Flu spoof delivers trojan

02 December 2009

The inevitable H1N1 flu trojan attacks have started. Yesterday, McAfee detected a new H1N1-related spam campaign that spoofs emails from the Centers for Disease Control and Prevention (CDC) and asks recipients to fill out a 'vaccination profile' as part of a supposed state-wide flu vaccination program.

The spam directs recipients to a spoofed CDC website, where they are asked to download a 'vaccination archive' that purports to be a document for filling in their profile information but actually carries malware. AppRiver said the download delivers a malware dropper known as XPack or Kryptic; McAfee said it delivers a very recent variant of the Zeus banking trojan.

McAfee Avert Labs said that a VirusTotal scan of the new variant found that only seven of 41 anti-virus engines detected it. That low detection rate, combined with widespread public anxiety over H1N1 flu, threatens to make this campaign a particularly effective one.

"As of 9:15 (CST) we are seeing these messages at the extremely high rate of nearly 18,000 messages per minute, netting over 1 million of these messages in the first hour alone", said AppRiver in a blog post.

"The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar at active24.be", said McAfee.

The DNS servers that were authoritative for the domains used in the attack had been registered through Xin Net Technologies, a Chinese registrar. The servers themselves were located around the world, however, and some had previously been associated with the Cutwail botnet, which McAfee said may indicate that they are legitimate servers that have been compromised.
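The indicators McAfee cites above (a sender address spoofing a trusted organisation, and links to domains registered or updated only days before the campaign) are the first things a mail gateway or an analyst would check on a message like this. The Python below is an added example, not code from the article, McAfee or AppRiver: it extracts the link hosts from a message, compares them with the sender's domain, and flags any link domain whose WHOIS creation or update date falls within a window before the campaign start. The email text, domain names and WHOIS records are constructed for illustration, and the 30-day window is an arbitrary assumption.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message of the kind the article describes, with a
# spoofed CDC sender and a link to a look-alike "vaccination profile" site.
# The addresses and domains are invented for this example.
SAMPLE_SPOOF = """\
From: "CDC Vaccination Program" <vaccination@cdc.gov>
Subject: State Vaccination Program Profile
Content-Type: text/plain

Please create your personal H1N1 vaccination profile at
http://cdc-vaccination-profile.example/profile
"""

# Constructed control message: sender and link agree on the domain.
SAMPLE_LEGIT = """\
From: "CDC" <info@cdc.gov>
Subject: H1N1 information
Content-Type: text/plain

Latest guidance is at http://cdc.gov/h1n1
"""

# Constructed WHOIS-style records: domain -> (registrar, created, last updated).
# A real implementation would query WHOIS/RDAP; values here are invented.
WHOIS = {
    "cdc.gov": ("US Government", date(1995, 6, 1), date(2009, 1, 15)),
    "cdc-vaccination-profile.example": ("active24.be", date(2009, 11, 24), date(2009, 11, 24)),
}

CAMPAIGN_START = date(2009, 12, 1)          # date the campaign was observed
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def link_domains(raw_email):
    """Return the sorted set of host names linked from the message body."""
    body = message_from_string(raw_email).get_payload()
    return sorted({host.lower() for host in URL_RE.findall(body)})


def sender_domain(raw_email):
    """Return the domain of the (unauthenticated) From: address."""
    _, addr = parseaddr(message_from_string(raw_email).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw_email, whois=WHOIS, as_of=CAMPAIGN_START, max_age_days=30):
    """Score each linked domain against the indicators from the article.

    A domain is marked suspicious when it does not belong to the sender's
    domain, when it has no WHOIS record, or when it was created or updated
    within max_age_days (assumed threshold) of the campaign start.
    """
    sender = sender_domain(raw_email)
    report = {}
    for domain in link_domains(raw_email):
        mismatch = domain != sender and not domain.endswith("." + sender)
        rec = whois.get(domain)
        if rec is None:
            registrar = age = since_update = None
            recent = True                      # cannot vouch for an unknown domain
        else:
            registrar, created, updated = rec
            age = (as_of - created).days
            since_update = (as_of - updated).days
            recent = min(age, since_update) <= max_age_days
        report[domain] = {
            "sender_mismatch": mismatch,
            "registrar": registrar,
            "days_since_registration": age,
            "days_since_update": since_update,
            "suspicious": mismatch or recent,
        }
    return report


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        for domain, info in triage(sample).items():
            print(label, domain, info)
```

The sender comparison is only a heuristic, since a From: header can be forged freely; in practice it would be backed by the gateway's authentication results. The registration-age check is the stronger signal here: a domain created a week before a mass mailing that impersonates a government agency is exactly the pattern McAfee describes.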
