headlines for both its aggressive spread and a lack of vaccine. The site urges users to download a vaccination profile archive, and includes a link to that download.

Clicking on the link, however, actually downloads and installs a new variant of the "Zbot" Trojan horse. Called "Zeus" by some security companies, the malware is a bot Trojan that hijacks the Windows PC for nefarious activities, including sending more spam.

Tuesday, when the bogus CDC messages began hitting inboxes, several e-mail security firms said they were seeing an enormous number of messages hit their filters. Florida-based AppRiver, for example, said the campaign averaged about 18,000 messages per minute, or about 1.1 million per hour.

Today, AppRiver is seeing fewer messages -- about 9,500 a minute -- but still characterized the campaign as "very high volume" and the biggest malware-oriented run currently reaching its customers.

"It's slowed slightly," said Troy Gill, a security researcher with AppRiver today. "We've blocked approximately 13 million messages in the past 24 hours, but it's still the most predominant virus/phishing campaign right now."

The Zbot Trojan being distributed is a new variant that yesterday went undetected by 37 of 41 anti-virus detection engines, said Gill. "Today, 21 out of 41 are recognizing it," he said.

The fake CDC site also has a backup attack plan in place for those people cautious enough not to click on the link. The site includes an IFRAME -- a small invisible element on the page that contains attack code -- that exploits recent Adobe Software vulnerabilities, said Gill. "The hidden IFRAME has some references to Adobe [Reader] and Flash [Player] exploits," Gill said.

Adobe has patched Reader and Flash Player several times this year, as its popular applications have increasingly become targets for attackers frustrated by their inability to exploit Windows. The most recent Adobe Reader update, for instance, patched 29 vulnerabilities in the PDF viewer. The October update was the fourth this year that plugged a hole already being used by hackers.

Zbot is an especially active collection of compromised computers -- called a "botnet" in security parlance -- said Gill. "It's been the No. 1 botnet for months, at least as far as malicious activity," he noted.

Last month, a British couple were arrested by police and accused of using Zbot, or Zeus, to steal online banking account usernames and passwords. The Trojan can be crafted from a toolkit sold on the hacker black market.

According to rival security company McAfee , the fake CDC site is being hosted on servers located in Argentina, Chile, Colombia, Brazil, India and Malaysia.

Messages arrive bearing subject lines such as "State Vaccination H1N1 Program, "Governmental registration program on the H1N1 vaccination" and "Create your personal Vaccination Profile," McAfee added.

Join the PC World newsletter!

Error: Please check your email address.

Tags botnetsH1N1malwareswine flu

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

ASUS ROG Swift PG279Q – Reign beyond virtual world

Learn more >

D-Link PowerLine AV2 2000 Gigabit Network Kit

Learn more >

Xiro Drone Xplorer V -3 Axis Gimbal & 1080p Full HD 14MP Camera

Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Crucial® BX200 SATA 2.5” 7mm (with 9.5mm adapter) Internal Solid State Drive

Learn more >

D-Link TAIPAN AC3200 Ultra Wi-Fi Modem Router (DSL-4320L)

Learn more >

Gadgets & Things


Learn more >

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

ASUS VivoPC VM62 - Incredibly Powerful, Unbelievably Small

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Stocking Stuffer

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Lexar Professional 2000x SDHC™/SDXC™ UHS-II cards

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Best Deals on PC World

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?