Security Response

Zeus Trojan Catches Swine Flu

Created: 01 Dec 2009 18:53:34 GMT • Updated: 23 Jan 2014 18:30:57 GMT
Hon Lau

Piggybacking (pun intended) on the swine flu pandemic is the Zeus bot crew, whose latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page.
 
 
The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine.
 
 
 
The subject lines used in the emails are quite variable; for example, the following have been seen:

• Instructions on creation of your personal Vaccination Profile
• Governmental registration program on the H1N1 vaccination
• Your personal Vaccination Profile

 
The domain used in these email links has the format of online.cdc.gov.[RANDOM CHARS].[TLD NAME].im
 
For example:

• online.cdc.gov.yhnbad.com.im
• online.cdc.gov.yttt4r.org.im
• online.cdc.gov.yhnbam.co.im

 
As is usually the case with these campaigns, the URL that is supposed to be a document actually leads to an executable file. This one is named vacc_profile.exe and is detected by Symantec as Infostealer.Banker.C. Incidentally, the URL is also “personalized” with the email address of the recipient to make it look that little bit more authentic and less like mass-mailed spam.
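
An added example, not part of the original post: a Python check that a mail filter or analyst could run over links extracted from a message, flagging the traits described above (the trusted name used as a subdomain of an unrelated domain, the campaign's host format, an executable download, and the recipient's address embedded in the URL). The host names and file name come from the post; the URL paths, query string and recipient address are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

TRUSTED = "cdc.gov"  # the domain the lure imitates
# Host format given in the post: online.cdc.gov.[RANDOM CHARS].[TLD NAME].im
CAMPAIGN_HOST = re.compile(r"^online\.cdc\.gov\.[a-z0-9]+\.[a-z]+\.im$")
# Trusted name appearing as whole labels followed by further labels
EMBEDDED = re.compile(r"(^|\.)" + re.escape(TRUSTED) + r"\.")


def assess_link(url, recipient):
    """Return the reasons a link taken from an email resembles this lure."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []
    # A genuine host is the trusted domain itself or ends with ".cdc.gov".
    genuine = host == TRUSTED or host.endswith("." + TRUSTED)
    # The registrable domain is whatever sits on the right, so "cdc.gov"
    # on the left of an unrelated domain is only decoration.
    if not genuine and EMBEDDED.search(host):
        reasons.append("trusted-name-as-subdomain")
    if CAMPAIGN_HOST.match(host):
        reasons.append("campaign-host-format")
    # The link claims to be a profile/document but serves an executable.
    if unquote(parts.path).lower().endswith(".exe"):
        reasons.append("executable-download")
    # "Personalized" URLs carry the recipient's own address.
    if recipient and recipient.lower() in unquote(url).lower():
        reasons.append("recipient-address-in-url")
    return reasons


# Constructed sample links (paths and query strings are illustrative only).
SAMPLES = [
    "http://online.cdc.gov.yhnbad.com.im/profile/vacc_profile.exe?email=user%40example.com",
    "http://online.cdc.gov.yttt4r.org.im/",
    "https://www.cdc.gov/h1n1flu/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", assess_link(link, "user@example.com") or "no findings")
```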
 
Those who are concerned about H1N1 (swine flu) should read the information available from the legitimate CDC source.