Trojan Malware Infects Swine Flu Users
The email appears to come from the Centers for Disease Control and Prevention (CDC). But instead of protecting your health, it serves up Trojan malware to make your computer sick.
Hackers have figured out how to send out email that appears to be legitimate and to come from the CDC. It invites readers to create a profile for a swine flu vaccine program.
But according to security provider AppRiver, it’s a malware scam.
Digital Degenerate reports it first saw the campaign about 8:15 (CST) Tuesday morning.
Here’s how it works – the visitor receives a temporary ID and a link to a profile. The link actually points to an executable file containing a copy of a Trojan most commonly identified as Zbot, reports AppRiver.
McAfee reports the file is a very recent Zeus Trojan variant. Once installed, the Trojan opens a backdoor on your computer that lets additional malware in without any further authorization from you.
Say goodbye to any security. The attacker can steal data from your computer, including credit card information and passwords; the Trojan can log your keystrokes and send confidential personal and financial data to a remote hacker.
AppRiver says the campaign sent more than one million messages in the first hour alone, at a rate of 18,000 messages per minute. You are advised to ignore any email from the CDC that invites users to create a profile on the CDC Web site as part of a “State Vaccination H1N1 Program.”
McAfee also says the email may be associated with other campaigns, including:
Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
Creation of your personal Vaccination Profile
According to McAfee, “The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar at active24.be.
“The DNS servers that are authoritative for the spam domains were purchased from a Chinese registrar, ‘Xin Net Technologies’, but the DNS servers themselves are being hosted from locations in the US, Japan and Hong Kong. We even see some of the DNS servers being used as previously having been associated with sending spam mail for the Cutwail botnet, which has been known to use the Zeus Trojan. This could indicate the possibility that some of the DNS servers themselves may simply be infected hosts.
“These hostnames are associated with 135 distinct IP addresses associated with the websites hosting the Trojan, which stem from all over the world and appear to be DSL accounts.
“The primary countries hosting the websites at the time of this writing are Colombia, Brazil, India, Malaysia, Chile and Argentina.”
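The lure mechanics described above (CDC-branded mail, a link to an executable, domains registered a week before the campaign) turned into a simple mail-triage check; this is an added example, not code from the article, AppRiver or McAfee. The subject lines are the ones listed above, while the sender address, domain, temporary ID and dates in the samples are constructed, and whois creation dates are assumed to be looked up separately and passed in.

```python
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Lure subject lines listed in the article (lower-cased for matching).
CAMPAIGN_SUBJECTS = {
    "governmental registration program on the h1n1 vaccination",
    "state vaccination h1n1 program",
    "your personal vaccination profile",
    "create your personal vaccination profile",
    "state vaccination program",
    "creation of personal vaccination profile",
    "instructions on creation of your personal vaccination profile",
    "creation of your personal vaccination profile",
}
BRAND_DOMAINS = {"cdc.gov"}  # the brand the lure impersonates
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    """Crude eTLD+1: keep the last two labels (enough for .gov/.com/.be)."""
    return ".".join(host.lower().split(".")[-2:])

def score_message(subject, from_addr, body, sent_on, whois_created):
    """Return (score, reasons); whois_created maps domain -> creation date."""
    reasons = []
    if subject.strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches a known H1N1 lure subject")
    claims_brand = registrable(from_addr.split("@")[-1]) in BRAND_DOMAINS
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        dom = registrable(parts.hostname or "")
        if claims_brand and dom not in BRAND_DOMAINS:
            reasons.append(f"CDC-branded mail links to non-CDC domain {dom}")
        if parts.path.lower().endswith(".exe"):
            reasons.append(f"link downloads an executable: {parts.path.rsplit('/', 1)[-1]}")
        created = whois_created.get(dom)
        if created and sent_on - created <= timedelta(days=7):
            reasons.append(f"{dom} was registered {(sent_on - created).days} days before the mail")
    return len(reasons), reasons

# Constructed samples: addresses, domain, temporary ID and dates are made up.
WHOIS = {"cdc-vaccination-profile.example": date(2009, 11, 24)}
LURE = dict(subject="State Vaccination H1N1 Program", from_addr="noreply@cdc.gov",
            body="Your temporary ID is 7781-AC. Open your profile at "
                 "http://cdc-vaccination-profile.example/profile.exe",
            sent_on=date(2009, 12, 1), whois_created=WHOIS)
BENIGN = dict(subject="Weekly flu surveillance report", from_addr="flu@cdc.gov",
              body="See http://www.cdc.gov/h1n1flu/update.htm",
              sent_on=date(2009, 12, 1), whois_created=WHOIS)
```

Running `score_message(**LURE)` flags all four indicators, while the benign CDC notice scores zero.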