H1N1 Vaccination Profile – A path to infection
Tuesday December 1, 2009 at 3:37 pm CST
Posted by Adam Wosotowsky
On December 1st McAfee Labs detected an outbreak of a spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.
This email has been associated with the following subjects, but there are likely to be more as the campaign progresses:
Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
Creation of your personal Vaccination Profile
These emails contain a url that points to a website which urges the victim to download a vaccination profile archive:
The link is an executable that installs a VERY recent Zeus trojan variant. Zeus is an easy-to-use tool for constructing trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detects this strain (7/41 engines detected it according to VirusTotal, and McAfee had 2 of those 7 engines).
The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicate that most of them were registered with a Belgium registrar at active24.be.
The DNS servers that are authoritative for the spam domains were purchased from a Chinese registrar “Xin Net Technologies”, but the DNS servers themselves are being hosted from locations in the US, Japan and Hong Kong. We even see some of the dns servers being used as previously having been associated with sending spam mail for the Cutwail botnet, which has been known to use the Zeus Trojan. This could indicate the possibility that some the dns servers themselves may simply be infected hosts.
These hostnames are associated with 135 distinct IP addresses associated with the websites hosting the Trojan, which stem from all over the world and appear to be dsl accounts.
The primary countries hosting the websites at the time of this writing are in Colombia, Brazil, India, Malaysia, Chile and Argentina.
Stay updated and stay safe!!
December 2nd, 2009 at 10:28
this cdc spam is more dangerous than it looks.
you should warn your readers that this spam run, like the recent facebook and irs runs, contains a hidden iframe on the first page pictured. the first iframe will open a russian site that contains two more iframes, one a boobytrapped pdf and the other a javascript infector. these try to do a drive-by malware install via adobe exploits. the nested “russian doll” iframe within iframe nature of this seems to sneak past many current filters.
if you’re careless and your patches are not fully up to date, a curious click on the link in the spam can Hurt you.
put this one firmly in the “delete before reading” category.
December 2nd, 2009 at 12:13
[...] the "Centers for Disease Control and Prevention (CDC)," according to a screen shot in McAfee’s post. Subject lines vary, but might be "Your personal Vaccination Profile" or [...]
December 3rd, 2009 at 08:36
[...] McAfee example of the swine flu email: http://www.avertlabs.com/research/blog/index.php/2009/12/01/h1n1-vaccination-profile-a-path-to-infec... [...]
December 7th, 2009 at 10:39
[...] mentioned on McAfee Labs blog, the email might be received with the following subjects and it is expected to have different [...]
December 8th, 2009 at 09:49
[...] Comments Trackback We recently alerted our readers to spam campaigns using the H1N1 vaccination program to prompt recipients to open the mail. And we have frequently mentioned that crooks love to take [...]