Botnet continues massive H1N1 malware campaign
Zbot attack remains biggest e-mail threat, says researcher
Computerworld - A massive spam campaign that poses as a message from the Centers for Disease Control (CDC) asking people to register for H1N1 vaccinations remains a big problem today, a security researcher said.
The messages lead unwary users to a convincing-looking CDC site where they're asked to create a profile in order to receive a vaccination for the swine flu, which has made headlines for both its aggressive spread and a lack of vaccine. The site urges users to download a vaccination profile archive, and includes a link to that download.
Clicking on the link, however, actually downloads and installs a new variant of the "Zbot" Trojan horse. Called "Zeus" by some security companies, the malware is a bot Trojan that hijacks the Windows PC for nefarious activities, including sending more spam.
Tuesday, when the bogus CDC messages began hitting inboxes, several e-mail security firms said they were seeing an enormous number of messages hit their filters. Florida-based AppRiver, for example, said the campaign averaged about 18,000 messages per minute, or about 1.1 million per hour.
Today, AppRiver is seeing fewer messages -- about 9,500 a minute -- but still characterized the campaign as "very high volume" and the biggest malware-oriented run currently reaching its customers.
"It's slowed slightly," said Troy Gill, a security researcher with AppRiver today. "We've blocked approximately 13 million messages in the past 24 hours, but it's still the most predominant virus/phishing campaign right now."
The Zbot Trojan being distributed is a new variant that yesterday went undetected by 37 of 41 anti-virus detection engines, said Gill. "Today, 21 out of 41 are recognizing it," he said.
The fake CDC site also has a backup attack plan in place for those people cautious enough not to click on the link. The site includes an IFRAME -- a small invisible element on the page that contains attack code -- that exploits recent Adobe Software vulnerabilities, said Gill. "The hidden IFRAME has some references to Adobe [Reader] and Flash [Player] exploits," Gill said.
Adobe has patched Reader and Flash Player several times this year, as its popular applications have increasingly become targets for attackers frustrated by their inability to exploit Windows. The most recent Adobe Reader update, for instance, patched 29 vulnerabilities in the PDF viewer. The October update was the fourth this year that plugged a hole already being used by hackers.
Zbot is an especially active collection of compromised computers -- called a "botnet" in security parlance -- said Gill. "It's been the No. 1 botnet for months, at least as far as malicious activity," he noted.
Last month, a British couple were arrested by police and accused of using Zbot, or Zeus, to steal online banking account usernames and passwords. The Trojan can be crafted from a toolkit sold on the hacker black market.
According to rival security company McAfee, the fake CDC site is being hosted on servers located in Argentina, Chile, Colombia, Brazil, India and Malaysia.
Messages arrive bearing subject lines such as "State Vaccination H1N1 Program, "Governmental registration program on the H1N1 vaccination" and "Create your personal Vaccination Profile," McAfee added.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Logicalis eBook: SAP HANA: The Need for Speed Without timely business insights, organizations today can suffer logistical, manufacturing, and even financial disaster in a matter of minutes
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cybercrime and Hacking White Papers | Webcasts