Thursday, December 3, 2009

EMAIL VIRUS ALERT : h1n1 info from CDC

« on: December 02, 2009, 10:36:53 AM »
Reply with quoteQuote

(one of our IT Vendors) just sent me a courtesy email saying they are getting blitzed with calls from their customers today who have been infected with a virus. Apparently the virus spreads via an official looking email from the Centers for Disease Control with information about the H1N1 virus, and is causing a lot of trouble today for many businesses.

Just a heads up. This appears to be a real virus not a socially engineered spam courtesy spreader.

Thank you.


AV Lab’s honeypots have just started catching new malware seeding campaigns leveraging vaccination profiles for the H1N1 virus.

The message is sent as a notification from the “Centers for Disease Control and Prevention (CDC)”. Because the sender’s email is spoofed and because the URL leading to the rogue website contains a “gov” subdomain, which can be mistaken for the top-level domain, the message may seem plausible to many people.

Here is what the email looks like:

From: "Centers for Disease Control and Prevention (CDC)"
Sent: Tue, 1 Dec 2009 23:37:46 +0800
To: [removed]
Subject: Creation of your personal Vaccination Profile

You have received this e-mail because of the launching of State Vaccination H1N1 Program.

You need to create your personal H1N1 (swine flu) Vaccination Profile on the website.
The Vaccination is not obligatory, but every person that has reached the age of 18 has to have
his personal Vaccination Profile on the site. This profile has to be created both for
the vaccinated people and the not-vaccinated ones. This profile is used for the registering system
of vaccinated and not-vaccinated people.

Create your Personal H1N1 Vaccination Profile using the link:

Create Personal Profile (link to[removed])And here is a screenshot of the rogue site:

Of course, the “Archive” (see “Download Archive” link) is in fact a Trojan horse.

Pay attention to those ever-going social-engineering attempts leveraging news items. Of course, this one is easily defeated by the fact the “vaccination profile” is an executable file, which is unlikely for an archive (although possible), especially sent by an official organization.

But when the malicious bits are embedded in actual documents (.pdf, .doc, .xls, etc.), it can sometimes be challenging to separate the wheat from the chaff…

Fortinet detects the downloaded file as W32/Vacc.A!tr

No comments:

Post a Comment