Early yesterday morning, security vendor AppRiver started to notice a boom in H1N1 related Spam. The emails, which purport to come from the CDC, lead directly to an interesting variant of the Kryptik family of Malware.
Fake CDC warning and H1N1 fear being used to spread Malware. (Image: J. Anderson)
So far, AppRiver has noted that the emails are being blasted at a rate of 18,000 per minute, or well over 1 million per hour. The emails tell you that you are a part of a “State Wide H1N1 Vaccination Program” and ask that you create a vaccination profile on the CDC website.
[Note: Earlier this morning AppRiver sent the following: "AppRiver is currently intercepting 10,000 messages a minute and has successfully blocked more than 12 million messages within the last 24 hours."]
“The link provided in the email takes you to a very convincing looking imitation of a CDC web page where you are given a temporary ID and a link to your ‘vaccination profile’,” noted AppRiver.
“The link is in fact…an executable file that contains a copy of a Trojan most commonly identified as xpack or Kryptik…once installed on your PC, this Trojan will create a security-free gateway on your system and will proceed to download and install additional Malware without your authorization. It also enables a remote hacker to take complete control of your computer.” Adding to this is a warning from Symantec that some of the fake CDC profile pages use Iframes in an attempt to load Adobe related exploits.
The Iframe links to a Ukrainian website and checks for unpatched Adobe installations. If discovered, those unpatched installs are hijacked and Malware is delivered to the system. Symantec would not comment on the Malware delivered via the Iframe exploit or if it was related to the Kryptik installations.
It goes without saying that the CDC has no such program. In the event that such a program did exist, the CDC would use local media channels to alert the public, such as local TV news as well as print media such as the Indianapolis Star for those of you in Indianapolis.
The fear over H1N1 has caused panic on an impressive scale, and the lack of vaccinations in some areas has only fueled this fear. Information from the CDC on H1N1 vaccinations can be found here. The Tech Herald recently spoke to several medical professionals about the virus, and you can read that report here.
If there is more information on the Spam campaign pushing the false CDC alerts we’ll update this article.
Update 2:
The CDC has issued the following warning.
"CDC has received reports of fraudulent emails (phishing) referencing a CDC sponsored State Vaccination Program. The messages request that users must create a personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The message then states that anyone that has reached the age of 18 has to have his/her personal Vaccination Profile on the cdc.gov site. The CDC has NOT implemented a state vaccination program requiring registration on www.cdc.gov. Users that click on the email are at risk of having malicious code installed on their system."
Update:
Security vendor Webroot has the following information to add, which includes details on additional Malware.
"The URLs involved in the scheme all begin with the “hxxp://online.cdc.gov” — the “online.” subdomain is not used by the CDC — followed by a six- to seven-character random domain name and a non-.gov top-level domain," said Andrew Brandt of Webroot.
"There’s a link labeled “Download Archive (130Kb)” that, when you click it, pulls down the ZBot installer from the malicious server. The file name is vacc_profile.exe. Please don’t execute this file if you happen to download it," he added.
Brandt notes that ZBot will target several popular Windows FTP and SCP client applications, including SmartFTP, WSFTP, FlashFXP, CoreFTP, FTP Commander, Total Commander, WinSCP, FileZilla, and FAR Manager. Once stolen, the passwords are used to hijack other servers and accounts online and push the Malware further.
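The URL pattern Brandt describes, a hostname that starts with "online.cdc.gov" but whose registrable domain is a random name under a non-.gov TLD, is a lookalike-domain trick that a mail gateway or proxy can flag generically. The following is an added example, not code from the article, AppRiver or Webroot: it defangs "hxxp://" notation, extracts the hostname, and reports any host that embeds a protected brand domain as a label sequence while its own registrable domain is something else. The sample URLs and the ".example" domains are constructed for illustration; the registrable-domain logic uses the last two labels only (no public-suffix list), which is an assumption that holds for .gov and .com but not for suffixes like co.uk.

```python
"""Flag URLs whose hostname impersonates a protected domain such as cdc.gov.

Added example for the Webroot description above: hosts shaped like
online.cdc.gov.<random>.<tld> contain "cdc.gov" as labels, but their
registrable domain is "<random>.<tld>", not cdc.gov. The check below
covers that general case rather than one hard-coded pattern.
"""
from urllib.parse import urlsplit

# Brand domains to protect from lookalike impersonation (assumption: cdc.gov only).
PROTECTED_DOMAINS = ("cdc.gov",)


def normalise_url(url: str) -> str:
    """Turn defanged 'hxxp(s)://' notation back into a parseable scheme."""
    lowered = url.strip().lower()
    if lowered.startswith("hxxp://"):
        return "http://" + lowered[len("hxxp://"):]
    if lowered.startswith("hxxps://"):
        return "https://" + lowered[len("hxxps://"):]
    return lowered


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Simplification (assumption): no public-suffix list is consulted, so
    multi-part suffixes such as co.uk are not handled correctly.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a single URL."""
    host = urlsplit(normalise_url(url)).hostname or ""
    reg = registrable_domain(host)
    for protected in PROTECTED_DOMAINS:
        if reg == protected:
            return "legitimate"
        # The brand appears as a complete label sequence inside the host,
        # but the registrable domain differs: the pattern Webroot describes.
        if f".{protected}." in f".{host}.":
            return "lookalike"
    return "unrelated"


# Constructed sample URLs; the .example hosts are not real indicators.
SAMPLE_URLS = [
    "https://www.cdc.gov/h1n1flu/vaccination/",
    "hxxp://online.cdc.gov.abcd123.example/profile/",
    "hxxp://online.cdc.gov.xyz9876.example/vacc_profile.exe",
    "http://news.example.org/h1n1",
]


def scan(urls):
    """Pair every URL with its verdict."""
    return [(u, classify_url(u)) for u in urls]


def lookalikes(urls):
    """Only the URLs that impersonate a protected domain."""
    return [u for u in urls if classify_url(u) == "lookalike"]


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS):
        print(f"{verdict:10s} {url}")
```

Because the check keys on the registrable domain rather than on the literal "online.cdc.gov" prefix, it also catches variants that drop the "online." label or that use a different random name, which is why a gateway rule should be written this way rather than as a fixed string match.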