Botnet continues massive H1N1 malware campaign

Zbot attack remains biggest e-mail threat, says researcher

A massive spam campaign that poses as a message from the Centers for Disease Control (CDC) asking people to register for H1N1 vaccinations remains a big problem today, a security researcher said.

The messages lead unwary users to a convincing-looking CDC site where they're asked to create a profile in order to receive a vaccination for the swine flu , which has made headlines for both its aggressive spread and a lack of vaccine. The site urges users to download a vaccination profile archive, and includes a link to that download.

Clicking on the link, however, actually downloads and installs a new variant of the "Zbot" Trojan horse. Called "Zeus" by some security companies, the malware is a bot Trojan that hijacks the Windows PC for nefarious activities, including sending more spam.

Tuesday, when the bogus CDC messages began hitting inboxes, several e-mail security firms said they were seeing an enormous number of messages hit their filters. Florida-based AppRiver, for example, said the campaign averaged about 18,000 messages per minute, or about 1.1 million per hour.

Today, AppRiver is seeing fewer messages -- about 9,500 a minute -- but still characterized the campaign as "very high volume" and the biggest malware-oriented run currently reaching its customers.

"It's slowed slightly," said Troy Gill, a security researcher with AppRiver today. "We've blocked approximately 13 million messages in the past 24 hours, but it's still the most predominant virus/phishing campaign right now."

The Zbot Trojan being distributed is a new variant that yesterday went undetected by 37 of 41 anti-virus detection engines, said Gill. "Today, 21 out of 41 are recognizing it," he said.

The fake CDC site also has a backup attack plan in place for those people cautious enough not to click on the link. The site includes an IFRAME -- a small invisible element on the page that contains attack code -- that exploits recent Adobe Software vulnerabilities, said Gill. "The hidden IFRAME has some references to Adobe [Reader] and Flash [Player] exploits," Gill said.

Adobe has patched Reader and Flash Player several times this year, as its popular applications have increasingly become targets for attackers frustrated by their inability to exploit Windows. The most recent Adobe Reader update, for instance, patched 29 vulnerabilities in the PDF viewer. The October update was the fourth this year that plugged a hole already being used by hackers.

Zbot is an especially active collection of compromised computers -- called a "botnet" in security parlance -- said Gill. "It's been the No. 1 botnet for months, at least as far as malicious activity," he noted.

Last month, a British couple were arrested by police and accused of using Zbot, or Zeus, to steal online banking account usernames and passwords. The Trojan can be crafted from a toolkit sold on the hacker black market.

According to rival security company McAfee , the fake CDC site is being hosted on servers located in Argentina, Chile, Colombia, Brazil, India and Malaysia.

Messages arrive bearing subject lines such as "State Vaccination H1N1 Program, "Governmental registration program on the H1N1 vaccination" and "Create your personal Vaccination Profile," McAfee added.

Join the PC World newsletter!

Error: Please check your email address.

Tags botnetsH1N1malwareswine flu

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?