Malware seeding campaign leveraging vaccination profiles for the H1N1 virus

by Karine de Ponteves
December 1, 2009 at 10:51 am

AV Lab’s honeypots have just started catching new malware seeding campaigns leveraging vaccination profiles for the H1N1 virus.

The message poses as a notification from the “Centers for Disease Control and Prevention (CDC)”. Because the sender address is spoofed and because the hostname of the link to the rogue site contains “cdc.gov” as a subdomain (the actual registered domain comes after it, so the “gov” label can be mistaken for the top-level domain), the message may seem plausible to many people.

Here is what the email looks like:

	From: "Centers for Disease Control and Prevention (CDC)" <info-mess-id:01203428med@cdcmails.gov>
	Sent: Tue, 1 Dec 2009 23:37:46 +0800
	To: [removed]@fortinet.com
	Subject: Creation of your personal Vaccination Profile

	You have received this e-mail because of the launching of State Vaccination H1N1 Program.

	You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website.
	The Vaccination is not obligatory, but every person that has reached the age of 18 has to have
	his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for
	the vaccinated people and the not-vaccinated ones. This profile is used for the registering system
	of vaccinated and not-vaccinated people.

	Create your Personal H1N1 Vaccination Profile using the link:

	Create Personal Profile (link to http://online.cdc.gov.yhnbad.[removed])
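The two tells described above, a sender domain that is not the one being impersonated and a link whose hostname merely embeds “cdc.gov” before the real registered domain, can be checked mechanically. The following is an added example (not code from the original post or from Fortinet), in Python, run over a constructed message modelled on the one quoted above; the hostname yhnbad.example, the address info@cdcmails.gov and the PROTECTED_DOMAINS list are assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the phish quoted above; the hostnames are
# placeholders, not the real campaign's infrastructure.
SAMPLE_EMAIL = """From: "Centers for Disease Control and Prevention (CDC)" <info@cdcmails.gov>
To: victim@example.com
Subject: Creation of your personal Vaccination Profile
Content-Type: text/plain

You need to create your personal H1N1 Vaccination Profile on the cdc.gov website.

Create Personal Profile: http://online.cdc.gov.yhnbad.example/profile
"""

# Assumption: the domains an organisation wants to protect against lookalikes.
PROTECTED_DOMAINS = {"cdc.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (e.g. 'yhnbad.example').

    Simplification: two labels is enough for .gov/.com; a real deployment
    consults the Public Suffix List so that hosts under co.uk etc. work.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embeds_domain(host: str, protected: str) -> bool:
    """True if the labels of `protected` appear consecutively inside `host`."""
    labels = host.lower().split(".")
    target = protected.lower().split(".")
    n = len(target)
    return any(labels[i:i + n] == target for i in range(len(labels) - n + 1))


def lookalike_hosts(urls, protected=PROTECTED_DOMAINS):
    """Flag URLs whose hostname contains a protected domain as a subdomain.

    'online.cdc.gov.yhnbad.example' embeds 'cdc.gov', but its registrable
    domain is 'yhnbad.example', so the link does not lead to the CDC at all.
    Returns (url, registrable_domain, impersonated_domain) tuples.
    """
    flagged = []
    for url in urls:
        host = urlparse(url).hostname or ""
        reg = registrable_domain(host)
        for p in protected:
            if reg != p and embeds_domain(host, p):
                flagged.append((url, reg, p))
    return flagged


def analyze(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and report the sender domain and lookalike links."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _display_name, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = URL_RE.findall(body)
    return {
        "sender_domain": registrable_domain(sender_host),
        "sender_trusted": registrable_domain(sender_host) in PROTECTED_DOMAINS,
        "lookalike_links": lookalike_hosts(urls),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

The sender check is only a weak signal on its own, since a From header is trivially forged; in a mail pipeline the SPF, DKIM and DMARC results are the authoritative inputs, and the link check is what actually catches the subdomain trick.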

And here is a screenshot of the rogue site:

[Screenshot of the rogue site: h1n1_2]

Of course, the “Archive” (see “Download Archive” link) is in fact a Trojan horse.

Pay attention to these ongoing social-engineering attempts that leverage news items. This one is easy to spot, because the “vaccination profile” offered as an archive is in fact an executable file, which is unlikely (though possible) for an archive, and all the more so for one sent by an official organization.

But when the malicious bits are embedded in actual documents (.pdf, .doc, .xls, etc.), it can sometimes be challenging to separate the wheat from the chaff…
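The distinction drawn in the two paragraphs above, an executable masquerading as an archive versus malicious content inside a genuine document, is the first thing a triage script should establish from the bytes rather than from the file name. The following is an added example (not code from the original post or from Fortinet), in Python: it compares the declared extension with the file's magic bytes, validates the PE header of anything that starts with MZ, and applies simple keyword heuristics to PDF and OLE (Office 97-2003) files. All byte samples are constructed inline and are not the real Trojan.

```python
import struct

# Constructed samples (not the real malware): a minimal PE header whose
# e_lfanew points at a "PE\0\0" signature, a ZIP local-file header, a PDF
# whose /OpenAction runs JavaScript, and an OLE2 compound-document signature.
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", 0x40) + b"PE\x00\x00"
ZIP_SAMPLE = b"PK\x03\x04" + b"\x00" * 26
PDF_SAMPLE = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
              b"%%EOF")
OLE_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

# Magic bytes -> container kind. Order matters only for prefix overlap.
MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",
}

# What a given extension is supposed to contain.
EXPECTED = {"zip": "zip", "rar": "rar", "pdf": "pdf",
            "doc": "ole", "xls": "ole", "exe": "pe"}

# PDF name objects that introduce active content. Real documents may encode
# these names with hex escapes (/J#61vaScript), which this plain scan misses.
PDF_RISKY = [b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile"]


def sniff(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_pe(data: bytes) -> bool:
    """True if the DOS stub's e_lfanew (offset 0x3C) points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(filename: str, data: bytes) -> list:
    """Return a list of finding tags for a downloaded file; empty means nothing obvious."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    if expected and kind != expected:
        findings.append(f"type-mismatch:{ext}!={kind}")
    # The case from this post: an "Archive" that is really a Windows executable.
    if is_pe(data) and ext not in ("exe", "dll", "scr"):
        findings.append("executable-disguised")
    # The harder case: a genuine document format carrying active content.
    if kind == "pdf":
        hits = [name.decode() for name in PDF_RISKY if name in data]
        if hits:
            findings.append("pdf-active-content:" + ",".join(hits))
    if kind == "ole" and (b"VBA" in data or b"Macros" in data):
        findings.append("ole-macros")
    return findings


if __name__ == "__main__":
    for name, blob in [("Archive.zip", PE_SAMPLE), ("Archive.zip", ZIP_SAMPLE),
                       ("profile.pdf", PDF_SAMPLE), ("profile.doc", OLE_SAMPLE)]:
        print(name, sniff(blob), triage(name, blob))
```

The first check is decisive for the sample in this post; the document heuristics are only a first pass, since names can be obfuscated and macro code in OLE files lives in compressed streams, which is why dedicated parsers (or an AV engine) take over from here.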

Fortinet detects the downloaded file as W32/Vacc.A!tr.

Author bio: Karine de Ponteves has always been into computer security and its many aspects. Her current responsibilities include preliminary analysis of malware and developing detection for new viruses.
