Malware seeding campaign leveraging vaccination profiles for the H1N1 virus

by Karine de Ponteves
December 1, 2009 at 10:51 am

AV Lab’s honeypots have just started catching new malware seeding campaigns leveraging vaccination profiles for the H1N1 virus.

The message is sent as a notification from the “Centers for Disease Control and Prevention (CDC)”. The sender is spoofed (the display name claims to be the CDC, while the address is at cdcmails.gov, not cdc.gov), and the URL of the rogue website is built so that “cdc.gov” appears as a subdomain: a reader who stops at “gov” takes it for the top-level domain, so the message may seem plausible to many people.

Here is what the email looks like:

    From: "Centers for Disease Control and Prevention (CDC)" <info-mess-id:01203428med@cdcmails.gov>
    Sent: Tue, 1 Dec 2009 23:37:46 +0800
    To: [removed]@fortinet.com
    Subject: Creation of your personal Vaccination Profile

    You have received this e-mail because of the launching of State Vaccination H1N1 Program.

    You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website.
    The Vaccination is not obligatory, but every person that has reached the age of 18 has to have
    his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for
    the vaccinated people and the not-vaccinated ones. This profile is used for the registering system
    of vaccinated and not-vaccinated people.

    Create your Personal H1N1 Vaccination Profile using the link:

    Create Personal Profile (link to http://online.cdc.gov.yhnbad.[removed])

And here is a screenshot of the rogue site:

[Screenshot h1n1_2: the rogue “cdc.gov” site with its “Download Archive” link]

Of course, the “Archive” (see the “Download Archive” link) is in fact a Trojan horse.

Pay attention to these never-ending social-engineering attempts that piggyback on news items. Of course, this one is easy to defeat: the “vaccination profile” arrives as an executable file, which is unlikely for an archive (although possible, a self-extracting archive being one case) and even less likely coming from an official organization.

But when the malicious bits are embedded in actual documents (.pdf, .doc, .xls, etc.), separating the wheat from the chaff can be a real challenge…
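The URL trick above (a trusted name such as cdc.gov placed in front of the domain the attacker actually controls) can be caught mechanically by comparing what the reader sees with the registrable domain the browser resolves. The following is an added example, not code from the original post or from Fortinet; it assumes a short allow-list of trusted domains and a tiny subset of the Public Suffix List, and the hostnames in `SAMPLES` are constructed stand-ins (the real seeding domain is not reproduced).

```python
"""Added example, not code from the original post: spot a lure URL whose
hostname embeds a trusted domain (here cdc.gov) as a subdomain, the way
http://online.cdc.gov.yhnbad.[removed] did.  The hostnames in SAMPLES are
constructed stand-ins; the real seeding domain is not reproduced."""
from __future__ import annotations

from urllib.parse import urlsplit

# Domains we expect lures to impersonate.  Assumption: a short allow-list;
# a deployment would load the organisation's own list.
TRUSTED_DOMAINS = {"cdc.gov", "fortinet.com"}

# Public suffixes understood by registrable_domain().  Assumption: a tiny
# subset of the Public Suffix List, enough for the demo; use the full list
# (e.g. the publicsuffix2 package) in production.
PUBLIC_SUFFIXES = {"gov", "com", "net", "org", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain: the public suffix plus one label.

    'online.cdc.gov.yhnbad.example' -> 'yhnbad.example' (unknown suffix:
    fall back to the last two labels); 'www.cdc.gov' -> 'cdc.gov'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Longest suffix first so that "co.uk" beats "uk".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def impersonated_domains(hostname: str) -> list[str]:
    """Trusted domains that occur inside the hostname as a whole run of
    labels but are not the hostname's registrable domain."""
    host = hostname.lower().rstrip(".")
    padded = "." + host + "."
    reg = registrable_domain(host)
    return sorted(d for d in TRUSTED_DOMAINS
                  if d != reg and "." + d + "." in padded)


def check_url(url: str) -> dict:
    """Classify a URL: what the reader sees vs. what the browser resolves."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    fakes = impersonated_domains(host)
    return {
        "host": host,
        "registrable_domain": reg,
        "impersonates": fakes,
        "suspicious": bool(fakes),
    }


# Constructed sample links: the first mimics the campaign's pattern.
SAMPLES = [
    "http://online.cdc.gov.yhnbad.example/profile",
    "http://www.cdc.gov/h1n1flu/",
    "http://cdc.gov.co.uk/",
    "http://login.fortinet.com.evil.net/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = check_url(url)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        extra = (", impersonates " + ", ".join(r["impersonates"])
                 if r["impersonates"] else "")
        print(f"{flag:10} {url}  ->  registrable domain {r['registrable_domain']}{extra}")
```

The check only catches the “trusted name as a subdomain” pattern shown in this mail; look-alike registrations such as a hyphenated or misspelled variant of the trusted name are a different trick and need a separate (edit-distance or homoglyph) test.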
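The “easy” case described above, an executable posing as an archive, can be checked by comparing a download's extension with its magic bytes. The following is an added example, not code from the original post or from Fortinet; the filenames and byte strings are constructed for the demo, not samples from the campaign, and the signature table is deliberately small.

```python
"""Added example, not code from the original post: check whether a downloaded
"archive" or "document" really is what its filename claims, by comparing the
extension with the file's leading bytes.  Filenames and byte strings below are
constructed for the demo, not samples from the campaign."""
from __future__ import annotations

import os

# Leading bytes -> container kind.  Ordered so that longer signatures are
# tried before the two-byte "MZ" prefix.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx
    (b"Rar!\x1a\x07\x00", "rar"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
    (b"MZ", "pe-executable"),
]

# Which content kinds an extension legitimately maps to.
EXPECTED = {
    ".zip": {"zip"}, ".rar": {"rar"}, ".pdf": {"pdf"},
    ".doc": {"ole2"}, ".xls": {"ole2"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".exe": {"pe-executable"},
}


def sniff(data: bytes) -> str:
    """Identify the container format from its leading bytes."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def check_download(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    allowed = EXPECTED.get(ext)          # None: extension not in our table
    return {
        "filename": filename,
        "claimed": ext or "(none)",
        "actual": kind,
        "executable": kind == "pe-executable",
        # A PE carrying a ZIP end-of-central-directory record is most likely
        # a self-extracting archive: still an executable, still worth a flag.
        "self_extracting": kind == "pe-executable" and b"PK\x05\x06" in data,
        "mismatch": allowed is not None and kind not in allowed,
    }


# Constructed samples.  The first is the situation in the post: an executable
# served behind a "Download Archive" link.
SAMPLES = {
    "Vaccination_Profile.zip": b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00",
    "Vaccination_Profile.exe": b"MZ" + b"\x00" * 62 + b"PK\x03\x04" + b"\x00" * 16 + b"PK\x05\x06",
    "h1n1_program.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "profile.zip": b"PK\x03\x04\x14\x00\x00\x00",
    "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = check_download(name, blob)
        verdict = "MISMATCH" if r["mismatch"] else ("exe" if r["executable"] else "ok")
        print(f"{verdict:8} {name}: claims {r['claimed']}, is {r['actual']}"
              + (" (self-extracting)" if r["self_extracting"] else ""))
```

This only separates containers; a .pdf or .doc that really is a PDF or OLE2 file but carries an exploit passes the check unchanged, which is exactly the harder case the paragraph above points to.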

Fortinet detects the downloaded file as W32/Vacc.A!tr.

Author bio: Karine de Ponteves has always been into computer security and its many aspects. Her current responsibilities include analysis and research for Fortinet's FortiGuard Global Security Research Team.

Keep your phone healthy: H1N1 vs. SymbOS/Yxes

by Axelle Apvrille
October 13, 2009 at 7:47 am

Lately we have been fed H1N1 flu safety measures, with recommendations on how to wash our hands, sneeze or cough. I just wonder whether we would be as obedient if the same recommendations were issued for our computers or phones.

Have a look at the advice below: on the left are the CDC’s recommendations against H1N1; on the right, Fortinet’s recommendations against SymbOS/Yxes.

[Image h1n1: the CDC’s H1N1 recommendations (left) beside Fortinet’s SymbOS/Yxes recommendations (right)]

Convinced? Will you follow them?

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.