Botnet continues massive H1N1 malware campaign

Zbot attack remains biggest e-mail threat, says researcher

A massive spam campaign that poses as a message from the Centers for Disease Control (CDC) asking people to register for H1N1 vaccinations remains a big problem today, a security researcher said.

The messages lead unwary users to a convincing-looking CDC site where they're asked to create a profile in order to receive a vaccination for the swine flu, which has made headlines for both its aggressive spread and a lack of vaccine. The site urges users to download a vaccination profile archive, and includes a link to that download.

Clicking on the link, however, actually downloads and installs a new variant of the "Zbot" Trojan horse. Called "Zeus" by some security companies, the malware is a bot Trojan that hijacks the Windows PC for nefarious activities, including sending more spam.

Tuesday, when the bogus CDC messages began hitting inboxes, several e-mail security firms said they were seeing an enormous number of messages hit their filters. Florida-based AppRiver, for example, said the campaign averaged about 18,000 messages per minute, or about 1.1 million per hour.

Today, AppRiver is seeing fewer messages -- about 9,500 a minute -- but still characterized the campaign as "very high volume" and the biggest malware-oriented run currently reaching its customers.

"It's slowed slightly," said Troy Gill, a security researcher with AppRiver today. "We've blocked approximately 13 million messages in the past 24 hours, but it's still the most predominant virus/phishing campaign right now."

The Zbot Trojan being distributed is a new variant that yesterday went undetected by 37 of 41 anti-virus detection engines, said Gill. "Today, 21 out of 41 are recognizing it," he said.

The fake CDC site also has a backup attack plan in place for those people cautious enough not to click on the link. The site includes an IFRAME -- a small invisible element on the page that contains attack code -- that exploits recent Adobe Software vulnerabilities, said Gill. "The hidden IFRAME has some references to Adobe [Reader] and Flash [Player] exploits," Gill said.

Adobe has patched Reader and Flash Player several times this year, as its popular applications have increasingly become targets for attackers frustrated by their inability to exploit Windows. The most recent Adobe Reader update, for instance, patched 29 vulnerabilities in the PDF viewer. The October update was the fourth this year that plugged a hole already being used by hackers.

Zbot is an especially active collection of compromised computers -- called a "botnet" in security parlance -- said Gill. "It's been the No. 1 botnet for months, at least as far as malicious activity," he noted.

Last month, a British couple were arrested by police and accused of using Zbot, or Zeus, to steal online banking account usernames and passwords. The Trojan can be crafted from a toolkit sold on the hacker black market.

According to rival security company McAfee, the fake CDC site is being hosted on servers located in Argentina, Chile, Colombia, Brazil, India and Malaysia.

Messages arrive bearing subject lines such as "State Vaccination H1N1 Program, "Governmental registration program on the H1N1 vaccination" and "Create your personal Vaccination Profile," McAfee added.

Join the discussion
Be the first to comment on this article. Our Commenting Policies